Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Mon, 20 Jul 2015 14:36:56 +0200
Hi Yang,

2015-07-20 13:07 GMT+02:00 Yang Luo <hsluoyb@xxxxxxxxx>:
> Hi Pascal,
>
>> I just gave a quick test to the 0.1-r2 version on my Windows 10 virtual machine.
>> - I uninstalled WinPcap and installed Npcap in WinPcap mode without reboot. I got the same warning as Tyson regarding the upgrade of the npf.sys file, presumably because yours has version 0.1.0.710 against WinPcap, which uses version 4.1.0.2980. Maybe you should advise rebooting the PC after uninstalling WinPcap.
>
> This is WinPcap's bug, as it doesn't delete the installed npf.sys file in the system drivers directory. And Npcap's version 0.1.0.710 is smaller than WinPcap's 4.1.0.2980, as you said, so you can just choose to overwrite the existing files, and I will advise this in the next Npcap call for test.
>
>> - The loopback interface is still named 'Ethernet 2'. I run on Windows 10.0.10240 with French locale in case this matters.
>
> The version of Win10 I used before was 10102, so I just installed Win10 10240 x64 Pro English (en_windows_10_pro_10240_x64_dvd.iso) on my virtual machine. I tried Npcap and the loopback interface was successfully renamed to "Npcap Loopback Adapter" (I mean the topmost name beside ncpa.cpl's icons). In fact, Npcap first uses the "ver" command to decide whether it is running on a Win10 machine; if yes, Npcap renames the adapter in the Win10-specific way. When Npcap gets the "Microsoft Windows [Version 10.0.10240]" output string from the "ver" command, it parses out the string after "Version " and before ".", so Npcap gets a "10", and then Npcap thinks it is running on Win10. The GetVersionEx API doesn't work on Win10, so Npcap has to use this "non-standard" way. But it should be reliable enough, as "ver" is a built-in command.

I gave another try on a second Win10 x64 French virtual machine and it was not renamed either. The 'ver' command typed in a console does work like in your picture.

For your information, the GetVersionEx API can work on Windows 10 (that's what we use in Wireshark). But you need to embed a manifest in your application indicating that Windows 10 is supported by adding its GUID (see https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=image/wireshark.exe.manifest.in;h=9a3f32c912aae5ec8f05266f4ac28f14446025a1;hb=refs/heads/master, which we use for Wireshark).

>> - After reboot, Wireshark could not see any interface. I double-checked the driver state and saw that it was stopped. Manually starting it with the 'sc npf start' command allowed Wireshark to see interfaces. After reboot the service does not start automatically.
>
> I have already confirmed the bug that Npcap fails to start the driver when installation finishes. But it's weird for Wireshark to see no interfaces, because as far as I know, Wireshark will try to start the npf service when it starts.

Yes, that's what happens with WinPcap. The driver starts automatically when calling p_pcap_findalldevs() from wpcap.dll, but it does not seem to work with Npcap.

Cheers,
Pascal.
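The "ver"-output parsing that Yang describes in the quoted message, as an added example that is not Npcap's or Wireshark's own code: the C program below implements the literal "after 'Version ', before '.'" rule beside a locale-tolerant variant that ignores the word and takes the first dotted number after the '['. The three sample banner strings are constructed here, not captured from the machines in the thread; the French form with a lowercase "version" is an assumption about how localized builds print the banner, and whether that is what happens on Pascal's French VM is not established in the thread. The manifest route Pascal points to instead uses the Windows 10 supportedOS GUID, `<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>` under the manifest's compatibility element, so that GetVersionEx reports the real version without any string parsing.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample outputs of the "ver" command (not captured from the
 * machines discussed in the thread). The French form with a lowercase
 * "version" is an assumption about how localized builds print the banner. */
static const char *SAMPLE_EN_WIN10 = "Microsoft Windows [Version 10.0.10240]";
static const char *SAMPLE_FR_WIN10 = "Microsoft Windows [version 10.0.10240]";
static const char *SAMPLE_EN_WIN7  = "Microsoft Windows [Version 6.1.7601]";

/* The rule described in the thread: take the text after the literal
 * "Version " and before the next '.'. Returns the major version, or -1 when
 * that literal is absent (re-cased or translated) or not followed by "<digits>.". */
int naive_major(const char *ver_output)
{
    const char *p = strstr(ver_output, "Version ");
    if (p == NULL)
        return -1;                      /* word re-cased or translated: no match */
    p += strlen("Version ");
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return -1;
    return (int)v;
}

/* Locale-tolerant variant: skip whatever word precedes the number and read
 * the first "major.minor.build" triple after the '['. Fills minor/build when
 * the pointers are non-NULL. Returns the major version, or -1 on no match. */
int robust_major(const char *ver_output, int *minor, int *build)
{
    const char *p = strchr(ver_output, '[');
    if (p == NULL)
        p = ver_output;                 /* no bracket: scan the whole line */
    while (*p != '\0' && !isdigit((unsigned char)*p))
        p++;
    int maj, min, bld;
    if (sscanf(p, "%d.%d.%d", &maj, &min, &bld) != 3)
        return -1;                      /* also covers an empty remainder */
    if (minor) *minor = min;
    if (build) *build = bld;
    return maj;
}

/* The decision an installer needs: is this Windows 10? */
int is_windows10(const char *ver_output)
{
    return robust_major(ver_output, NULL, NULL) == 10;
}

int main(void)
{
    const char *samples[] = { SAMPLE_EN_WIN10, SAMPLE_FR_WIN10, SAMPLE_EN_WIN7 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int minor = -1, build = -1;
        int maj = robust_major(samples[i], &minor, &build);
        printf("%-40s naive=%d robust=%d.%d.%d win10=%d\n", samples[i],
               naive_major(samples[i]), maj, minor, build,
               is_windows10(samples[i]));
    }
    return 0;
}
```

The literal-prefix rule returns -1 for the constructed French banner while the tolerant parser still yields 10; either way, a parser fed by a shell command is a weaker foundation than a manifested GetVersionEx call, because its input depends on the console's language and on nothing preventing a different "ver" from appearing earlier on the PATH of the installer's shell.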