Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)
From: Yang Luo <[email protected]>
Date: Fri, 24 Jul 2015 21:12:11 +0800
Hi Jim,

Thanks for this detailed test, and I have fixed some of the problems. The latest installer is:

See more feedback below:

On Thu, Jul 23, 2015 at 1:06 PM, Jim Young <[email protected]> wrote:
Hello Yang,

From: Yang Luo <[email protected]>, Date: Wednesday, July 22, 2015 11:12

> I tested it against Win10 10240 x64 (French and Chinese), try installer

I've continued to test the various Npcap versions in WinPcap API mode on
Windows 8.1 system.

Here are some observations.

1 - I cannot uninstall and then install Npcap successfully without
rebooting the system between the Uninstall and Install.

If I attempt the install without the reboot then the NPFInstall.exe -i1
step will stall and I am forced to reboot the system.  After rebooting I
can see that the various Npcap components like npf.sys, packet.dll,
wpcap.dll will have been placed in the expected locations, but the newly
created loopback interface will not have the expected Npcap name.  To
clean this up I manually Uninstall the orphaned loopback adapter and then
rerun the Npcap installer, which will detect the files from the previous
install attempt and launch the Npcap uninstaller.  After the uninstaller
finishes I [Cancel] the Npcap Install and reboot the system.  Upon reboot
I can successfully re-install Npcap.

This is so weird that NPFInstall.exe -il will stall. I encountered this sometimes several days ago, but I can't see it these days. I don't know if you can reproduce it reliably and tell me the steps.

I've been using the following set of commands in a cmd shell to get a
quick look-see at the state of the Npcap install and uninstall:

netsh.exe interface show interface
sc queryex npf
dir /s \npf.sys
dir /s \packet.dll
dir /s \wpcap.dll

Interestingly, when Npcap fails to install (because I didn't reboot after
the last Uninstall), the orphaned "Microsoft KM-TEST Loopback Adapter"
will NOT be listed in the netsh interface show interface report.  I see
this in the Device Manager's Network Adapters list.

This is also weird; maybe it is caused by the problem above.

2 - If I attempt to uninstall Npcap while npf is in use (Wireshark is
running), the system will crash with the message:
If I do not have Wireshark running, then the uninstall will complete
successfully (but I still need to reboot to reinstall Npcap successfully).
Interestingly, if one tries to stop npf while Wireshark is running (from
an admin level cmd shell enter: sc stop npf), sc will report the stop
request as "pending".  Once Wireshark is shut down the npf service will
stop.  Should the uninstaller detect that the npf service could not
shut down and abort the uninstall attempt?

This is a big issue, and I have fixed it in the latest release. First, the BSoD is fixed; then I forbid uninstallation in the installer if Npcap is still in use.

3 - TCP packets captured on the loopback interface do not have payloads.
With long running traces I see various occasional traffic on the LoopBack
interface.  It looks like only the TCP packets do not show payloads.
Interestingly, when the Firefox browser is running I see various
short lived TCP sessions on the loopback using adjacent port numbers (for
example SYN src="" dstport=49224).

I have reproduced it; I will look into this.

4 - With the recent Npcap versions I had not seen any more issues with
the Cisco AnyConnect VPN client.  I had left some of these later Npcap
versions running for hours with Wireshark sniffing on the loopback and
sometimes other adapters.  But immediately after I first installed Npcap
0.02.r2 the Cisco VPN client failed.  I've uninstalled, rebooted and
reinstalled Npcap 0.02.r2 a few times and each time I have had the Cisco
AnyConnect VPN fail (sooner or later).

What technique is the Cisco AnyConnect VPN client based on? PPTP, L2TP or IPsec? I googled it but I didn't find a link to download it. Also, I don't know if I need to pay for an account; is there a way that I could try it?

5 - The Npf installer (or uninstaller) is leaving what I assume are
obsolete folders (and files in those folders) in subfolders of
C:\Windows\System32\DriverStore\FileRepository.  These subfolders have
names that begin with "npf.inf_amd64_" followed by 16 hexadecimal
characters.  Should these be deleted as part of the install or uninstall?

This is expected, and it is not something for Npcap to uninstall.

6 - After the initial install of Npcap 0.02.r1, the npf service is
immediately started, but upon a reboot the npf service is stopped and must
be manually started (from an admin cmd shell: netsh start npf).  Running
Wireshark (as a normal user) does not automatically start the npf service.
I have not attempted to start Wireshark in an admin level cmd shell.

I am looking into it. I think the npf service needs to be started automatically instead of the current way. It is related to the WFP callout and still needs time to be solved.

Best regards,

Jim Y.
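Jim's manual checks (locating npf.sys/packet.dll/wpcap.dll, the orphaned loopback adapter, and the "pending" stop of npf while a capture is open) can be wrapped in one pre-uninstall script. This is an added example, not code from the thread or from the Npcap project; it assumes the service name "npf" and the file names quoted above, an elevated PowerShell session, and Windows 8 or later for Get-NetAdapter.

```powershell
# Added example (not part of the thread): inspect the Npcap install state and
# refuse to proceed with an uninstall while the npf driver is still in use.
# Assumptions: service name "npf", files npf.sys/packet.dll/wpcap.dll, elevated shell.
$ErrorActionPreference = 'Stop'

# 1. Where did the installer leave the driver and the two DLLs?
foreach ($name in 'npf.sys', 'packet.dll', 'wpcap.dll') {
    $hits = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter $name -ErrorAction SilentlyContinue
    if ($hits) { $hits | ForEach-Object { Write-Host "found: $($_.FullName)" } }
    else       { Write-Warning "$name not found under $env:SystemRoot" }
}

# 2. Loopback adapter as the NetAdapter stack sees it (hidden adapters included,
#    since an orphaned adapter may be missing from "netsh interface show interface").
Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceDescription -like '*KM-TEST Loopback*' } |
    Format-Table Name, InterfaceDescription, Status -AutoSize

# 3. Can npf actually be stopped? An open capture keeps the driver in use, so the
#    stop request stays "pending" until that process exits; abort instead of
#    letting an uninstaller pull the driver out from under it.
$svc = Get-Service -Name npf -ErrorAction SilentlyContinue
if (-not $svc) { Write-Host 'npf service is not installed'; exit 0 }
Write-Host "npf status before stop: $($svc.Status)"
if ($svc.Status -ne 'Stopped') {
    try {
        Stop-Service -Name npf -NoWait
        # ServiceController.WaitForStatus throws TimeoutException if still pending.
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(10))
    } catch [System.ServiceProcess.TimeoutException] {
        Write-Error 'npf is still in use (stop pending); close Wireshark/dumpcap before uninstalling.'
        exit 1
    }
}
Write-Host 'npf stopped; safe to run the uninstaller'
```

Run it before the Npcap uninstaller; a non-zero exit means a capture process is still holding the driver open.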

Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe