Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)
From: Pascal Quantin <[email protected]>
Date: Fri, 24 Jul 2015 19:56:30 +0200


2015-07-24 15:14 GMT+02:00 Yang Luo <[email protected]>:
Hi Pascal,

I think I have added the "flpp4" and "flpp6" to Npcap, but I don't know if this works; you could try the latest installer:

Hi Yang,

I can see the interface listed now. I will not be able to try capturing traffic before next Thursday unfortunately as I'm traveling.

Regards,
Pascal.
 

On Thu, Jul 23, 2015 at 4:18 PM, Pascal Quantin <[email protected]> wrote:


2015-07-22 21:39 GMT+02:00 Pascal Quantin <[email protected]>:


2015-07-22 18:25 GMT+02:00 Yang Luo <[email protected]>:
Hi Pascal,

On Wed, Jul 22, 2015 at 11:33 PM, Pascal Quantin <[email protected]> wrote:


I just gave a try to this new installer:
- still my rename issue of the loop back installer (as expected ;)). Is there some debug log / test I could do on my side? I will double check if the rename works fine on a French Win 7. 

I think I perhaps know why this doesn't work on your French Win10. It can be language related, because the Win10 renaming method uses string parsing again. This is the mechanism:
1) First Npcap runs "netsh.exe interface show interface" to get all interfaces before installing "Npcap Loopback Adapter"; you will get something like the output below in English (but I don't know if my code adapts to French; this is the key point).
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet

Npcap will parse this output to get all interface names. The method is to first go to the third line, then find the line feed char '\n'; if '\n' is found, then reverse-find two consecutive space chars "  ". Then we can get a name like "VMware Network Adapter VMnet1", and the same for the other names. Save them to a vector<string>.

2) After "Npcap Loopback Adapter" is installed, Npcap will run "netsh.exe interface show interface" again to get the updated interface list, like below:
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet
Enabled        Connected      Dedicated        Ethernet 2
 
We can get another vector<string> from the above output, compare these two vectors, and find the new name, which is "Ethernet 2".

3) Then Npcap will rename this new adapter using "netsh.exe interface set interface name=\"%s\" newname=\"%s\""; the first %s is the previous "Ethernet 2", and the second %s is "Npcap Loopback Adapter".

So I think this method can possibly fail on a system in a language other than English, because the output of "netsh.exe interface show interface" can be language specific. You can try these commands manually to see whether this method works.

Indeed the command output is localized. Before installing Npcap, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet

After the installation, I have:
État admin    État          Type            Nom de l'interface
-------------------------------------------------------------------------
Activé         Connecté       Dédié            Ethernet
Activé         Connecté       Dédié            Ethernet 2

Executing manually the command netsh.exe interface set interface name="Ethernet 2" newname="Npcap Loopback Adapter"
does work.


- driver can be started after reboot (manually or with Wireshark)

Good for this.
 

- for those having User Account Control activated, you need to start Wireshark as administrator (even without restricting Npcap to admin during installation) to have the driver started. Unfortunate... If this is the loopback adapter that triggers the issue at startup, should its installation be optional?

I don't know whether there are many people using Wireshark with non-Admin privileges? If yes, then I think the lack of boot start support needs a solution. Making the loopback code optional is kind of difficult, because its code is deep in the driver and is tightly connected with other parts.
 

- I finally got the opportunity to test with a MBIM WWAN device (long due task on my side ;)). The interface is not listed unfortunately.

This is weird, because in the driver's INF file, I have specified:
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan, bluetooth, ndis5, vwifi, nolower"
It should have included WAN interfaces. Perhaps you would like to find out if this WAN device has appeared in the registry, because Npcap or WinPcap only sees interfaces that appear in the registry; the registry path is: \\HKLM\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}.

I will try to get my hands on the PC again (gave it back to my colleague) to verify this.
 

I got access to the PC. There are 2 Mobile Broadband interfaces being listed on the PC and not seen by Npcap. You will find attached the corresponding registry key dumps.

Cheers,
Pascal.

 

Cheers,
Yang


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
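
The parse-and-compare steps 1) and 2) described in the thread, as an added example that is not part of the original messages and is not Npcap's code: it finds the table by its dashed separator row instead of a line count or header text, then diffs the before/after name lists. The function names, the CRLF line endings and the leading blank line in the sample are assumptions.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Extract names from "netsh.exe interface show interface" output. Rows are
// located via the dashed separator, so no localized header text is matched.
std::vector<std::string> parse_interface_names(const std::string& output) {
    std::vector<std::string> names;
    std::istringstream in(output);
    std::string line;
    bool in_table = false;
    while (std::getline(in, line)) {
        line.erase(line.find_last_not_of(" \t\r") + 1);  // trim CR and padding
        if (line.empty()) continue;
        if (!in_table) {  // the separator row consists only of '-'
            in_table = line.find_first_not_of('-') == std::string::npos;
            continue;
        }
        // Last column = text after the last run of two spaces (assumed absent in names).
        std::string::size_type pos = line.rfind("  ");
        if (pos != std::string::npos) names.push_back(line.substr(pos + 2));
    }
    return names;
}

// Names present after the install but not before it.
std::vector<std::string> new_interfaces(const std::string& before, const std::string& after) {
    std::vector<std::string> old_names = parse_interface_names(before);
    std::vector<std::string> added;
    for (const std::string& n : parse_interface_names(after))
        if (std::find(old_names.begin(), old_names.end(), n) == old_names.end())
            added.push_back(n);
    return added;
}

// Constructed sample: the French output quoted in the thread, with CRLF line
// endings and a leading blank line assumed.
const std::string kBefore =
    "\r\nÉtat admin    État          Type            Nom de l'interface\r\n"
    "-------------------------------------------------------------------------\r\n"
    "Activé         Connecté       Dédié            Ethernet\r\n";
const std::string kAfter =
    kBefore + "Activé         Connecté       Dédié            Ethernet 2\r\n";

int main() {
    for (const std::string& n : new_interfaces(kBefore, kAfter)) std::cout << n << "\n";
}
```

The diff yields the name to pass to the rename command from step 3); an empty or multi-element result means the new adapter could not be identified unambiguously and the rename should be skipped.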


