Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capt

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Fri, 17 Jul 2015 08:44:32 +0800
Hello Jim,

First of all, thanks for this elaborate testing!

On Thu, Jul 16, 2015 at 2:30 PM, Jim Young <jyoung@xxxxxxx> wrote:

I opted to leave Wireshark up capturing on the loopback interface for
several hours.  In these captures I occasionally saw that TCP sessions
were successfully setup and then torn down via a RST packet usually about
19 seconds later.  The TCP RST packets were sent with Sequence numbers of
4-8 to Sequence numbers like 98 implying that perhaps some data packet was
sent but not captured.

 I think I have some clue about where could go wrong if this is an issue, I will look into this later after other bugs are fixed (like the service don't start after reboot).


When I later attempted to install a new version of Wireshark, Wireshark's
installer assumed there was no WinPcap installed; Wireshark's install
process can not detect that Npcap has been installed in WinPcap mode.  In
this case I opted skip the install of WinPcap but allowed the newer
Wireshark to install.  I opted to leave the Qt based Wireshark now using
Npcap in WinPcap mode up and running overnight at the Welcome screen.

 
It looks like that Wireshark checks WinPcap's existence based on registry or WinPcap installation folder. I don't know if this is suitable for Npcap to use WinPcap installation folder and "WinPcap" name in registry even in "WinPcap Mode". Official WinPcap installer checks its previous versions based on wpcap.dll version in System32 directory. I think this could be viewed as some kind of standard, and perhaps Wireshark should also check in this way?

The following morning I noticed that the Cisco AnyConnect VPN Client
installed on this workstation had failed.   This was a new behavior. I
rebooted the workstation to see if it would resolve the Cisco AnyConnect
issue.   But shortly after the system had rebooted the AnyConnect would
again fail.  I opted to uninstall Npcap 0.01 and rebooted the system.
Once Npcap was removed and the system no longer reported and any problems
for the Cisco AnyConnect Client.

When your Cisco AnyConnect VPN Client stops working, how about your other Internect connections? There seems to be a bug in Npcap that will lead to the whole network failure. 
 

I then opted to re-install Npcap 0.01 to see if the AnyConnect problem
would reappear.  But this time the installation failed with the message
"Failed to create the npcap service for Win7 and Win8.  Please try
installing Npcap again, or use the official Npcap installer from
www.nmap.org".  I retried the Npcap installation which appeared to be
successful.   But after starting Wireshark I had the message "No
interfaces found".  I uninstalled Npcap and reinstalled WinPcap.   I could
now see interfaces.  I then uninstalled WinPcap.  Wireshark reported "No
interface found" (I expected Wireshark to report that WinPcap was not
installed).

I think this is caused by Npcap's not start after reboot bug.
 

I then opted to reinstall Npcap yet again.  This time the Npcap
installation failed spectacularly with a message of BAD_POOL_CALLER and
Windows subsequently crashed and rebooted.  After the system was up I
attempted to load Wireshark but was presented with an error dialog with
the title "Wireshark.exe - Bad Image".  Here was the message text.

> C:\Windows\system32\wpcap.dll is either not designed to run on Windows
>or it contains an error.  Try installing the program again using the
>original installation media or contact your system administrator or the
>software vendor for support.  Error status 0xc00012f.

This error was followed by the same dialog but for for packet.dll, and
then a similar pair of messages except this time it was dumpcap.exe that
was listed in the dialog's title.  Wireshark subsequently display a
message in the interface section of the Welcome screen that said:

"Unable to load WinPcap (wpcap.dll); you will not be able to capture
packets. Š"

 About this BAD_POOL_CALLER BSOD, I think there may be some bugs in allocating pool memory. I have found this in MS: https://msdn.microsoft.com/en-us/library/windows/hardware/ff560185(v=vs.85).aspx. It needs the four parameters in your BSOD screen to check the detailed crash reason. It's good if you can provide it:)


I opted to try the Npcap installation yet again.  This time the "Npcap
0.01 for Nmap (beta) Setup" dialog displayed the message "Npcap version
0.1.0.710 exists on this system.  Replace with version 0.01?"  I clicked
[Yes].  But On the Security and API Options page the "Install Npcap in
Winpcap AP compatible mode" was disabled.  Since I could not install Npcap
in WinPcap mode I choose to abort [Cancel] this install.

This is caused by the BSOD. Normally you shouldn't encounter this.



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


Cheers,
Yang