Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capt

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Fri, 17 Jul 2015 08:57:00 +0800
Hi Tyson,

On Thu, Jul 16, 2015 at 6:10 PM, Tyson Key <tyson.key@xxxxxxxxx> wrote:
Hi Yang,

Come to think of it, I got exactly the same BSoD error as Jim (BAD_POOL_CALLER). 

About this BAD_POOL_CALLER BSOD, I think there may be some bugs in allocating pool memory. I have found this in MS: https://msdn.microsoft.com/en-us/library/windows/hardware/ff560185(v=vs.85).aspx. It needs the four parameters in your BSOD screen to check the detailed crash reason. It's good if you can provide it:) 

However, my configuration is different (I have a bunch of VMware interfaces, and an Atheros AR9485WB-EG WLAN adaptor, which is also semi-supported by Acrylic Wi-Fi - but BSoDs for a different reason (seems to be related to NDIS drivers, with that)), and multiple loopback adaptors were created on my machine (named "Microsoft KM-TEST Loopback Adaptor", instead of "NPCap Loopback", if memory serves correctly). 

If you run "NPFInstall.exe -il" one time, Npcap will install one adapter for you. This is why you have so many loopback adapters. You should run "NPFInstall.exe -ul" to uninstall the lastest loopback adapter. 
And it seems that Npcap's renaming adapter to "Npcap Loopback Adapter" code doesn't work on Win10 and with no obvious reason. I have reported this to Microsoft to see if there's a solution.


Bizarrely, even after uninstalling NPCap, and replacing it with WinPCap, these KM-TEST adaptors still persist across reboots:
埋め込み画像 1

I assume that these are a side-effect of manually installing the .ini file, after attempting to run the set-up tool ("npfinstall -r", "npfinstall -li", and then "npfinstall -i") via a batch script with Administrator privileges.

I also found that although I could see packets containing a MAC address with the mnemonic "LOOP", I could not capture any ICMP traffic, when trying to ping 127.0.0.1, or ::1 (using both Microsoft Network Monitor, and Wireshark - the latter of which would not detect any interfaces, after reinstalling NPCap a few times, before eventually replacing it with WinPCap, until I rebooted).

If you have installed multiple loopback adapters using  "NPFInstall.exe -il", Npcap will view only the last one as the real "Npcap Loopback Adapter", so in your picture, it is only "Ethernet 4" that can be recognized by Npcap as loopback adapter. In this adapter, you should be able to see the loopback traffic.

If I get time, I'm going to see if I can reproduce the BSoD, and try writing down the steps involved.

If you found another BSOD, perhaps you can take a picture of it, so I can get enough details about the causes and parameters about it.
 
Tyson.


Cheers,
Yang