Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Jim Young <jyoung@xxxxxxx>
Date: Mon, 20 Jul 2015 02:48:06 +0000
Hello Yang,

Similar to Tyson I had quite a bit of difficulty in getting Npcap 0.01.r02 installed and running.

Looking back at a Device Manager screen shot I took PRIOR to attempting to install the 2nd version of Npcap yesterday, I realized that I had an orphaned "Microsoft LM-TEST Loopback Adapter" on this system.  After the 2nd version of Npcap stalled yesterday I ended up simply forcing a reboot.  When the system came back up I noticed I now had an additional device, "Microsoft LM-TEST Loopback Adapter #2", listed in Device Manager.  Today, on my first attempt to install the third version of the beta image (the .r2 version), I ended up with an "Npcap Loopback Adapter" but Wireshark reported "No interfaces found".  The Npcap uninstaller removed the "Npcap Loopback Adapter" but the two "Microsoft LM-TEST Loopback Adapter" devices persisted.  I manually removed these two devices by right-clicking on them in the Device Manager and selecting "Uninstall".

I've attempted several uninstall/reinstall sequences, sometimes alternating with WinPcap uninstalls/installs.  When WinPcap was installed I could see interfaces and sniff.  But with Npcap 0.01.r2 installed I had no luck.  Occasionally when installing Npcap 0.01.r2 I was presented with the message "Npcap version 0.1.0.710 exists on this system. Replace with version 0.01?"  I could successfully run the uninstaller and then run the installer.  But one time I opted to cancel the Npcap install and reboot.

After rebooting and loading Wireshark I was presented with the message "Unable to load WinPcap …" instead of the "No interfaces found" message.  I guessed that from Wireshark's (well, dumpcap's?) point of view, the Npcap uninstall had sufficiently cleaned up the previous *pcap install that no remnants of any *Pcap files persisted.

After uninstalling Npcap I opened a cmd shell and entered: dir /s \npf.sys.  Two entries were listed in C:\Windows\System32\DriverStore\FileRepository\inf_amd62_<hexstring>.  One was dated July 19, 2015 09:09 and had a size of 51920 bytes.  The other was dated Jul 11, 2015 03:46 AM and had a size of 41072 bytes.  After re-installing WinPcap I ended up with an npf.sys in C:\Windows\System32\drivers with a date of Feb 28, 2013 09:49 PM and a size of 36600 bytes.  Interestingly, an uninstall of WinPcap does not immediately appear to delete the npf.sys file in C:\Windows\System32\drivers nor the wpcap.dll and Packet.dll files in the c:\Windows\System32 folder.  But WinPcap's uninstall does delete the wpcap.dll and Packet.dll files installed in C:\Windows\SysWOW64.  After rebooting the system these three obsolete WinPcap files still persisted.  Wireshark will apparently report the "No interfaces found" message if one of these obsolete WinPcap files persists.

A subsequent install of Npcap presented the message "The target file exists and is newer than the source." as follows:

> Source: C:\Program Files\Npcap\npf.sys
> Target: C:\Windows\system32\DRIVERS\npf.sys
> The target file exists and is newer than the source.
>
> Overwright the newer file?

Is the specific timestamp that is being checked by the Npcap installer the "wrong" timestamp (each file has several timestamp values: atime, mtime, etc.)?  The obsolete WinPcap npf.sys file in the C:\Windows\System32\drivers folder is in fact older than Npcap's npf.sys file in the Program Files\Npcap folder.  This can be confirmed with the command: dir /s \npf.sys

As Tyson reported, after an install of Npcap 0.01.r2 the npf service did not start.  You can enter the command "sc queryex npf" to see it is stopped (in my case with a WIN32_EXIT_CODE of 1077 (0x435)).  Compare this to what WinPcap looks like after installation.  I also entered "sc start npf" and npf started successfully.  An "sc queryex npf" now looks similar to what one sees when WinPcap is installed.  I started Wireshark and this time I could see interfaces, including the Npcap Loopback Adapter.  I started a second copy of Wireshark so I could watch the "spark lines" in one copy while I started a capture on the Loopback adapter in the second Wireshark instance.  I could see and capture pings to the 127.0.0.1 address.

I then did a netstat -a and noted a number of TCP and UDP ports were in a LISTENING state.

I used cygwin's "nc" utility to confirm the Npcap loopback interface could see TCP connections.  I first did some "nc -z 127.0.0.1 <PORT>" where <PORT> was one of the TCP ports listed in the netstat -a report.  For each nc -z test I would see a 7-packet exchange (SYN, SYN/ACK, ACK, FIN/ACK, ACK, FIN/ACK, ACK).  I then created a small text file called hello.txt with 13 bytes of data ("Hello world<0x0a><0x0a>").  I then entered the command: nc 127.0.0.1 135 <hello.txt.  Wireshark captured the SYN, SYN/ACK, ACK, followed by a FIN/ACK with a Seq number of 14 and Wireshark reporting "[TCP Previous segment not captured]", an ACK with a "[TCP Window Update]", followed by a RST/ACK, an ACK "[TCP Dup Ack]" and finally a "[RST]".

For the rest of the evening I'm going to leave this instance of Npcap and Wireshark up and running to see if we have any crashes.

Best regards,

Jim Y.
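The leftover-file and service checks Jim walks through above (dir /s \npf.sys, comparing timestamps, sc queryex npf) gathered into one diagnostic script. This is an added example, not code from the post or from the Npcap project; it assumes only the file names and folders named in the message and must be run from an elevated PowerShell prompt.

```powershell
# Added diagnostic (not from the original post): inventory every copy of the
# *pcap files named in the message, with all three NTFS timestamps and the
# size, then report the npf service state the way "sc queryex npf" does.
$names = 'npf.sys', 'wpcap.dll', 'Packet.dll'
$roots = 'C:\Windows\System32', 'C:\Windows\SysWOW64', 'C:\Program Files\Npcap'

# System32 is searched recursively so DriverStore\FileRepository copies show up.
$found = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue
    }
}

"== *pcap files on disk (stale WinPcap copies are the ones to look for) =="
$found | Sort-Object FullName |
    Select-Object FullName, Length,
        @{n='Created';  e={$_.CreationTime}},
        @{n='Modified'; e={$_.LastWriteTime}},
        @{n='Accessed'; e={$_.LastAccessTime}} |
    Format-Table -AutoSize -Wrap

# The installer's "target file exists and is newer" prompt: compare the two
# npf.sys files on every timestamp, to see which one could make that claim.
$src = Get-Item 'C:\Program Files\Npcap\npf.sys'       -ErrorAction SilentlyContinue
$dst = Get-Item 'C:\Windows\System32\drivers\npf.sys'  -ErrorAction SilentlyContinue
if ($src -and $dst) {
    "== source (Npcap) vs target (System32\drivers) npf.sys =="
    foreach ($ts in 'CreationTime', 'LastWriteTime', 'LastAccessTime') {
        $verdict = if ($dst.$ts -gt $src.$ts) { 'TARGET newer' } else { 'source newer or equal' }
        '{0,-15} source={1:u}  target={2:u}  -> {3}' -f $ts, $src.$ts, $dst.$ts, $verdict
    }
}

# Service state: 1077 (0x435) is ERROR_SERVICE_NEVER_STARTED, i.e. nothing has
# tried to start npf since boot, which matches the "did not start" symptom.
$svc = Get-Service -Name npf -ErrorAction SilentlyContinue
if ($svc) { "npf service: $($svc.Status), start type $($svc.StartType)" }
else      { 'npf service is not registered' }
sc.exe queryex npf
```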