Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Mon, 20 Jul 2015 13:14:19 +0800
Hi Jim,

On Mon, Jul 20, 2015 at 10:48 AM, Jim Young <jyoung@xxxxxxx> wrote:
Hello Yang,

Similar to Tyson I had quite a bit of difficulty in getting Npcap 0.01.r02 installed and running.

Looking back at a Device Manager screen shot I took PRIOR to attempting to install the 2nd version of Npcap yesterday I realized that I had an orphaned "Microsoft LM-TEST Loopback Adapter" on this system.  After the 2nd version of Npcap stalled yesterday I ended up simply forcing a reboot.  When the system came back up I noticed I now had an additional device "Microsoft LM-TEST Loopback Adapter #2" listed in Device Manager.  Today my first attempt to install the third version of the beta image (the .r2 version) I ended up with a "Npcap Loopback Adapter" but Wireshark reported "No interfaces found".   The Npcap uninstaller removed the "Npcap Loopback Adapter" but the two "Microsoft LM-TEST Loopback Adapter" devices persisted.  I manually removed these two devices by right mouse clicking on them in the Device Manager and selecting "Uninstall".


"No interfaces found" is also an issue I have encountered, but it disappears after several Npcap installations plus some reboots. I think this is because of some previous state Windows kept when installing the previous version of Npcap. This condition won't happen on a new system, and nearly won't happen after some time on an old system (one that has installed a previous version of Npcap).
 
I've attempted several uninstall/reinstall sequences, sometimes alternating with WinPcap uninstall/installs.   When WinPcap was installed I could see interfaces and sniff.   But with Npcap 0.01.r2 installed I had no luck. Occasionally when installing Npcap 0.01.r2 I was presented with the message "Npcap version 0.1.0.710 exists on this system. Replace with version 0.01?"   I could successfully run the uninstaller and then run the installer.   But one time I opted to cancel the Npcap install and reboot.  

Trying several uninstall/reinstall sequences is a good way, I also used it. Npcap detects itself based on C:\Program Files\NPFInstall.exe's binary version, so if you have installed Npcap, you should be definitely prompted with the "Npcap version 0.1.0.710 exists on this system. Replace with version 0.01?" message.
 

After rebooting and loading Wireshark I was presented with the message "Unable to load WinPcap …" instead of the "No interfaces found" message.  I guessed that from Wireshark's (well dumpcap's?) point-of-view, the Npcap uninstall had sufficiently cleaned up the previous *pcap install that no remnants of any *Pcap files persisted.   

After uninstalling Npcap I opened a cmd shell and entered:  dir /s \npf.sys  Two entries were listed in the C:\Windows\System32\DriverStore\FileRepository\inf_amd62_<hexstring>.  One was dated July 19, 2015 09:09 and had a size of 51920 bytes.  The other was dated Jul 11, 2015 03:46 AM and had a size of 41072 bytes.  After re-installing WinPcap I ended up with a npf.sys in C:\Windows\System32\drivers with a date of Feb 28, 2013 09:49 PM and a size of 36600 bytes.   Interestingly an uninstall of WinPcap does not immediately appear to delete the npf.sys file in C:\Windows\System32\drivers nor the wpcap.dll and Packet.dll files in the c:\Windows\System32 folder.  But WinPcap's uninstall does delete the wpcap.dll and Packet.dll files installed in C:\Windows\SysWOW64.  After rebooting the system these three obsolete WinPcap files still persisted.  Wireshark will apparently report the "No interfaces found" message if one of these obsolete WinPcap files persists.

A subsequent install of Npcap presented the "The target file exists and is newer than the source." message as follows:

> Source: C:\Program Files\Npcap\npf.sys
> Target: C:\Windows\system32\DRIVERS\npf.sys
> The target file exists and is newer than the source.
>
> Overwright the newer file?

Is the specific timestamp that is being checked by the Npcap installer the "wrong" timestamp (each file has several timestamp values (atime, mtime, etc))?  The obsolete WinPcap npf.sys file in the C:\Windows\System32\drivers file is in fact older than Npcap's npf.sys file in the Program Files\Npcap folder.  This can be confirmed with the command: dir /s \npf.sys

I have also tried the stock WinPcap 4.1.3 and confirmed that WinPcap 4.1.3 didn't successfully remove the npf.sys and DLLs in System32 on my Win8.1 x64, only DLLs in SysWOW64 are removed. I think this is a bug in WinPcap.

About the "Overwright the newer file?" issue, I think this is because of the version number instead of the time stamp. Because obviously, Npcap driver's time stamp is 2015 (actually just yesterday, because I rebuilt them) and much newer than WinPcap's 2013/3/1 9:49 timestamp. But the version number is different: WinPcap 4.1.3's driver binary version is 4.1.0.2980, while Npcap is 0.1.0.710, much smaller than WinPcap. I think Npcap needs to use a new version number, so I can't change it back to 4.1.4 or whatever. A possible solution would be for WinPcap to fix this bug and remove all obsolete files, or for now the user chooses "Overwrite the newer file".
 

As Tyson reported, after an install of Npcap 0.01.r2 the npf service did not start.   You can enter the command: "sc queryex npf" to see it is stopped (in my case with a WIN32_EXIT_CODE of 1077 (0x435)).  Compare this to what WinPcap looks like after installation.   I also entered "sc start npf" and npf started successfully.  An "sc queryex npf" now looks similar to what one sees when WinPcap is installed.  I started Wireshark and this time I could see interfaces including the Npcap Loopback Adapter.  I started a second copy of Wireshark so I could both watch the "spark lines" on one copy while I started a capture on the Loopback adapter in the second Wireshark instance.  I could see and capture pings to the 127.0.0.1 address.

I think that the issue you found, that Npcap's npf service didn't start automatically after installation, is a bug in Npcap, I will fix it. But for now this actually doesn't cause much issue, as nearly all user software (like Wireshark or Nmap) will start the npf service by itself.
 

I then did a netstat -a and noted a number of TCP and UDP ports were in a LISTENING state.

I used cygwin's "nc" utility to confirm the Npcap loopback interface could see TCP connections.  I first did some "nc -z 127.0.0.1 <PORT>" where <PORT> was some of the TCP ports listed in the netstat -a report.  For each nc -z test I would see a 7 packet exchange (SYN, SYN/ACK, ACK, FIN/ACK, ACK, FIN/ACK, ACK).  I then created a small text file called hello.txt with 13 bytes of data ("Hello world<0x0a><0x0a>").   I then entered the command: nc 127.0.0.1 135 <hello.txt.  Wireshark captured the SYN, SYN/ACK, ACK, followed by a FIN/ACK with a Seq number of 14 and Wireshark reporting "[TCP Previous segment not captured]", an ACK with a [TCP Window Update] followed by a RST/ACK, ACK [TCP Dup Ack] and finally a [RST].

Thanks for testing nc. It seems that Npcap works well with nc. I'd like to see compatibility reports from other user software with Npcap, as I only tested Wireshark for now myself.
 

Cheers,
Yang
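The thread above boils down to two checks an administrator wants to run after a WinPcap/Npcap swap: which copies of npf.sys, wpcap.dll and Packet.dll are still on disk (with the embedded file version the installer actually compares, not just the timestamp), and whether the npf service is registered and running. The PowerShell below is an added diagnostic written for this page, not code from Npcap, WinPcap or Wireshark. It assumes the install locations named in the thread (C:\Program Files\Npcap, System32\drivers, the DriverStore FileRepository, System32 and SysWOW64) and the version convention Yang describes (4.1.x for WinPcap 4.1.3 builds, 0.1.x for the Npcap beta); it reads files and service state only and changes nothing.

```powershell
# Added example (not part of Npcap/WinPcap): inventory *pcap binaries and
# report the npf service state, so stale WinPcap leftovers are visible.

# Roots to search; the boolean says whether to recurse (System32 itself is
# not recursed, it is far too large and the DLLs live in its top level).
$roots = @{
    "$env:SystemRoot\System32\drivers"                   = $true
    "$env:SystemRoot\System32\DriverStore\FileRepository" = $true
    "$env:ProgramFiles\Npcap"                             = $true   # assumed Npcap install dir
    "$env:SystemRoot\System32"                            = $false
    "$env:SystemRoot\SysWOW64"                            = $false
}
$names = @('npf.sys', 'wpcap.dll', 'Packet.dll')

$found = foreach ($root in $roots.Keys) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -Path $root -Recurse:$roots[$root] -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Bytes         = $_.Length
                # The installer's "newer file" test is on this value, per the thread,
                # which is why a 2015 Npcap driver looks "older" than a 2013 WinPcap one.
                FileVersion   = $_.VersionInfo.FileVersion
            }
        }
}

$found | Sort-Object Path | Format-Table -AutoSize

# Leftover check: WinPcap's uninstaller is reported to leave System32 copies behind,
# and a stale copy is enough for Wireshark to show "No interfaces found".
$found | Where-Object { $_.FileVersion -like '4.*' } | ForEach-Object {
    Write-Warning "WinPcap-era file still present: $($_.Path) (file version $($_.FileVersion))"
}

# Service state, the same information as "sc queryex npf".
$svc = Get-Service -Name npf -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'npf service is not registered (no *pcap driver installed?)'
} else {
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='npf'").StartMode
    "npf service: $($svc.Status) (start type: $startMode)"
    if ($svc.Status -ne 'Running') {
        "npf is not running; Wireshark/Nmap normally start it on demand, or run: sc start npf"
    }
}
```

Run it from an elevated PowerShell prompt so the DriverStore and drivers folders are readable. A WIN32_EXIT_CODE of 1077 in `sc queryex` output, as Jim saw, is ERROR_SERVICE_NEVER_STARTED: the driver is installed and has simply not been started since boot, which matches Yang's explanation that the missing auto-start is an installer bug rather than a broken driver.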