Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Thu, 23 Jul 2015 00:25:06 +0800
Hi Pascal,

On Wed, Jul 22, 2015 at 11:33 PM, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:


> I just gave a try to this new installer:
> - still my rename issue of the loop back installer (as expected ;)). Is there some debug log / test I could do on my side? I will double check if the rename works fine on a French Win 7.

I think I perhaps know why this doesn't work on your French Win10. It can be language related, because the Win10 renaming way uses string parsing again. This is the mechanism:
1) First Npcap runs "netsh.exe interface show interface" to get all interfaces before installing "Npcap Loopback Adapter"; you will get something like below in the English language (but I don't know if my code adapts to French, this is the key point).
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet

Npcap will parse this output to get all interface names. The method is to first go to the third line, then find the line feed char '\n'; if '\n' is found, then reverse-find the two continuous space chars "  ". Then we can get a name like "VMware Network Adapter VMnet1", and the same for the other names. Save them to a vector<string>.

2) After "Npcap Loopback Adapter" is installed, Npcap will run "netsh.exe interface show interface" again, to get the updated interface list, like below:
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VMware Network Adapter VMnet1
Enabled        Connected      Dedicated        VMware Network Adapter VMnet8
Enabled        Connected      Dedicated        VMware Network Adapter VMnet2
Enabled        Connected      Dedicated        VMware Network Adapter VMnet3
Enabled        Connected      Dedicated        Wi-Fi
Disabled       Disconnected   Dedicated        Ethernet
Enabled        Connected      Dedicated        Ethernet 2
 
We can get another vector<string> from the above output, compare these two vectors, and find the new name, which is "Ethernet 2".

3) Then Npcap will rename this new adapter using "netsh.exe interface set interface name=\"%s\" newname=\"%s\""; the first %s is the previous "Ethernet 2", and the second %s is "Npcap Loopback Adapter".

So I think this way can possibly fail on a system in a language other than English, because the output of "netsh.exe interface show interface" can be language specific. You can try these commands manually to see whether this method works.

> - driver can be started after reboot (manually or with Wireshark)

Good for this.
 

> - for those having User Account Control activated, you need to start Wireshark as administrator (even without restricting Npcap to admin during installation) to have the driver started. Unfortunate... If this is the loopback adapter that triggers the issue at startup, should its installation be optional?

I don't know whether there are many people using Wireshark with non-Admin privileges? If yes, then I think the lack of boot start support needs a solution. Making the loopback code optional is kind of difficult, because its code is deep in the driver and has a tight connection with other parts.
 

> - I finally got the opportunity to test with a MBIM WWAN device (long due task on my side ;)). The interface is not listed unfortunately.

This is weird, because in the driver's INF file, I have specified:
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan, bluetooth, ndis5, vwifi, nolower"
It should have included WAN interfaces. Perhaps you would like to find out if this WAN device has appeared in the registry, because Npcap or WinPcap only sees interfaces that appear in the registry; the registry path is: \\HKLM\\System\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}.
 

Cheers,
Yang
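
Added example, not part of the original message and not Npcap's installer code: the parse-and-diff method from steps 1) and 2) above, written out in C++. The function names are hypothetical, and the parser keys on the dashed separator line instead of counting to the third line, so it reads nothing from the header text.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample, shortened from the listings in the message. The leading
// blank line and CRLF line endings are assumptions about raw netsh output.
const std::string kBefore =
    "\r\nAdmin State    State          Type             Interface Name\r\n"
    "-------------------------------------------------------------------------\r\n"
    "Enabled        Connected      Dedicated        VMware Network Adapter VMnet1\r\n"
    "Disabled       Disconnected   Dedicated        Ethernet\r\n";
const std::string kAfter = kBefore + "Enabled        Connected      Dedicated        Ethernet 2\r\n";

// Return the last column of every row below the dashed separator line.
std::vector<std::string> parse_interface_names(const std::string& output) {
    std::vector<std::string> names;
    std::istringstream in(output);
    std::string line;
    bool in_rows = false;
    while (std::getline(in, line)) {
        line.erase(line.find_last_not_of(" \t\r") + 1);  // trim CR and spaces
        if (!in_rows) {  // skip everything up to and including the "----" line
            in_rows = !line.empty() && line.find_first_not_of('-') == std::string::npos;
            continue;
        }
        // Reverse-find the two-space gap; a name with two spaces inside gets cut short.
        std::size_t gap = line.rfind("  ");
        if (gap != std::string::npos) names.push_back(line.substr(gap + 2));
    }
    return names;
}

// Names present in `after` but not in `before`, in listing order.
std::vector<std::string> new_interfaces(const std::vector<std::string>& before,
                                        const std::vector<std::string>& after) {
    std::vector<std::string> added;
    for (const auto& name : after)
        if (std::find(before.begin(), before.end(), name) == before.end())
            added.push_back(name);
    return added;
}

int main() {
    auto added = new_interfaces(parse_interface_names(kBefore), parse_interface_names(kAfter));
    // Rename only when exactly one new adapter was found.
    if (added.size() != 1) return 1;
    std::cout << "new adapter: " << added[0] << "\n";
}
```

An empty or multi-entry result means the diff could not single out the new adapter, which is the case to log before attempting the rename in step 3).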