Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)
From: Jim Young <jyoung@xxxxxxx>
Date: Thu, 23 Jul 2015 05:06:35 +0000
Hello Yang,

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Wednesday, July 22, 2015 11:12 PM
> I tested it against Win10 10240 x64 (French and Chinese), try installer
> at:
> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r2.exe

I've continued to test the various Npcap versions in WinPcap API mode on a Windows 8.1 system. Here are some observations.

1 - I can not uninstall and then install Npcap successfully without rebooting the system between the Uninstall and Install. If I attempt the install without the reboot then the NPFInstall.exe -i1 step will stall and I am forced to reboot the system. After rebooting I can see that the various Npcap components like npf.sys, packet.dll, wpcap.dll will have been placed in the expected locations, but the newly created loopback interface will not have the expected Npcap name. To clean this up I manually Uninstall the orphaned loopback adapter and then rerun the Npcap installer, which will detect the files from the previous install attempt and launch the Npcap uninstaller. After the uninstaller finishes I [Cancel] the Npcap Install and reboot the system. Upon reboot I can successfully re-install Npcap.

I've been using the following set of commands in a cmd shell to get a quick look-see at the state of the Npcap install and uninstall:

    netsh.exe interface show interface
    sc queryex npf
    dir /s \npf.sys
    dir /s \packet.dll
    dir /s \wpcap.dll

Interestingly, when Npcap fails to install (because I didn't reboot after the last Uninstall), the orphaned "Microsoft KM-TEST Loopback Adapter" will NOT be listed in the netsh interface show interface report. I see this in the Device Manager's Network Adapters list.

2 - If I attempt to uninstall Npcap while npf is in use (Wireshark is running), the system will crash with the message: PAGE_FAULT_IN_NONPAGED_AREA or PAGE_FAULT_IN_NOT_PAGED_AREA(npf.sys). If I do not have Wireshark running, then the uninstall will complete successfully (but I still need to reboot to reinstall Npcap successfully). Interestingly, if one tries to stop npf while Wireshark is running (from an admin level cmd shell enter: sc stop npf), sc will report the stop request as "pending". Once Wireshark is shut down the npf service will stop. Should the uninstaller detect that the npf service could not shut down and abort the uninstall attempt?

3 - TCP packets captured on the loopback interface do not have payloads. With long running traces I see various occasional traffic on the loopback interface. It looks like only the TCP packets do not show payload packets. Interestingly, when the Firefox browser is running I see various short lived TCP sessions on the loopback using adjacent port numbers (for example SYN src=49225, dstport=49224).

4 - With the recent Npcap versions I had not seen any more issues with the Cisco AnyConnect VPN client. I had left some of these later Npcap versions running for hours with Wireshark sniffing on the loopback and sometimes other adapters. But immediately after I first installed Npcap 0.02.r2 the Cisco VPN client failed. I've uninstalled, rebooted and reinstalled Npcap 0.02.r2 a few times and each time I have had the Cisco AnyConnect VPN fail (sooner or later).

5 - The Npf installer (or uninstaller) is leaving what I assume are obsolete folders (and files in those folders) in subfolders of C:\Windows\System32\DriverStore\FileRepository. These subfolders have names that begin with "npf.inf_amd64_" followed by 16 hexadecimal characters. Should these be deleted as part of the install or uninstall process?

6 - After the initial install of Npcap 0.02.r1, the npf service is immediately started, but upon a reboot the npf service is stopped and must be manually started (from an admin cmd shell: netsh start npf). Running Wireshark (as a normal user) does not automatically start the npf service. I have not attempted to start Wireshark in an admin level cmd shell.

Best regards,
Jim Y.
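A read-only PowerShell check that bundles the state inspection Jim describes above (npf service state, an orphaned KM-TEST loopback adapter, the npf.sys / packet.dll / wpcap.dll locations, and leftover npf.inf_amd64_ folders in the DriverStore), added here as an example; it is not code from this thread or from the Npcap project. The function name, the default search root, and the use of Get-Service, Win32_NetworkAdapter and Get-ChildItem in place of sc, netsh and dir are assumptions; it assumes Windows 8.1 or later and an elevated session.

```powershell
# Added example (not part of the original thread): consolidate the checks from
# the mail into one read-only report. Assumes Windows 8.1+ and an elevated
# PowerShell session; nothing on the system is modified.

function Get-NpcapInstallState {
    [CmdletBinding()]
    param(
        # Roots to search for the driver and DLLs ('dir /s \npf.sys' in the
        # mail only searches the current drive). Assumed default.
        [string[]]$SearchRoots = @("$env:SystemRoot\System32")
    )

    # 1. Service state, the 'sc queryex npf' equivalent. 'StopPending' is the
    #    state the mail describes while Wireshark still holds the driver open.
    $svc = Get-Service -Name npf -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. Adapters: netsh only lists adapters that have a bound interface, so
    #    query the device list (what Device Manager shows) to catch an
    #    orphaned "Microsoft KM-TEST Loopback Adapter".
    $loopbacks = Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.Name -like '*KM-TEST Loopback*' } |
        Select-Object Name, NetConnectionID, NetConnectionStatus

    # 3. Where the driver and user-mode DLLs currently live.
    $files = foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue `
            -Include npf.sys, packet.dll, wpcap.dll |
            Select-Object FullName, Length, LastWriteTime
    }

    # 4. DriverStore packages named npf.inf_amd64_<16 hex chars>; more than one
    #    after an uninstall suggests the leftovers the mail describes.
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $stale = Get-ChildItem -Path $repo -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^npf\.inf_amd64_[0-9a-f]{16}$' } |
        Select-Object Name, CreationTime

    [pscustomobject]@{
        ServiceStatus      = $serviceStatus
        LoopbackAdapters   = @($loopbacks)
        DriverFiles        = @($files)
        DriverStoreFolders = @($stale)
    }
}

Get-NpcapInstallState | Format-List
```

Run it once before an uninstall and once after the reboot; a 'StopPending' service, a loopback adapter absent from netsh but present here, or several npf.inf_amd64_ folders each correspond to one of the symptoms reported above.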