[Yang Luo <hsluoyb@xxxxxxxxx>]

Hi Tyson,

I have analyzed the five dumps you provided:

1) 072715-32078-01.dmp

This dump is caused by nt!VerifierBugCheckIfAppropriate+0x3c code from process svchost.exe, and it seems to be that you switched on Verifier function for your system. I think there's no relationship with Npcap.

2) 072715-31968-01.dmp and 072715-32468-01.dmp

this dump provides BSoD about SYSTEM_SERVICE_EXCEPTION. It is caused by ndis!NdisFOidRequest+62 code from process dumpcap.exe. As Npcap uses NdisFOidRequest calls, I think it's possibly a bug. I'd like to know how you used dumpcap.exe, like parameters?

3) 072715-33859-01.dmp and 072715-48062-01.dmp

It is caused by Asset-uPNP.exe, from Asset audio server software provided by illustrate. I think maybe you would like to disable or uninstall it first, to see if the fault still happens. WinDbg also reports that OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap. 'appexDrv.sys''s description is " "AppEx Accelerator LWF/WFP Driver L.E."".  nwifi.sys seems to be a Microsoft built-in component, and AppEx Networks Accelerator seems to be a VPN software, unfortunately, I didn't find a download link. But this is maybe not the main cause, whatever you can try to shutdown it to see if there's any change.

072715-48062-01.dmp's report is pasted here:

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 0, ffffe0008d01cbf8}

fffff80059152240: Unable to get special pool info

fffff80059152240: Unable to get special pool info

unable to get nt!MmPoolCodeStart

unable to get nt!MmPoolCodeEnd

Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

BAD_POOL_CALLER (c2)

The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.

Arguments:

Arg1: 0000000000000007, Attempt to free pool which was already freed

Arg2: 0000000000001200, (reserved)

Arg3: 0000000000000000, Memory contents of the pool block

Arg4: ffffe0008d01cbf8, Address of the block of pool being deallocated

Debugging Details:

------------------

OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap

POOL_ADDRESS:  ffffe0008d01cbf8 

FREED_POOL_TAG:  NDnd

BUGCHECK_STR:  0xc2_7_NDnd

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  Asset-uPNP.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff8005912fff2 to fffff80058fdbca0

STACK_TEXT:  

ffffd000`27118f88 fffff800`5912fff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00000000 : nt!KeBugCheckEx

ffffd000`27118f90 fffff800`3763083d : 00000000`00000000 ffffe000`8d596040 000008fe`00000010 00000014`00000000 : nt!ExAllocatePoolWithTag+0x1102

ffffd000`27119080 fffff800`376023f1 : 00000000`00000000 ffffe000`8ceb3740 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d

ffffd000`271190f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1

STACK_COMMAND:  kb

FOLLOWUP_IP: 

NETIO!NetioCompleteCloneNetBufferListChain+1508d

fffff800`3763083d 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6

FAILURE_BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d

BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d

Followup: MachineOwner

---------

On Tue, Jul 28, 2015 at 3:12 PM, Tyson Key <tyson.key@xxxxxxxxx> wrote:

I just uploaded my MiniDumps to https://dl.dropboxusercontent.com/u/670345/MiniDump.rar, if it makes debugging this easier.

Tyson.

2015-07-28 8:08 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:

Hi Yang,

Thanks for looking into this. 

I can't remember when/how I installed Win10PCap (guessing that I briefly had a look, but couldn't get it to do anything on my machine, and just removed it), but I'm using VMware Player 6.0.7 build-2844087 (haven't got Workstation/Server installed); and I tried a dance of upgrading/downgrading/upgrading my AR9485WB-EG WLAN driver (first by downloading the package from http://support.lenovo.com/us/en/downloads/ds032333, to take me from 10.0.0.242, to 10.0.0.75; and then using Device Manager's driver update function, to take me to 3.0.1.155 (which I'm guessing is probably older than 242 - I'm just guessing from the sketchy build dates) - which gave me a different type of BSoD, initially, after starting Wireshark, but let me capture traffic for a little while, after rebooting.

Here's all of the MiniDump summaries that I could find:

==================================================

Dump File         : 072715-31968-01.dmp

Crash Time        : 27/07/2015 07:02:32 pm

Bug Check String  : SYSTEM_SERVICE_EXCEPTION

Bug Check Code    : 0x0000003b

Parameter 1       : 00000000`c0000005

Parameter 2       : fffff801`1be5d485

Parameter 3       : ffffd000`2324e980

Parameter 4       : 00000000`00000000

Caused By Driver  : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+150ca0

File Description  : NT Kernel & System

Product Name      : Microsoft® Windows® Operating System

Company           : Microsoft Corporation

File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)

Processor         : x64

Crash Address     : ntoskrnl.exe+150ca0

Stack Address 1   : 

Stack Address 2   : 

Stack Address 3   : 

Computer Name     : 

Full Path         : C:\WINDOWS\Minidump\072715-31968-01.dmp

Processors Count  : 4

Major Version     : 15

Minor Version     : 9600

Dump File Size    : 281,520

Dump File Time    : 27/07/2015 07:03:33 pm

==================================================

==================================================

Dump File         : 072715-32078-01.dmp

Crash Time        : 27/07/2015 06:47:01 pm

Bug Check String  : BAD_POOL_CALLER

Bug Check Code    : 0x000000c2

Parameter 1       : 00000000`00000099

Parameter 2       : ffffe000`7d4b31b8

Parameter 3       : 00000000`00000000

Parameter 4       : 00000000`00000000

Caused By Driver  : tcpip.sys

Caused By Address : tcpip.sys+42856

File Description  : TCP/IP Driver

Product Name      : Microsoft® Windows® Operating System

Company           : Microsoft Corporation

File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)

Processor         : x64

Crash Address     : ntoskrnl.exe+150ca0

Stack Address 1   : 

Stack Address 2   : 

Stack Address 3   : 

Computer Name     : 

Full Path         : C:\WINDOWS\Minidump\072715-32078-01.dmp

Processors Count  : 4

Major Version     : 15

Minor Version     : 9600

Dump File Size    : 281,520

Dump File Time    : 27/07/2015 06:48:04 pm

==================================================

==================================================

Dump File         : 072715-32468-01.dmp

Crash Time        : 27/07/2015 06:34:37 pm

Bug Check String  : SYSTEM_SERVICE_EXCEPTION

Bug Check Code    : 0x0000003b

Parameter 1       : 00000000`c0000005

Parameter 2       : fffff801`962a446e

Parameter 3       : ffffd001`1bd0f980

Parameter 4       : 00000000`00000000

Caused By Driver  : ndis.sys

Caused By Address : ndis.sys+546e

File Description  : Network Driver Interface Specification (NDIS)

Product Name      : Microsoft® Windows® Operating System

Company           : Microsoft Corporation

File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)

Processor         : x64

Crash Address     : ntoskrnl.exe+150ca0

Stack Address 1   : 

Stack Address 2   : 

Stack Address 3   : 

Computer Name     : 

Full Path         : C:\WINDOWS\Minidump\072715-32468-01.dmp

Processors Count  : 4

Major Version     : 15

Minor Version     : 9600

Dump File Size    : 281,520

Dump File Time    : 27/07/2015 06:35:48 pm

==================================================

==================================================

Dump File         : 072715-33859-01.dmp

Crash Time        : 27/07/2015 05:11:25 pm

Bug Check String  : BAD_POOL_CALLER

Bug Check Code    : 0x000000c2

Parameter 1       : 00000000`00000007

Parameter 2       : 00000000`00001200

Parameter 3       : 00000000`00000000

Parameter 4       : ffffe000`8d01cbf8

Caused By Driver  : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+150ca0

File Description  : NT Kernel & System

Product Name      : Microsoft® Windows® Operating System

Company           : Microsoft Corporation

File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)

Processor         : x64

Crash Address     : ntoskrnl.exe+150ca0

Stack Address 1   : 

Stack Address 2   : 

Stack Address 3   : 

Computer Name     : 

Full Path         : C:\WINDOWS\Minidump\072715-33859-01.dmp

Processors Count  : 4

Major Version     : 15

Minor Version     : 9600

Dump File Size    : 281,520

Dump File Time    : 27/07/2015 05:12:34 pm

==================================================

==================================================

Dump File         : 072715-48062-01.dmp

Crash Time        : 27/07/2015 05:00:25 pm

Bug Check String  : BAD_POOL_CALLER

Bug Check Code    : 0x000000c2

Parameter 1       : 00000000`00000007

Parameter 2       : 00000000`00001200

Parameter 3       : 00000000`00000000

Parameter 4       : ffffe000`4bc1b4c8

Caused By Driver  : ntoskrnl.exe

Caused By Address : ntoskrnl.exe+150ca0

File Description  : NT Kernel & System

Product Name      : Microsoft® Windows® Operating System

Company           : Microsoft Corporation

File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)

Processor         : x64

Crash Address     : ntoskrnl.exe+150ca0

Stack Address 1   : 

Stack Address 2   : 

Stack Address 3   : 

Computer Name     : 

Full Path         : C:\WINDOWS\Minidump\072715-48062-01.dmp

Processors Count  : 4

Major Version     : 15

Minor Version     : 9600

Dump File Size    : 281,520

Dump File Time    : 27/07/2015 05:01:58 pm

==================================================

Frustratingly, since there are so many variables involved (unscientific method!), it seems like I'm playing a Jenga game with trying to make this work, since if I remove, or change something, it works for a little while, and then crashes in a creative, new way. (And I don't want to reinstall everything, since I don't have a disk big enough to back everything up). :(

I've uploaded a copy of the Nurago Web Meter to https://dl.dropboxusercontent.com/u/670345/nurago%20web%20meter.exe, and I seem to also have an older installer for it in my "Downloads" directory, which may exercise the LSP architecture of WinSock differently.

The SYSTEM_SERVICE_EXCEPTION error is interesting, as it is one of the few that reveals a problem in WinSock/NDIS...

I would try it in a virtual machine - but it wouldn't get us any closer to diagnosing why it fails to work, with my not-so-unique configuration.

Tyson.

2015-07-28 7:27 GMT+01:00 Yang Luo <hsluoyb@xxxxxxxxx>:

On Mon, Jul 27, 2015 at 10:42 PM, Tyson Key <tyson.key@xxxxxxxxx> wrote:

After rebooting from uninstalling MS NetMon, I restarted Wireshark, and got the usual "NPF service not running; no interfaces available" note. This persists, even if I try "NPFInstall -r", and Wireshark still claims that no interfaces are available. 

"NPFInstall -r" isn't used in Npcap. "NPF service not running; no interfaces available" is a common problem for Npcap previous versions. And I think it should disappear if you have uninstalled previous versions totally.

 

Eventually, after uninstalling NPCap, removing all of the loopback interfaces, and running CCleaner to remove any residual registry data, and then rebooting yet again, I could start Wireshark, and list the installed interfaces - but unsurprisingly, a few moments later, I received another BSoD.

If it helps, my Wireshark version is:

Version 1.99.8-492-g3f0f49d (v1.99.8rc0-492-g3f0f49d from master)

Copyright 1998-2015 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.

License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>

This is free software; see the source for copying conditions. There is NO

warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango 1.36.8, with

WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with

c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT

Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 22 2015), with

AirPcap.

Running on 64-bit Windows 8.1, build 9600, with locale English_United

Kingdom.1252, with Npcap version 0.01 (packet.dll version 0.03), based on

WinPcap version 4.1.3 (packet.dll version 4.1.0.3001), based on libpcap version

1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without

AirPcap.

AMD A6-5200 APU with Radeon(TM) HD Graphics     (with SSE4.2), with 5577MB of

physical memory.

Built using Microsoft Visual C++ 12.0 build 31101

Wireshark is Open Source Software released under the GNU General Public License.

Check the man page and http://www.wireshark.org for more information.

I used Wireshark latest stable version: Version 1.12.6 (v1.12.6-0-gee1fce6 from master-1.12). But I don't think it makes a difference by using stable version or development version, as its WinPcap related low-level code rarely changed between these two versions.

 

Other than NetMon (which I've removed), the only other things that I think could be causing a conflict are either the VMware host-only networking filters; the networking components included with whatever Bluetooth stack Lenovo shipped; the massive pile of hacks installed by the Gacela component of "Nurago Web Meter", or my Atheros WLAN drivers (which caused Acrylic Wi-Fi's NDIS filters to crash, when I briefly had that installed, a while ago).

What version VMware are you using? Workstation or just Player? I used VMware Workstation 11.1.2 build-2780323 on my host, but I didn't install it on my test VM yet.

 

Cheers,

Yang

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

--

                                          Fight Internet Censorship! http://www.eff.org

http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844

--

                                          Fight Internet Censorship! http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe