Re: [Wireshark-dev] Npcap 0.04 call for test

2015-09-02 Thread Yang Luo
Hi Pascal, Sometimes network is not working because Npcap is an optional filter driver and can cause network to be unavailable for up to 90 seconds (refers to: https://support.microsoft.com/en-us/kb/2019184), so this is expected, I think adding a hint about this is a good idea, and moreover if some

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-09-02 Thread Pascal Quantin
2015-09-02 8:38 GMT+02:00 Yang Luo : > Hi Pascal, > > On Wed, Sep 2, 2015 at 1:57 AM, Pascal Quantin > wrote: > >> >> >> 2015-09-01 17:23 GMT+02:00 Pascal Quantin : >> >>> >>> >>> 2015-09-01 3:19 GMT+02:00 Yang Luo : >>> Hi Pascal, Thanks for this bug. This bug is because loopback

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-09-01 Thread Yang Luo
Hi Pascal, On Wed, Sep 2, 2015 at 1:57 AM, Pascal Quantin wrote: > > > 2015-09-01 17:23 GMT+02:00 Pascal Quantin : > >> >> >> 2015-09-01 3:19 GMT+02:00 Yang Luo : >> >>> Hi Pascal, >>> >>> Thanks for this bug. This bug is because loopback flag in Npcap driver >>> isn't set when the driver is pau

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-09-01 Thread Pascal Quantin
2015-09-01 17:23 GMT+02:00 Pascal Quantin : > > > 2015-09-01 3:19 GMT+02:00 Yang Luo : > >> Hi Pascal, >> >> Thanks for this bug. This bug is because loopback flag in Npcap driver >> isn't set when the driver is paused and restarted (occurs when system >> resumes from sleep). I have fixed it. >> T

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-09-01 Thread Pascal Quantin
2015-09-01 3:19 GMT+02:00 Yang Luo : > Hi Pascal, > > Thanks for this bug. This bug is because loopback flag in Npcap driver > isn't set when the driver is paused and restarted (occurs when system > resumes from sleep). I have fixed it. > Try latest installer at: > https://svn.nmap.org/nmap-exp/y

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-31 Thread Yang Luo
Hi Pascal, Thanks for this bug. This bug is because loopback flag in Npcap driver isn't set when the driver is paused and restarted (occurs when system resumes from sleep). I have fixed it. Try latest installer at: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04-r9.exe Cheers, Yang

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-25 Thread Yang Luo
Hi Guy, Now PCAP_IF_LOOPBACK flag in pcap_if_t struct will be set for "Npcap Loopback Adapter" both for DLT_NULL mode and Fake Ethernet mode. See Npcap 0.04 r8 at: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04-r8.exe Cheers, Yang On Tue, Aug 25, 2015 at 3:15 PM, Guy Harris wrote:

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-25 Thread Guy Harris
On Aug 24, 2015, at 11:19 PM, Yang Luo wrote: > Npcap 0.04 r7 is released. > > 1) One change is that PCAP_IF_LOOPBACK is set for "Npcap Loopback Adapter" in > DLT_NULL mode It should be set in *both* modes - it's a loopback interface regardless of whether it uses DLT_NULL or DLT_EN10MB heade

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi, Npcap 0.04 r7 is released. 1) One change is that PCAP_IF_LOOPBACK is set for "Npcap Loopback Adapter" in DLT_NULL mode in Npcap 0.04 r7. So if you install Npcap with DLT_NULL mode checked, you can see "Npcap Loopback Adapter" is listed in the last row of Wireshark UI. 2) Another change is th

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Guy Harris
On Aug 24, 2015, at 6:08 AM, Yang Luo wrote: > I have looked at all occurrences of PCAP_IF_LOOPBACK in Npcap's wpcap.dll > code at > https://github.com/nmap/npcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK, it > seems that this property is never effectively used inside wpcap.dll's code. In fad

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi Guy, I have looked at all occurrences of PCAP_IF_LOOPBACK in Npcap's wpcap.dll code at https://github.com/nmap/npcap/search?utf8=%E2%9C%93&q=PCAP_IF_LOOPBACK, it seems that this property is never effectively used inside wpcap.dll's code. In Wireshark's WinPcap official trunk, it is totally unus

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 13:18 GMT+02:00 Yang Luo : > Hi Pascal, > > I think you would like to add the link types that WinPcap defined but NDIS > doesn't define, see: > https://github.com/wireshark/winpcap/blob/master/Common/Packet32.h from > Line: 76. Comments said that these are "Custom linktype: NDIS doesn't

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi Pascal, I think you would like to add the link types that WinPcap defined but NDIS doesn't define, see: https://github.com/wireshark/winpcap/blob/master/Common/Packet32.h from Line: 76. Comments said that these are "Custom linktype: NDIS doesn't provide an equivalent". And it seems that Npcap l

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 12:30 GMT+02:00 Yang Luo : > Hi Pascal, > > On Mon, Aug 24, 2015 at 5:46 PM, Pascal Quantin > wrote: > >> >> >>> I personally think data returned by OID_GEN_MEDIA_IN_USE should be >>> identical with the one returned by OID_GEN_MEDIA_SUPPORTED for our loopback >>> condition based on MSD

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
On 24 August 2015 12:19 PM, "Yang Luo" wrote: > > Hi Pascal, > > On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin wrote: >> >> >> >> Hi Yang, >> >> any reason for not using NdisMediumLoopback that is defined since Vista according to https://msdn.microsoft.com/en-us/library/windows/hardware/ff5659

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi Pascal, On Mon, Aug 24, 2015 at 5:46 PM, Pascal Quantin wrote: > > >> I personally think data returned by OID_GEN_MEDIA_IN_USE should be >> identical with the one returned by OID_GEN_MEDIA_SUPPORTED for our loopback >> condition based on MSDN explanation, and it's "media" instead of "medium",

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi Pascal, On Mon, Aug 24, 2015 at 4:19 PM, Pascal Quantin wrote: > > > Hi Yang, > > any reason for not using NdisMediumLoopback that is defined since Vista > according to > https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx > ? Maybe it would make sense to swit

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 11:39 GMT+02:00 Yang Luo : > Hi Pascal, > > "Medium in use" value corresponds to OID_GEN_MEDIA_IN_USE, not > OID_GEN_PHYSICAL_MEDIUM, Just below "Medium in use" text, you can see > "Physical medium" line, this one is related to OID_GEN_PHYSICAL_MEDIUM, > and it's a "Unspecified" for Npc

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Yang Luo
Hi Pascal, "Medium in use" value corresponds to OID_GEN_MEDIA_IN_USE, not OID_GEN_PHYSICAL_MEDIUM, Just below "Medium in use" text, you can see "Physical medium" line, this one is related to OID_GEN_PHYSICAL_MEDIUM, and it's a "Unspecified" for Npcap Loopback Adapter, which I think is a suitable v

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 10:29 GMT+02:00 Pascal Quantin : > > > 2015-08-24 10:19 GMT+02:00 Pascal Quantin : > >> 2015-08-24 3:38 GMT+02:00 Yang Luo : >> >>> Hi list, >>> >>> In latest 0.04 r6 version, I have used 0x02, 0x00, 0x00, 0x00 for an >>> IPv4 packet and 0x18, 0x00, 0x00, 0x00 for an IPv6 packet (tell m

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Guy Harris
On Aug 24, 2015, at 1:32 AM, Pascal Quantin wrote: > 2015-08-24 10:28 GMT+02:00 Guy Harris : > >> Note that, if all packets are IPv4 or IPv6 packets, you could also use >> NdisMediumIP, if that means "received and transmitted packets begin with an >> IP header and have no link-layer header",

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 10:28 GMT+02:00 Guy Harris : > > On Aug 24, 2015, at 1:19 AM, Pascal Quantin > wrote: > > > any reason for not using NdisMediumLoopback that is defined since Vista > according to > https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx > ? Maybe it would m

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 10:19 GMT+02:00 Pascal Quantin : > 2015-08-24 3:38 GMT+02:00 Yang Luo : > >> Hi list, >> >> In latest 0.04 r6 version, I have used 0x02, 0x00, 0x00, 0x00 for an >> IPv4 packet and 0x18, 0x00, 0x00, 0x00 for an IPv6 packet (tell me if >> you have better value for IPv6). The driver can re

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Guy Harris
On Aug 24, 2015, at 1:19 AM, Pascal Quantin wrote: > any reason for not using NdisMediumLoopback that is defined since Vista > according to > https://msdn.microsoft.com/en-us/library/windows/hardware/ff565910%28v=vs.85%29.aspx > ? Maybe it would make sense to switch to DLT_LOOPBACK You mean

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-24 Thread Pascal Quantin
2015-08-24 3:38 GMT+02:00 Yang Luo : > Hi list, > > In latest 0.04 r6 version, I have used 0x02, 0x00, 0x00, 0x00 for an IPv4 > packet and 0x18, 0x00, 0x00, 0x00 for an IPv6 packet (tell me if you have > better value for IPv6). The driver can return NdisMediumNull now for > loopback interface. Wir

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-23 Thread Yang Luo
Hi list, In latest 0.04 r6 version, I have used 0x02, 0x00, 0x00, 0x00 for an IPv4 packet and 0x18, 0x00, 0x00, 0x00 for an IPv6 packet (tell me if you have better value for IPv6). The driver can return NdisMediumNull now for loopback interface. Wireshark seems to work now, one little issue is tha

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-23 Thread Guy Harris
On Aug 23, 2015, at 2:55 AM, Graham Bloice wrote: > As AF_INET6 is defined as 23 on the Windows platform: > ws2def.h(109): #define AF_INET6 23 // Internetwork > Version 6 > Shouldn't code running on that platform, i.e. Wireshark use the appropriate > value rather than faki

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-23 Thread Graham Bloice
On 23 August 2015 at 04:07, Guy Harris wrote: > > On Aug 22, 2015, at 11:07 AM, Pascal Quantin > wrote: > > > DLT_NULL does not work as expected because Npcap is still providing a > linktype of type Ethernet instead of Null. I was able to fix the > encapsulation of a capture by running editcap -T

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-22 Thread Guy Harris
On Aug 22, 2015, at 11:07 AM, Pascal Quantin wrote: > DLT_NULL does not work as expected because Npcap is still providing a > linktype of type Ethernet instead of Null. I was able to fix the > encapsulation of a capture by running editcap -T null dlt_null.pcapng > dlt_null_fixed.pcapng. OK, t

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-22 Thread Guy Harris
On Aug 21, 2015, at 10:55 PM, Yang Luo wrote: > Npcap 0.04 r5 has added the DLT_NULL protocol support, you need to check the > "Use DLT_NULL protocol as loopback packets' link layer instead of Ethernet > II" option when installing (default is not checked). The problem is Wireshark > didn't re

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-22 Thread Pascal Quantin
2015-08-22 7:55 GMT+02:00 Yang Luo : > Hi list, > > Npcap 0.04 r5 has added the DLT_NULL protocol support, you need to check > the *"Use DLT_NULL protocol as loopback packets' link layer instead of > Ethernet II"* option when installing (default is not checked). The > problem is Wireshark didn't r

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-21 Thread Yang Luo
Hi list, Npcap 0.04 r5 has added the DLT_NULL protocol support, you need to check the *"Use DLT_NULL protocol as loopback packets' link layer instead of Ethernet II"* option when installing (default is not checked). The problem is Wireshark didn't recognize these loopback packets correctly, I thin

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-19 Thread Yang Luo
Hi, This issue has been added to list at: https://github.com/nmap/nmap/issues/200. Windows is slightly different for this thing, because Npcap Loopback Adapter is actually based on "Microsoft KM-TEST Loopback Adapter" and Windows makes "Microsoft KM-TEST Loopback Adapter" an Ethernet adapter, it h

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Guy Harris
On Aug 18, 2015, at 9:50 PM, Yang Luo wrote: > Current fake Ethernet encapsulation of Npcap refers to the Linux > implementation (actually is Ubuntu, as I am only familiar with it for a Linux > system). I don't own an OS X computer now so I can't test or use it. One > question is is NULL/Loopb

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Yang Luo
Hi Jim, Current fake Ethernet encapsulation of Npcap refers to the Linux implementation (actually is Ubuntu, as I am only familiar with it for a Linux system). I don't own an OS X computer now so I can't test or use it. One question is is NULL/Loopback encapsulation a widespread protocol standard l

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Pascal Quantin
k.org> on behalf of Yang Luo < > hslu...@gmail.com> > *Sent:* Tuesday, August 18, 2015 11:08 > *To:* Developer support list for Wireshark > *Subject:* Re: [Wireshark-dev] Npcap 0.04 call for test > > Hi Jim, > > The log points to the sam

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Guy Harris
On Aug 18, 2015, at 9:22 AM, Jim Young wrote: > Instead of supplying an ethernet header with the mac addresses of all zeros, > would it make more sense to supply a NULL/Loopback encapsulation type to > packets captured in the Npcap LoopBack Interface? It looks as if the loopback interface sup

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Jim Young
5 11:08 To: Developer support list for Wireshark Subject: Re: [Wireshark-dev] Npcap 0.04 call for test Hi Jim, The log points to the same issue with Pascal, and please try the latest installer at: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04-r3.exe Cheers, Yang os-x.ping-to-loopb

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Pascal Quantin
On 18 August 2015 5:04 PM, "Yang Luo" wrote: > > Hi Pascal, > > I have analyzed your log and it shows that WSK_CLIENT_DISPATCH::WskSocket function fails with STATUS_ACCESS_DENIED. The result turns out to be a bug: If you launch Wireshark with no Admin right, the WSK code fails to init, so Npcap

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Yang Luo
wireshark-dev-boun...@wireshark.org> on behalf of Yang Luo < > hslu...@gmail.com> > *Sent:* Sunday, August 16, 2015 23:12 > *To:* Developer support list for Wireshark > *Subject:* Re: [Wireshark-dev] Npcap 0.04 call for test > > Hi Jim, > > Did you also use a VirtualB

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-18 Thread Yang Luo
Hi Pascal, I have analyzed your log and it shows that WSK_CLIENT_DISPATCH::WskSocket function fails with STATUS_ACCESS_DENIED. The result turns out to be a bug: If you launch Wireshark with no Admin right, the WSK code fails to init, so Npcap loopback adapter can't be opened. I think you launched

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-17 Thread Yang Luo
Hi Pascal, Sorry that 0.04 r2 lacks some message, I added some extra trace in latest version, please try this and give me the log, https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.04-r2-debug-2.exe Also it's we

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Yang Luo
Hi Guy, On Mon, Aug 17, 2015 at 11:02 AM, Guy Harris wrote: > > On Aug 16, 2015, at 7:39 PM, Jim Young wrote: > > > But unlike the earlier versions, the NPcap Loopback Adapter no > longer shows up in the list of interfaces available to Wireshark. > > I suspect the most likely reason for th

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Yang Luo
Hi Jim, Did you also use a VirtualBox guest to test Npcap 0.04? I think the cause is the same with Pascal: I added Winsock Kernel init code to loopback interface's OpenAdapter op, if the init fails, the adapter fails to be opened. There're also two ways, first provide me the reproduce steps if you

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Guy Harris
On Aug 16, 2015, at 7:39 PM, Jim Young wrote: > But unlike the earlier versions, the NPcap Loopback Adapter no longer > shows up in the list of interfaces available to Wireshark. I suspect the most likely reason for this would either be that 1) PacketGetAdapterNames() doesn't lis

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Jim Young
Hello Yang, I have attempted to test Npcap 0.04 on my primary Windows 8.1 machine. After uninstalling any previous WinPCap or Npcap I rebooted and then successfully installed Npcap 0.04. The Npcap Loopback Adapter shows up in the list from the Device Manager's Network adapter. The good ne

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Yang Luo
Hi Pascal, Thanks for test. It's my typo mistake for the BSoD word, what I meant is the loopback interface didn't show problem, in fact they share the same cause. Because I didn't handle the error correctly in 0.03 r5 and r6, so it turns to a BSoD. On Sun, Aug 16, 2015 at 11:55 PM, Pascal Quanti

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Pascal Quantin
On 16 August 2015 3:39 PM, "Pascal Quantin" wrote: > > Hi Yang, > > 2015-08-16 14:18 GMT+02:00 Yang Luo : >> >> Hi Pascal, >> >> I think this BSoD is caused by the Winsock Kernel init code in Npcap driver (NPF_WSKStartup call or NPF_WSKInitSockets call failed). I can't reproduce it on my Win8.1 V

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-16 Thread Yang Luo
Hi Pascal, I think this BSoD is caused by the Winsock Kernel init code in Npcap driver (*NPF_WSKStartup* call or *NPF_WSKInitSockets* call failed). I can't reproduce it on my Win8.1 VM, Win10 VM and Win10 physical host. I used VMware Workstation 11.1.2 for my VMs. I don't know which type your VM i

Re: [Wireshark-dev] Npcap 0.04 call for test

2015-08-15 Thread Pascal Quantin
Hi Yang, 2015-08-15 14:38 GMT+02:00 Yang Luo : > Hi list, > > Thanks for your tests for the first 3 versions of Npcap, with your tests I > am able to release Npcap 0.04 version as below: > 1) Fixed the BAD_POOL_CALLER BSoD. > 2) Updated Packet, NPFInstall, NPcapHelper projects to MSVC 2010, updat

[Wireshark-dev] Npcap 0.04 call for test

2015-08-15 Thread Yang Luo
Hi list, Thanks for your tests for the first 3 versions of Npcap, with your tests I am able to release Npcap 0.04 version as below: 1) Fixed the BAD_POOL_CALLER BSoD. 2) Updated Packet, NPFInstall, NPcapHelper projects to MSVC 2010, updated driver to MSVC 2015. 3) Fixed the "Malformed Packet" bug