Lately while using nmap I've been getting a lot of BSODs from npf.sys (winpcap 3.01 alpha). It used to happen in 3.0.0 too, but not so often I feel. nmap (from www.insecure.org) uses libpcap to send ARP and raw IP on Windows.
I tried to analyse the Minidump with WinDbg and came up with these traces. Hopefully you can make some sense out of them, cause I can't.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (10000050)
Unknown bugcheck description
Arguments:
Arg1: ff62d000
Arg2: 00000000
Arg3: f8835bcc
Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Database SolnDb not connected

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MiSessionPoolStart
unable to get nt!MiSessionPoolEnd
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
 ff62d000

FAULTING_IP:
npf+bcc
f8835bcc 668139ff00       cmp     word ptr [ecx],0xff

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 804ea221 to f8835bcc

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ec27bc34 804ea221 fe7e2250 8141dc00 806ad190 npf+0xbcc
ec27bc58 8055de46 fe7e2250 8141dc00 81a13cf0 nt!IoBuildPartialMdl+0xe3
ec27bd00 80556cea 00000750 00000000 00000000 nt!NtWriteFile+0x358a
ec27bd34 8052d571 00000750 00000000 00000000 nt!NtDeviceIoControlFile+0x28
ec27bd64 823ce9d0 ff8af248 ebb13cec ebb13d98 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0x9fd
00000000 00000000 00000000 00000000 00000000 0x823ce9d0

FOLLOWUP_IP:
npf+bcc
f8835bcc 668139ff00       cmp     word ptr [ecx],0xff

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: npf+bcc

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: kb

BUCKET_ID: WRONG_SYMBOLS

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

Followup: MachineOwner
---------

f8835ba4 8b4608           mov     eax,[esi+0x8]
f8835ba7 c1e803           shr     eax,0x3
f8835baa 6a00             push    0x0
f8835bac 5e               pop     esi
f8835bad 8975f0           mov     [ebp-0x10],esi
f8835bb0 7410             jz      npf+0xbc2 (f8835bc2)
f8835bb2 66813cf2ff00     cmp     word ptr [edx+esi*8],0xff
f8835bb8 7408             jz      npf+0xbc2 (f8835bc2)
f8835bba 46               inc     esi
f8835bbb 3bf0             cmp     esi,eax
f8835bbd 8975f0           mov     [ebp-0x10],esi
f8835bc0 72f0             jb      npf+0xbb2 (f8835bb2)
f8835bc2 8bce             mov     ecx,esi
f8835bc4 c1e103           shl     ecx,0x3
f8835bc7 894df8           mov     [ebp-0x8],ecx
f8835bca 03ca             add     ecx,edx
f8835bcc 668139ff00       cmp     word ptr [ecx],0xff   ds:0023:ff62d000=????   << !!!!!
f8835bd1 752e             jnz     npf+0xc01 (f8835c01)
f8835bd3 2bc6             sub     eax,esi
f8835bd5 48               dec     eax
f8835bd6 7429             jz      npf+0xc01 (f8835c01)
f8835bd8 6860b583f8       push    0xf883b560
f8835bdd 8d83640e0000     lea     eax,[ebx+0xe64]
f8835be3 50               push    eax
f8835be4 8d835c0e0000     lea     eax,[ebx+0xe5c]
f8835bea 50               push    eax
f8835beb 83c108           add     ecx,0x8
f8835bee 51               push    ecx
f8835bef c645fe01         mov     byte ptr [ebp-0x2],0x1
f8835bf3 e8de440000       call    npf+0x50d6 (f883a0d6)
f8835bf8 83f801           cmp     eax,0x1
f8835bfb 0f8574030000     jne     npf+0xf75 (f8835f75)

From what I can see this happens in write.c / NPF_Write(). Because tcpdump/Ethereal don't use npf.sys to send anything, they seem to work stably. But nmap or any libnet-based apps do not.
I'm running Win-XP Home SP1 (build 2600) on a 2GHz Pentium 4.

--gv

==================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/[EMAIL PROTECTED]/

To unsubscribe use
mailto: [EMAIL PROTECTED]
==================================================================
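
Added example (not part of the original post and not WinPcap source code): the disassembly above scans 8-byte records for a 16-bit value of 0xff and then reads the record at the final index even when the loop ran to the end of the buffer, which is consistent with the faulting read at the page-aligned address ff62d000. The C below models that pattern next to a bounds-checked form. The struct layout beyond the leading 16-bit field, all names, and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MARKER 0x00ff   /* value compared at npf+0xbb2 and npf+0xbcc */

/* 8-byte record; only the leading 16-bit field is visible in the trace,
   the other field names are hypothetical. */
struct rec { uint16_t code; uint8_t a, b; uint32_t k; };
_Static_assert(sizeof(struct rec) == 8, "records must be 8 bytes");

/* The loop at npf+0xbb2..0xbc0: stop at the first MARKER, or at n. */
static size_t scan(const struct rec *r, size_t n) {
    size_t i = 0;
    while (i < n && r[i].code != MARKER) i++;
    return i;
}

/* Shape of the faulting path: r[i] is read after the loop with no check.
   Returns 1 when that read would fall outside the buffer (modelled, not
   performed, so the example itself stays memory-safe). */
int unchecked_read_is_oob(const struct rec *r, size_t len_bytes) {
    size_t n = len_bytes / sizeof(struct rec);
    return scan(r, n) >= n;   /* also true for a zero-length buffer */
}

/* Hardened form: validate the length, test the index before touching r[i].
   Returns records following the marker, 0 if no marker, -1 if malformed. */
long records_after_marker(const struct rec *r, size_t len_bytes) {
    if (r == NULL || len_bytes % sizeof(struct rec) != 0) return -1;
    size_t n = len_bytes / sizeof(struct rec);
    size_t i = scan(r, n);
    if (i == n) return 0;     /* no marker found: r[i] must not be read */
    return (long)(n - i - 1);
}

/* Constructed sample buffers. */
const struct rec no_marker[3]   = {{0x28,0,0,12}, {0x15,0,1,0x800}, {0x06,0,0,96}};
const struct rec with_marker[4] = {{0x28,0,0,12}, {MARKER,0,0,0}, {0x01,0,0,0}, {0x02,0,0,0}};

int main(void) {
    printf("no marker:   oob=%d after=%ld\n",
           unchecked_read_is_oob(no_marker, sizeof no_marker),
           records_after_marker(no_marker, sizeof no_marker));
    printf("with marker: oob=%d after=%ld\n",
           unchecked_read_is_oob(with_marker, sizeof with_marker),
           records_after_marker(with_marker, sizeof with_marker));
    return 0;
}
```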
