Hello Yang,

Similar to Tyson I had quite a bit of difficulty in getting Npcap 0.01.r02 
installed and running.

Looking back at a Device Manager screen shot I took PRIOR to attempting to 
install the 2nd version of Npcap yesterday I realized that I had an orphaned 
"Microsoft LM-TEST Loopback Adapter" on this system.  After the 2nd version of 
Npcap stalled yesterday I ended up simply forcing a reboot.  When the system 
came back up I noticed I now had an additional device "Microsoft LM-TEST Loopback 
Adapter #2" listed in Device Manager.  Today, on my first attempt to install the 
third version of the beta image (the .r2 version), I ended up with a "Npcap 
Loopback Adapter" but Wireshark reported "No interfaces found".   The Npcap 
uninstaller removed the "Npcap Loopback Adapter" but the two "Microsoft 
LM-TEST Loopback Adapter" devices persisted.  I manually removed these two 
devices by right-clicking on them in the Device Manager and selecting 
"Uninstall".

I've attempted several uninstall/reinstall sequences sometimes alternating with 
WinPcap uninstall/installs.   When WinPcap was installed I could see interfaces 
and sniff.   But with Npcap 0.01.r2 installed I had no luck. Occasionally when 
installing Npcap 0.01 .r2 I was presented with the message "Npcap version 
0.1.0.710 exists on this system. Replace with version 0.01?"   I could 
successfully run the uninstaller and then run the Installer.   But one time I 
opted to cancel the Npcap install and reboot.

After rebooting and loading Wireshark I was presented with the message "Unable 
to load WinPcap ..." instead of the "No interfaces found" message.  I guessed 
that from Wireshark's (well dumpcap's?) point-of-view, the Npcap uninstall had 
sufficiently cleaned up the previous *pcap install that no remnants of any 
*Pcap files persisted.

After uninstalling Npcap I opened a cmd shell and entered:  dir /s \npf.sys  
Two entries were listed in the 
C:\Windows\System32\DriverStore\FileRepository\inf_amd62_<hexstring>.  One was 
dated July 19, 2015 09:09 and had a size of 51920 bytes.  The other was dated 
Jul 11, 2015 03:46 AM and had a size of 41072 bytes.  After re-installing 
WinPcap I ended up with a npf.sys in C:\Windows\System32\drivers with a date of 
Feb 28, 2013 09:49 PM and a size of 36600 bytes.   Interestingly an uninstall 
of  WinPcap does not immediately appear to delete the npf.sys file in 
C:\Windows\System32\drivers nor the wpcap.dll and Packet.dll files in 
c:\Windows\System32 folder.  But WinPcap's uninstall does delete the wpcap.dll 
and Packet.dll files installed in C:\Windows\SysWOW64.  After rebooting the 
system these three obsolete WinPcap files still persisted.  Wireshark will 
apparently report the "No interfaces found" messages if one of these obsolete 
WinPcap files persists.

A subsequent install of Npcap presented "The target file exists and is newer 
than the source." message as follows:

> Source: C:\Program Files\Npcap\npf.sys
> Target: C:\Windows\system32\DRIVERS\npf.sys
>
> The target file exists and is newer than the source.
>
> Overwright the newer file?

Is the specific timestamp that is being checked by the Npcap installer the 
"wrong" timestamp (each file has several timestamp values (atime, mtime, etc))? 
 The obsolete WinPcap npf.sys file in the C:\Windows\System32\drivers folder is 
in fact older than Npcap's npf.sys file in the Program Files\Npcap folder.  
This can be confirmed with the command: dir /s \npf.sys

As Tyson reported, after an install of Npcap 0.01.r2 the npf service did not 
start.   You can enter the command: "sc queryex npf" to see it is stopped (in 
my case with a WIN32_EXIT_CODE of 1077 (0x435)).  Compare this to what WinPcap 
looks like after installation.   I also entered "sc start npf" and npf started 
successfully.  An "sc queryex npf" now looks similar to what one sees when 
WinPcap is installed.  I started Wireshark and this time I could see interfaces 
including the Npcap Loopback Adapter.  I started a second copy of Wireshark so 
I could both watch the "spark lines" on one copy while I started a capture on 
the Loopback adapter in the second Wireshark instance.  I could see and capture 
pings to the 127.0.0.1 address.

I then did a netstat -a and noted a number of TCP and UDP ports were in a 
LISTENING state.

I used cygwin's "nc" utility to confirm the Npcap loopback interface could see 
tcp connections.  I first did some "nc -z 127.0.0.1 <PORT>" where <PORT> was 
some of the TCP ports listed in the netstat -a report.  For each nc -z test I 
would see a 7 packet exchange (SYN, SYN/ACK, ACK, FIN/ACK, ACK, FIN/ACK, ACK).  
I then created a small text file called hello.txt with 13 bytes of data ("Hello 
world<0x0a><0x0a>").   I then entered the command: nc 127.0.0.1 135 <hello.txt. 
 Wireshark captured the SYN, SYN/ACK, ACK, followed by a FIN/ACK with a Seq 
number of 14 and Wireshark reporting "[TCP Previous segment not captured]", an 
ACK with a [TCP Window Update] followed by a RST/ACK, ACK [TCP Dup Ack] and 
finally a [RST].

For the rest of the evening I'm going to leave this instance of Npcap and 
Wireshark up and running to see if we have any crashes.

Best regards,

Jim Y.
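The "sc queryex npf" check Jim describes, as an added example that is not part of the original post, Npcap or Wireshark: a small Python helper that parses the output of `sc queryex` and turns the STATE / WIN32_EXIT_CODE pair into a recommendation. The two sample outputs are constructed to match the shape of `sc queryex` output and the values quoted in the message; 1077 (0x435) is ERROR_SERVICE_NEVER_STARTED in winerror.h, which is why a plain `sc start npf` fixes it. The `query_service` function assumes it is run on Windows with sc.exe on the PATH.

```python
"""Interpret `sc queryex npf` output and decide whether the Npcap driver
service needs a manual `sc start npf`.

Added example, not code from the original post, Npcap or Wireshark. The
sample outputs are constructed to match the shape of `sc queryex` output and
the values quoted in the message (STOPPED, WIN32_EXIT_CODE 1077).
"""
import re
import subprocess
from dataclasses import dataclass

# Service states as reported in the STATE line (winsvc.h SERVICE_* values).
SERVICE_STATES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING",
                  4: "RUNNING", 5: "CONTINUE_PENDING", 6: "PAUSE_PENDING",
                  7: "PAUSED"}
SERVICE_STOPPED, SERVICE_RUNNING = 1, 4

# Win32 error codes that show up in WIN32_EXIT_CODE (winerror.h).
ERROR_SERVICE_NEVER_STARTED = 1077    # 0x435: installed, never started
ERROR_SERVICE_SPECIFIC_ERROR = 1066   # 0x42A: look at SERVICE_EXIT_CODE


@dataclass(frozen=True)
class ServiceStatus:
    name: str
    state: int
    win32_exit_code: int
    service_exit_code: int

    @property
    def state_name(self):
        return SERVICE_STATES.get(self.state, f"UNKNOWN({self.state})")


def parse_sc_queryex(text):
    """Parse the `KEY : value` lines printed by `sc queryex <service>`."""
    name, fields = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        # Numeric fields may be followed by a symbolic name ("1  STOPPED")
        # or a hex rendering ("1077  (0x435)"); the decimal value comes first.
        m = re.match(r"\s*([A-Z0-9_]+)\s*:\s*(\d+)", line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    if name is None or "STATE" not in fields:
        raise ValueError("does not look like sc queryex output")
    return ServiceStatus(name, fields["STATE"],
                         fields.get("WIN32_EXIT_CODE", 0),
                         fields.get("SERVICE_EXIT_CODE", 0))


def diagnose(status):
    """Return (needs_start, explanation) for a parsed service status."""
    n = status.name
    if status.state == SERVICE_RUNNING:
        return False, f"{n} is RUNNING; capture should work"
    if status.state != SERVICE_STOPPED:
        return False, f"{n} is {status.state_name}; re-query shortly"
    if status.win32_exit_code == ERROR_SERVICE_NEVER_STARTED:
        return True, (f"{n} is installed but has never been started "
                      f"(WIN32_EXIT_CODE 1077); run: sc start {n}")
    if status.win32_exit_code == ERROR_SERVICE_SPECIFIC_ERROR:
        return True, (f"{n} failed with driver-specific code "
                      f"{status.service_exit_code}; check the System event "
                      f"log before retrying sc start {n}")
    return True, (f"{n} is STOPPED (Win32 error {status.win32_exit_code}); "
                  f"try: sc start {n}")


# Constructed sample: what the message reports after the 0.01.r2 install.
SAMPLE_STOPPED = """\
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
"""

# Constructed sample: the healthy state after `sc start npf`.
SAMPLE_RUNNING = (SAMPLE_STOPPED.replace("1  STOPPED", "4  RUNNING")
                                .replace("1077  (0x435)", "0  (0x0)"))


def query_service(name="npf"):
    """Windows only: run sc.exe for real and diagnose its output."""
    out = subprocess.run(["sc", "queryex", name], capture_output=True,
                         text=True, check=False).stdout
    return diagnose(parse_sc_queryex(out))


if __name__ == "__main__":
    for sample in (SAMPLE_STOPPED, SAMPLE_RUNNING):
        print(diagnose(parse_sc_queryex(sample)))
```

Starting a kernel driver service needs an elevated prompt, so run `sc start npf` (or this script's `query_service`) from an Administrator shell; a non-elevated `sc start` fails with access denied even when the diagnosis is right.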

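The sequence-number reasoning behind the "nc 127.0.0.1 135 < hello.txt" capture above, as an added example that is not part of the original post or of Wireshark's own code: a Python checker that applies the core test behind Wireshark's [TCP Previous segment not captured] note (a segment's seq lies beyond the highest byte its sender has been seen to send) to two constructed segment lists modelled on the exchanges Jim describes. The relative sequence numbers and the server's replies after the FIN are assumptions made for the example; what it shows is that a FIN/ACK at relative seq 14 straight after the handshake implies exactly 13 bytes, the size of hello.txt, went unrecorded.

```python
"""Infer uncaptured TCP bytes from relative sequence numbers, the way
Wireshark's [TCP Previous segment not captured] note does.

Added example, not code from the original post or from Wireshark. Both
packet lists below are constructed from the exchanges described in the
message; the server's replies after the FIN are an assumed simplification.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str            # "C" = client (nc), "S" = server (the listener)
    flags: str          # any of S A F R P
    seq: int            # relative sequence number as Wireshark shows it
    ack: int            # relative acknowledgement number
    payload_len: int = 0


def seq_consumed(seg):
    """Sequence space used by a segment: payload plus one for SYN and FIN."""
    return seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)


def find_gaps(segments):
    """Return (index, sender, missing_bytes) for each segment whose seq is
    beyond the highest byte its sender was seen to send: the core test behind
    Wireshark's "Previous segment not captured" expert info."""
    next_seq = {}                 # per sender: first byte not yet seen
    gaps = []
    for i, seg in enumerate(segments):
        expected = next_seq.get(seg.src)
        if expected is not None and seg.seq > expected:
            gaps.append((i, seg.src, seg.seq - expected))
        end = seg.seq + seq_consumed(seg)
        if expected is None or end > expected:
            next_seq[seg.src] = end
    return gaps


def annotate(segments):
    """Human-readable listing with the gap notes attached, for eyeballing."""
    notes = {i: f"[previous segment not captured: {n} byte(s)]"
             for i, _, n in find_gaps(segments)}
    return [f"{i + 1:2d} {s.src} {s.flags:<3} seq={s.seq:<3} ack={s.ack:<3} "
            f"len={s.payload_len} {notes.get(i, '')}".rstrip()
            for i, s in enumerate(segments)]


def missing_payload_bytes(segments, sender="C"):
    """Total bytes the capture never saw from one side of the connection."""
    return sum(n for _, who, n in find_gaps(segments) if who == sender)


# Constructed: the 7-packet `nc -z 127.0.0.1 <PORT>` exchange.
NC_Z_CAPTURE = [
    Segment("C", "S", 0, 0),
    Segment("S", "SA", 0, 1),
    Segment("C", "A", 1, 1),
    Segment("C", "FA", 1, 1),
    Segment("S", "A", 1, 2),
    Segment("S", "FA", 1, 2),
    Segment("C", "A", 2, 2),
]

# Constructed: `nc 127.0.0.1 135 < hello.txt` as captured, with the PSH/ACK
# carrying hello.txt (client seq 1..13) missing from the trace.
HELLO_TXT = b"Hello world\n\n"          # 13 bytes, as in the message
HELLO_CAPTURE = [
    Segment("C", "S", 0, 0),
    Segment("S", "SA", 0, 1),
    Segment("C", "A", 1, 1),
    # Segment("C", "PA", 1, 1, payload_len=13)  <- never captured
    Segment("C", "FA", 14, 1),          # seq 14: 13 bytes went unrecorded
    Segment("S", "A", 1, 15),           # assumed: server acks data + FIN
    Segment("S", "RA", 1, 15),          # assumed: port 135 resets
]


if __name__ == "__main__":
    for name, cap in (("nc -z", NC_Z_CAPTURE),
                      ("nc 135 < hello.txt", HELLO_CAPTURE)):
        print(f"== {name}")
        print("\n".join(annotate(cap)))
```

The checker only flags forward jumps in sequence space; a retransmission (seq below what was already seen) is not a gap, which is why the seven-packet `nc -z` exchange comes out clean while the hello.txt trace reports a 13-byte hole at the FIN.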
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe