Hi Jim,

Thanks for this detailed test and I have fixed some of the problems. Latest installer is:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r3.exe

See more feedback below:

On Thu, Jul 23, 2015 at 1:06 PM, Jim Young <jyo...@gsu.edu> wrote:

> Hello Yang,
>
> From: Yang Luo <hslu...@gmail.com>, Date: Wednesday, July 22, 2015 11:12 PM
>
> >I tested it against Win10 10240 x64 (French and Chinese), try installer at:
> >https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.02-r2.exe
>
> I've continued to test the various Npcap versions in WinPcap API mode on
> Windows 8.1 system.
>
> Here are some observations.
>
> 1 - I can not uninstall and then install Npcap successfully without
> rebooting the system between the Uninstall and Install.
>
> If I attempt the install without the reboot then the NPFInstall.exe -i1
> step will stall and I am forced to reboot the system. After rebooting I
> can see that the various Npcap components like npf.sys, packet.dll,
> wpcap.dll will have been placed in the expected locations, but the newly
> created loop back interface will not have the expected Npcap name. To
> clean this up I manually Uninstall the orphaned loop back adapter and then
> rerun the Npcap installer which will detect the files from the previous
> install attempt which launches the Npcap uninstaller. After the uninstaller
> finishes I [Cancel] the Npcap Install and reboot the system. Upon reboot
> I can successfully re-install Npcap.

It is so weird that NPFInstall.exe -il stalls. I encountered this sometimes several days ago, but I don't see it these days. I don't know if you can reproduce it reliably and tell me the steps.

> I've been using the following set of commands in a cmd shell to get a
> quick look-see at the state of the Npcap install and uninstall:
>
>     netsh.exe interface show interface
>     sc queryex npf
>     dir /s \npf.sys
>     dir /s \packet.dll
>     dir /s \wpcap.dll
>
> Interestingly when Npcap fails to install (because I didn't reboot after
> the last Uninstall), the orphaned "Microsoft KM-TEST Loopback Adapter"
> will NOT be listed in the netsh interface show interface report. I see
> this in the Device Manager's Network Adapters list.

This is also so weird. Maybe caused by the problem above.

> 2 - If I attempt to uninstall Npcap while npf is in use (Wireshark is
> running), the system will crash with the message:
> PAGE_FAULT_IN_NONPAGED_AREA or PAGE_FAULT_IN_NOT_PAGED_AREA(npf.sys). If
> I do not have Wireshark running, then the uninstall will complete
> successfully (but I still need to reboot to reinstall Npcap successfully).
> Interestingly if one tries to stop npf while Wireshark is running, (from
> an admin level cmd shell enter: sc stop npf), sc will report the stop
> request as "pending". Once Wireshark is shutdown the npf service will
> stop. Should the uninstaller detect that the npf service could not
> shutdown and abort the uninstall attempt?

This is a big issue, and I have fixed it in the latest release. First the BSoD is fixed, then I forbid the uninstallation in the installer if Npcap is still in use.

> 3 - TCP packets captured on the loopback interface do not have payloads.
> With long running traces I see various occasional traffic on the LoopBack
> interface. It looks like only the TCP packets do not show payload
> packets. Interestingly when the Firefox browser is running I see various
> short lived TCP sessions on the loopback using adjacent port numbers (for
> example SYN src=49225, dstport=49224).

I have reproduced it, I will look into this.

> 4 - With the recent Npcap versions I had not seen any more issues with
> the Cisco AnyConnect VPN client. I had left some of these later Npcap
> versions running for hours with Wireshark sniffing on the loopback and
> sometimes other adapters. But immediately after I first installed Npcap
> 0.02.r2 the Cisco VPN client failed. I've uninstalled, rebooted and
> reinstalled Npcap 0.02.r2 a few times and each time I have had the Cisco
> AnyConnect VPN fail (sooner or later).

What technique is Cisco AnyConnect VPN client based on? PPTP or L2TP or IPSec? I googled it but I didn't find a link to download it. Also I don't know if I need to buy an account, is there a way that I could try it?

> 5 - The Npf installer (or uninstaller) is leaving what I assume are
> obsolete folders (and files in those folders) in subfolders of
> C:\Windows\System32\DriverStore\FileRepository. These subfolders have
> names that begin with "npf.inf_amd64_" followed by 16 hexadecimal
> characters. Should these be deleted as part of the install or uninstall
> process?

This is expected, and not a part for Npcap to uninstall.

> 6 - After the initial install of Npcap 0.02.r1, the npf service is
> immediately started, but upon a reboot the npf service is stopped and must
> be manually started. (from an admin cmd shell: netsh start npf). Running
> Wireshark (as a normal user) does not automatically start the npf service.
> I have not attempted to start Wireshark in an admin level cmd shell.

I am looking into it, I think there is a need to automatically start the npf service instead of the current way. It is related to WFP callout and still needs time to be solved.

> Best regards,
>
> Jim Y.
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
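Added example, not part of the original thread and not Npcap's installer code: one way to gate an uninstall on the npf service state discussed in item 2, by parsing `sc queryex npf` output. The sample outputs are constructed, and the names `service_state` and `uninstall_decision` are hypothetical.

```python
import re

# Constructed `sc queryex npf` output: stop requested while a capture app holds the driver.
STOP_PENDING = """\
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
"""
# Constructed variants: driver running, driver stopped, service not registered.
RUNNING = STOP_PENDING.replace("3  STOP_PENDING", "4  RUNNING")
STOPPED = STOP_PENDING.replace("3  STOP_PENDING", "1  STOPPED")
NOT_INSTALLED = "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n" \
    "The specified service does not exist as an installed service.\n"

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)

def service_state(sc_output):
    """Return the STATE name from sc output, or NOT_INSTALLED on error 1060."""
    if re.search(r"FAILED 1060\b", sc_output):
        return "NOT_INSTALLED"
    match = STATE_RE.search(sc_output)
    if match is None:
        raise ValueError("no STATE line in sc output")
    return match.group(1)

def uninstall_decision(sc_output):
    """Map the npf service state to the action an uninstaller should take."""
    state = service_state(sc_output)
    if state in ("STOPPED", "NOT_INSTALLED"):
        return "proceed"            # nothing holds the driver; files can go
    if state == "STOP_PENDING":
        return "abort"              # a capture app still has npf open
    return "stop-then-recheck"      # issue `sc stop npf`, then query again

if __name__ == "__main__":
    for name, text in [("running", RUNNING), ("stop pending", STOP_PENDING),
                       ("stopped", STOPPED), ("not installed", NOT_INSTALLED)]:
        print(f"{name:14} -> {uninstall_decision(text)}")
```

On a live system the input would be the captured output of `sc queryex npf`, taken again after `sc stop npf` has been issued.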