________________________________
From: wireshark-dev-boun...@wireshark.org <wireshark-dev-boun...@wireshark.org> 
on behalf of Pascal Quantin <pascal.quan...@gmail.com>
Sent: Monday, August 3, 2015 12:48
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Npcap 0.03 call for test

Hello Yang,

Since my last comments I've been (quietly) testing the various updated Npcap 
releases.   I've really had nothing new to add to Tyson's and Pascal's comments 
until now.

I'm currently testing with Npcap 0.03-r3.

But unlike Pascal I do not crash when starting Wireshark.

Up until this version I could reliably blue screen my Windows 8.1 machine 
simply by loading a Buildbot development version of Wireshark (I had been 
testing with 1.99.9-7-g23ca456) and simply leaving Wireshark's Qt-based 
Welcome screen up.  The Qt version of Wireshark will display spark lines of 
traffic through the various interfaces.  I would simply walk away and leave the 
system alone.  Prior to Npcap 0.03-r3 the system would generally bluescreen 
within 10 to 20 minutes (but sometimes more than an hour would pass before 
Windows would crash).   Most of these crashes were with the bug check string 
BAD_POOL_CALLER, but two times since last Thursday morning the crashes had the 
bug check string BAD_POOL_HEADER.  I have mini-dumps for those crashes but not 
a full dump.  (I've switched to collecting full dumps now).

From my point of view Npcap 0.03-r3 so far appears to be the most stable of 
the Npcap versions I've been testing with.

I did have the Npcap installation stall problem that I have reported in my 
earlier comments.  I have a theory (which I will be testing later today) 
regarding how to replicate the Npcap installer stall.

I have VirtualBox 5.0 installed on the Windows 8.1 machine but at this point I 
am not currently running any VMs.

Since you released the first Npcap 0.03 version (I believe) I have not seen any 
more dialog pop-ups about the Cisco AnyConnect VPN adapter (but I also have not 
attempted to use same in the last week or so either).  (FWIW: The Device 
Manager's Device Description for this adapter is "Cisco AnyConnect Secure 
Mobility Client Virtual Miniport Adapter for Windows x64" with a Driver Date of 
Friday, August 30, 2013 and Driver Version of 3.1.4065.0).  I did just find 
this particular Network adapter disabled so I have re-enabled and will wait and 
see if any new Cisco AnyConnect VPN error dialogs pop up.

Since you resolved the TCP payload issues I can see the TCP payload packets 
that traverse the loopback interface (for example the payload packets when 
Firefox is running).

Over the next week I hope to be able to leverage some other tools to more 
extensively push the limits of sniffing on the loopback interface and also 
perhaps compare capture performance of Npcap versus WinPcap on standard 
interfaces.

Best regards,

Jim Y.


2015-08-03 17:57 GMT+02:00 Yang Luo <hslu...@gmail.com>:
Hi Pascal,

Thanks for testing. The output of your dump is pasted below. It seems that the 
NdisFOidRequest call fails in Npcap's NPF_GetDeviceMTU routine. It is in the 
same position as the previous SYSTEM_SERVICE_EXCEPTION BSoD. So I think they 
may belong to the same bug. However, I didn't find what's wrong with this code 
(go to this link if anyone is interested in the code: 
https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/Openclos.c, Line: 
570). WinDbg said "An attempt was made to access a pageable (or completely 
invalid) address at an interrupt request level (IRQL) that is too high." But 
actually all arguments of NdisFOidRequest are from the OPEN_INSTANCE struct and 
this struct is allocated in a NonPaged pool, so it's hard to understand its 
reason.

Another way is to reproduce this BSoD. I didn't encounter this BSoD before; 
from the dump I only recognized that you installed VirtualBox. It will be very 
helpful if you can provide the reproduction steps.

Yes, I have VirtualBox 5.0 installed (which allows me to run a Windows 10 RTM 
machine on which Npcap does not crash (I could even capture some loopback 
traffic and find - and fix - a bug in Wireshark: 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11412)).
To reproduce the crash on this machine, it is as simple as:
- installing Npcap
- rebooting the laptop (I did not try without rebooting)
- Launching Wireshark 1.99.9 development build (you can find some nightly 
installers here: https://www.wireshark.org/download/automated/ )
- And bang it crashes immediately during Wireshark initialization (presumably 
when dumpcap tries to retrieve interfaces, but I could not confirm this as my 
PC reboots immediately)

<SNIP>

On Mon, Aug 3, 2015 at 6:35 PM, Pascal Quantin <pascal.quan...@gmail.com> wrote:

Hi Yang

2015-08-03 9:33 GMT+02:00 Yang Luo <hslu...@gmail.com>:
>
> Hi list,
>
> I think I have fixed the BAD_POOL_CALLER BSoD in Npcap 0.03 r3 version, it 
> turns out to be a memory double-free bug in WFP classifyFn function used for 
> loopback packet capturing. The latest installer is: 
> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r3.exe
>
> I have tested it under Win 8.1 x64 with VMware Workstation 11 installed and 
> Win10 x64, if you encounter any BSoDs with this version, please let me know.

I just gave it a try on the Windows 7 x64 laptop that was crashing last week:
- like Tyson, my Wifi no longer works when installing Npcap. No issue when 
shutting down Wifi and using Ethernet
- I still get a BSoD when launching Wireshark. The full and mini memory dumps 
are available here: 
https://www.dropbox.com/sh/2oz00ox20kv3oe0/AACFQC83vyKS2dY7bI7hnZBOa?dl=0

Cheers,
Pascal.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

