Hi Jim, Pascal,

I have added loopback packet sending support in 0.03-r5 using several commits. As you said, it should be one commit in 0.03-r5 that leads to this IRQL_NOT_LESS_OR_EQUAL BSoD, but I couldn't reproduce it. So I have separated the 0.03-r5 version into 6 sub-versions in: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap_history_versions/. Maybe you would like to test from which sub-version this BSoD starts to happen. These 6 sub-version installers correspond to https://github.com/nmap/npcap/commits/master as below, so it will be easier for me to locate the position. Thanks!

9132448 npcap-nmap-0.03-r5.exe
1a99e71 npcap-nmap-0.03-r5-2.exe
a70d4eb npcap-nmap-0.03-r5-3.exe
fdaaa13 npcap-nmap-0.03-r5-4.exe
38ab966 npcap-nmap-0.03-r5-5.exe
beb669e npcap-nmap-0.03-r5-6.exe

Cheers,
Yang

On Tue, Aug 11, 2015 at 11:43 AM, Jim Young <jyo...@gsu.edu> wrote:

> Hello Yang,
>
> I installed npcap-nmap-0.03-r6.exe but am still getting the IRQL_NOT_LESS_OR_EQUAL (a) BSoD on my Windows 8.1 system immediately when I start Wireshark.
>
> I went back and retested 0.03-r3, 0.03-r4 and 0.03-r5 to confirm that it's only r5 and r6 that trigger the immediate BSoD on my system.
>
> Here's the last BSoD WinDbg output when using Npcap 0.03-r6.
>
> ---------
>
> 2: kd> .symfix C:\Symbols
> 2: kd> .reload
> Loading Kernel Symbols
> ...............................................................
> ................................................................
> ........................................
> Loading User Symbols
> .....................................
> Loading unloaded module list
> ........
> 2: kd> !analyze -v
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> IRQL_NOT_LESS_OR_EQUAL (a)
> An attempt was made to access a pageable (or completely invalid) address at an
> interrupt request level (IRQL) that is too high. This is usually
> caused by drivers using improper addresses.
> If a kernel debugger is available get the stack backtrace.
> Arguments:
> Arg1: 000000000000a620, memory referenced
> Arg2: 0000000000000002, IRQL
> Arg3: 0000000000000001, bitfield :
>     bit 0 : value 0 = read operation, 1 = write operation
>     bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
> Arg4: fffff8013ff660cc, address which referenced memory
>
> Debugging Details:
> ------------------
>
> *** ERROR: Module load completed but symbols could not be loaded for npf.sys
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for packet.dll -
>
> WRITE_ADDRESS: unable to get nt!MmNonPagedPoolStart
> unable to get nt!MmSizeOfNonPagedPoolInBytes
>  000000000000a620
>
> CURRENT_IRQL: 2
>
> FAULTING_IP:
> nt!KeAcquireSpinLockRaiseToDpc+1c
> fffff801`3ff660cc f0480fba2900 lock bts qword ptr [rcx],0
>
> DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
>
> BUGCHECK_STR: AV
>
> PROCESS_NAME: dumpcap.exe
>
> ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
>
> TRAP_FRAME: ffffd00035417600 -- (.trap 0xffffd00035417600)
> NOTE: The trap frame does not contain all registers.
> Some register values may be zeroed or incorrect.
> rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
> rdx=ffffe001230a2900 rsi=0000000000000000 rdi=0000000000000000
> rip=fffff8013ff660cc rsp=ffffd00035417790 rbp=ffffd00035417b80
>  r8=ffffe0011fed41a0  r9=000000000000000e r10=0000000000000801
> r11=ffffe00122517440 r12=0000000000000000 r13=0000000000000000
> r14=0000000000000000 r15=0000000000000000
> iopl=0 nv up ei pl zr na po nc
> nt!KeAcquireSpinLockRaiseToDpc+0x1c:
> fffff801`3ff660cc f0480fba2900 lock bts qword ptr [rcx],0 ds:00000000`0000a620=????????????????
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from fffff8013ffea7e9 to fffff8013ffdeca0
>
> STACK_TEXT:
> ffffd000`354174b8 fffff801`3ffea7e9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
> ffffd000`354174c0 fffff801`3ffe903a : 00000000`00000001 00000000`00000000 00000000`00000000 ffffd000`35417730 : nt!KiBugCheckDispatch+0x69
> ffffd000`35417600 fffff801`3ff660cc : 00000000`00000001 ffffc002`00000000 ffffc002`018bf601 00000000`00000000 : nt!KiPageFault+0x23a
> ffffd000`35417790 fffff801`688d7186 : 00000000`00000000 ffffe001`230474c0 00000000`00000001 ffffd000`35417b80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
> ffffd000`354177c0 fffff801`688d7a24 : 00000000`00001ef0 ffffe001`230a2900 00000000`00000000 ffffd000`00000000 : npf+0x3186
> ffffd000`354177f0 fffff801`402b377f : 00000000`00000001 ffffe001`230a2900 ffffe001`230a2900 00000000`00000001 : npf+0x3a24
> ffffd000`35417880 fffff801`402b2d22 : ffffd000`35417a38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
> ffffd000`35417a20 fffff801`3ffea4b3 : ffffe001`21d2c080 ffffd000`001f0003 00000017`cb91ca98 00000017`00000000 : nt!NtDeviceIoControlFile+0x56
> ffffd000`35417a90 00007ffe`449c123a : 00007ffe`41b65fe3 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
> 00000017`cb91ca48 00007ffe`41b65fe3 : 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 00000000`00000013 : ntdll!NtDeviceIoControlFile+0xa
> 00000017`cb91ca50 00007ffe`42151bb0 : 00000000`00001ef0 00007ffe`4496713a 00000000`00000020 00000000`00000000 : KERNELBASE!DeviceIoControl+0x121
> 00000017`cb91cac0 00007ffe`399f3d65 : 00000017`cba14960 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 : KERNEL32!DeviceIoControlImplementation+0x80
> 00000017`cb91cb10 00000017`cba14960 : 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 : packet+0x3d65
> 00000017`cb91cb18 00000017`cb91cdb0 : ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 00000000`00000000 : 0x00000017`cba14960
> 00000017`cb91cb20 ffffffff`ffffffff : 00000017`cb91cdb0 00000000`00000000 00000000`00000000 00000017`cb91cb60 : 0x00000017`cb91cdb0
> 00000017`cb91cb28 00000017`cb91cdb0 : 00000000`00000000 00000000`00000000 00000017`cb91cb60 00000000`00000000 : 0xffffffff`ffffffff
> 00000017`cb91cb30 00000000`00000000 : 00000000`00000000 00000017`cb91cb60 00000000`00000000 00000017`cba14960 : 0x00000017`cb91cdb0
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> npf+3186
> fffff801`688d7186 4032ff xor dil,dil
>
> SYMBOL_STACK_INDEX: 4
>
> SYMBOL_NAME: npf+3186
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: npf
>
> IMAGE_NAME: npf.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 55c878a8
>
> FAILURE_BUCKET_ID: AV_npf+3186
>
> BUCKET_ID: AV_npf+3186
>
> ANALYSIS_SOURCE: KM
>
> FAILURE_ID_HASH_STRING: km:av_npf+3186
>
> FAILURE_ID_HASH: {cd892a8a-243d-2266-f935-8db54b10ab51}
>
> Followup: MachineOwner
> ---------
>
> Best regards,
>
> Jim Y.
>
> ------------------------------
> *From:* wireshark-dev-boun...@wireshark.org <wireshark-dev-boun...@wireshark.org> on behalf of Yang Luo <hslu...@gmail.com>
> *Sent:* Monday, August 10, 2015 06:40
> *To:* Developer support list for Wireshark
> *Subject:* Re: [Wireshark-dev] Npcap 0.03 call for test
>
> Hi Jim, Pascal,
>
> This IRQL_NOT_LESS_OR_EQUAL (a) BSoD seems to be caused by the NdisAcquireSpinLock call in function NPF_StartUsingOpenInstance having referred to freed Open struct memory. I have tried to fix it in the latest installer; you may try it at:
> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r6.exe
>
> Cheers,
> Yang
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
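
The bug check 0xA fields quoted in the message above can be read mechanically. The following is an added example, not part of the original thread or of Npcap or WinDbg: it decodes Arg1 to Arg3 as the dump's own legend describes them and walks STACK_TEXT to find the driver call site. The names `triage`, `SAMPLE`, `FRAME` and `IRQL_NAMES` are hypothetical, and the input is assumed to have the mail quoting and line wrapping already removed.

```python
import re

# Excerpt of the `!analyze -v` output quoted above, wrapped lines re-joined and
# the per-frame argument columns shortened to "..." (constructed for this example).
SAMPLE = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff8013ff660cc, address which referenced memory
STACK_TEXT:
ffffd000`354174b8 fffff801`3ffea7e9 : ... : nt!KeBugCheckEx
ffffd000`354174c0 fffff801`3ffe903a : ... : nt!KiBugCheckDispatch+0x69
ffffd000`35417600 fffff801`3ff660cc : ... : nt!KiPageFault+0x23a
ffffd000`35417790 fffff801`688d7186 : ... : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`354177c0 fffff801`688d7a24 : ... : npf+0x3186
ffffd000`354177f0 fffff801`402b377f : ... : npf+0x3a24
ffffd000`35417880 fffff801`402b2d22 : ... : nt!IopXxxControlFile+0xa4f
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
# One STACK_TEXT row: child-SP, return address, arguments, then the symbol.
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$", re.M)


def triage(text):
    """Summarise a bug check 0xA report (hypothetical helper, not a WinDbg API)."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]+)", text, re.M)}
    frames = FRAME.findall(text)
    # Kernel frames sit on top; the first frame outside nt! is the driver call site.
    caller = next((f for f in frames if not f.startswith("nt!")), None)
    idx = frames.index(caller) if caller else 0
    return {
        "address": args[1],
        "irql": IRQL_NAMES.get(args[2], hex(args[2])),
        "access": "write" if args[3] & 1 else "read",   # Arg3 bit 0
        "execute": bool(args[3] & 8),                   # Arg3 bit 3
        # Addresses below 64 KB are not kernel pool, so the pointer itself was bad.
        "low_address": args[1] < 0x10000,
        "caller": caller,
        # The nt! routine directly above the call site is what the driver invoked.
        "callee": frames[idx - 1] if idx else None,
        "module": re.split(r"[!+]", caller)[0] if caller else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:12} {value}")
```
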