Wireshark · Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature

[Jim Young <jyoung@xxxxxxx>]

From: Yang Luo <hsluoyb@xxxxxxxxx>Hi list,
>
>In order not to diverge with WinPcap interfaces, I have made a "WinPcap
>Mode" for Npcap, it uses the same system32 directory to put DLLs and has
>the same "npf" service and driver name. So it can be directly used in
>Wireshark without any patch.

Hello Yang,

I've been testing Npcap 0.01 on a Windows 8.1 Enterprise workstation.  The
workstation is not connected to Active Directory.

I have only attempted to use Npcap in WinPcap Mode.  As expected when I
first attempted the install, Npcap detected that WinPcap was already
installed.  I canceled the Npcap install, uninstalled WinPcap 4.1.3 and
then successfully installed Npcap using the WinPcap Mode option.  The
Windows Device Manager showed the "Npcap Loopback Adapter" in the list of
Network Adapters.

I started up a development version of Wireshark, selected the Ncpap
loopback adapter and from a cmd shell started pinging 127.0.0.1.  The ping
requests and replies to the loopback interface were seen and captured
using the Npcap loopback interface.

I used MS ping's -l option to send minimum  (-l 0) and maximum (-l 65500)
sized ping requests to see what the Npcap interface would capture.  When
pinging the ipv4 loopback address of 127.0.0.1 the packets were 42 (min)
and 65542 (max) bytes respectively.  Pinging the ipv6 loopback address of
::0 the min and max sized packets were 62 and 65552 bytes respectively.

I opted to leave Wireshark up capturing on the loopback interface for
several hours.  In these captures I occasionally saw that TCP sessions
were successfully setup and then torn down via a RST packet usually about
19 seconds later.  The TCP RST packets were sent with Sequence numbers of
4-8 to Sequence numbers like 98 implying that perhaps some data packet was
sent but not captured.

When I later attempted to install a new version of Wireshark, Wireshark's
installer assumed there was no WinPcap installed; Wireshark's install
process can not detect that Npcap has been installed in WinPcap mode.  In
this case I opted skip the install of WinPcap but allowed the newer
Wireshark to install.  I opted to leave the Qt based Wireshark now using
Npcap in WinPcap mode up and running overnight at the Welcome screen.

The following morning I noticed that the Cisco AnyConnect VPN Client
installed on this workstation had failed.   This was a new behavior. I
rebooted the workstation to see if it would resolve the Cisco AnyConnect
issue.   But shortly after the system had rebooted the AnyConnect would
again fail.  I opted to uninstall Npcap 0.01 and rebooted the system.
Once Npcap was removed and the system no longer reported and any problems
for the Cisco AnyConnect Client.

I then opted to re-install Npcap 0.01 to see if the AnyConnect problem
would reappear.  But this time the installation failed with the message
"Failed to create the npcap service for Win7 and Win8.  Please try
installing Npcap again, or use the official Npcap installer from
www.nmap.org".  I retried the Npcap installation which appeared to be
successful.   But after starting Wireshark I had the message "No
interfaces found".  I uninstalled Npcap and reinstalled WinPcap.   I could
now see interfaces.  I then uninstalled WinPcap.  Wireshark reported "No
interface found" (I expected Wireshark to report that WinPcap was not
installed).

I then opted to reinstall Npcap yet again.  This time the Npcap
installation failed spectacularly with a message of BAD_POOL_CALLER and
Windows subsequently crashed and rebooted.  After the system was up I
attempted to load Wireshark but was presented with an error dialog with
the title "Wireshark.exe - Bad Image".  Here was the message text.

> C:\Windows\system32\wpcap.dll is either not designed to run on Windows
>or it contains an error.  Try installing the program again using the
>original installation media or contact your system administrator or the
>software vendor for support.  Error status 0xc00012f.

This error was followed by the same dialog but for for packet.dll, and
then a similar pair of messages except this time it was dumpcap.exe that
was listed in the dialog's title.  Wireshark subsequently display a
message in the interface section of the Welcome screen that said:

"Unable to load WinPcap (wpcap.dll); you will not be able to capture
packets. Š"

I opted to try the Npcap installation yet again.  This time the "Npcap
0.01 for Nmap (beta) Setup" dialog displayed the message "Npcap version
0.1.0.710 exists on this system.  Replace with version 0.01?"  I clicked
[Yes].  But On the Security and API Options page the "Install Npcap in
Winpcap AP compatible mode" was disabled.  Since I could not install Npcap
in WinPcap mode I choose to abort [Cancel] this install.

I then tried to re-install WinPcap.  The WinPcap 4.1.3 Setup displayed
the message "A previous version of WinPcap has been detected on this
system.  Unfortunately, this installer is not able to remove it.  Do you
want to continue with the installation?"  I choose [Yes] and WinPcap
was successfully installed.

After several Wireshark tests I removed WinPcap and attempted yet another
install Npcap.  This time I was presented with the message:

> Npcap 0.1.710 exists on this system.  Replace with version 0.01?"

I choose [Yes].

This time I could choose the Install Npcap in WinPcap API-compatiable mode
option.   The Npcap loopback was again available to use.   Similar to my
previous tests, a few hours after installing Npcap in WinPcap mode I was
presented with a Cisco AnyConnect Client error.

For the time being I have uninstalled Npcap 0.01 and reinstalled WinPcap
4.1.3.  But I look forward to testing future versions of Npcap.

I hope you find this info useful.

Best regards,

Jim Y.