Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)
From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Mon, 20 Jul 2015 07:39:33 +0800
Hi Tyson,

On Sun, Jul 19, 2015 at 10:37 PM, Tyson Key <tyson.key@xxxxxxxxx> wrote:
Hi Yang,

Just downloaded your latest package, and here's my experience, so far:

After uninstalling the old WinPCap 4.1.3, and installing your new package (without rebooting), I get as far as "NPFInstall.exe - il" (which stalls for a while, but then continues, on my machine), and then continue to "NPFInstall.exe -iw". 

At this stage, it appears that some driver files from the old version are still present, and Windows Explorer asks me if I want to replace them with "older" (i.e. the latest?) versions, for some reason (maybe the uninstaller isn't cleaning things up properly, on x86-64 machines?); before the correctly-named "Npcap Loopback Adaptor" gets installed (and then does a quick vanishing act (guessing that it tried to rename one of the myriad KM-TEST interfaces from earlier), before reappearing). Afterwards, I receive "The npf service for Win7 and Win8 was successfully created" - but starting Wireshark results in "The NPF driver isn't running.  You may have trouble
capturing or listing interfaces".

Do you receive the Windows dialog asking you to replace old driver files every time installing?  In fact I have set my installer to replace existed files silently, I don't know how Windows works on this part, but it shouldn't happen for a second time. 


I'll follow up with my results of rebooting, shortly - but in the meantime, it might be a good idea to have the installer (and uninstaller) be smarter about removing older copies of the drivers, and try to automatically purge old instances of the loopback adaptor, if they exist.

I have considered removing all loopback adapters when uninstalling Npcap before, but I don't think it's a good idea. Because there are loopback adapters for other use. It's not suitable for Npcap to removed those ones. Npcap will only try to remove the loopback adapter itself installed (exactly speaking, is the latest loopback adapter you use NPFInstall.exe -il to have installed). So if you use NPFInstall.exe -il multiple times, Npcap only remembered to uninstall the latest loopback adapter. However, NPFInstall.exe -il is not what Npcap wants normal user to run manually, so it's not an issue here.

Cheers,
Yang