win10pcap's People

Contributors

dnobori

win10pcap's Issues

Abandoned?

If this software is no longer going to be maintained, updated, or secured, it would be better to put up a notice of this on the website as well as here on GitHub for clarity.

Ms.c crash with -RTCs

Compiling the Packet_dll sources in debug-mode and with the switch -RTCs and using them in a simple program, I get a crash as shown here: enum_adapters_crash_report

Seems the definition of bool is to blame. Looking at the CPP output, I see

    typedef _Bool __crt_bool;
    ...
    _Bool IsWow64()
    {
        _Bool b = 0;

        if (Is64BitCode())
        {
            return 0;
        }
        if (IsWow64Process(GetCurrentProcess(), &b) == 0)
        {
            return 0;
        }

I had to build using WIN32COM_CPP with the latest WindowsKit. Bottom line seems to be, sizeof(bool) != sizeof(BOOL). I suggest you rewrite that since IsWow64Process() clearly should take a PBOOL.

-RTCs is Stack Frame runtime checking, a real handy switch in MSVC.

BTW, here is the stack backtrace:


enum_adapters!failwithmessage(void * retaddr = 0x012de50e, int crttype = 0n1, int errnum = 0n2, char * msg = 0x00b9f910 "Stack around the variable 'b' was corrupted.")+0x1ec
enum_adapters!_RTC_StackFailure(void * retaddr = 0x012de50e, char * varname = 0x00000002 "--- memory read error at address 0x00000002 ---")+0xee
enum_adapters!_RTC_CheckStackVars(void * frame = 0x00b9fd58, struct _RTC_framedesc * v = 0x012de520)+0x46
enum_adapters!IsWow64(void)+0x6e
...
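The size mismatch reported in this issue, as an added example (not code from the issue or from the Win10Pcap sources). It assumes a 4-byte `BOOL` as in the Windows SDK; `fake_IsWow64Process`, `clobbered_bytes` and `is_wow64_fixed` are hypothetical names, and the stack frame is modelled as a byte array so the extra write can be counted without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int BOOL;   /* assumption: 4 bytes, like the Windows SDK BOOL */
#define GUARD 0xCC  /* constructed fill pattern for untouched stack bytes */

/* Hypothetical stand-in for IsWow64Process(): like any API that takes a
 * PBOOL, it stores sizeof(BOOL) bytes at the address it is handed. */
static int fake_IsWow64Process(void *out)
{
    BOOL result = 1;
    memcpy(out, &result, sizeof result);
    return 1;  /* non-zero means success */
}

/* Model a stack frame as 8 bytes with the output variable at offset 0.
 * Returns how many bytes beyond a variable of local_size bytes the call
 * overwrites; this is the kind of write -RTCs reports for 'b'. */
static size_t clobbered_bytes(size_t local_size)
{
    unsigned char frame[8];
    size_t i, n = 0;

    memset(frame, GUARD, sizeof frame);
    fake_IsWow64Process(frame);
    for (i = local_size; i < sizeof frame; i++)
        if (frame[i] != GUARD)
            n++;
    return n;
}

/* Corrected shape: a full-width BOOL local, narrowed only after the call. */
static bool is_wow64_fixed(void)
{
    BOOL b = 0;

    if (fake_IsWow64Process(&b) == 0)
        return false;
    return b != 0;
}

int main(void)
{
    printf("1-byte _Bool local: %zu neighbouring bytes overwritten\n",
           clobbered_bytes(sizeof(bool)));
    printf("4-byte BOOL local:  %zu neighbouring bytes overwritten\n",
           clobbered_bytes(sizeof(BOOL)));
    printf("fixed wrapper returns %d\n", is_wow64_fixed());
    return 0;
}
```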

Incompatible in Windows 10

Hi everyone

I found the following errors when installing it on Windows 10 (version 10.0.10240):

  1. It detects Windows 10 as Windows 8.
    When I hard code the result from the Windows version detection.
  2. Running the installer on Windows 10 always returns permission denied. I debugged the installer; the error is returned from this statement: 'hr = pSetup->Install(id, &token, 0, 0, NULL, NULL, &pComponent);'

Has anyone fixed this?

Thanks

Different Adapter Listing compared to WinPCap / NpCap

On the search for an alternative to WinPcap I came across win10pcap. Installation works and the driver is also displayed in my network card. But an attempt to connect to Wireshark fails as if no WinPcap-compatible software were installed. For my special application I use the command:

int pcap_findalldevs(pcap_if_t **, char *);

In the direct comparison with WinPcap and Npcap my existing devices are listed differently:

Npcap/WinPcap:

adapter 0
\Device\NPF_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Intel(R) Ethernet Connection (3) I218-LM

Win10Pcap:

adapter 0
{XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX}
Intel(R) Ethernet Connection (3) I218-LM

Am I missing something during installation?

Any access to the device with Win10Pcap fails. I have no connection with the comparable drivers Npcap & WinPcap.

why the performance of win10pcap for capturing live stream is lower than original winpcap

Since win10pcap uses ndis6 instead of ndis5, the performance of win10pcap should be higher, but why do the test results show lower?

Test scene: Windows 10 OS receives four live RTP streams (every stream is 1.5Gps) through a 10G ethernet card.
  1. Only installing win10pcap, windump captures one of the four streams for about 10 seconds. Wireshark shows a lot of dropped packets.
  2. Only installing winpcap, windump captures one of the four streams for about 10 seconds. Wireshark shows no dropped packets.

PS: WinDump.exe -i 2 -B 4000000000 -s 54 -w winpcap.cap port 10000

Silent installer

Are there any plans to add the /S silent switch again in win10pcap, like there was in old versions of winpcap?

Incorrect endianness check

The implementation of SeIsLittleEndian appears to be incorrect. It tests an address of a variable instead of testing the contents. Since the address isn't 0, the function always returns true. I've submitted a proposed fix.

Does not return a correct interface mask

When trying to use Win10Pcap with Softperfect Netscan I get an error with the "find duplicate IP" function. Softperfect has narrowed it down to Win10Pcap not returning a correct interface mask.

Fail to link vs SDK static libs

When static lib coming with SDK is used for linking it fails with

C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: CMakeFiles/app.dir/objects.a(main.cpp.obj):main.cpp:(.text.startup+0x97c): undefined reference to `pcap_findalldevs'

Linking command:

/C/msys64/mingw64/bin/g++.exe -O3 -DNDEBUG -static-libgcc -static -Wl,--whole-archive CMakeFiles/app.dir/objects.a -Wl,--no-whole-archive -o app.exe -Wl,--major-image-version,0,--minor-image-version,0 /C/msys64/zoo/WpdPack/Lib/wpcap.lib -lws2_32 ...

Probably here is the explanation:

# nm /C/msys64/zoo/WpdPack/Lib/x64/wpcap.lib | grep -w pcap_findalldevs
0000000000000000 T pcap_findalldevs

CoS fields (from 802.1Q header) is always zero

Hi there,

In the 802.1Q header (where the VLAN is located), the other field PRI is always captured as zero (=Best Effort). I've reproduced the issue easily by using a router confirmed to output PRI = 5 (=Voice) including VLAN tag.

Thanks in advance!

Compiling with MingW

There are some gcc errors when building with TDM-gcc:

win_bpf_filter.c: In function 'bpf_filter':
win_bpf_filter.c:419:11: error: lvalue required as left operand of assignment
    (int)A = -((int)A);
           ^
win_bpf_filter.c: In function 'bpf_filter_with_2_buffers':
win_bpf_filter.c:920:11: error: lvalue required as left operand of assignment
    (int)A = -((int)A);

Not to speak about all the warnings :-)
This was my gcc 5.1 compile command:

gcc -m32 -O2 -g  -O0 -ggdb -D_NTLSA_IFS_ -DMINGW_HAS_SECURE_API

Compatibility with NPcap?

A question if anybody is listening.

Last time I tried Win10Pcap (back in 2017?), I also had WinPcap ver. 4.1.13 installed. They both worked great!
Now I've uninstalled WinPcap and installed the latest NPcap ver. 1.79 (since AFAICS they have fixed the dreaded BSoD issues).

So my question is if Win10Pcap can operate hand-in-hand with NPcap?

Cannot even open the capture session

Hi,

We are conducting some tests of Win10Pcap to see if it performs better than the original WinPcap in our scenario.
We P/Invoke wpcap.dll from .NET Framework.
We've built a C# application that successfully uses WinPcap (the original) to send packets (pcap_sendpacket function) in Windows Server 2012 R2. Then we've switched to Win10Pcap, and we don't even succeed in invoking pcap_open. It always returns NULL.
On the contrary, pcap_findalldevs works, but we also find a big change in behaviour here: where the original WinPcap reports \Device\NPF_{} as device name now Win10Pcap reports only {}. It is relevant, because the device name reported by the driver is expected to work intact as source in the call to pcap_open. Neither combination (prefixed or not by \Device\NPF_) works for us with Win10Pcap.
But, interestingly, Wireshark (after ignoring its complaint about NPF not being found) works with Win10Pcap (we've tested interface listing and also capturing; can't test sending packets with Wireshark).
That's why we are wondering what might be the cause of the problem with our (otherwise, very simple) usage of the driver and its API. Problem that Wireshark seems not to be facing.

Any help would be appreciated.

Regards,

J.M.

matching SDK headers to installation download

Ohayo Dr-Nobori san

There is a bit of apparent duplication in the SDK WpcapSrc_4_1_3\ when attempting to bind an application to current download Win10Pcap binaries

Which are the correct include paths in the SDK?

Is there somewhere a link-time .lib to attach the application to the .dll ?

I am aware of the recommendation not to call BPF directly, but is Packet.dll unlike the original work of Turin Polytechnical School? I suppose it must be if it interfaces to new NDIS in a new way

Greetings from Switzerland

Tim Cox
République et Canton de Neuchâtel, Switzerland

Order of operations error and missing exception handling

In NDisDriver.c, line 1531 the following code will always evaluate to 0:

tag_us = (qinfo.TagHeader.UserPriority & 0x07 << 13) |
(qinfo.TagHeader.CanonicalFormatId & 0x01 << 12) |
(qinfo.TagHeader.VlanId & 0x0FFF);

This is because the shift operations take precedence over the and operations. To correct this, add parentheses as such:

tag_us = ((qinfo.TagHeader.UserPriority & 0x07) << 13) |
((qinfo.TagHeader.CanonicalFormatId & 0x01) << 12) |
(qinfo.TagHeader.VlanId & 0x0FFF);

In addition, anywhere there is a ProbeForRead or ProbeForWrite, these should be surrounded by a __try / __except block (and so should any additional access to the buffers). See https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-probeforread for more information.
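The two expressions from this issue compared on one 802.1Q tag, as an added example (not code from NDisDriver.c); it also relates to the "CoS fields" issue above, which reports PRI captured as zero. `struct tag_header` is a hypothetical stand-in for `qinfo.TagHeader`, and the sample values (PRI 5, CFI 1, VLAN 100) are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields read from qinfo.TagHeader. */
struct tag_header {
    uint32_t UserPriority;       /* 3-bit 802.1p priority (PRI) */
    uint32_t CanonicalFormatId;  /* 1-bit CFI */
    uint32_t VlanId;             /* 12-bit VLAN ID */
};

/* Expression as quoted in the issue. '<<' binds tighter than '&', so the
 * first two terms are  prio & 0xE000  and  cfi & 0x1000. */
static uint16_t tci_as_reported(struct tag_header t)
{
    return (uint16_t)((t.UserPriority & 0x07 << 13) |
                      (t.CanonicalFormatId & 0x01 << 12) |
                      (t.VlanId & 0x0FFF));
}

/* Parenthesised form proposed in the issue: mask first, then shift. */
static uint16_t tci_fixed(struct tag_header t)
{
    return (uint16_t)(((t.UserPriority & 0x07) << 13) |
                      ((t.CanonicalFormatId & 0x01) << 12) |
                      (t.VlanId & 0x0FFF));
}

/* Decoders for the 16-bit Tag Control Information word. */
static unsigned tci_pri(uint16_t tci) { return tci >> 13; }
static unsigned tci_cfi(uint16_t tci) { return (tci >> 12) & 0x01; }
static unsigned tci_vid(uint16_t tci) { return tci & 0x0FFF; }

int main(void)
{
    struct tag_header t = { 5, 1, 100 };  /* constructed sample tag */
    uint16_t bad = tci_as_reported(t), good = tci_fixed(t);

    printf("as reported: 0x%04X pri=%u cfi=%u vid=%u\n",
           (unsigned)bad, tci_pri(bad), tci_cfi(bad), tci_vid(bad));
    printf("fixed:       0x%04X pri=%u cfi=%u vid=%u\n",
           (unsigned)good, tci_pri(good), tci_cfi(good), tci_vid(good));
    return 0;
}
```

For in-range field values, the unparenthesised form drops the priority and CFI bits from the tag and keeps only the VLAN ID bits.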

Please change Resource data

Please change the resource-strings / data inside your wpcap.dll. I just installed your Win10Pcap-v10.1-5001.msi alongside my original WinPcap and now I've got what I think are Win10Pcap's version under:

 c:\Windows\System32\wpcap.dll
 c:\Windows\Sysnative\wpcap.dll   (shadow of the above?)
 c:\Windows\SysWOW64\wpcap.dll

All with the same resource-data:

CompanyName     Riverbed Technology, Inc.
FileDescription wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)

I think even though wpcap.dll is binary-compatible with the original wpcap.dll, it's very confusing that neither Win10Pcap nor SoftEtherVPN is mentioned in the resource-data.

Although I see you have updated the resource data in Packet.dll:

CompanyName     Daiyuu Nobori, University of Tsukuba, Japan
LegalCopyright  Copyright (C) 2015 Daiyuu Nobori, University of Tsukuba, Japan.

IMHO both .DLLs should indicate they are part of the same Win10Pcap project.

Anyway, a good job. Good to see WinPcap is alive again.

Receive side coalescing is not working after installing win10pcap.

We have a few problems with win10pcap. Win10pcap is disabling the receive side coalescing of the system. After we install win10pcap and run the cmdlet get-netadapterrsc *, we observe the following output:

Name        IPv4Enabled  IPv6Enabled  IPv4OperationalState  IPv6OperationalState  IPv4FailureReason  IPv6FailureReason
Ethernet 3  True         True         False                 False                 NDISCompatibility  NDISCompa...

Operational state of RSC is failed due to NDISCompatibility, which is caused by Win10pcap.

Other problems we are facing with Win10pcap are:

1) Win10pcap is not capturing packets with size more than 1514.
2) We are also getting an npf driver error while launching Wireshark.

We are observing these issues on both Windows 2012R2 and Windows vnext.

Please kindly help us resolving the issues.

Regards,
Ranjith

Wrong netmask and further development.

The iflist example included in the original WinPcap Developer's Pack does not return the correct Netmask when using the Win10Pcap driver.
Is there anyone who has the time and knowledge to continue supporting or developing a "Win11Pcap" version for example, or is the project abandoned?

Questions: Get corresponding process

First: Great project!

I've a question: Is it somehow possible to get the process (PID or name) which is the source or target of the network traffic?
E.g.: Process with PID 123 did a UDP request to IP x.x.x.x?

If this is not easily possible, what would be needed to make it possible?

Blue Screen Of Death blamed on Win10PCap.sys

Hi there,

Since installing Win10PCap back in February, I have had the BSOD on several occasions with an error message "DRIVER_IRQL_NOT_LESS_OR_EQUAL at Win10PCap.sys". A MEMORY.DMP file was generated in the C:\Windows directory, and I've managed to get as far as using the WINDBG debugging utility to generate the attached file. The one thing I did notice in the file are the following few lines:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00196078, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000002, value 0 = read operation, 1 = write operation
Arg4: 8ade1260, address which referenced memory

You will notice that Arg3 has a reported value of 2, but the valid values are only 0 and 1 !!!

I am running Windows 10 Home 32-bit, on a Dell Inspiron 530. I am only using Win10PCap to support the TP-Link PowerLine utility, so don't really need it, and will be uninstalling it the next time a BSOD occurs.

Regards.

John.

MEMORY.txt

Windows on ARM, Support?

Please let us know when we can have an ARM64 version for Windows on ARM OS. We can help you test. We have a Windows on Raspberry Pi setup. Please pursue it; we at the Windows on Raspberry Pi community will be glad to extend support in testing your drivers and tools for ARM64.

Win10Pcap Crash in Windows10 PC

I use the Win10pcap component as a packet sniffer on my Windows 10 PC.
Periodically (say every 5 min), I open all the NICs connected to my PC, sniff the packets and then close all the NICs.

But sometimes my exe which uses Win10Pcap crashes, and every time it points to the pcap_open() call or
pcap_findalldevs_ex(). I need some help on fixing this issue.

I have given below the way the above calls are made.

    #define HAVE_REMOTE  /* WinPcap's pcap.h pulls in pcap_open()/pcap_findalldevs_ex() only when this is defined */
    #include <pcap.h>
    #include <cstring>
    #include <string>
    using std::string;

    static pcap_t * OpenDevice(string nicName)
    {
        pcap_t *descr = NULL;           /* Network interface handler */
        char errbuf[PCAP_ERRBUF_SIZE];  /* Error buffer */
        memset(errbuf, 0, PCAP_ERRBUF_SIZE);
        if ((descr = pcap_open(nicName.c_str(),
                               1024 /* snaplen */,
                               0 /* flags */,  // PCAP_OPENFLAG_PROMISCUOUS mode is disabled
                               20 /* read timeout */,
                               NULL /* remote authentication */,
                               errbuf)) == NULL)
        {
            return NULL;
        }

        return descr;
    }

    static pcap_if_t * FindAllDevices()
    {
        pcap_if_t * alldevs = NULL;
        char errbuf[PCAP_ERRBUF_SIZE];  /* Error buffer */
        memset(errbuf, 0, PCAP_ERRBUF_SIZE);
        if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
        {
            alldevs = NULL;
        }
        return alldevs;
    }

packet timestamp problem.

I have installed and used this win10pcap driver but it seems to me that the frame timestamp does not match the time of the machine. Now I have a ~30 min delay already.
Any idea how to sync or resync the frame timestamps?

Issue in PacketGetStats, buffer overrun

PacketGetStats writes a field in the structure pcap_stats that should NOT be touched, bs_capt. Due to some bad mojo in pcap_stats and pcap_stats_ex on windows (wpcap.dll), pcap_stats uses a 3-fields version of struct pcap_stats, pcap_stats_ex uses a bigger one. PacketGetStatsEx is the function that can write into bs_capt.

This is clearly written in the original sources for packet.dll from the original WinPcap (winpcap.org).

Patch is attached.

win10pcap.patch.txt
