softethervpn / win10pcap
Win10Pcap: WinPcap for Windows 10 (NDIS 6.x driver model)
License: Other
Hi everyone,
I get the following error when installing it on Windows 10 (version 10.0.10240).
Has anyone fixed this?
Thanks
PacketGetStats writes a field in the structure pcap_stats that should NOT be touched, bs_capt. Due to some bad mojo in pcap_stats and pcap_stats_ex on Windows (wpcap.dll), pcap_stats uses a 3-field version of struct pcap_stats, while pcap_stats_ex uses a bigger one. PacketGetStatsEx is the function that may write into bs_capt.
This is clearly written in the original sources for packet.dll from the original WinPcap (winpcap.org).
Patch is attached: win10pcap.patch.txt
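The struct-versioning problem described in this report, as an added example that is not Win10Pcap or WinPcap code. The two struct layouts mirror the public pcap_stat definition (three counters, with bs_capt as the optional fourth); the driver-counter struct, the function names and the canary harness are assumptions made for this example. The point it shows: a stats routine that always writes the fourth field overruns the 12-byte struct that the plain pcap_stats() path hands it, so the fill routine must be told how large the caller's struct is and write bs_capt only when there is room.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 3-field layout: what pcap_stats() passes (ps_recv, ps_drop, ps_ifdrop). */
struct stat_v1 { uint32_t ps_recv; uint32_t ps_drop; uint32_t ps_ifdrop; };
/* 4-field layout: what pcap_stats_ex() passes (adds bs_capt). */
struct stat_v2 { uint32_t ps_recv; uint32_t ps_drop; uint32_t ps_ifdrop; uint32_t bs_capt; };

/* Hypothetical driver-side counters (assumption for this example). */
struct drv_counters { uint32_t recv, drop, ifdrop, capt; };

/* Buggy shape: always writes all four counters (16 bytes). When reached via
 * pcap_stats(), whose caller only provided a stat_v1, the bs_capt write lands
 * on whatever follows that struct on the caller's stack. */
static size_t packet_get_stats_buggy(const struct drv_counters *c, void *out)
{
    uint32_t v[4] = { c->recv, c->drop, c->ifdrop, c->capt };
    memcpy(out, v, sizeof v);
    return sizeof v;
}

/* Fixed shape: the caller states its struct size; bs_capt is written only when
 * the buffer is large enough for the v2 layout (the PacketGetStatsEx path).
 * Returns the number of bytes written, 0 if the buffer is too small even for v1. */
static size_t packet_get_stats_fixed(const struct drv_counters *c, void *out, size_t out_size)
{
    uint32_t v[4] = { c->recv, c->drop, c->ifdrop, c->capt };
    size_t n;
    if (out_size >= sizeof(struct stat_v2))      n = sizeof(struct stat_v2);
    else if (out_size >= sizeof(struct stat_v1)) n = sizeof(struct stat_v1);
    else return 0;
    memcpy(out, v, n);
    return n;
}

/* Harness: a v1 struct followed by a 4-byte canary, standing in for the next
 * stack variable. Returns 1 if the canary is intact after the call. */
#define CANARY 0xA5A5A5A5u
static int canary_survives(int use_fixed)
{
    unsigned char buf[sizeof(struct stat_v1) + sizeof(uint32_t)];
    uint32_t canary = CANARY, after;
    struct drv_counters c = { 100, 3, 0, 97 };   /* constructed sample counters */
    memcpy(buf + sizeof(struct stat_v1), &canary, sizeof canary);
    if (use_fixed) packet_get_stats_fixed(&c, buf, sizeof(struct stat_v1));
    else           packet_get_stats_buggy(&c, buf);
    memcpy(&after, buf + sizeof(struct stat_v1), sizeof after);
    return after == CANARY;
}

int main(void)
{
    printf("buggy fill, canary intact: %d\n", canary_survives(0));
    printf("fixed fill, canary intact: %d\n", canary_survives(1));
    return 0;
}
```

The same size parameter is what lets one driver entry point serve both pcap_stats and pcap_stats_ex without two copies of the counter code.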
Please change the resource-strings / data inside your wpcap.dll. I just installed your Win10Pcap-v10.1-5001.msi alongside my original WinPcap and now I've got what I think are Win10Pcap's versions under:
c:\Windows\System32\wpcap.dll
c:\Windows\Sysnative\wpcap.dll (shadow of the above?)
c:\Windows\SysWOW64\wpcap.dll
All with the same resource-data:
CompanyName Riverbed Technology, Inc.
FileDescription wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
I think even though wpcap.dll is binary-compatible with the original wpcap.dll, it's very confusing that neither Win10Pcap nor SoftEtherVPN is mentioned in the resource-data.
Although I see you have updated the resource data in Packet.dll:
CompanyName Daiyuu Nobori, University of Tsukuba, Japan
LegalCopyright Copyright (C) 2015 Daiyuu Nobori, University of Tsukuba, Japan.
IMHO both .DLLs should indicate they are part of the same Win10Pcap project.
Anyway, a good job. Good to see WinPcap is alive again.
Please let us know when we can have an ARM64 version for the Windows on ARM OS. We can help you test; we have a Windows on Raspberry Pi setup. Please pursue it. We at the Windows on Raspberry Pi community will be glad to extend support in testing your drivers and tools for ARM64.
Hi,
We are conducting some tests of Win10Pcap to see if it performs better than the original WinPcap in our scenario.
We P/Invoke wpcap.dll from .NET Framework.
We've built a C# application that successfully uses WinPcap (the original) to send packets (pcap_sendpacket function) in Windows Server 2012 R2. Then we've switched to Win10Pcap, and we don't even succeed in invoking pcap_open. It always returns NULL.
On the contrary, pcap_findalldevs works, but we also find a big change in behaviour here: where the original WinPcap reports \Device\NPF_{} as device name now Win10Pcap reports only {}. It is relevant, because the device name reported by the driver is expected to work intact as source in the call to pcap_open. Neither combination (prefixed or not by \Device\NPF_) works for us with Win10Pcap.
But, interestingly, Wireshark (after ignoring its complaint about NPF not being found) works with Win10Pcap (we've tested interface listing and also capturing; can't test sending packets with Wireshark).
That's why we are wondering what might be the cause of the problem with our (otherwise, very simple) usage of the driver and its API. Problem that Wireshark seems not to be facing.
Any help would be appreciated.
Regards,
J.M.
If this software is no longer going to be maintained, updated, secured, it would be better to put up a notice of this on the website as well as here on Github for clarity.
I use the Win10Pcap component as a packet sniffer on my Windows 10 PC.
Periodically (say every 5 min), I open all the NICs connected to my PC, sniff the packets, and then close all the NICs.
But sometimes my exe which uses Win10Pcap crashes, and every time it points to the pcap_open() call or pcap_findalldevs_ex(). I need some help fixing this issue.
I have given below the way the above calls are made.
#include <pcap.h>
#include <cstring>
#include <string>

static pcap_t * OpenDevice(const std::string &nicName)
{
    pcap_t *descr = NULL;              /* Network interface handler */
    char errbuf[PCAP_ERRBUF_SIZE];     /* Error buffer */
    memset(errbuf, 0, PCAP_ERRBUF_SIZE);
    if ((descr = pcap_open(nicName.c_str(),
                           1024,   /* snaplen */
                           0,      /* flags: PCAP_OPENFLAG_PROMISCUOUS mode is disabled */
                           20,     /* read timeout (ms) */
                           NULL,   /* remote authentication */
                           errbuf)) == NULL)
    {
        return NULL;
    }
    return descr;
}

static pcap_if_t * FindAllDevices()
{
    pcap_if_t *alldevs = NULL;
    char errbuf[PCAP_ERRBUF_SIZE];     /* Error buffer */
    memset(errbuf, 0, PCAP_ERRBUF_SIZE);
    if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
    {
        alldevs = NULL;
    }
    return alldevs;     /* caller must release with pcap_freealldevs() */
}
There are some gcc errors when building with TDM-gcc:
win_bpf_filter.c: In function 'bpf_filter':
win_bpf_filter.c:419:11: error: lvalue required as left operand of assignment
(int)A = -((int)A);
^
win_bpf_filter.c: In function 'bpf_filter_with_2_buffers':
win_bpf_filter.c:920:11: error: lvalue required as left operand of assignment
(int)A = -((int)A);
Not to speak about all the warnings :-)
This was my gcc 5.1 compile command:
gcc -m32 -O2 -g -O0 -ggdb -D_NTLSA_IFS_ -DMINGW_HAS_SECURE_API
When trying to use Win10Pcap with Softperfect Netscan I get an error with the "find duplicate IP" function. Softperfect has narrowed it down to Win10Pcap not returning a correct interface mask.
Hi there,
Since installing Win10PCap back in February, I have had the BSOD on several occasions with an error message "DRIVER_IRQL_NOT_LESS_OR_EQUAL at Win10PCap.sys". A MEMORY.DMP file was generated in the C:\Windows directory, and I've managed to get as far as using the WINDBG debugging utility to generate the attached file. The one thing I did notice in the file are the following few lines:
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00196078, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000002, value 0 = read operation, 1 = write operation
Arg4: 8ade1260, address which referenced memory
You will notice that Arg3 has a reported value of 2, but the valid values are only 0 and 1 !!!
I am running Windows 10 Home 32-bit, on a Dell Inspiron 530. I am only using Win10PCap to support the TP-Link PowerLine utility, so don't really need it, and will be uninstalling it the next time a BSOD occurs.
Regards.
John.
Are there any plans to add /S silent switch again in win10pcap. Like there was in old versions of winpcap.
After using packet.dll and win10pcap.sys, the I/O read byte count is very high and increases quickly.
I have installed and used this win10pcap driver but it seems to me that the frame timestamp does not match the time of the machine. Now I have a ~30 min delay already.
Any idea how to sync or resync the frame timestamps?
In NDisDriver.c, line 1531 the following code will always evaluate to 0:
tag_us = (qinfo.TagHeader.UserPriority & 0x07 << 13) |
(qinfo.TagHeader.CanonicalFormatId & 0x01 << 12) |
(qinfo.TagHeader.VlanId & 0x0FFF);
This is because the shift operations take precedence over the AND operations. To correct this, add parentheses as follows:
tag_us = ((qinfo.TagHeader.UserPriority & 0x07) << 13) |
((qinfo.TagHeader.CanonicalFormatId & 0x01) << 12) |
(qinfo.TagHeader.VlanId & 0x0FFF);
In addition, anywhere there is a ProbeForRead or ProbeForWrite, these should be surrounded by a __try / __except block (and so should any additional access to the buffers). See https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-probeforread for more information.
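The precedence bug from this report, as an added example that is not Win10Pcap code. The tag_header struct is a stand-in for the NDIS 802.1Q TagHeader fields the report names; the function names and the sample tag are assumptions made for this example. The buggy version is written with the parentheses the compiler actually inserts, so it behaves exactly like the original line but compiles without a precedence warning. With a 3-bit UserPriority, `x & (0x07 << 13)` is always zero, so the PCP and CFI bits never reach the capture; that is consistent with the later report on this page of PRI always being captured as 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the NDIS 802.1Q TagHeader fields (assumption for this example). */
struct tag_header { uint16_t UserPriority; uint16_t CanonicalFormatId; uint16_t VlanId; };

/* The original expression, with the grouping the compiler applies: `<<` binds
 * tighter than `&`, so the masks become 0xE000 and 0x1000, which a 3-bit
 * priority and a 1-bit CFI can never satisfy. Only the VLAN ID survives. */
static uint16_t pack_tci_buggy(const struct tag_header *q)
{
    return (uint16_t)((q->UserPriority     & (0x07 << 13)) |
                      (q->CanonicalFormatId & (0x01 << 12)) |
                      (q->VlanId & 0x0FFF));
}

/* Corrected grouping: mask first, then shift into the TCI bit positions
 * (PCP bits 15..13, CFI/DEI bit 12, VID bits 11..0). */
static uint16_t pack_tci_fixed(const struct tag_header *q)
{
    return (uint16_t)(((q->UserPriority & 0x07) << 13) |
                      ((q->CanonicalFormatId & 0x01) << 12) |
                      (q->VlanId & 0x0FFF));
}

/* Writes the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI) in network
 * byte order, as it would be re-inserted into a captured frame. */
static void write_8021q_tag(uint16_t tci, unsigned char buf[4])
{
    buf[0] = 0x81; buf[1] = 0x00;
    buf[2] = (unsigned char)(tci >> 8);
    buf[3] = (unsigned char)(tci & 0xFF);
}

/* What a capture consumer (e.g. Wireshark) reads back from the tag bytes. */
static unsigned tag_pcp(const unsigned char buf[4]) { return buf[2] >> 5; }
static unsigned tag_cfi(const unsigned char buf[4]) { return (buf[2] >> 4) & 1; }
static unsigned tag_vid(const unsigned char buf[4]) { return ((buf[2] & 0x0F) << 8) | buf[3]; }

int main(void)
{
    /* Constructed sample: voice priority (PCP 5), CFI 0, VLAN 100. */
    struct tag_header q = { 5, 0, 100 };
    unsigned char tag[4];

    write_8021q_tag(pack_tci_buggy(&q), tag);
    printf("buggy: PCP=%u CFI=%u VID=%u\n", tag_pcp(tag), tag_cfi(tag), tag_vid(tag));
    write_8021q_tag(pack_tci_fixed(&q), tag);
    printf("fixed: PCP=%u CFI=%u VID=%u\n", tag_pcp(tag), tag_cfi(tag), tag_vid(tag));
    return 0;
}
```

Compiling with -Wparentheses (part of -Wall in GCC and Clang) flags the original unparenthesised form, which is the cheapest check for this class of bug across the driver source.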
Does this have RPCAP support as referred in https://www.winpcap.org/docs/docs_40_2/html/group__remote.html
The implementation of SeIsLittleEndian appears to be incorrect. It tests an address of a variable instead of testing the contents. Since the address isn't 0, the function always returns true. I've submitted a proposed fix.
Their official website:
https://nmap.org/npcap/
Source repository:
https://github.com/nmap/npcap
Also: the NEWS on the WinPcap website recommends that users switch to Npcap.
I hope you can contribute your code directly to them, so that effort is concentrated rather than split up.
I'm sorry to say this, but I still hope you will think it over.
Please don't be angry at my words; my suggestion is sincere and has no regard for borders.
pcap_open_live is thread safe in winpcap 4.1.3 but not in win10pcap.
Ohayo Dr-Nobori san
There is a bit of apparent duplication in the SDK WpcapSrc_4_1_3\ when attempting to bind an application to current download Win10Pcap binaries
Which are the correct include paths in the SDK?
Is there somewhere a link-time .lib to attach the application to the .dll ?
I am aware of the recommendation not to call BPF directly, but is Packet.dll unlike the original work of Turin Polytechnical School? I suppose it must be if it interfaces to new NDIS in a new way
Greetings from Switzerland
Tim Cox
République et Canton de Neuchâtel, Switzerland
When the static lib that comes with the SDK is used for linking, it fails with:
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/10.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: CMakeFiles/app.dir/objects.a(main.cpp.obj):main.cpp:(.text.startup+0x97c): undefined reference to `pcap_findalldevs'
Linking command:
/C/msys64/mingw64/bin/g++.exe -O3 -DNDEBUG -static-libgcc -static -Wl,--whole-archive CMakeFiles/app.dir/objects.a -Wl,--no-whole-archive -o app.exe -Wl,--major-image-version,0,--minor-image-version,0 /C/msys64/zoo/WpdPack/Lib/wpcap.lib -lws2_32 ...
Probably here is the explanation:
# nm /C/msys64/zoo/WpdPack/Lib/x64/wpcap.lib | grep -w pcap_findalldevs
0000000000000000 T pcap_findalldevs
First: Great project!
I've a question: Is it somehow possible to get the process (PID or name) which is the source or target of the network traffic?
E.g.: Process with PID 123 did a UDP request to IP x.x.x.x?
If this is not easily possible, what would be needed to make it possible?
We have a few problems with Win10Pcap. Win10Pcap is disabling receive side coalescing (RSC) on the system. After installing Win10Pcap and running the cmdlet get-netadapterrsc *, we observe the following output:
Name        IPv4Enabled  IPv6Enabled  IPv4OperationalState  IPv6OperationalState  IPv4FailureReason  IPv6FailureReason
Ethernet 3  True         True         False                 False                 NDISCompatibility  NDISCompa...
The operational state of RSC is failed due to NDISCompatibility, which is caused by Win10Pcap.
Other problems we are facing with Win10Pcap are:
1) Win10Pcap is not capturing packets larger than 1514 bytes.
2) We are also getting an NPF driver error when launching Wireshark.
We are observing these issues on both Windows 2012 R2 and Windows vNext.
Please kindly help us resolve the issues.
Regards,
Ranjith
Compiling the Packet_dll sources in debug mode with the switch -RTCs and using them in a simple program, I get a crash as shown here:
Seems the definition of bool is to blame. Looking at the CPP output, I see
typedef _Bool __crt_bool;
...
_Bool IsWow64()
{
_Bool b = 0;
if (Is64BitCode())
{
return 0;
}
if (IsWow64Process(GetCurrentProcess(), &b) == 0)
{
return 0;
}
I had to build using WIN32COM_CPP with the latest WindowsKit. Bottom line seems to be, sizeof(bool) != sizeof(BOOL). I suggest you rewrite that since IsWow64Process() clearly should take a PBOOL.
-RTCs is Stack Frame runtime checking, a real handy switch in MSVC.
BTW, here is the stack backtrace:
enum_adapters!failwithmessage(void * retaddr = 0x012de50e, int crttype = 0n1, int errnum = 0n2, char * msg = 0x00b9f910 "Stack around the variable 'b' was corrupted.")+0x1ec
enum_adapters!_RTC_StackFailure(void * retaddr = 0x012de50e, char * varname = 0x00000002 "--- memory read error at address 0x00000002 ---")+0xee
enum_adapters!_RTC_CheckStackVars(void * frame = 0x00b9fd58, struct _RTC_framedesc * v = 0x012de520)+0x46
enum_adapters!IsWow64(void)+0x6e
...
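The type-width mismatch behind this crash, as an added example that is not Win10Pcap code. Win32 BOOL is a 32-bit int, while C99 _Bool (the `bool` the report shows in the CPP output) is one byte, so an API that stores a BOOL through a PBOOL writes three bytes past a _Bool on the stack, which is what -RTCs catches. The fake_IsWow64Process stub, the byte-array harness and the function names are assumptions made for this example; the stub stores a full BOOL through the pointer exactly as the real API does, and always reports TRUE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int BOOL;          /* Win32 BOOL: 32-bit int */
typedef BOOL *PBOOL;

/* Stand-in for IsWow64Process(): stores a full 4-byte BOOL through the
 * pointer, like the real API. Assumption for this example; always "TRUE". */
static BOOL fake_IsWow64Process(PBOOL out)
{
    BOOL v = 1;
    memcpy(out, &v, sizeof v);
    return 1;
}

/* Buggy shape from the report: `_Bool b; IsWow64Process(h, &b);`.
 * Modelled on a 4-byte slot so the overrun is observable without relying on
 * undefined stack layout: slot[0] is where the 1-byte _Bool lives, slot[1..3]
 * stand for the neighbouring stack bytes. Returns 1 if they survived. */
static int neighbours_survive_buggy(void)
{
    _Alignas(BOOL) unsigned char slot[4] = { 0, 0xCC, 0xCC, 0xCC };
    fake_IsWow64Process((PBOOL)slot);      /* 4-byte store into a 1-byte variable */
    return slot[1] == 0xCC && slot[2] == 0xCC && slot[3] == 0xCC;
}

/* Fixed shape: the out-parameter has the type the API declares (BOOL), so the
 * store is exactly as wide as the variable. */
static BOOL IsWow64_fixed(void)
{
    BOOL b = 0;
    if (!fake_IsWow64Process(&b))
        return 0;
    return b;
}

int main(void)
{
    printf("sizeof(BOOL)=%zu sizeof(_Bool)=%zu\n", sizeof(BOOL), sizeof(_Bool));
    printf("buggy call, neighbours intact: %d\n", neighbours_survive_buggy());
    printf("fixed call, result: %d\n", IsWow64_fixed());
    return 0;
}
```

The general rule for a P/Invoke or C boundary: the local passed by pointer must have the exact width the callee declares (BOOL, not bool or _Bool), and building with runtime stack checks (-RTCs) or a sanitizer turns this silent corruption into an immediate report.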
Hello
I am trying to use win10pcap with Powerline tools and I get a "FATAL bad memory block" every time.
I see that this has been reported by a few others:
https://www.google.co.uk/webhp?q=FATAL+bad+memory+block
Wireshark does work fine. Any clues about how to resolve this?
James
Hi there,
In the 802.1Q header (where the VLAN is located), the other field PRI is always captured as zero (=Best Effort). I've reproduced the issue easily by using a router confirmed to output PRI = 5 (=Voice) including VLAN tag.
Thanks in advance!
In searching for an alternative to WinPcap I came across Win10Pcap. Installation works and the driver is also displayed in my network card's properties. But an attempt to connect to Wireshark fails as if no WinPcap-compatible software were installed. For my specific application I use the call:
int pcap_findalldevs(pcap_if_t **, char *);
In the direct comparison with WinPcap and Npcap my existing devices are listed differently:
Npcap/WinPcap:
adapter 0
\Device\NPF_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
Intel(R) Ethernet Connection (3) I218-LM
Win10Pcap:
adapter 0
{XXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX}
Intel(R) Ethernet Connection (3) I218-LM
Am I missing something during installation?
Any access to the device with Win10Pcap fails. I have no connection with the comparable drivers Npcap & WinPcap.
Since Win10Pcap uses NDIS 6 instead of NDIS 5, the performance of Win10Pcap should be higher, but why do the test results show it lower?
Test scene: a Windows 10 machine receives four live RTP streams (each stream is 1.5Gps) through a 10G Ethernet card.
1. With only Win10Pcap installed, WinDump captures one of the four streams for about 10 seconds. Wireshark shows a lot of dropped packets.
2. With only WinPcap installed, WinDump captures one of the four streams for about 10 seconds. Wireshark shows no dropped packets.
PS: WinDump.exe -i 2 -B 4000000000 -s 54 -w winpcap.cap port 10000
The iflist example included in the original WinPcap Developer's Pack does not return the correct Netmask when using the Win10Pcap driver.
Is there anyone who has the time and knowledge to continue supporting or developing a "Win11Pcap" version for example, or is the project abandoned?
A question if anybody is listening.
Last time I tried Win10Pcap (back in 2017?), I also had WinPcap ver. 4.1.13 installed. They both worked great!
Now I've uninstalled WinPcap and installed the latest NPcap ver. 1.79 (since AFAICS they have fixed the dreaded BSoD issues).
So my question is if Win10Pcap can operate hand-in-hand with NPcap?
On line 1662 you're freeing buf, when it's obvious you mean to free tmp.