SoftEtherVPN / Win10Pcap

Win10Pcap: WinPcap for Windows 10 (NDIS 6.x driver model)

FATAL bad memory block #8

Open apathyuk opened 8 years ago

apathyuk commented 8 years ago

Hello

I am trying to use win10pcap with Powerline tools and I get a "FATAL bad memory block" every time.

I see that this has been reported by a few others:

https://www.google.co.uk/webhp?q=FATAL+bad+memory+block

Wireshark does work fine. Any clues about how to resolve this?

James

hsluoyz commented 8 years ago

You would like to try Npcap: https://github.com/nmap/npcap

mab0 commented 8 years ago

I got the same output. I tried to track it down and to me it seems like a defect. In SuPutPacket() there is a call to SeFree(buf). The buffer freed is allocated by my application and given to Win10Pcap in the PacketSendPacket() call. But for some reason SuPutPacket() wants to free it. The magic check in the SeFree() will trigger the log and return without doing anything. Remove the mentioned call to SeFree(buf) and you should be fine.

Npcap didn't work for me since it couldn't catch packets from the host itself. I am trying to run an application that captures all packets on an interface and can send packets to/from other Windows applications as well as to/from other hosts on the network.

hsluoyz commented 8 years ago

@mab0

> it couldn't catch packets from the host itself

I don't quite understand it. Npcap supports capturing incoming and outgoing packets. It can also send packets to network or inject packets to pretend they are coming from network. The usage is very flexible.

mab0 commented 8 years ago

My application can send packets which can be seen by the host. But the host's response, like on an ARP request, is never seen by my application. This works fine if I use Win10Pcap. Npcap seems to never pick up the packet so I prefer Win10Pcap. Seems more predictable to me.

hsluoyz commented 8 years ago

Hi @mab0 ,

> But the host's response, like on an ARP request, is never seen by my application.

I think you mean ARP response?

  1. If you can't see the response, does the application work normally? I want to distinguish whether the response is just unseen or doesn't even exist.
  2. Have you tried capturing in Wireshark? Let me know if the response shows up in Wireshark.

Thanks!

Cheers, Yang

mab0 commented 8 years ago

I checked again with Wireshark. I ran my application twice. One time with Npcap and one time for Win10Pcap.

And it's like I described before. The ARP request is sent out by my application and seen in Wireshark in both cases. But for Npcap no ARP response can be seen from my host. For other hosts on the network, ARP responses can be seen in both cases.

Win10Pcap has the correct behavior and is consistent with earlier versions of WinPcap. For some unknown reason Npcap breaks the functionality.

I worked around the malloc/free defect I described earlier in Win10Pcap by allocating the buffer to send and appending the expected magic so Win10Pcap can free the buffer correctly. But the fix would be to not free the buffer at all in PacketSendPacket().
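To illustrate the "magic" check discussed in this thread, here is an added C example; it is not Win10Pcap source and not code from any commenter, and `demo_alloc`, `demo_free`, `DEMO_MAGIC` and the header layout are hypothetical. It shows a free routine that validates a tag in front of the payload, which logs an error and frees nothing for a caller-allocated buffer but accepts a buffer that carries the tag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAGIC ((size_t)0x5AFEB10C) /* constructed tag value */

typedef struct { size_t magic; size_t size; } demo_hdr; /* hypothetical layout */

/* Allocate `size` payload bytes behind a tagged header; return the payload. */
void *demo_alloc(size_t size) {
    demo_hdr *h = malloc(sizeof *h + size);
    if (h == NULL) return NULL;
    h->magic = DEMO_MAGIC;
    h->size = size;
    return h + 1;
}

/* Free only blocks whose header carries the tag. Returns 0 when freed,
   -1 when the tag is missing (message logged, nothing freed). */
int demo_free(void *p) {
    demo_hdr h;
    if (p == NULL) return 0;
    memcpy(&h, (unsigned char *)p - sizeof h, sizeof h);
    if (h.magic != DEMO_MAGIC) {
        fprintf(stderr, "FATAL bad memory block\n");
        return -1;
    }
    free((unsigned char *)p - sizeof h);
    return 0;
}

/* Caller-owned frame handed to a send path that frees it. Constructed so the
   bytes in front of the frame are readable; a real foreign pointer gives no
   such guarantee. */
int free_caller_buffer(void) {
    static unsigned char caller_mem[sizeof(demo_hdr) + 64];
    return demo_free(caller_mem + sizeof(demo_hdr));
}

/* Frame obtained from the tagged allocator: the check passes and it is freed. */
int free_tagged_buffer(void) {
    void *frame = demo_alloc(64);
    return frame ? demo_free(frame) : -2;
}

int main(void) {
    printf("caller buffer: %d, tagged buffer: %d\n",
           free_caller_buffer(), free_tagged_buffer());
    return 0;
}
```

The second case mirrors the workaround described in the comment above, where the application hands over a buffer carrying the expected tag; leaving caller-owned memory unfreed makes that unnecessary.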

hsluoyz commented 8 years ago

Hi @mab0 ,

I have fixed this bug in the latest Npcap 0.06 R7.1. Please try it at: https://github.com/nmap/npcap/releases

mab0 commented 8 years ago

Hi,

Thanks for your help but I tried Npcap 0.06 r7 and it's still not working. The VMware interface support is nice though.

hsluoyz commented 8 years ago

Hi @mab0 ,

I can't reproduce your issue.

I used a Win10 x64 VMware VM. It has an Ethernet adapter which is NATed with the host. Then I ping the gateway: 192.168.47.1, and it shows that the ARP request and response are good as this picture:

[image]

I think this has something to do with your application. So can I have your application that causes this issue? Source code would be better; if you don't want to share your source code, providing me the binary is also OK. Another way is to give me a simple example with source code that can trigger this issue. I will fix this issue ASAP.

Thanks!

mab0 commented 8 years ago

I can't provide you with any code or binary. The code I run is proprietary.

If I understand your setup correctly it's not like my setup. No virtualization is involved. I have a Windows 10 workstation. I run an application on that machine that has its own network stack. Everything including layer 2 and up. So I want everything transmitted on the wire of a network adapter to be picked up by my application. Windows 10 and my application should work separately as if they were two different hosts on the same LAN.

This works for the most part. But there seems to be an exception with packets being sent from Windows 10 to my application. Windows 10 and my application use different MAC addresses. Windows 10 uses the MAC for the adapter but the application picks a new MAC and IP addresses. When I ping the IP of Windows 10 from my application, my application first sends an ARP request for the IP of the Windows 10 adapter. This request can be picked up by Windows 10 (and Wireshark if I run that at the same time) but the response is never seen. It's never picked up by Wireshark or my application.

My application does basically this to open the device:

```
adapter = PacketOpenAdapter(...)
PacketSetHwFilter(adapter, NDIS_PACKET_TYPE_PROMISCUOUS)
PacketSetBuff(adapter, 512*1024)
```

When sending packets:

```
packet = PacketAllocatePacket()
PacketInitPacket(packet, L2Data, L2DataLen)
PacketSendPacket(adapter, packet, TRUE)
```

When receiving packets:

```
packet = PacketAllocatePacket()
PacketInitPacket(packet, recvBuf, 2048)
PacketReceivePacket(adapter, packet, TRUE)
```

That is a condensed version of what I am doing. Quite straightforward. Works with Win10Pcap and WinPcap.

I'll try to compile Npcap myself if I find the time for it so I can dig deeper into this.

ChaosYoda commented 6 years ago

I am having the same issue. I tried the latest Npcap SDK (downloaded from nmap since I don't have VS 2013 installed to compile). The code I used is from https://github.com/jquesnelle/ethernet_pause/blob/master/sender.c but for x64. I am compiling on VS 2017 with Windows SDK 10.0.15063.0 on the v141 Platform Toolset. Unless Npcap SDK 0.1 (ZIP) is the old SDK?

FigBug commented 6 years ago

I'm getting the same error: "FATAL bad memory block". I get it both when sending single messages and when sending using a queue.

WongJiYong commented 6 years ago

@mab0 Hello, I get the same error, "FATAL bad memory block", and I saw your answer, but I can't find this function and I don't know how to remove it. Could you give me a detailed explanation? It has already cost me two days. Thank you in advance.

chris12342534 commented 2 years ago

> magic

Hello, I am having the same problem and trying to understand how to fix it. Can you explain what you mean by magic?

Jubin2607 commented 1 year ago

I am facing the same issue. Is there any solution to fix the problem?

chris12342534 commented 1 year ago

Actually yes, you have two options. The easiest one is to move from Win10Pcap to WinPcap, and the error will not be there. The second option is to find the Win10Pcap code files, locate the function where they are trying to free the variable magic, and remove that code. Then you will need to recompile Win10Pcap.

trivalik commented 8 months ago

I see this memory issue, too. Why use Win10Pcap? WinPcap 4.1.2 (with NDIS 5) works as expected on Windows 10/11. Win10Pcap sometimes swallows packets.