dotpcap / sharppcap

Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets

BSOD after X hours of listening/sending #140

Closed Zeelize closed 4 years ago

Zeelize commented 4 years ago

Hi,

I wrote a simple program using sharppcap to replicate incoming UDP packets to another port. Let's say I have incoming packets on port 25000: I will receive them using sharppcap, create a new Ethernet packet identical to the previous one, only change the destination port to 27000, and then send the packet.

Program is working exactly how I wanted to, I am receiving same UDP packet on port 25000 and port 27000.

But after some time, sometimes 1 hour, sometimes 2 hours, sometimes 12 hours, I get a BSOD. I have no idea what exactly is causing the BSOD (from the minidump I just know it's kernel and hal.dll), and in the address tree the first is "ipnat.sys".

Here is my code:

```csharp
device.OnPacketArrival += new PacketArrivalEventHandler(device_OnPacketArrival);
// Open the device for capturing
device.Open();
device.Filter = $"udp dst port {_portIncomming} and ip src not {_ipSource}";
// Start capture 'INFINITE' number of packets
device.Capture();
// Close the pcap device
// (Note: this line will never be called since
//  we're capturing infinite number of packets)
device.Close();
```

And receive:

```csharp
private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
{
    var device = e.Device;
    var packet = Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
    if (packet is EthernetPacket)
    {
        var eth = packet.Extract<EthernetPacket>();
        var ip = eth.Extract<IPPacket>();
        var udp = packet.Extract<UdpPacket>();
        // Extract<T>() returns null when the layer is absent, so check both before use
        if (ip != null && udp != null)
        {
            // Re-send the payload in a new frame addressed to the new destination port
            device.SendPacket(CreateDuplicate(eth.SourceHardwareAddress, eth.DestinationHardwareAddress, udp.PayloadData, ip.SourceAddress, ip.DestinationAddress));
        }
    }
}
```

And CreateDuplicate:

```csharp
private static EthernetPacket CreateDuplicate(PhysicalAddress source, PhysicalAddress dest, byte[] data, IPAddress ipSource, IPAddress ipDest)
{
    ushort udpSourcePort = _portIncomming;
    ushort udpDestinationPort = _newDestPort;
    var udpPacket = new UdpPacket(udpSourcePort, udpDestinationPort);

    var ipSourceAddress = ipSource;
    var ipDestinationAddress = ipDest;
    var ipPacket = new IPv4Packet(ipSourceAddress, ipDestinationAddress);

    var ethernetSourceHwAddress = source;
    var ethernetDestinationHwAddress = dest;

    // NOTE: using EthernetPacketType.None to illustrate that the Ethernet
    //       protocol type is updated based on the packet payload that is
    //       assigned to that particular Ethernet packet
    var ethernetPacket = new EthernetPacket(ethernetSourceHwAddress,
        ethernetDestinationHwAddress,
        EthernetType.None);

    // Now stitch all of the packets together
    udpPacket.PayloadData = data;
    udpPacket.ParentPacket = ipPacket;
    ipPacket.PayloadPacket = udpPacket;
    ethernetPacket.PayloadPacket = ipPacket;

    ipPacket.UpdateIPChecksum();
    udpPacket.Checksum = udpPacket.CalculateUdpChecksum();
    ethernetPacket.UpdateCalculatedValues();

    //byte[] packetBytes = ethernetPacket.Bytes;
    return ethernetPacket;
}
```

Do you have some idea or some tip, or an already written program which solves my problem? Running OS: Windows Server 2012 R2

kayoub5 commented 4 years ago

@Zeelize Usually a .NET library cannot cause a BSOD crash. What causes the crash is the underlying driver.

Zeelize commented 4 years ago

@kayoub5 I am using WinPCap 4.1.3, unfortunately I have a problem using NPCap, because I cannot retrieve sent packets later via UdpClient() even when I see them in Wireshark correctly sent. Do you have some tip in this area?

So you are recommending that I try to send the data with a second device? What if I have only one network device?

Thanks a lot for your help

kayoub5 commented 4 years ago

@Zeelize

Zeelize commented 4 years ago

@kayoub5 Thanks for the advice regarding Device. I implemented it, but my main problem is still there: I can see the sent/injected packets in Wireshark but cannot capture them later in the application via UdpClient().

I will have a look at WinDivertDevice, but unfortunately I need to duplicate incoming packets on another port, which means only receiving is not helping me.

If you have some ideas, I will be glad to hear them out.

Cheers!

flacman commented 4 years ago

On Windows you can't do that, like sending packets to yourself, because of the way Windows works. This requirement should be sent to npcap/winpcap. This is just a wrapper.

On Wed, Jun 17, 2020, 7:09 PM Vojtěch Mráz notifications@github.com wrote:

> @kayoub5 Thanks for the advice regarding Device. I implemented it, but my main problem is still there: I can see the sent/injected packets in Wireshark but cannot capture them later in the application via UdpClient().
>
> I will have a look at WinDivertDevice, but unfortunately I need to duplicate incoming packets on another port, which means only receiving is not helping me.
>
> If you have some ideas, I will be glad to hear them out.
>
> Cheers!


chmorgan commented 4 years ago

@Zeelize I can confirm what @kayoub5 says, there is NO way sharppcap can be responsible for a BSOD. OSes are explicitly designed to prevent user level applications from doing this.

Wireshark is using the same capture approach as sharppcap, so we should be able to do whatever it's doing.

Have you tried opening another sharppcap capture device, or depending on traffic you could use the Example3, at the same time as your application that is sending? It may be that npcap is intentionally not sending the transmitted packet back through the device it's being sent on.

Zeelize commented 4 years ago

@chmorgan Thanks a lot. I do not know if I should close this issue, when the BSOD is not a problem of this library but a problem with the driver.

I tried all of your ideas, but still no luck with the receiving of packets in applications.

Zeelize commented 4 years ago

I updated the current library from GitHub and didn't use the NuGet package anymore. I am also using npcap 0.9994, the newest one, and everything looks so far so good.