nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

After v0.992 monitor mode support seems to be broken on Win10 #210

Closed pjm56 closed 3 years ago

pjm56 commented 4 years ago

Environment

Running Windows 10 with an Intel Centrino Advanced-N 6235

Summary

I find that if I use npcap v0.992 I can get Wireshark to capture Wi-Fi packets in monitor mode. However, if I use 0.9994 or 0.9995, this no longer works (I capture nothing). Also with these later versions I see errors when using WlanHelper.

Steps to Reproduce

1) As admin, uninstall npcap by running: C:\Program Files\Npcap\uninstall.exe

2) Check to make sure it is gone from these locations: C:\Program Files\Npcap and C:\WINDOWS\system32\Npcap

3) Reinstall Wireshark by running:
Wireshark-win64-3.2.5.exe

4) Say "yes" to uninstalling existing Wireshark.

5) Follow through steps until prompted about "Packet Capture", then make sure the "Install Npcap 0.9994" box is checked.

6) When prompted during Npcap 0.9994 setup make sure this box is checked: "Support raw 802.11 traffic (and monitor mode) for wireless adaptors"

7) Click through remaining steps to complete the installation.

8) Run Wireshark as admin

9) Go to Capture | Options

10) Double-click the row with your WiFi device - make sure it is the selected adaptor.

11) Un-check and re-check the "monitor" mode box next to your WiFi adaptor

12) Click "Start" to begin capturing

What I expect to see: Raw packets being sniffed off my WiFi network

What I actually see: Nothing being captured at all.

Notes and Observations

I believe there is a related issue in WlanHelper, which you can see with the following steps:

1) I can set the mode of the adaptor via WlanHelper by running the following command as admin:

   C:\Windows\System32\Npcap>WlanHelper.exe WiFi mode managed
   Success

2) When I check the mode of the adaptor by running the following command, I receive an error:

   C:\Windows\System32\Npcap>WlanHelper.exe WiFi mode
   Error: makeOIDRequest::My_PacketOpenAdapter error (to use this function, you need to check the "Support raw 802.11 traffic" option when installing Npcap)
   Failure

This is unexpected, as I did check the "Support raw 802.11 traffic" option. This might be a good place to start looking for a bug in these functions.

Trying the latest version

I tried upgrading to Npcap v0.9995, using the following steps:

1) Shut down Wireshark

2) As admin, run: C:\Program Files\Npcap\uninstall.exe

3) Download and run: npcap-0.9995.exe

4) When prompted, check "Support raw 802.11 traffic (and monitor mode) for wireless adaptors"; also UN-check "Install Npcap in WinPcap API-compatible Mode"

5) Run Wireshark as admin - set up capture as per steps 9-12 above. I get the same result - no captured packets.

6) Run WlanHelper as above - same results "Error: makeOIDRequest::My_PacketOpenAdapter error"

Enabling WinPcap API-compatible Mode

I thought maybe my problem was a missing compatibility option. So follow the steps for "Trying the latest version", but this time, at step 4: CHECK "Install Npcap in WinPcap API-compatible Mode"

Now when I run Wireshark in monitor mode, I do appear to get some kind of packets being captured, but I think they are just local traffic, as they have no source or destination addresses. Screenshot: image

The WlanHelper error remains the same as before.

A successful workaround

I worked around the bug by installing npcap v0.992.

1) As admin, uninstall npcap by running: C:\Program Files\Npcap\uninstall.exe

2) Download and run: https://nmap.org/npcap/dist/npcap-0.992.exe

3) When prompted, check the following boxes (leaving the others unchecked): "Automatically start the Npcap driver at boot time"; "Support loopback traffic ("Npcap Loopback Adapter" will be created)"; "Support raw 802.11 traffic (and monitor mode) for wireless adaptors"

4) Use the steps above (9-12) to run up Wireshark and capture in monitor mode. Now I get proper WiFi packet sniffing! Screenshot: image

Note now I also get WlanHelper behaving as expected:

  C:\Windows\System32\Npcap>WlanHelper.exe Wifi mode managed
  Success

  C:\Windows\System32\Npcap>WlanHelper.exe Wifi mode 
  managed

One final note - I have not tried this on 32-bit versions of Wireshark.

LFriede commented 3 years ago

I've got the same problem here, but with slightly different observations with WlanHelper.exe. On 0.9997 I get the same error.

Error: makeOIDRequest::My_PacketOpenAdapter error (to use this function, you need to check the "Support raw 802.11 traffic" option when installing Npcap)

The error appears on most command line options, for example "modes" to get supported modes, or by trying to set a mode or channel. But surprisingly I can set the mode with WlanHelper.exe -i, it says success, SSIDs are disappearing in Windows Dialogs and if I call WlanMonitor.exe -i again it shows that the interface is in monitor mode. But Wireshark shows nothing at all.

On version 0.992 all command line options of WlanHelper.exe seem to work. Wireshark only works when I set monitor mode by WlanHelper.exe, it doesn't work if I try to set monitor mode with Wireshark because it only shows the monitoring mode checkbox if it is already enabled by WlanHelper.exe. Capturing in monitoring mode works... sometimes with 0.992 :D

dmiller-nmap commented 3 years ago

Raw WiFi frame capture was broken after Npcap 0.9983. This issue has been fixed in Npcap 1.30.
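
A triage sketch for the symptoms in this thread, added here as an example; it is not part of the thread or of the Npcap project. It assumes Npcap version strings order as decimal numbers; the function names and verdict strings are hypothetical, while the helper path, error text and version bounds are taken from the comments above.

```python
import subprocess
from decimal import Decimal

# Bounds from the maintainer's comment in the thread.
LAST_GOOD = Decimal("0.9983")   # raw WiFi capture broke after this release
FIXED_IN = Decimal("1.30")      # release stated to contain the fix
OID_ERROR = "makeOIDRequest::My_PacketOpenAdapter error"  # text quoted in the thread
HELPER = r"C:\Windows\System32\Npcap\WlanHelper.exe"      # path used in the thread


def affected(version: str) -> bool:
    """True if the version lies strictly between the last good and the fixed release.
    Assumption: Npcap version strings order as decimal numbers."""
    return LAST_GOOD < Decimal(version.strip()) < FIXED_IN


def classify(helper_output: str) -> str:
    """Map 'WlanHelper.exe <iface> mode' output to oid-error, failure, success or a mode name."""
    lines = [ln.strip() for ln in helper_output.splitlines() if ln.strip()]
    if any(OID_ERROR in ln for ln in lines):
        return "oid-error"
    if not lines or lines[-1] == "Failure":
        return "failure"
    return "success" if lines[-1] == "Success" else lines[-1]


def triage(version: str, helper_output: str) -> str:
    state = classify(helper_output)
    if affected(version):
        # The thread reports empty captures on these builds even when WlanHelper says Success.
        return "affected-build: upgrade to 1.30 or later (helper state: %s)" % state
    if state == "oid-error":
        return "oid-error outside affected range: check the raw 802.11 install option"
    return "no known issue (helper state: %s)" % state


def query_mode(interface: str) -> str:
    """Run the mode query from the thread; Windows only, needs an admin prompt."""
    done = subprocess.run([HELPER, interface, "mode"], capture_output=True, text=True)
    return done.stdout + done.stderr


# Constructed sample, shortened from the error text in the thread.
SAMPLE_ERROR = "Error: makeOIDRequest::My_PacketOpenAdapter error (...)\nFailure\n"

if __name__ == "__main__":
    for ver, out in [("0.9994", SAMPLE_ERROR), ("0.992", "managed\n"), ("1.30", "managed\n")]:
        print(ver, "->", triage(ver, out))
```

On a live system, pass the installed version and `query_mode("WiFi")` to `triage`, where `WiFi` is the interface name used in the thread.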