nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

npcap 1.10 pcap_findalldevs memory leak #297

Closed BruceBeanSun closed 3 years ago

BruceBeanSun commented 3 years ago

I installed npcap 1.10 on Windows 10 and called pcap_findalldevs every 5 minutes gets the network device information and sends it to the server. After running for a weekend, the memory usage increased from 2M to 50M. The same problem exists in Windows Server 2008R2 and npcap1.20. Npcap0.92 used before is normal, and there is no memory leak on Windows 10 and windows server 2008R2. I hope to be able to modify this issue.

dmiller-nmap commented 3 years ago

Thanks for reporting this. Please answer a few questions so we can better diagnose the issue:

  1. Can you confirm that the previous version you were using was Npcap 0.92, released June 2017? Is there a more recent version that you can confirm is not affected?
  2. Is your code calling pcap_freealldevs() after each call to pcap_findalldevs()?
  3. Can you confirm (using pcap_lib_version()) that you are loading the correct DLLs for Npcap 1.20? Mixing installations, broken installations, and not using WinPcap API Compatibility mode at install can lead to mismatches that make debugging difficult.

BruceBeanSun commented 3 years ago

Thank you for your reply. Here is the answer to the question:

  1. My last version was npcap-0.92 released in June 2017. I just started to develop my program and downloaded the latest version on the official website. There is no problem when installing npcap0.99-r6, and there is a problem when installing npcap1.00.
  2. My code calls pcap_freealldevs() after pcap_findalldevs() is called every time. I'm pretty sure about this.
  3. When npcap-0.92 is installed, the result of pcap_lib_version() is "npcap version 0.92, based on Libpcap version 1.8.1". When npcap-0.99-r6 is installed, the result of pcap_lib_version() is "npcap version 0.99-r6, based on Libpcap version 1.8.1". When npcap-1.00 is installed, the result of pcap_lib_version() is "npcap version 0.92, based on Libpcap version 1.9.1". When npcap-1.20 is installed, the result of pcap_lib_version() is "npcap version 1.20, based on Libpcap version 1.10.1-pre-git". When I install npcap, I will ensure that the installation is successful, and I will check "install npcap in WinPcap API compatible mode" when installing, otherwise I will report an error.

guyharris commented 3 years ago

and there is a problem when installing npcap1.00.

So were you able to resolve the problem? You say that

When npcap-1.00 is installed, the result of pcap_lib_version() is "npcap version 0.92, based on Libpcap version 1.9.1".

so it sounds as if you were able to install it.

If so, does the leak occur with 1.00?

BruceBeanSun commented 3 years ago

Yes, npcap1.00 can be successfully installed. There is a memory leak problem after installing npcap1.00.

guyharris commented 3 years ago

So apparently not introduced in 1.10 or 1.20, but possibly introduced in one of the 0.9x releases following 0.92, or in 1.00.

guyharris commented 3 years ago

I tried using the C runtime leak detection with the master-branch pcap.c and pcap-npf.c, and with the findalldevstest test program, but it didn't find any leaks (it found deliberately-introduced leaks in both the pcap DLL and findalldevstest, but reported no leaks when those were removed).

Perhaps this is a leak in packet.dll?

BruceBeanSun commented 3 years ago

I also guess it was introduced in one of the 0.9x releases following 0.92 or the 1.00 release. Version 1.00 upgrades the Libpcap library from 1.8.1 to 1.9.1. Is it a problem introduced by the Libpcap library version upgrade?

guyharris commented 3 years ago

Is it the problem introduced by the Libpcap library version upgrade?

Probably not, as I couldn't find a leak within the libpcap code with the test I mentioned above. It may, as I suggested, be in packet.dll (there are three layers: the libpcap component, wpcap.dll/npcap.dll, uses packet.dll to communicate with the driver, npcap.sys).

dmiller-nmap commented 3 years ago

I can't be sure, but I think it was introduced in this change, which added calls to GlobalReAlloc(): df3c348771b6b5035433afad2

If the reallocation fails, the original memory is leaked because the statement overwrites the original pointer with NULL. I changed this to correctly assign to a temporary pointer and free the original buffer when it fails in 867e3d3609a1e11cb977bec36eba33923ddffb25, so I'm hopeful this will be resolved in the next release.
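
The two code paths described in the comment above, as an added illustration that is not Npcap's own code: a constructed counting allocator shim (standard realloc stands in for GlobalReAlloc, and the names shim_*, grow_leaky and grow_fixed are hypothetical) forces one reallocation to fail, so the original block can be seen going unreachable under the direct-assignment pattern and being released under the temporary-pointer fix.

```c
#include <stdlib.h>
/* Counting allocator shim (constructed for this example): tracks live blocks,
 * remembers the last block handed out, and can force the next reallocation to
 * fail, so both patterns run without Npcap. Callers never pass NULL to it. */
static size_t live_blocks = 0;
static int fail_next_realloc = 0;
static void *last_block = NULL;
static void *shim_malloc(size_t n) { last_block = malloc(n); if (last_block) live_blocks++; return last_block; }
static void shim_free(void *p) { if (p) { free(p); live_blocks--; } }
static void *shim_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; } /* old block untouched */
    return realloc(p, n);                   /* success: old block released, count unchanged */
}
/* Buggy pattern from the thread: the reallocation result is written over
 * the only pointer to the buffer, so a NULL return loses the old block. */
static char *grow_leaky(char *buf, size_t new_size) {
    buf = shim_realloc(buf, new_size);
    return buf;
}
/* Fixed pattern: reallocate into a temporary, free the original on
 * failure and report it, adopt the new block on success. */
static char *grow_fixed(char *buf, size_t new_size, int *failed) {
    char *tmp = shim_realloc(buf, new_size);
    if (tmp == NULL) { shim_free(buf); *failed = 1; return NULL; }
    *failed = 0;
    return tmp;
}

/* Blocks still live after a forced reallocation failure, leaky pattern: 1. */
size_t leaky_blocks_after_failure(void) {
    live_blocks = 0;
    char *buf = shim_malloc(16);
    fail_next_realloc = 1;
    buf = grow_leaky(buf, 4096);            /* NULL: the 16-byte block is now unreachable */
    size_t leaked = buf ? 0 : live_blocks;
    shim_free(last_block);                  /* only the shim's shadow pointer can reclaim it */
    return leaked;
}

/* Same scenario with the fixed pattern: 0 live blocks and the failure reported. */
size_t fixed_blocks_after_failure(void) {
    live_blocks = 0;
    int failed = 0;
    char *buf = shim_malloc(16);
    fail_next_realloc = 1;
    buf = grow_fixed(buf, 4096, &failed);   /* NULL, and the original was already freed */
    shim_free(buf);                         /* NULL: nothing to free */
    return failed ? live_blocks : (size_t)-1;
}
```

The shadow pointer exists only so the example can clean up after itself; in the real library nothing holds the old address once the assignment overwrites it, which is why the count grows on every failed call.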

BruceBeanSun commented 3 years ago

OK. Thank you!

dmiller-nmap commented 3 years ago

@BruceBeanSun Can you confirm whether Npcap 1.31 or 1.30 resolved this issue?

dmiller-nmap commented 3 years ago

I am closing this issue with the assumption that the bug I fixed is the correct one. You are welcome to open a new issue if you see further problems with Npcap 1.50 or later.