nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

[Npcap] NIC >10s disconnect on logon due to disabling "automatic start" on install #377

Closed ltguillaume closed 3 years ago

ltguillaume commented 6 years ago

If I install Npcap (v0.99-r7) on Windows 10 x64 1709 and deselect the option "Automatically start the Npcap driver at boot time", my NIC disconnects on logon for well over 10 seconds, then reconnects. I've found that sitting there, staring at the network connection tray icon waiting for it to change isn't really my thing, especially because I only use Wireshark with Npcap a few times a month.

ltguillaume commented 6 years ago

As a comparison, I have checked if www.win10pcap.org behaved similarly when its driver startup is set to manual: no such thing.

dmiller-nmap commented 6 years ago

Thanks for this bug report! Npcap installs itself as a filter driver. If the service is not started at the time the network stack starts, it pauses to see if the service will start. Obviously, this is not ideal, but most of our users install with auto-start enabled. I will check to see if there is a cleaner way to support on-demand starting of the driver without interrupting the network stack.

Win10Pcap doesn't do this because it is an intermediate driver, not a filter driver. This is a more direct translation of the old WinPcap way of doing things, but fails to take advantage of the speed benefits of NDIS 6 filter drivers like Npcap.

ltguillaume commented 6 years ago

Yeah, it took me a while to find out it was Npcap, too, as I had made a whole batch of changes to my system in one go. Since it's a setting in the setup, I figured it couldn't do such harm. I recommend taking it out of the setup procedure, until it's fixed, if it can be.

Thanks for the explanation. If you have the time to explain, I'd like to know if there are downsides/side effects of leaving the filter driver running, even though I rarely use it (so it doesn't feel right, that's for sure). As such, speed is not really an issue for me, and I'm inclined to keep using Win10Pcap until Npcap can actually be started on demand, too.

dmiller-nmap commented 5 years ago

After further review, I am unable to duplicate this issue. There may be something wrong with your Npcap installation, so here's a procedure to make the cleanest installation possible:

  1. Uninstall WinPcap and Win10pcap if they are installed.
  2. Run the FixInstall.bat script from C:\Program Files\Npcap\ as Administrator (right click -> Run as Administrator).
  3. Uninstall Npcap.
  4. Reboot.
  5. Install Npcap with your chosen options. See below for recommended installation options.

Here are my recommendations for installation options to limit any performance impact. We test Npcap on very limited-resource virtual machines and have not noticed any measurable impact, but your situation may be different:

  1. Allow Npcap to automatically start at boot time. NDIS 6 LWF filter drivers are very lightweight (hence the name) and unless something is actively using it to capture traffic, it has negligible performance impact. All network packets are passed through immediately without delay.
  2. Install Npcap without the WinPcap API-compatible mode option. This will reduce the number of filter drivers and services running, and compatibility mode is unnecessary for Wireshark or Nmap.
  3. Install Npcap without raw 802.11 WiFi frame capture if you do not need it. This also reduces the number of filter drivers required to be installed.

ltguillaume commented 5 years ago

Then I'm guessing it's got something to do with the specific version of Windows I'm running, or the hardware combination. Either way, it's reproducible for me.