nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

npcap malforms the ipv4 header when capturing from loopback interface #482

Closed sindy39 closed 3 years ago

sindy39 commented 8 years ago

Hello,

I've given a try to npcap-nmap-0.06-r7 downloaded from here as an installer (I am unable to compile from source) as a replacement (i.e. no coexistence mode) to WinPcap 4.1.3 which came along with Wireshark 2.0.2. My OS is a 64-bit Win10 (Czech language version and a result of upgrade from Win 7 if that may matter).

Issue number 2 is that when capturing on the loopback interface, npcap adds two extra octets somewhere at the beginning of the IPv4 header, which already corrupts the IP addresses. In detail, a packet actually sent from 192.168.5.158 to 239.255.255.250 looks as if it was sent from 0.0.192.168 to 5.158.239.255 and its IPv4 payload was beginning with 0xff 0xfa, as can be seen in the attached file.

The frame truncation problem as described in another Issue exists on the loopback interface too.

Do you need any additional information from me to help identify the issue?

npcap_loopback_issue.zip
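The shift described in the report can be reproduced on a constructed packet. The Python below is an added illustration, not code from the report or from Npcap: it builds the 192.168.5.158 to 239.255.255.250 datagram by hand (payload and IP identification are made up; the header checksum is left at zero, which is what the "0.0" at the front of the misread source address implies), decodes it once naively at offset 0 and once after a plausibility check has located the real header two bytes in, and also shows that the same check finds nothing when bytes are missing from the front of the frame instead.

```python
import struct
from typing import Optional

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal IPv4 packet (UDP by default). The header checksum is
    deliberately left at zero, mirroring what the reported 0.0.192.168 source
    address implies about the captured header."""
    header = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


# Constructed samples (not taken from the attached capture): the datagram the
# report describes, once intact, once with two stray octets in front of the
# header (the loopback symptom), once with its first six bytes missing.
SAMPLE_PACKET = build_ipv4_packet("192.168.5.158", "239.255.255.250", b"M-SEARCH")
SHIFTED_CAPTURE = b"\x00\x00" + SAMPLE_PACKET
TRUNCATED_CAPTURE = SAMPLE_PACKET[6:]


def parse_ipv4(buf: bytes, offset: int = 0) -> dict:
    """Decode the header at buf[offset] the way a decoder that trusts the
    link-layer offset does: without validation. If the IHL nibble is nonsense,
    the payload is taken after the 20-byte minimum header, which is exactly
    where the misread 0xff 0xfa "payload" from the report comes from."""
    f = struct.unpack_from(IPV4_FMT, buf, offset)
    ihl_nibble = f[0] & 0x0F
    hdr_len = ihl_nibble * 4 if ihl_nibble >= 5 else 20
    return {
        "version": f[0] >> 4,
        "header_length": hdr_len,
        "total_length": f[2],
        "protocol": f[6],
        "checksum": f[7],
        "src": bytes_to_ip(f[8]),
        "dst": bytes_to_ip(f[9]),
        "payload": buf[offset + hdr_len:],
    }


def looks_like_ipv4_header(buf: bytes, offset: int) -> bool:
    """Cheap plausibility test: version 4, IHL >= 5 and a total length that fits
    in the buffer. The header checksum is not tested because a sender that
    leaves it zero (as the sample does) would make every offset fail."""
    if offset + 20 > len(buf):
        return False
    ver_ihl = buf[offset]
    if ver_ihl >> 4 != 4:
        return False
    hdr_len = (ver_ihl & 0x0F) * 4
    if hdr_len < 20:
        return False
    total_len = struct.unpack_from("!H", buf, offset + 2)[0]
    return hdr_len <= total_len <= len(buf) - offset


def find_ipv4_header(buf: bytes, max_shift: int = 8) -> Optional[int]:
    """Return the first offset within max_shift bytes at which a plausible IPv4
    header starts, or None when the frame is damaged beyond a small shift."""
    for off in range(max_shift + 1):
        if looks_like_ipv4_header(buf, off):
            return off
    return None


if __name__ == "__main__":
    naive = parse_ipv4(SHIFTED_CAPTURE)
    print("naive decode:", naive["src"], "->", naive["dst"],
          "payload starts", naive["payload"][:2].hex())
    off = find_ipv4_header(SHIFTED_CAPTURE)
    print("plausible header found at offset", off)
    fixed = parse_ipv4(SHIFTED_CAPTURE, off)
    print("realigned decode:", fixed["src"], "->", fixed["dst"], fixed["payload"])
    print("truncated frame header offset:", find_ipv4_header(TRUNCATED_CAPTURE))
```

The naive decode of the shifted buffer yields the 0.0.192.168 to 5.158.239.255 pair and a payload starting 0xff 0xfa, just as in the report; the realigned decode restores the real addresses. A capture tool that runs this kind of plausibility check on the first bytes after the link-layer header can flag a misaligned frame instead of silently presenting corrupt addresses.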

hsluoyz commented 8 years ago

Hi Pavel,

I saw your capture file. It only contains two packets. Personally I wish you could have captured more. It's not hard at all because Windows usually sends lots of loopback packets by itself.

My test environment is the same as yours: Win10 x64 10586, fresh install, English, Wireshark 2.0.2 x64. I haven't encountered this issue. So I suspect you have installed some incompatible software, most likely some network drivers of the same type as Npcap.

Or you can test Npcap on a fresh Win10. It will run fine. Then add your software one by one to see which one is disturbing Npcap.

sindy39 commented 8 years ago

> Or you can test Npcap on a fresh Win10. It will run fine. Then add your software one by one to see which one is disturbing Npcap.

Unfortunately this is something I cannot do - I have a single notebook and no virtual machines under my command and I cannot be offline for too long.

What I can tell you is that I am using the Cisco VPN client, which has been discontinued, so I had to use the procedure described here to make it work. I.e. the installed network-related software includes the Deterministic Network Enhancer, which I assume handles all interfaces, not just the virtual adapter created and used by the Cisco VPN Client. But even if I only enable Npcap and IPv4 on the physical Ethernet interface, i.e. if the DNE is disabled, the issue is still there (also on the wired Ethernet after I've removed it from the bridge and started using it separately). On top of that, I am using the AVG anti-virus software.

But the above is just guessing; do you know any attribute I could look for in the registry to find network drivers "of the same type as Npcap", as you suggest?

Initially, I've intentionally attached a short file of just two representative frames to limit the amount of noise; attaching a larger one.

And you are right that the packets are malformed in various ways and it is not related just to the loopback interface. See packet 975 in npcap_gigE_malformed_packets_reduced.zip; it's a pure mess, this time bytes are missing at the beginning of the frame so the UDP payload occurs where IP addresses are expected.

A capture from loopback is this one: npcap_loopback_issue.zip

hsluoyz commented 8 years ago

You can use this software to see all the installed drivers: http://www.nirsoft.net/utils/installed_drivers_list.html.

The NDIS group should be the same type as Npcap. (You may notice that Npcap itself has an empty group; this is because Npcap is a mixture of NDIS and WFP driver, so maybe the software doesn't know how to show it. No worry about this.)

So you have the names of all NDIS group drivers. Another restriction is that the File Company is not Microsoft. We only focus on third-party drivers for now.

Then stop them one by one using the net stop <Driver Name> command. Npcap should work normally after a certain disturbing driver is stopped.

sindy39 commented 8 years ago

Hi Yang,

Not much success, actually.

First, contrary to your expectation, Npcap is shown in the NDIS group only (if I sort the drivers by their short name, it is in the list once and the group indicated is NDIS). Just to recall the context, I have installed it instead of WinPcap, so the "driver name" is npf.

Below is the list of all drivers of the NDIS group together with the results of my efforts.

On top of that, I've also disabled the anti-virus software (AVG). From some questions at Wireshark Q&A it seems that if WinPcap is occasionally unable to see some (types of) packets, the firewall/anti-virus software that is guilty needs to be uninstalled, not just disabled. I guess the actual reason is that disabling such software leaves its network drivers in place and active, but I may be wrong. I haven't seen any of the NDIS drivers that is related to AVG, though.

Out of the drivers listed below, I was unable to effectively disable two of the non-Microsoft ones: e1cexpress and NETwNe64. Neither of them should affect unrelated hardware, though.

Any further ideas?

| Driver | Display name | Description | Startup | Driver type | Error control | Group | File | File type | Created | Modified | Size | File description | File version | Company | Product | Load address | End address | Memory size | Load count | Result of net stop / registry change |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AMPPALP | Protokol Intel(r) Centrino(r) Wireless Bluetooth(r) + High Speed | Protokol Intel(r) Centrino(r) Wireless Bluetooth(r) + High Speed | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\amppal.sys | Network Driver | 29.7.2013 5:01:24 | 29.7.2013 5:01:24 | 164 832 | Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter | 16.5.0.0 | Windows (R) Win 7 DDK provider | Intel® Centrino® Wireless Bluetooth® High Speed | | | | 0 | net stop says it is not running |
| BthPan | Bluetooth Device (Personal Area Network) | Bluetooth Device (Personal Area Network) | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\bthpan.sys | System Driver | 30.10.2015 8:17:21 | 30.10.2015 8:17:21 | 128 512 | Bluetooth Personal Area Networking | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff80008130000 | fffff80008155000 | 0x00025000 | 1 | stop says that it cannot be paused, stopped nor restarted. I haven't tried to disable it in the registry. |
| BTWDPAN | Bluetooth Personal Area Network | Bluetooth Personal Area Network | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\btwdpan.sys | Network Driver | 11.6.2012 11:32:07 | 2.2.2012 4:07:18 | 89 640 | Bluetooth LAN Access Server Driver | 6.5.1.300 | Broadcom Corporation. | Bluetooth Software | | | | 0 | net stop says it is not running |
| CVirtA | Cisco Systems VPN Adapter for 64-bit Windows | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\CVirtA64.sys | Network Driver | 8.2.2010 8:32:00 | 8.2.2010 8:32:00 | 14 992 | Cisco Systems VPN Adapter | 5.0.0.1 | Cisco Systems, Inc. | Cisco Systems VPN Client | | | | 0 | net stop says it is not running |
| DNE | DNE LightWeight Filter | DNE LightWeight Filter | System | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\dnelwf64.sys | Application | 2.9.2014 17:16:26 | 2.9.2014 17:16:26 | 164 664 | Deterministic Network Enhancer for NDIS 6 | 4.18.9.18809 | Citrix Systems, Inc. | DNE | fffff80008730000 | fffff8000875e000 | 0x0002e000 | 1 | net stop attempts to stop the service for a couple of seconds but then says it cannot be stopped. Changing the start mode in the registry to Manual(3) from the previous System(1) and rebooting did not prevent Npcap from capturing malformed packets (while it has prevented the Cisco VPN Client from working properly, but that was expected). |
| e1cexpress | Intel(R) PRO/1000 PCI Express Network Connection Driver C | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\e1c62x64.sys | Network Driver | 18.5.2012 0:54:19 | 22.2.2012 21:54:08 | 360 624 | Intel(R) Gigabit Adapter NDIS 6.x driver | 11.15.16.2001 built by: WinDDK | Intel Corporation | Intel(R) Gigabit Adapter | fffff8000c8a0000 | fffff8000c8fb000 | 0x0005b000 | 1 | net stop says that it cannot be paused, stopped nor restarted. I don't know the proper value of the Start item to disable it in the registry; the normal value is Manual(3). |
| kdnic | Microsoft Kernel Debug Network Miniport (NDIS 6.20) | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\kdnic.sys | System Driver | 30.10.2015 8:17:22 | 30.10.2015 8:17:22 | 23 040 | Microsoft Kernel Debugger Network Miniport | 6.01.00.0000 (th2_release.151029-1700) | Microsoft Corporation | Microsoft Kernel Debugger Network Adapter (NDIS 6.20 Miniport) | fffff80008aa0000 | fffff80008aad000 | 0x0000d000 | 1 | net stop says that it cannot be paused, stopped nor restarted; as it is Microsoft, I don't attempt to disable it in the registry. |
| kmloop | Microsoft KM-TEST Loopback Adapter Driver | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\loop.sys | Network Driver | 30.10.2015 8:17:23 | 30.10.2015 8:17:23 | 16 384 | Loopback Network Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff8000c900000 | fffff8000c90c000 | 0x0000c000 | 1 | net stop says that it cannot be paused, stopped nor restarted; would it be worth trying to disable it, as it actually represents the local loopback virtual adapter you use? |
| lltdio | Vstupně-výstupní ovladač mapovače zjišťování topologie linkové vrstvy | Vstupně-výstupní ovladač mapovače zjišťování topologie linkové vrstvy | Automatic | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\lltdio.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 64 000 | Link-Layer Topology Mapper I/O Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff80009590000 | fffff800095a6000 | 0x00016000 | 1 | net stop reports it has been successfully stopped. However, npcap continues to capture malformed frames. |
| mlx4_bus | Mellanox ConnectX Bus Enumerator | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\mlx4_bus.sys | Driver | 30.10.2015 8:17:23 | 30.10.2015 8:17:23 | 705 376 | MLX4 Bus Driver | 4.91.10730 | Mellanox | OpenFabrics Windows | | | | 0 | net stop says that it is not running |
| MsBridge | Most MAC společnosti Microsoft | Most MAC společnosti Microsoft | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\bridge.sys | Network Driver | 12.3.2016 15:46:48 | 12.3.2016 15:46:48 | 114 688 | MAC Bridge Driver | 10.0.10586.122 (th2_release_inmarket.160222-1549) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says that it is not running; plus it's a Microsoft driver, let's ignore it |
| MsLldp | Protokol Microsoft LLDP (Link-Layer Discovery Protocol) | Ovladač protokolu Microsoft LLDP (Link-Layer Discovery Protocol) | Automatic | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\mslldp.sys | Network Driver | 30.10.2015 8:17:39 | 30.10.2015 8:17:39 | 81 920 | Microsoft Link-Layer Discovery Protocol Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Operační systém Microsoft® Windows® | fffff80009570000 | fffff8000958a000 | 0x0001a000 | 1 | net stop reports an error; it's a Microsoft driver, let's ignore it. |
| NativeWifiP | Filtr NativeWiFi | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\nwifi.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 530 432 | NativeWiFi Miniport Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Operační systém Microsoft® Windows® | fffff80009660000 | fffff800096e8000 | 0x00088000 | 1 | stop asks for confirmation that a dependent service may be stopped as well; after confirming that, stop succeeds. However, that does not prevent npcap from capturing malformed frames. |
| NdisCap | Microsoft NDIS Capture | Microsoft NDIS Capture | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\ndiscap.sys | Network Driver | 30.10.2015 8:17:41 | 30.10.2015 8:17:41 | 50 176 | Microsoft NDIS Packet Capture Filter Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says it was not running; plus it is Microsoft. |
| NdisTapi | Ovladač Remote Access NDIS TAPI | Ovladač Remote Access NDIS TAPI | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\ndistapi.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 25 600 | NDIS 3.0 connection wrapper driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff80009f00000 | fffff80009f0e000 | 0x0000e000 | 2 | net stop says it cannot be stopped, paused, nor restarted; it is Microsoft so we ignore it. |
| Ndisuio | NDIS Usermode I/O Protocol | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\ndisuio.sys | Network Driver | 30.10.2015 8:17:43 | 30.10.2015 8:17:43 | 63 488 | NDIS User mode I/O driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Operační systém Microsoft® Windows® | fffff80009620000 | fffff80009636000 | 0x00016000 | 1 | net stop asks for confirmation that a dependent service may be stopped as well; after confirming that, stop succeeds. However, that does not prevent npcap from capturing malformed frames. |
| ndiswanlegacy | Starší ovladač vzdáleného přístupu NDIS WAN | Starší ovladač vzdáleného přístupu NDIS WAN | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\ndiswan.sys | Network Driver | 30.10.2015 8:17:37 | 30.10.2015 8:17:37 | 188 928 | MS PPP Framing Driver (Strong Encryption) | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says it is not running. |
| NETwNe64 | ___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 8 - 64 Bit | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\NETwew01.sys | Network Driver | 30.10.2015 8:17:19 | 30.10.2015 8:17:19 | 3 343 872 | Intel® Wireless WiFi Link Driver | 15.16.0.2 | Intel Corporation | Intel® Wireless WiFi Link Adapter | fffff8000acc0000 | fffff8000b008000 | 0x00348000 | 1 | net stop says it cannot be stopped, paused nor restarted. I could not find out how to disable it in the registry, but a change of the Start value from Manual(3) to Boot(0), attempted because I was expecting that 0 would mean Never, has killed my WiFi. |
| npf | Npcap Packet Driver (NPCAP) | Npcap Packet Driver (NPCAP) | System | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\npf.sys | System Driver | 10.3.2016 1:41:18 | 10.3.2016 1:41:18 | 59 240 | npf.sys (NT6 AMD64) Kernel Filter Driver | 0.06 | Insecure.Com LLC. | Npcap | fffff8000c930000 | fffff8000c943000 | 0x00013000 | 1 | |
| Psched | Plánovač paketů technologie QoS | Plánovač paketů technologie QoS | System | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\pacer.sys | Network Driver | 30.10.2015 8:17:37 | 30.10.2015 8:17:37 | 160 608 | Plánovač paketů technologie QoS | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Operační systém Microsoft® Windows® | fffff800087a0000 | fffff800087cb000 | 0x0002b000 | 1 | _I guess we don't want to stop this one ;-)_ |
| rspndr | Respondér zjišťování topologie linkové vrstvy | Respondér zjišťování topologie linkové vrstvy | Automatic | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\rspndr.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 80 896 | Link-Layer Topology Responder Driver for NDIS 6 | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff800095b0000 | fffff800095ca000 | 0x0001a000 | 1 | net stop reports success. However, that does not prevent npcap from capturing malformed frames. |
| tunnel | Microsoft Tunnel Miniport Adapter Driver | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\tunnel.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 153 600 | Ovladač rozhraní tunelového propojení Microsoft | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Operační systém Microsoft® Windows® | fffff80009e40000 | fffff80009e6f000 | 0x0002f000 | 1 | Microsoft, I didn't touch it. |
| vpnva | Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64 | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\vpnva64-6.sys | Network Driver | 30.8.2013 23:53:13 | 30.8.2013 23:53:13 | 52 080 | Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows | 3, 1, 04058 | Cisco Systems, Inc. | Cisco AnyConnect Secure Mobility Client | | | | 0 | _net stop says it is not running._ |
| vwififlt | Virtual WiFi Filter Driver | Virtual WiFi Filter Driver | System | Kernel | Normal | NDIS | C:\WINDOWS\system32\drivers\vwififlt.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 74 240 | Virtual WiFi Filter Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff80008780000 | fffff80008799000 | 0x00019000 | 2 | net stop reports success. However, that does not prevent npcap from capturing malformed frames. |
| vwifimp | Virtual WiFi Miniport Service | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\vwifimp.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 39 936 | Virtual WiFi Miniport Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff8000c960000 | fffff8000c971000 | 0x00011000 | 1 | net stop says it is not running. |
| wanarp | Ovladač pro vzdálený přístup IP ARP | Ovladač pro vzdálený přístup IP ARP | Automatic | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\wanarp.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 79 872 | MS Remote Access and Routing ARP Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | fffff800095d0000 | fffff800095eb000 | 0x0001b000 | 1 | net stop reports success. However, that does not prevent npcap from capturing malformed frames. |
| wanarpv6 | Ovladač pro vzdálený přístup IPv6 ARP | Ovladač pro vzdálený přístup IPv6 ARP | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\wanarp.sys | Network Driver | 30.10.2015 8:17:40 | 30.10.2015 8:17:40 | 79 872 | MS Remote Access and Routing ARP Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says it is not running. |
| wpcfltr | Family Safety Filter Driver | | Manual | Kernel | Normal | NDIS | C:\WINDOWS\system32\DRIVERS\wpcfltr.sys | Driver | 30.10.2015 8:18:42 | 30.10.2015 8:18:42 | 52 768 | Family Safety Filter Driver | 10.0.10586.0 (th2_release.151029-1700) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says it is not running. |
| xboxgip | Xbox Game Input Protocol Driver | Xbox Game Input Protocol Driver | Manual | Kernel | Normal | NDIS | C:\WINDOWS\System32\drivers\xboxgip.sys | Network Driver | 12.3.2016 15:46:45 | 12.3.2016 15:46:45 | 238 592 | Game Input Protocol Driver | 10.0.10586.122 (th2_release_inmarket.160222-1549) | Microsoft Corporation | Microsoft® Windows® Operating System | | | | 0 | net stop says it is not running. |

hsluoyz commented 8 years ago

Hi @sindy39 ,

Please try latest Npcap 0.06 R7.1: https://github.com/nmap/npcap/releases

I think I have introduced a bug starting from 0.06 R5, which causes the malformed packets you encountered. This bug affects 0.06 R5, R6 and R7.

sindy39 commented 8 years ago

Yes, that was it. I read the notification e-mail first, so I installed 0.06R4, and only then found that you had created R7.1 and edited the comment accordingly. As a consequence, I've successfully tested that both 0.06R4 and 0.06R7.1 capture correctly, on loopback, WiFi, and the USB GigE.

Just a minor remark, when I install a new version, it says that the old "0.06.something.301" has to be uninstalled first, and it seems that the string was the same for R7 when replacing it with R4 and for R4 when replacing it with R7.1.

Thank you for the quick reaction!

hsluoyz commented 8 years ago

> Just a minor remark, when I install a new version, it says that the old "0.06.something.301" has to be uninstalled first, and it seems that the string was the same for R7 when replacing it with R4 and for R4 when replacing it with R7.1.

Yeah. There are actually two version numbers for Npcap. One is the release version, like 0.06 R7. The other is the PE file version, like 0.6.0.301. R7 is actually just a part of the installer name, and I don't want to update the version in the code for every release. So it's hard to give a solution.