Closed markpizz closed 3 years ago
Hi Markpizz,
I'm unable to reproduce this issue on my Win7 x86 VM. I want to know the below information:
`Npcap Loopback Adapter` renaming failure. Npcap is supposed to create a Microsoft Loopback Adapter (aka the `Ethernet adapter Local Area Connection 2`) and rename it to `Npcap Loopback Adapter`.
`KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf`. Is there a `REG_SZ` value named `Loopback`? Its value should be something like `\Device\{499847BE-F7E6-4F04-89D1-D5C9CDE5E92C}`. This is the actual name of the `Npcap Loopback Adapter`. Without this value, Npcap can't uninstall `Npcap Loopback Adapter` correctly. Notice: Every time you install Npcap again, this value changes.
value in the registry exists. Run `NPFInstall.exe -ul` command in the `C:\Program Files\Npcap` path. This is the command to uninstall `Npcap Loopback Adapter`. You can check if `Npcap Loopback Adapter` is successfully uninstalled after running this command.
About the `DLT_EN10MB` for `Npcap Loopback Adapter` issue, I have replied in comment of https://github.com/nmap/nmap/issues/298.
Cheers, Yang
Hi Yang,
1) x64.
2) English
3) I was logged into the only account on this system which is an admin. I get a UAC prompt when I invoked the installer. This system is a Virtual Box VM that was explicitly setup to test this so I didn't put any system I cared about in a strange and hard to untangle state.
4) The last condition the system was in was with the npcap package uninstalled and there is no npf service registry entry existing anymore. I restored to a snapshot prior to the initial installation of npcap. IPconfig shows everything clean again. After installing the R14 package, there is indeed a Loopback entry in the npf service registry key. The value of that key is NOT the value returned by pcap_findalldevs when I enumerate the available pcap devices.
5) I invoked NPFInstall -ul from an elevated command prompt window and the command prompt window disappeared the instant I invoked the command. IPCONFIG shows no change in what is displayed (the extra interface is still there) and the npf service Registry key doesn't seem to have any changed information.
Regarding DLT_EN10MB, I wasn't describing a problem or asking a question, I was just describing what I observed. I'm gathering info to continue the nmap/nmap#298 discussion in that issue.
Hi Markpizz,
It's weird that your `Loopback` entry in registry doesn't match an item in the adapter list returned by `pcap_findalldevs`.
I also tried on a Win7 x64 VMware VM without any issues. Since you are also using a VirtualBox VM, could you just provide me the VM image, so I can try on it directly? Thanks!
Cheers, Yang
Hmmm...
I just did a new install on a fresh VirtualBox VM with Win7-Pro-SP1-x64. npcap install worked as expected.
The original VM I was testing with was one I had hacked around with using earlier npcap installers which had problems with signing issues. I somehow managed to get the network interface set looking clean again as shown in the original ipconfig output that I quoted at the beginning of this issue. I don't remember exactly what I did, but it seemed OK. Using that configuration, following the steps I mentioned originally I saw the tangled mess I described.
Doing this with VMs which can easily take snapshots is nice for the developer testing, but for folks in the field with real systems which will lose time and/or data if their systems get tangled up they don't really have a good way to unwind what a npcap install has done to their system. Does the install technology you are using provide a way to force the creation of a Windows Restore Point at the beginning of an installation? If so, can this be added or at least an option provided to do that?
After writing the last comment here I did some basic testing of the WinPcap API on this Win7-Pro-SP1-x64 system. It appeared that I could not get pcap_datatype to return DLT_EN10MB for the loopback adapter (I did not check anything extra during the npcap install). I didn't test this case the first time I installed. I had installed and uninstalled and installed again before I checked this. So, I used the VirtualBox VM interface to restore the snapshot I took just prior to the first attempt to install npcap. I then performed the install of npcap and the original tangled mess I started this issue with had returned. It appears that maybe the messing with the network interface set is triggering something in the VirtualBox Windows support functionality to convey something about the network configuration into the VirtualBox environment and that is subsequently being projected back into the VM after a Snapshot restore and that info is messing up the install of npcap. This might be a VirtualBox problem, but the mess is now there and without a Windows Restore point I'm back to creating a new VM and starting over.
I was able to short circuit a complete windows install again by saving the virtual disk created earlier just prior to the snapshot I mentioned and using that disk in a newly created VM. I then took another snapshot (to protect this VM disk image) and was able to install npcap normally as expected. I have now confirmed that the Npcap Loopback Adapter interface doesn't not show up in the pcap_findalldevs -> pcap_datalink with a DLT_EN10MB type.
Hi Markpizz,
> I just did a new install on a fresh VirtualBox VM with Win7-Pro-SP1-x64. npcap install worked as expected.
>
> The original VM I was testing with was one I had hacked around with using earlier npcap installers which had problems with signing issues. I somehow managed to get the network interface set looking clean again as shown in the original ipconfig output that I quoted at the beginning of this issue. I don't remember exactly what I did, but it seemed OK. Using that configuration, following the steps I mentioned originally I saw the tangled mess I described.

I think this means that you have made Npcap work on your VM, so I don't need to reproduce it for now.

> Doing this with VMs which can easily take snapshots is nice for the developer testing, but for folks in the field with real systems which will lose time and/or data if their systems get tangled up they don't really have a good way to unwind what a npcap install has done to their system. Does the install technology you are using provide a way to force the creation of a Windows Restore Point at the beginning of an installation? If so, can this be added or at least an option provided to do that?

Good idea, I will try to add one as an option.

> After writing the last comment here I did some basic testing of the WinPcap API on this Win7-Pro-SP1-x64 system. It appeared that I could not get pcap_datatype to return DLT_EN10MB for the loopback adapter (I did not check anything extra during the npcap install).

As the `DLT_NULL` option is not checked by default, you probably are not checking it. Then you should get `DLT_EN10MB` for `Npcap Loopback Adapter`. What did you get then? You can take a look at the `DltNull` entry in `KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf`. If `DltNull`==1, it means `DLT_NULL` option is enabled. What's your value?

> I didn't test this case the first time I installed. I had installed and uninstalled and installed again before I checked this. So, I used the VirtualBox VM interface to restore the snapshot I took just prior to the first attempt to install npcap. I then performed the install of npcap and the original tangled mess I started this issue with had returned. It appears that maybe the messing with the network interface set is triggering something in the VirtualBox Windows support functionality to convey something about the network configuration into the VirtualBox environment and that is subsequently being projected back into the VM after a Snapshot restore and that info is messing up the install of npcap. This might be a VirtualBox problem, but the mess is now there and without a Windows Restore point I'm back to creating a new VM and starting over.

This is so complicated... There shouldn't be any problems if you install Npcap multiple times. You can just test the above steps when Npcap is installed.

> I was able to short circuit a complete windows install again by saving the virtual disk created earlier just prior to the snapshot I mentioned and using that disk in a newly created VM. I then took another snapshot (to protect this VM disk image) and was able to install npcap normally as expected. I have now confirmed that the Npcap Loopback Adapter interface doesn't not show up in the pcap_findalldevs -> pcap_datalink with a DLT_EN10MB type.

What does the last sentence mean? Does `Npcap Loopback Adapter` show up in `pcap_findalldevs`? If yes, what does `pcap_datalink` return for it? Have you installed Npcap with the `DLT_NULL` option checked?
When installing npcap (on Win7 x86 AND x64) I DID NOT check the "Use DLT_NULL" and the registry value HKLM\SYSTEM\CurrentControlSet\Services\npf\DltNull is 00000000.
My app calls pcap_findalldevs and for each device returned it calls pcap_datalink and if the value returned is DLT_EN10MB it displays the device name and makes it available for a user to use. I'm not sure if pcap_findalldevs did not return the device or not, but if it did then the value returned by pcap_datalink wasn't DLT_EN10MB. I would say that either not returning the npcap loopback adapter would be an error or not returning DLT_EN10MB would be an error. In either case there is an error. This same app returns the expected results on Win10.
Hi Markpizz,
I have tested this issue with a program named `UserBridge` and Wireshark. The result turns out that Npcap has no issue about this handling. Here's my proof.
First, there's a simple way to change the `DLT_NULL` option in the installer without reinstalling Npcap. The way is to manually modify the `HKLM\SYSTEM\CurrentControlSet\Services\npf\DltNull` entry to 1 or 0. Then restart the driver using `net stop npf` and `net start npf`.
`DLT_NULL` mode on, the output of UserBridge is:
```
1. (link type=1) Network adapter 'Microsoft' on local host
2. (link type=1) Network adapter 'Intel(R) PRO/1000 MT Network Connection' on lo
cal host
3. (link type=0) Network adapter 'MS LoopBack Driver' on local host
Specify filter (hit return for no filter):
```
`DLT_NULL` mode off, the output of UserBridge is:
```
1. (link type=1) Network adapter 'Microsoft' on local host
2. (link type=1) Network adapter 'Intel(R) PRO/1000 MT Network Connection' on lo
cal host
3. (link type=1) Network adapter 'MS LoopBack Driver' on local host
Specify filter (hit return for no filter):
```
```c
#define DLT_NULL 0 /* BSD loopback encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* 802.5 Token Ring */
#define DLT_ARCNET 7 /* ARCNET, with BSD-style header */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
```
So you can see Npcap behaves correctly.
`DLT_NULL` mode on, the Interface Detail of `Npcap Loopback Adapter` is like:
`DLT_NULL` mode off, the Interface Detail of `Npcap Loopback Adapter` is like:
`UserBridge` is also hosted on GitHub: https://github.com/hsluoyz/UserBridge. So you can see where's wrong with your code compared to `UserBridge`.
BTW, I found that Npcap installation will automatically create a system restore point named `Device Driver Package Install: Nmap Project Network Service`. You can just use it:)
Hi Yang,
I see the system restore point now. Thanks for checking. I'm going to test this later.
OK. I have run my app in debug mode and stepped through the adapter list validation logic (which produces a different list of adapters on Win7 vs Win10).
The datalink value is indeed properly returned based on the registry DltNull value.
However, on Win7 pcap_findalldevs returns an adapter list which has the flags member of the pcap_if_t structure for the Npcap loopback adapter set to PCAP_IF_LOOPBACK while on Win10 that flag value (bit maybe) is NOT set. Is this deliberate?
I tried to restore to the above mentioned restore point. This did NOT unwind the installation of npcap. Maybe the restore point is not being taken at the start of the install, but later somewhere in the middle of the driver install step. The net result is that I now have IPCONFIG which shows multiple interfaces (the Npcap Loopback adapter included), and the Local Area Connection. However "Control Panel->Programs->Programs and Features" no longer shows npcap installed, BUT the npf service is still defined in the registry: HKLM\SYSTEM\CurrentControlSet\Services\npf.... However, even though the service is defined, the pcap API doesn't work. Attempting to install npcap says that it is already installed and goes through the uninstall/reinstall step. After this it still doesn't work, but now it is listed as an installed program. Uninstalling that now seems to remove the Npcap loopback adapter and the program and the service definition in the registry. Installing npcap again seems to go cleanly and the Npcap Loopback adapter is once again defined, but the pcap API still doesn't work. I then rebooted the system. Things finally worked after that.
In summary, a normal user would expect that restoring from this restore point would actually unwind everything that changed during the npcap package installation. Can you fix this?
Hi Markpizz,
`PCAP_IF_LOOPBACK` will be set for `pcap_if_t->flags` of `Npcap Loopback Adapter` no matter whether `DLT_NULL` option is checked in the installer.
I have observed the `pcap_if_t->flags` of `Npcap Loopback Adapter` on both Win7 x64 and Win10 x64 VMs. The output of the `UserBridge` tool on Win10 (Win7 is the same) is shown below:
`DLT_NULL` option OFF:
```
1. (link type=1, flags=0) Network adapter 'Microsoft' on local host
2. (link type=1, flags=0) Network adapter 'Intel(R) 82574L Gigabit Network Connection' on local host
3. (link type=1, flags=1) Network adapter 'MS NDIS 6.0 LoopBack Driver' on local host
Specify filter (hit return for no filter):
```
`DLT_NULL` option ON:
```
1. (link type=1, flags=0) Network adapter 'Microsoft' on local host
2. (link type=1, flags=0) Network adapter 'Intel(R) 82574L Gigabit Network Connection' on local host
3. (link type=0, flags=1) Network adapter 'MS NDIS 6.0 LoopBack Driver' on local host
Specify filter (hit return for no filter):
```
The definition of `PCAP_IF_LOOPBACK` is:
```c
#define PCAP_IF_LOOPBACK 0x00000001 /* interface is loopback */
```
So Npcap handles this correctly. So in order to troubleshoot your issue, I want to ask it again about the registry thing: `KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf`. Is there a `REG_SZ` value named `Loopback`? Its value should be something like `\Device\{499847BE-F7E6-4F04-89D1-D5C9CDE5E92C}`. This should match your name of `Npcap Loopback Adapter`. I assume you know how to obtain the name of `Npcap Loopback Adapter`.
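
Added example, not part of the original thread or of Npcap: a read-only Windows PowerShell check of the `Loopback` and `DltNull` values under the `npf` service key that the comment above asks about. The function name `Get-NpcapLoopbackState` is hypothetical, and matching the registry GUID against the `GUID` property of the WMI class `Win32_NetworkAdapter` is an assumption about how the adapter is identified.

```powershell
# Added example: read-only check of the npf service values discussed in this thread.
# Run from an elevated Windows PowerShell prompt (Get-WmiObject is not in PowerShell 7).
function Get-NpcapLoopbackState {
    $npfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\npf'
    if (-not (Test-Path -Path $npfKey)) {
        Write-Warning "npf service key not found; the Npcap driver is not registered."
        return
    }

    $npf      = Get-ItemProperty -Path $npfKey
    $loopback = $npf.Loopback   # REG_SZ like \Device\{GUID}; changes on every install
    $dltNull  = $npf.DltNull    # per the thread: 1 = DLT_NULL option on, 0 = off

    # Pull the adapter GUID out of the \Device\{GUID} string.
    $guid = $null
    if ($loopback -match '\{[0-9A-Fa-f-]{36}\}') { $guid = $Matches[0] }

    # Look for an installed network adapter whose GUID matches the registry value
    # (assumption: the Loopback value carries the adapter's instance GUID).
    $adapter = $null
    if ($guid) {
        $adapter = Get-WmiObject -Class Win32_NetworkAdapter |
            Where-Object { $_.GUID -eq $guid } |
            Select-Object -First 1
    }

    # Link type the loopback adapter should report through pcap_datalink.
    if ($dltNull -eq 1) { $linkType = 'DLT_NULL (0)' } else { $linkType = 'DLT_EN10MB (1)' }

    New-Object PSObject -Property @{
        LoopbackValue    = $loopback
        AdapterFound     = [bool]$adapter
        AdapterName      = $(if ($adapter) { $adapter.Name })
        ConnectionName   = $(if ($adapter) { $adapter.NetConnectionID })
        DltNull          = $dltNull
        ExpectedLinkType = $linkType
    }
}

$state = Get-NpcapLoopbackState
$state | Format-List

if ($state -and -not $state.LoopbackValue) {
    # Without this value the uninstall step has nothing to identify the adapter by.
    Write-Warning "No Loopback value: 'NPFInstall.exe -ul' cannot locate the adapter to remove."
} elseif ($state -and -not $state.AdapterFound) {
    # The mismatch reported earlier in this thread: registry and adapter list disagree.
    Write-Warning "Loopback value does not match any installed adapter."
}
```

A changed `DltNull` value only takes effect after the driver is restarted with `net stop npf` and `net start npf`, as described earlier in the thread.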
Hi, the system restore feature is finished.
See Npcap 0.05 r16: https://github.com/nmap/npcap/releases
Yang,
I'm sorry to have misdirected your efforts regarding the datalink type of the loopback adapter and the details of the loopback flag. I was confused by the tangled set of network interfaces which were created after the failed install/uninstall. All of the "Local Area" interfaces were returned by pcap_findalldevs and the second one (which corresponded to the Npcap loopback adapter) was indicated as NON Loopback with DLT_EN10MB. I was working from incorrect data.
My application can't make use of a loopback adapter and as such loopback adapters are excluded from the list of devices which the application lists for a user to select. I would suggest that installing the Npcap Loopback Adapter be an option since it may not be useful for some folks/applications. Personally I'd prefer that it not be installed by default (WinPcap didn't do this, so that is the only argument to justify the non-default install), but as long as it is an option I'm ok with either choice.
Thanks for implementing the Restore Point functionality. I think it needs a little adjustment though:
1) I installed npcap (06) and it seemed to work (selecting the option to create a restore point). I then did a system restore and selected the appropriate restore point. After the system rebooted, IPCONFIG returned absolutely nothing but "Windows IP Configuration". I was concerned. I rebooted again and still saw the same behavior. As it turns out after 1 minute I finally see the original network configuration again. I don't recall having this delay before, but maybe I never looked.
2) If the restore point is optional, but not the default, then a user could easily tangle things up and not be able to benefit from the restore point since they are most likely to take default install options. It therefore should be the default (and probably not even an option). This adds a couple of seconds to the install, however that can easily be mitigated. See point 2.
3) It seems that installing a driver causes an automatic restore point to be created and as such if the Npcap restore point is created there are two from this install. Many other applications do installs (including driver installs) and only produce a single restore point during that installation. There should be a way to suppress the automatic driver install restore point given one has just been created. Additionally, the driver created restore point is really a broken restore point as I demonstrated earlier when I tried to restore from it, so suppressing it would seem important. If that can be done, and the Npcap one is automatic only one restore point will be created and the install time should be the same.
Thanks.
Hi Markpizz,
> I'm sorry to have misdirected your efforts regarding the datalink type of the loopback adapter and the details of the loopback flag. I was confused by the tangled set of network interfaces which were created after the failed install/uninstall. All of the "Local Area" interfaces were returned by pcap_findalldevs and the second one (which corresponded to the Npcap loopback adapter) was indicated as NON Loopback with DLT_EN10MB. I was working from incorrect data.

OK, I have made the loopback support an option in the installer. See: https://github.com/nmap/npcap/commit/66846a9390ffd811e5ac88e7ff995321e21a534a

> 1) I installed npcap (06) and it seemed to work (selecting the option to create a restore point). I then did a system restore and selected the appropriate restore point. After the system rebooted, IPCONFIG returned absolutely nothing but "Windows IP Configuration". I was concerned. I rebooted again and still saw the same behavior. As it turns out after 1 minute I finally see the original network configuration again. I don't recall having this delay before, but maybe I never looked.

I never encountered this in my VMware VM.
In fact, Npcap calls standard Windows APIs to create a system restore point. The only parameter Npcap can control in this process is the time for the snapshot. So this issue is probably not caused by Npcap.
I want you to make an experiment. You manually create a system restore point before you run the Npcap installer, then install. Then manually roll back to that point. If your IPCONFIG still returns nothing for 1 minute, then it is not Npcap's problem. I personally doubt it's the issue of VirtualBox VM.

> 3) It seems that installing a driver causes an automatic restore point to be created and as such if the Npcap restore point is created there are two from this install. Many other applications do installs (including driver installs) and only produce a single restore point during that installation. There should be a way to suppress the automatic driver install restore point given one has just been created. Additionally, the driver created restore point is really a broken restore point as I demonstrated earlier when I tried to restore from it, so suppressing it would seem important. If that can be done, and the Npcap one is automatic only one restore point will be created and the install time should be the same.

You are right. The reason I didn't make creating restore point a default option is just as you said, it needs seconds to perform the action, which is slow. And it's also true that sometimes the driver installation triggers an automatic restore point too. But sometimes not. Maybe I need to google about how to suppress the automatic point as you said.
I have posted a question at: http://stackoverflow.com/questions/35718798/how-to-disable-windows-to-create-an-automatic-restore-point-when-installing-my-k
Hi Yang,
I'm not familiar with the installer tool you're using, but the underlying Windows APIs which create restore points have a natural way to avoid the second (driver specific) restore point. See:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378894(v=vs.85).aspx
It would seem that merely calling SRSetRestorePoint(dwEventType=BEGIN_NESTED_SYSTEM_CHANGE, dwRestorePtType=APPLICATION_INSTALL) at the beginning of your installation and at the end either SRSetRestorePoint(dwEventType=END_NESTED_SYSTEM_CHANGE) OR SRSetRestorePoint(dwEventType=END_NESTED_SYSTEM_CHANGE, dwRestorePtType=CANCELLED_OPERATION) if the install is canceled. You would have to retain (and reuse) the sequence number returned on the initial call for the subsequent calls.
Hi Markpizz,
Thanks for the advice!
I have used your way in: https://github.com/hsluoyz/SysRestore. This newly built SysRestore plug-in is used in the installer of Npcap.
Latest 0.06 R2 is released: https://github.com/nmap/npcap/releases
Hi Yang,
It (the newly added restore point creation) does not appear to work. If I select that a restore point is to be created no restore point is actually created (except the one which the driver addition causes to be created), If I select not to create a restore point, the same behavior is observed. Once this is actually working, I don't think creating a restore point should be an option.
Hi Mark,
> It (the newly added restore point creation) does not appear to work. If I select that a restore point is to be created no restore point is actually created (except the one which the driver addition causes to be created), If I select not to create a restore point, the same behavior is observed.

Probably it's a bug in the `SysRestore` plug-in I used. I looked at its code and saw no evidence of anything wrong. I think its code follows the guide of Microsoft. You can see the code of `SysRestore`. I noticed that sometimes the restore point is not created if you already installed Npcap once and created one. I don't know what causes this?

> Once this is actually working, I don't think creating a restore point should be an option.

The point is when creating a restore point, the installer doesn't know if the process will work or not (like installing the driver). The steps have to be creating restore point first, then do the work. Right?
Cheers, Yang
> > It (the newly added restore point creation) does not appear to work. If I select that a restore point is to be created no restore point is actually created (except the one which the driver addition causes to be created), If I select not to create a restore point, the same behavior is observed.
>
> Probably it's a bug in the SysRestore plug-in I used. I looked at its code and saw no evidence of anything wrong. I think its code follows the guide of Microsoft. You can see the code of SysRestore. I noticed that sometimes the restore point is not created if you already installed Npcap once and created one. I don't know what causes this?

It makes no sense that a previous restore point affects a subsequent one. They are known internally by the sequence number which should be generated during the BEGIN step.

> > Once this is actually working, I don't think creating a restore point should be an option.
>
> The point is when creating a restore point, the installer doesn't know if the process will work or not (like installing the driver). The steps have to be creating restore point first, then do the work. Right?

Right! You start the restore point (with BEGIN) and if everything during the installation process succeeds and the user hasn't canceled the install then you finish the restore point with END. If the user canceled the install (is this possible?), then you delete the restore point with CANCELLED_OPERATION. If something else went wrong, then you complete the restore point normally and the user has the restore point available to unwind any mess that was created.
What I'm suggesting is that the installer GUI should not provide the user an option to create a restore point, one should always be created. The BEGIN step should happen when the user clicks on the "Install" button of the "Installer Options" Dialog. If the install goes well, then the END step should happen before the "Next" button is ungreyed when the "Installation Complete" dialog is displayed.
> It makes no sense that a previous restore point affects a subsequent one. They are known internally by the sequence number which should be generated during the BEGIN step.

I retested it under my Win7 x64 and Win10 x64 VM. This function works well. I can see a `Before installing Npcap` every time I installed Npcap with that option checked. What test environment are you using?

> Right! You start the restore point (with BEGIN) and if everything during the installation process succeeds and the user hasn't canceled the install then you finish the restore point with END. If the user canceled the install (is this possible?), then you delete the restore point with CANCELLED_OPERATION. If something else went wrong, then you complete the restore point normally and the user has the restore point available to unwind any mess that was created.

It is impossible for the user to cancel the installation after the installer starts the restore point, because the installer starts the restore point actually when the installation starts (at the start of the progress bar growing). The restore point will always finish at the end of the progress bar.

> What I'm suggesting is that the installer GUI should not provide the user an option to create a restore point, one should always be created.

OK. I made this option checked by default. See: https://github.com/nmap/npcap/commit/84eed5dc5d82c7e2363aac36d7dadeaccf2a0108

> The BEGIN step should happen when the user clicks on the "Install" button of the "Installer Options" Dialog. If the install goes well, then the END step should happen before the "Next" button is ungreyed when the "Installation Complete" dialog is displayed.

As I said before, this is exactly how Npcap currently behaves.
> > It makes no sense that a previous restore point affects a subsequent one. They are known internally by the sequence number which should be generated during the BEGIN step.
>
> I retested it under my Win7 x64 VM. This function works well. I can see a Before installing Npcap every time I installed Npcap with that option checked. What test environment are you using?

I am testing using Windows 7 x64 and Windows 7 x86.
It definitely is NOT happening for me since if it was I would expect a few seconds of delay when I start the install. I now see a delay (2 minutes) during the "NPFInstall -il" step. On the Win7 x86 the install log is:
```
Start setting system restore point: Before installing Npcap
Could not load: C:\Users\Admin\AppData\Local\Temp\nsp81AB.tmp\SysRestore.dll
Error occured when starting setting system restore point, return value=|Before installing Npcap|
Output folder: C:\Windows\system32
Extract: pthreadVC.dll
Extract: wpcap.dll
Extract: NPcapHelper.exe
Windows CurrentVersion: 6.1
Extract: Packet.dll
Output folder: C:\Program Files\Npcap
Extract: rpcapd.exe
Extract: LICENSE
Extract: NPFInstall.exe
Extract: npf.sys
Extract: npf.inf
Extract: npf_wfp.inf
Extract: npf.cat
Created uninstaller: C:\Program Files\Npcap\uninstall.exe
Installing NDIS6.x x86 driver for Vista, Win7, Win8 and Win10
Output folder: C:\Windows\system32\drivers
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -il
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -il
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -iw
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -i
The npf service for Vista, Win7, Win8 and Win10 was successfully created
```
When I invoke System Restore. I don't see any new restore points (since the last windows update from yesterday).
On Win7-x64 I see:
```
Start setting system restore point: Before installing Npcap
Could not load: C:\Users\Admin\AppData\Local\Temp\nsa6D9A.tmp\SysRestore.dll
Error occured when starting setting system restore point, return value=|Before installing Npcap|
Output folder: C:\Windows\system32
Extract: pthreadVC.dll
Extract: wpcap.dll
Extract: NPcapHelper.exe
Windows CurrentVersion: 6.1
Extract: Packet.dll
Output folder: C:\Program Files\Npcap
Extract: rpcapd.exe
Extract: LICENSE
Extract: NPFInstall.exe
Extract: npf.sys
Extract: npf.inf
Extract: npf_wfp.inf
Extract: npf.cat
Created uninstaller: C:\Program Files\Npcap\uninstall.exe
Installing NDIS6.x x86 driver for Vista, Win7, Win8 and Win10
Output folder: C:\Windows\system32\drivers
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -il
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -iw
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -i
The npf service for Vista, Win7, Win8 and Win10 was successfully created
Completed
```
This completed very quickly and the only Restore Point listed was the one the driver would normally create.
I suggest that you change the name of the restore point to be "npcap .... something" to distinguish it from the driver install Restore Point which is otherwise created...
> > What I'm suggesting is that the installer GUI should not provide the user an option to create a restore point, one should always be created.
>
> OK. I will make this option checked by default then.

My point is that this should not be an option. It should just always happen. Recall that before you started working on this restore point stuff, the driver install always created a restore point. Now the npcap install should always create a restore point and the driver install restore point will be suppressed due to the NESTed restore point approach you're using.
Additionally, a restore point should always be created when npcap is uninstalled.
Hi Mark,
> It definitely is NOT happening for me since if it was I would expect a few seconds of delay when I start the install. I now see a delay (2 minutes) during the "NPFInstall -il" step. On the Win7 x86 the install log is:

There are some reports about the issue that `NPFInstall -il` is very slow or even halts. I still don't know the specific reasons. But it's usually caused by another application using the functions related to manipulating `Network Connections`. As the function is exclusive, Npcap halts. So you can check if you have that kind of software running while installing Npcap.

> This completed very quickly and the only Restore Point listed was the one the driver would normally create

Maybe this is caused by the messing up with previous Npcap. Sometimes old code or configs just make things wrong. So I suggest you delete all your restore points by disabling and enabling the function. Then install the latest Npcap 0.06 R2.

> I suggest that you change the name of the restore point to be "npcap .... something" to distinguish it from the driver install Restore Point which is otherwise created...

What wording do you suggest? I don't see how `npcap .... something` can express a meaning about before installation?

> My point is that this should not be an option. It should just always happen. Recall that before you started working on this restore point stuff, the driver install always created a restore point. Now the npcap install should always create a restore point and the driver install restore point will be suppressed due to the NESTed restore point approach you're using.
>
> Additionally, a restore point should always be created when npcap is uninstalled.

I'm OK with what you said. I can add this after we solved the above not creating restore point issue.
Another question is should the uninstaller remove the restore points created by Npcap installer?
Cheers, Yang
Hi Yang,
I think you missed the error message reported in both of the installation logs which I included. Notice the message:
Start setting system restore point: Before installing Npcap
Could not load: C:\Users\Admin\AppData\Local\Temp\nsa6D9A.tmp\SysRestore.dll
Error occured when starting setting system restore point, return value=|Before installing Npcap|
There was a status which was returned by the attempt to load the dll which is somehow being lost. I don't know if dll's provided (and loaded by your installer) need to be signed. Maybe you've got the SysRestore.dll already located somewhere on your test system, so the install works for you... I'm completely guessing here, but this error is the current problem.
I suggest that you change the name of the restore point to be "npcap .... something" to distinguish it from the driver install Restore Point which is otherwise created...
What wording do you suggest? I don't see npcap .... something can express a meaning about before installation?
The install restore point should say: "Before npcap vnn.nn install" The uninstall restore point should say: "Before npcap vnn.nn uninstall"
Maybe you are already using something very close to the first one, I couldn't tell due to the fact that it hasn't worked for me yet. Including the version number would only be more helpful.
My point is that this should not be an option. It should just always happen. Recall that before you started working on this restore point stuff, the driver install always created a restore point. Now the npcap install should always create a restore point and the driver install restore point will be suppressed due to the NESTed restore point approach you're using.
Additionally, a restore point should always be created when npcap is uninstalled.
I'm OK with what you said. I can add this after we solved the above not creating restore point issue.
OK
Another question is should the uninstaller remove the restore points created by Npcap installer?
I'm pretty sure that isn't actually possible, but you definitely don't want to do it anyway. The System Restore capability is a tool the OS provides to a system administrator to capture the system state at particular points in time so that if necessary, the system can be restored to what it looked like when that restore point was taken.
I think you missed the error message reported in both of the installation logs which I included. Notice the message:
Yes, I missed them.. AFAIK, DLLs are not required to be signed to run on any Windows systems.
A possible cause is the dependency issue. In fact I built my SysRestore.dll using VS 2013. So I want to know did you install `VS 2013 redist x86`? NOTE you need the x86 version redist package even for x64 systems. Because NSIS and its plug-ins only use x86.
There was a status which was returned by the attempt to load the dll which is somehow being lost. I don't know if dll's provided (and loaded by your installer) need to be signed. Maybe you've got the SysRestore.dll already located somewhere on your test system, so the install works for you... I'm completely guessing here, but this error is the current problem.
It shouldn't be the cause. Because I usually test Npcap installer on my VMs. My built machine is the outer host. So the VMs don't have any build environments.
The install restore point should say: "Before npcap vnn.nn install" The uninstall restore point should say: "Before npcap vnn.nn uninstall"
Maybe you are already using something very close to the first one, I couldn't tell due to the fact that it hasn't worked for me yet. Including the version number would only be more helpful.
I have finished these functions. Try the latest Npcap 0.06 R3: https://github.com/nmap/npcap/releases/
I'm pretty sure that isn't actually possible, but you definitely don't want to do it anyway. The System Restore capability is a tool the OS provides to a system administrator to capture the system state at particular points in time so that if necessary, the system can be restored to what it looked like when that restore point was taken.
OK.
Hi Yang,
I think you missed the error message reported in both of the installation logs which I included. Notice the message:
Yes, I missed them.. AFAIK, DLLs are not required to be signed to run on any Windows systems.
A possible cause is the dependency issue. In fact I built my SysRestore.dll using VS 2013. So I want to know did you install VS 2013 redist x86? NOTE you need the x86 version redist package even for x64 systems. Because NSIS and its plug-ins only use x86.
I do not have VS2013 redistributables installed, but creating such a dependency for the installer is definitely not the way to go. You've got a chicken and egg problem here. The goal is to not have a user install external pieces before an installation will work correctly. You should be able to build that DLL without that dependency. See: http://nsis.sourceforge.net/Building_plug-ins_without_Microsoft_Visual_C_Run-Time_(MSVCRT)_dependency
Hi Mark,
I do not have VS2013 redistributables installed, but creating such a dependency for the installer is definitely not the way to go. You've got a chicken and egg problem here. The goal is to not have a user install external pieces before an installation will work correctly. You should be able to build that DLL without that dependency. See: http://nsis.sourceforge.net/Building_plug-ins_without_Microsoft_Visual_C_Run-Time_(MSVCRT)_dependency
I tried all the methods in the link you provided, unfortunately with no luck. I think I will just simply install a VS 2008 and roll back the project files to the 2008 version.
I don't have VS2013 (or later) at my fingertips right now, but if I was creating a project for this in another VS version, I would go to the project properties C/C++->Code Generation and change Runtime Library to "Multi-threaded (/MT)" for the Release build and "Multi-threaded Debug (/MTd)" for the Debug build.
Hi Mark,
Your method works!
Please try the latest Npcap 0.06 R3 at: https://github.com/nmap/npcap/releases/
Hi Yang,
This is much better!
Please remove the option to create the restore point and always silently create one.
Additionally, make sure that a restore point is also created on the uninstall.
Thirdly, please make the uninstall stop when the operation completes. I had the "Details" being displayed and things flashed by too fast for me to read them and I think there might have been a problem.
Thanks.
Hi Mark,
Please remove the option to create the restore point and always silently create one. Additionally, make sure that a restore point is also created on the uninstall.
These two are already implemented in Npcap 0.06 R3.
Thirdly, please make the uninstall stop when the operation completes. I had the "Details" being displayed and things flashed by too fast for me to read them and I think there might have been a problem.
I removed the stop of the uninstaller because of some reasons several weeks ago. I will try to recover it.
Cheers, Yang
Yang,
I do not see a restore point created on the Uninstall...
By the way, I would change the text of the Restore point description to "Before Npcap %VERSION% install" and "Before Npcap %VERSION% uninstall" (removing the trailing 's').
Yang, I tried to install on Win10x64 and the following log info was produced:
Start setting system restore point: Before Npcap 0.06 installs
Error occured when starting setting system restore point, return value=|1058|
Output folder: C:\Windows\system32
Extract: pthreadVC.dll
Extract: wpcap.dll
Extract: NPcapHelper.exe
Windows CurrentVersion: 6.3
Extract: Packet.dll
Output folder: C:\Program Files\Npcap
Extract: rpcapd.exe
Extract: LICENSE
Extract: NPFInstall.exe
Extract: npf.sys
Extract: npf.inf
Extract: npf_wfp.inf
Extract: npf.cat
Created uninstaller: C:\Program Files\Npcap\uninstall.exe
Installing NDIS6.x x64 driver for Vista, Win7, Win8 and Win10
Output folder: C:\Windows\system32\drivers
Output folder: C:\Windows\system32
Extract: NPcapHelper.exe
Extract: wpcap.dll
Extract: Packet.dll
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -il
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -iw
Execute: "C:\Program Files\Npcap\NPFInstall.exe" -i
The npf service for Vista, Win7, Win8 and Win10 was successfully created
Completed
NOTICE the error creating the restore point. Error 1058 is ERROR_SERVICE_DISABLED. This is due to System Protection not being enabled. So, I enabled System Protection and uninstalled the npcap 0.06r3 package. It uninstalled cleanly and actually created a restore point. After rebooting the system, I installed npcap-0.06r3 again and this time it showed that it was creating a restore point and did not log an error. Meanwhile the Restore Point DID NOT show up. It seems that the first restore point operation works and the subsequent one does not!
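Added example, not part of the original thread and not Npcap's own code: a Windows PowerShell 5.1 check that confirms whether an installer run actually produced a restore point, by comparing `Get-ComputerRestorePoint` sequence numbers before and after the run rather than reading the System Restore window. The installer path and the `Npcap` match string are placeholders; the script also reports the `SystemRestorePointCreationFrequency` throttle that Windows 8 and later apply to repeated restore point requests.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell 5.1
# prompt (Get-ComputerRestorePoint is not available in PowerShell 7).
param(
    # Placeholder: path to the installer or uninstaller being tested.
    [string]$Installer = 'C:\path\to\installer-under-test.exe',
    # Substring expected in the restore point description (assumption).
    [string]$Match = 'Npcap'
)

# EventType values recorded by System Restore for each restore point.
$eventNames = @{
    100 = 'BEGIN_SYSTEM_CHANGE'
    101 = 'END_SYSTEM_CHANGE'
    102 = 'BEGIN_NESTED_SYSTEM_CHANGE'
    103 = 'END_NESTED_SYSTEM_CHANGE'
}

function Get-ThrottleMinutes {
    # Windows 7 (6.1) has no throttle. Windows 8 (6.2) and later skip a restore
    # point request when another point was created within N minutes; N comes
    # from this registry value and defaults to 1440 when the value is absent.
    if ([Environment]::OSVersion.Version -lt [Version]'6.2') { return 0 }
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $p = Get-ItemProperty -Path $key -Name SystemRestorePointCreationFrequency `
                          -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.SystemRestorePointCreationFrequency } else { 1440 }
}

# Snapshot the restore points that exist before the run.
$before  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$lastSeq = 0
if ($before.Count -gt 0) {
    $lastSeq = ($before | Measure-Object -Property SequenceNumber -Maximum).Maximum
}

# Warn when the OS throttle would silently swallow the installer's request.
$throttle = Get-ThrottleMinutes
if ($throttle -gt 0 -and $before.Count -gt 0) {
    $newest = $before | Sort-Object SequenceNumber | Select-Object -Last 1
    $age    = (Get-Date) - $newest.ConvertToDateTime($newest.CreationTime)
    if ($age.TotalMinutes -lt $throttle) {
        Write-Warning ("Newest restore point is {0:N0} min old; requests within {1} min are skipped by Windows." -f `
                       $age.TotalMinutes, $throttle)
    }
}

# Run the installer under test and wait for it to finish.
$proc = Start-Process -FilePath $Installer -Wait -PassThru
Write-Output "Installer exit code: $($proc.ExitCode)"

# Anything with a higher sequence number was created during the run.
$new = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
         Where-Object { $_.SequenceNumber -gt $lastSeq })

if ($new.Count -eq 0) {
    Write-Warning 'No new restore point was recorded during the run.'
    exit 1
}

$new | Select-Object SequenceNumber,
    @{ n = 'Created';     e = { $_.ConvertToDateTime($_.CreationTime) } },
    @{ n = 'Event';       e = { $eventNames[[int]$_.EventType] } },
    @{ n = 'MatchesName'; e = { $_.Description -like "*$Match*" } },
    Description
```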
Hi Mark,
I do not see a restore point created on the Uninstall...
This may be because you didn't install Npcap 0.06 R3 once. Remember if you install a new version Npcap, when you uninstall the old version, the uninstaller is still the old version one. So your old uninstaller won't have the creating uninstall restore point function.
By the way, I would change the text of the Restore point description to "Before Npcap %VERSION% install" and "Before Npcap %VERSION% uninstall" (removing the trailing 's').
I don't quite understand. Based on my English knowledge, the sentence subject is `Npcap %VERSION%` which is `third person singular`. So the verb should be `installs` instead of `install`. Another way is using the noun like `Before Npcap %VERSION%'s installation`.
Cheers, Yang
NOTICE the error creating the restore point. Error 1058 is ERROR_SERVICE_DISABLED. This is due to System Protection not being enabled. So, I enabled System Protection and uninstalled the npcap 0.06r3 package. It uninstalled cleanly and actually created a restore point. After rebooting the system, I installed npcap-0.06r3 again and this time it showed that it was creating a restore point and did not log an error. Meanwhile the Restore Point DID NOT show up. It seems that the first restore point operation works and the subsequent one does not!
Have you tried clearing all your previous restore points? Sometimes they mess things up.
In fact, sometimes I also encounter this. Npcap won't create a restore point sometimes if Npcap has already created some before. It's weird because we all use standard Windows functions to do this. There's not much space for Npcap to have bugs in its code.
NOTICE the error creating the restore point. Error 1058 is ERROR_SERVICE_DISABLED. This is due to System Protection not being enabled. So, I enabled System Protection and uninstalled the npcap 0.06r3 package. It uninstalled cleanly and actually created a restore point. After rebooting the system, I installed npcap-0.06r3 again and this time it showed that it was creating a restore point and did not log an error. Meanwhile the Restore Point DID NOT show up. It seems that the first restore point operation works and the subsequent one does not!
Have you tried clearing all your previous restore points? Sometimes they mess things up.
Well, since I'd just enabled "System Protection", there were no previous restore points.
Is there any path through the installer's restore point code which might BEGIN but not END a restore point creation?
The fact that on one system I only see the Install restore points and on another I only see the Uninstall restore points is very odd AND the fact that I can manually create a restore point suggests that the fragile behavior I'm seeing is somehow related to the npcap installer...
Well, since I'd just enabled "System Protection", there were no previous restore points.
So strange..
Is there any path through the installer's restore point code which might BEGIN but not END a restore point creation?
In the uninstallation code, only uninstallation failure would cause no END. But in my test the uninstallations all succeed. So I don't know why.. I have just disabled the uninstallation restore point. Because it's so slow and doesn't have much meaning as the installation restore point.
The fact that on one system I only see the Install restore points and on another I only see the Uninstall restore points is very odd AND the fact that I can manually create a restore point suggests that the fragile behavior I'm seeing is somehow related to the npcap installer...
I don't have a clue either..
By the way, I would change the text of the Restore point description to "Before Npcap %VERSION% install" and "Before Npcap %VERSION% uninstall" (removing the trailing 's').
I don't quite understand. Based on my English knowledge, the sentence subject is Npcap %VERSION% which is third person singular. So the verb should be installs instead of install. Another way is using the noun like Before Npcap %VERSION%'s installation.
Well, in this context, what we're looking at I don't see as a sentence. It is a singular event description. Another way to phrase the same thing would be: "Before the Npcap %VERSION% installation" Leaving out "the" removes no useful info. Having "'s" after %VERSION% is adding possessive to a number or to a product name (Npcap 0.062) which isn't natural to me. Ending the description with "installs" looks like something plural, which, again isn't natural.
Is there any path through the installer's restore point code which might BEGIN but not END a restore point creation?
In the uninstallation code, only uninstallation failure would cause no END. But in my test the uninstallations all succeed. So I don't know why.. I have just disabled the uninstallation restore point. Because it's so slow and doesn't have much meaning as the installation restore point.
If the Restore Points were only missing for the uninstall case then I wouldn't argue against disabling them for the uninstall. However, since the same problem seems to be happening in both the install and uninstall case, it seems that you're side stepping whatever the real underlying problem actually is.
Well, in this context, what we're looking at I don't see as a sentence. It is a singular event description. Another way to phrase the same thing would be: "Before the Npcap %VERSION% installation" Leaving out "the" removes no useful info. Having "'s" after %VERSION% is adding possessive to a number or to a product name (Npcap 0.062) which isn't natural to me. Ending the description with "installs" looks like something plural, which, again isn't natural.
Sounds reasonable. I have improved it. See: https://github.com/nmap/npcap/commit/daa83a9ffb96a8c6a738e2f4baabbea0bc95acf5
If the Restore Points were only missing for the uninstall case then I wouldn't argue against disabling them for the uninstall. However, since the same problem seems to be happening in both the install and uninstall case, it seems that you're side stepping whatever the real underlying problem actually is.
Since the code of creating system restore point is so easy, just a few calls. If it still fails sometimes, I believe it's Microsoft's problem. I have asked a question here: http://stackoverflow.com/questions/35718798/how-to-disable-windows-to-create-an-automatic-restore-point-when-installing-my-k
Hope anyone could reply to it.
Yang,
The most recent version looks good. Some of my observations about Restore Points not being made seem to be related to the "System Restore" application not actually displaying newly created restore points immediately (I started it by typing "System Restore" (no quotes) in the Search Box and clicked on the Application results.). I then, using Explorer, Right-Clicked on "Computer" and select Properties. I then click on "System Protection" and in that interface I see restore point. I'm pretty sure that this was not what I was seeing last night since then I either saw multiple "install" or multiple "uninstall" restore points depending on the system I was testing with. The most recent tests on the Win7-x86 and Win7-x64 both seem to do what is expected now. I just saw the same problem which started this mess happen on the Win7-x64. The system was in a clean state. I did a npcap install (r4). It went cleanly. I confirmed the Restore Point existed. I did an uninstall and after that uninstall I was left with 2 Ethernet interfaces as shown in IPCONFIG. The output looks like the IPCONFIG from the beginning of this issue. Fortunately there was a Restore Point which I could now try to restore from. That actually worked correctly. The odd thing is the initial failure.
Meanwhile, there definitely is a problem which leaves the system in a broken state. I tried another install, which went well (including creating a new restore point) and then did an uninstall. EXACT same issue. This is happening on Win7-x64 while I was able to successfully install and uninstall Npcap several times on Win7-x86 without issue. I was able to clean up this mess by using the Device Manager to remove BOTH the native LAN driver AND the Microsoft Loopback driver as described in the next paragraph.
Separate from these problems with a mangled network configuration on the uninstall, I previously mentioned to you the 1 minute "delay" for the network to come up after uninstalling npcap on a system which had no delay after a boot before npcap was installed. This problem is 100% repeatable. I can remove the delay by going to Device Manager and navigating to my LAN adapter in Network Adapters and Right-Clicking on the LAN adapter and selecting "Uninstall". After doing this, I can Right-Click on the system name at the top of the Device Manager tree and select "Scan for Hardware Changes". Once the hardware is recognized again and is back to the condition it looked like previously, there is no 1 minute delay after a cold boot before the network comes online. This issue happens on BOTH the Win7-x86 and Win7-x64 systems.
Is it possible that the delay we're seeing is related to some service dependency which gets defined when the npf service is installed and which is not properly reversed by the uninstall?
I can see this happening visibly as the system finishes booting. The test system I'm using only has one account which is an administrator account and it doesn't have a password. This lets windows automatically perform the login with the boot. As the screen comes up the lower right hand corner of the Task Bar (the Notification area) has a network symbol which changes while the adapter is coming online and acquiring an IP address via DHCP. I can watch this change which seems to fail and the icon has a red X in it for that 1 minute period while the network is unavailable, then some sort of retry kicks in and it comes online. With a 'clean' system (one that hasn't had npcap installed and subsequently uninstalled), I can watch the icon quickly get an IP address and the network is up in a couple of seconds (usually before I can type ipconfig in a command prompt).
The most recent version looks good. Some of my observations about Restore Points not being made seem to be related to the "System Restore" application not actually displaying newly created restore points immediately (I started it by typing "System Restore" (no quotes) in the Search Box and clicked on the Application results.). I then, using Explorer, Right-Clicked on "Computer" and select Properties. I then click on "System Protection" and in that interface I see restore point.
I have a better way to launch `System Protection` quickly.
`Win+R` to open a `Run` window.
`control sysdm.cpl,,4` and press `Enter`. (The 2nd time the window will remember this command)
Separate from these problems with a mangled network configuration on the uninstall, I previously mentioned to you the 1 minute "delay" for the network to come up after uninstalling npcap on a system which had no delay after a boot before npcap was installed. This problem is 100% repeatable. I can remove the delay by going to Device Manager and navigating to my LAN adapter in Network Adapters and Right-Clicking on the LAN adapter and selecting "Uninstall". After doing this, I can Right-Click on the system name at the top of the Device Manager tree and select "Scan for Hardware Changes". Once the hardware is recognized again and is back to the condition it looked like previously, there is no 1 minute delay after a cold boot before the network comes online. This issue happens on BOTH the Win7-x86 and Win7-x64 systems.
My Win7 x64 VMware VM and my Win10 x64 VirtualBox VM are both without the delay issue you said. The `ipconfig` command just shows normally.
So I guess have you installed any network software with LWF drivers? They can conflict sometimes.
Maybe you could provide a complete reproduce process.
I have privately sent you a link to a VirtualBox VM Export (.ova file).
This system is a basic install of Win7-SP1-x86. Windows Updates have been performed, but the problem was 100% there before any Windows Updates. 2 other installations have also been performed: 1) Chrome - the problem existed before Chrome, 2) VirtualBox Guest Additions - I did not test before installing this.
To reproduce the problem:
1) Import this VM to some virtual environment which supports it (VirtualBox certainly, VMWare - maybe) and connect the network interface to a bridged LAN network (do not use NAT)
2) start the imported VM.
3) It will boot and login automatically and bring up a Command Prompt window. Type "ipconfig" in the command prompt window. Normal results should be expected.
4) Run the npcap installer (C:\Users\Admin\Downloads\npcap-nmap-0.06-r4.exe) and install npcap accepting all defaults.
5) Shutdown the VM
6) Start the VM
7) It will boot and login automatically and bring up a Command Prompt window. Type "ipconfig" in the command prompt window. Normal results should be expected.
8) Uninstall the npcap package.
9) Shutdown the VM
10) Start the VM
7) It will boot and login automatically and bring up a Command Prompt window. Type "ipconfig" in the command prompt window. The following results will be produced:
C:\Users\Admin>ipconfig
Windows IP Configuration
C:\Users\Admin>
8) Wait 1 minute
9) Type "ipconfig" in the command prompt window. Normal results will be produced
This network startup delay can be fixed in one of two ways:
1) Use System Restore to roll the system back to "Before installation of npcap 0.06"
2) Open Device Manager and navigate to Network Adapters and Right-Click on the "Intel Pro1000 MT Desktop Adapter" and select Uninstall. At the top of the Device Tree, Right-Click on the Win7-SP1-x86 node and select "scan for hardware changes". The "Intel Pro1000 MT Desktop Adapter" driver will be reinstalled.
3) Shutdown the VM
4) Start the VM and when it boots the network will be functional immediately after boot.
NOTES:
1) The above network startup delay issue happens if Npcap is installed WITH or WITHOUT also installing the Npcap loopback adapter, and the fix is the same (System Restore or Uninstall LAN interface).
2) The above network startup delay issue DOES NOT happen when WinPcap 4.1.3 is installed and then uninstalled.
Hi Mark,
I tried several times, but the download always got broken when downloading for nearly 1GB. I don't know if it's my country's restriction or what. Could you split your .ova file into every 500MB size? Thanks.
Hi Yang,
I've split the file into 500MB pieces and they are uploading now. I've shared them with you along with a md5 and sha1 values of the pieces which you can use to verify a successful transfer.
Hi Mark,
Thanks! I have confirmed this issue. I will see what's going wrong there.
Hi.
I have fixed this issue in Npcap 0.06 R6, try it at: https://github.com/nmap/npcap/releases
Cheers, Yang
With a clean Windows 7 system.
The initial network config (prior to any npcap install) looks like:
I install the latest (r14) npcap package. I take defaults for all questions, and the resulting IP configuration looks like:
So far, so good. EXCEPT that the interface name of the npcap Loopback adapter is "Local Area Connection 2" instead of a more useful description.
I run my application which uses WinPcap and I verify that I see both network interfaces and, in fact pcap_datalink returns DLT_EN10MB for both interfaces.
I exit my application cleanly.
I uninstall the npcap package using the Windows Control panel. After the uninstall the npcap package is no longer visible in the control panel. However, the network configuration has NOT been restored to what it looked like before the npcap install. It currently looks like:
After rebooting the system, the network configuration is in WORSE shape:
I open Control Panel->Network and Internet->Network and Sharing Center and I see some networks and click on "Change adapter settings" which brings me to Control Panel->Network and Internet->Network Connections. I see what looks like the network coming online and IP addresses being acquired. This is very strange since before installing npcap the network had come fully up prior to me being able to login. After the adapters get IP addresses ipconfig now shows:
which is what it looked like before the reboot.
So, there are 2 issues here:
1) The remaining network setup which hasn't been restored, 2) The delay while the network starts. I don't know how to better describe this.