RE: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3
It's a bug of WinPcap 3.0a. We're going to update everything in the next few days.

Cheers,
fulvio

-----Original Message-----
From: Denis Bujoreanu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 12:55
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

Ok, I switched to 3.0a, it works well so far. I haven't experienced any more BSD but I saw that if I take the incoming packet, change something in its structure (namely set the RST and FIN flags in the TCP header) and write it back, the packet I see as originating from my machine has a different length and content. Maybe I'm doing something wrong, I'll keep checking.

----- Original Message -----
From: Denis Bujoreanu
To: [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 5:02 PM
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

Well I saw that the export section, which interests me the most, of the 2.3 version differs from that of the 3.0a - obviously it has some more functions exported, but to my surprise some functions are also missing !!! Namely PacketResetAdapter and PacketWaitPacket which kinda renders the backward compatibility null. But still, this doesn't bother me cause I don't use the missing functions, what bothers me is that now the PacketGetAdapterNames is different, I mean I get different info from the driver when calling for the adapter names which doesn't scale well in my app and I don't quite get it why. After all the adapter name doesn't change, right? I'll take a closer look at the examples.

My card is a plain ethernet (Accton EN2242 100Mbps) which works flawlessly with ver 2.3 on capture, but if I try to send packets I get the BSD.
I'm using the packet API cause the pcap API is too simple and too high up in the stack and from the pcap source I saw that what I do in my app is the same as pcap does, of course not as efficient but performance is not a big concern now, I need functionality first and then speed. One other reason I use the packet API is that in order for me to use the pcap API I'd have to port a lot of data structures and types. I know there's Lars's translation to Delphi for the pcap headers and types but I started using WinPcap before I knew about Lars's work and is too much hassle to switch to pcap now, especially since I get what I need from packet API.

----- Original Message -----
From: Gianluca Varenni
To: [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 04:39 PM
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

Well, WinPcap 3.0 is backward compatible with 2.3. I suggested you to wpdpack 3.0a since we have corrected some bugs in the examples, and we have added a brand new HTML documentation and tutorial.

Regarding the crashes, on which network adapter are you using winpcap to send packets? Is it ethernet or PPP? Or anything else?

GV

PS. Why are you using the packet API? We usually suggest users to use the pcap API, which we think is much more simple, and yet powerful.

----- Original Message -----
From: Denis Bujoreanu
To: [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 3:12 PM
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

well, I don't use the wpcap library (u know... pcap_open_live and stuff), I use only the functions exported by the packet.dll

I have both 2.3 and 3.0a but the packet.dll doesn't seem to know about all the functions from ver. 2.3...how come? isn't there a backward compatibility?

what do you mean by upgrading the wdpack? I've downloaded both versions couple of weeks ago...
----- Original Message -----
From: Gianluca Varenni
To: [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 04:03 PM
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

Try winpcap 3.0alpha (remember to upgrade the developers' pack, too).

GV

PS. What do you mean by I use Packet.dll and packet.sys and do not go through the API?

----- Original Message -----
From: Denis Bujoreanu
To: [EMAIL PROTECTED]
Sent: Monday, September 09, 2002 2:18 PM
Subject: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

Hi,

I wrote an app that uses WinPcap ver. 2.3 (I use Packet.dll and Packet.sys and do not go through the API) to capture packets and if the TCP port matches a certain value then it writes a new packet that closes the connection (it's not a DoS tool, it's meant to be an intrusion prevention and access control tool so don't bite my head off yet).

From time to time I get a STOP fatal error on my W2K Server, the message error was that the irq was less or not equal to...or something like that, it was accompanied by a blue screen and a memory dump). I read in a previous post that this problem is not a singularity and that it has been fixed. Could it be that I am doing something
RE: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3
-----Original Message-----
From: Denis Bujoreanu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 12, 2002 13:42
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

so we should expect a change in the way we use PacketReceivePacket? The call to this function will remain the same?

Hopefully yes. However, please note that we *strongly* suggest not to use packet.dll api; please use wpcap api instead. There's plenty of examples in the new documentation.

fulvio

ok...I won't bother you with stupid questions anymore and let you go by your work

10x and keep up the good work!! :)

----- Original Message -----
From: Fulvio Risso [EMAIL PROTECTED]
To: Denis Bujoreanu [EMAIL PROTECTED]
Sent: Thursday, September 12, 2002 2:26 PM
Subject: RE: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

The problem is the receive process.

fulvio

-----Original Message-----
From: Denis Bujoreanu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 12, 2002 12:06
To: Fulvio Risso
Subject: Re: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

10x F.

Just one more question: will the changes affect the way PacketReceivePacket behaves or they will only focus on the write operations? I'm askin' cause when I went from 2.3 to 3.0a I had a little trouble importing the functions exported by the packet.dll library.

----- Original Message -----
From: Fulvio Risso [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 12, 2002 1:01 PM
Subject: RE: [WinPcap-users] I got a Blue Screen of Death on my W2K Server while using WinPcap ver 2.3

It's a bug of WinPcap 3.0a. We're going to update everything in the next few days.
RE: [WinPcap-users] Licensing question
-----Original Message-----
From: Jim Jones [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 13, 2002 00:55
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Licensing question

Hello,

I have a question regarding licensing that I'm sure will get me brutalized, but I need to ask. A friend of mine and I wish to develop a tool for network analysis. We would very much like to use winpcap as a basis for this tool, but we eventually want to sell it. I read the BSD license and it basically says that this is OK, so long as you get it in writing from UCB.

No, not UCB, but the authors of the software (in this case the Netgroup at Politecnico di Torino).

Is this correct? Anybody here happen to know who to contact at UCB?

In any case, you do not need to contact anyone, provided that you (i.e. your software) clearly states that this software includes portion of code developed by the Netgroup at Politecnico di Torino... in the licence terms and in any advertising materials.

Cheers,
fulvio

==
This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]?body=unsubscribe
==
RE: [WinPcap-users] Licensing question
-----Original Message-----
From: Denis Bujoreanu [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 13, 2002 13:02
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Licensing question

10x Fulvio

I was a little worried you're going to say that we can't use WinPcap for commercial apps :). So if my app has, let's say in the about box, a note stating that it uses WinPcap developed by Politecnico di Torino it will suffice?

Yes. Although a little present from who is using also our work to make money could be a good thing.

fulvio

----- Original Message -----
From: Fulvio Risso [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 13, 2002 11:51 AM
Subject: RE: [WinPcap-users] Licensing question

-----Original Message-----
From: Jim Jones [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 13, 2002 00:55
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Licensing question

Hello,

I have a question regarding licensing that I'm sure will get me brutalized, but I need to ask. A friend of mine and I wish to develop a tool for network analysis. We would very much like to use winpcap as a basis for this tool, but we eventually want to sell it. I read the BSD license and it basically says that this is OK, so long as you get it in writing from UCB.

No, not UCB, but the authors of the software (in this case the Netgroup at Politecnico di Torino).

Is this correct? Anybody here happen to know who to contact at UCB?

In any case, you do not need to contact anyone, provided that you (i.e. your software) clearly states that this software includes portion of code developed by the Netgroup at Politecnico di Torino... in the licence terms and in any advertising materials.

Cheers,
fulvio
RE: [WinPcap-users] WinPcap on NT4sp6/ALPHA ?
-----Original Message-----
From: Luke Brennan [mailto:lukeb;microsoft.com]
Sent: Wednesday, October 30, 2002 11:13
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] WinPcap on NT4sp6/ALPHA ?

OK, so what support is required from Microsoft?

oh, for example an Alpha in order to test it properly, plus money to pay someone to do the porting :-)

Let me know what that is and I'll ask about it... I'll reverse the process from x86 into C or alpha-assembler I suppose. I was just hoping that I didn't have to :-)

I believe you have to start learning Alpha assembler :-))

fulvio

Luke.

-----Original Message-----
From: Fulvio Risso [mailto:risso;polito.it]
Sent: Wednesday, 30 October 2002 8:57 PM
To: [EMAIL PROTECTED]
Cc: Luke Brennan
Subject: RE: [WinPcap-users] WinPcap on NT4sp6/ALPHA ?

It could be, if Microsoft provide us support for the porting.

fulvio

-----Original Message-----
From: Luke Brennan [mailto:lukeb;microsoft.com]
Sent: Wednesday, October 30, 2002 00:24
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] WinPcap on NT4sp6/ALPHA ?

I've just started into this to get the SIMH VAX emulator running on my XL366/ALPHA (NT4sp6 / Linux 7.2). I downloaded WinPcap 3.0alpha4 sources along with the DDK, SDK and VC++ 6.0, and to my dismay it's got inline _ASM intel assembler. Is there a non-assembler version for NT/ALPHA available?

Luke
RE: [WinPcap-users] Announce: WinPcap MP Support
Dear all,

the WinPcap team is not willing to lose its time with disputes. However, a lot of false information is circulating on the mailing lists. So, we are forced to point out a couple of things.

For who is interested in using WinPcap, we would like to say that:
- the proposed patch is a nonsense and it does not solve anything
- we're going to release a version of WinPcap with SMP support in a couple of weeks (thanks to a company that donated us a SMP machine)

For who is interested just in using WinPcap, he can stop its reading here.

For who is interested in technical stuff, here there is why the patch proposed by the ntop guys does not work. The proposed patch basically modifies the 'packet.c' file in two points:
- it removes the block that says if your machine has more than one CPU, then stop
- it uses a macro (whose definition cannot be found anywhere) during filter initialization.

However, the 'packet.c' is user-level code, which is part of the DLL. With SMP, the problems are into the kernel portion of the driver, the .SYS file.

The biggest problem is that two tap() can be executed on two CPUs at the same time. Both are going to insert data into the same buffer, updating the same pointers. Both buffers and pointers are not protected (i.e. locked) right now and are still unprotected into the patched version of WinPcap proposed by the ntop guys.

A second problem comes out when the user changes the filter at run-time. Here we have more than one CPU, so we cannot say ok, the tap() is not working when we're changing the filter, because we have only one CPU. So, again, we have to protect the change by means of appropriate locks.

A third problem is the timestamp management. If a first tap is called with packet A, and a second tap is called with packet B, there is no guarantee that the first tap will finish first. It follows that out of order packets can appear, maybe because the second tap is faster than the second.
Please note that the timestamp is assigned by the npf.sys driver, so what happens before calling the methods defined into it is completely out of our control.

All these problems require modifications to the 'read.c' file, which contains the code of the tap() and related stuff, not 'packet.c'.

We cannot enter in too many details, since you (reader) are probably not interested in WinPcap internals. However, we would like to point out that SMP is not an easy stuff and that you cannot say now it works on SMP just disabling the initial block we placed time ago, when we recognized the existence of such these problems. It works, yes, but are the result correct?

End of the technical discussion.

Just a note on the http://www.ntop.org/winpcap.html page: it's true that the ntop guys offered us an access to their SMP machine (on Jan 17, 2003). However, is there anyone that develops kernel drivers on a remote machine? What happens when a BSOD occur (quite often, during kernel development)? Do we have to take the phone every half an hour (or less) to say please reboot the machine? And what happens if the machine doesn't reboot because an error into the driver (maybe during startup) blocks everything forever? Please, be serious.

Thanks everyone for the patience in reading this long mail,

the WinPcap team.

-----Original Message-----
From: Luca Deri [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 09:50
To: [EMAIL PROTECTED]; ntop
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Mike Schwarz
Subject: [WinPcap-users] Announce: WinPcap MP Support

Dear all,

we (Michel Montague and me) have just released a patch for running Winpcap 3.X on multiprocessor (MP) machines. This patch allows users to run winpcap-based applications such as ntop, nProbe, Ethereal and snort on MP machines under Windows. For more information about this topic please visit http://www.ntop.org/winpcap.html.

We have tested the patch on Win2K. Please report us about other Windows versions.
Have a lot of fun,
Luca Michel

--
Luca Deri [EMAIL PROTECTED] http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being clever about it - Richard Stallman
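The buffer-pointer and timestamp hazards described in the WinPcap team's message above, replayed as a deterministic interleaving of two tap() calls. This is an added illustration, not WinPcap or npf.sys code: the ring layout, the three-step split of tap(), the spin-lock model and every name in it (ring_t, tap_ctx, tap_step, run_taps, the two schedules) are assumptions made for the demo, and the filter-change hazard is not modelled.

```c
/* Added illustration: NOT WinPcap/npf.sys code. The ring layout, the names
 * and the three-step split of tap() are assumptions made for this demo. */
#include <stdio.h>
#include <string.h>

#define SLOTS 8
#define DONE  3                      /* a tap() call has three steps: 0, 1, 2 */

typedef struct { unsigned ts; char id; } pkt_t;

typedef struct {
    pkt_t    slot[SLOTS];
    unsigned head;                   /* next free slot, shared by all CPUs */
    unsigned clock;                  /* timestamp source */
    int      owner;                  /* CPU holding the lock, -1 when free */
} ring_t;

/* State private to one in-flight tap() call on one CPU. */
typedef struct { char id; unsigned ts; unsigned saved_head; int pc; } tap_ctx;

/* Advance one CPU's tap() by a single step. With use_lock set, the whole
 * call is one critical section and the other CPU spins until it ends. */
static void tap_step(ring_t *r, tap_ctx *c, int cpu, int use_lock)
{
    if (c->pc == DONE) return;                          /* tap() already returned */
    if (use_lock) {
        if (r->owner != -1 && r->owner != cpu) return;  /* spin, no progress */
        r->owner = cpu;
    }
    switch (c->pc++) {
    case 0: c->ts = ++r->clock;       break;            /* take the timestamp */
    case 1: c->saved_head = r->head;  break;            /* read shared pointer */
    case 2:                                             /* copy, then publish */
        r->slot[c->saved_head % SLOTS] = (pkt_t){ c->ts, c->id };
        r->head = c->saved_head + 1;
        if (use_lock) r->owner = -1;
        break;
    }
}

/* Run CPU 0 (packet 'A') and CPU 1 (packet 'B') in the order given by sched,
 * then let both calls run to completion. Returns the resulting ring. */
static ring_t run_taps(const int *sched, int n, int use_lock)
{
    ring_t r;
    tap_ctx cpu[2] = { { 'A', 0, 0, 0 }, { 'B', 0, 0, 0 } };
    memset(&r, 0, sizeof r);
    r.owner = -1;
    for (int i = 0; i < n; i++)
        tap_step(&r, &cpu[sched[i]], sched[i], use_lock);
    while (cpu[0].pc < DONE || cpu[1].pc < DONE) {
        tap_step(&r, &cpu[0], 0, use_lock);
        tap_step(&r, &cpu[1], 1, use_lock);
    }
    return r;
}

/* 1 if the stored packets carry strictly increasing timestamps. */
static int timestamps_in_order(const ring_t *r)
{
    for (unsigned i = 1; i < r->head && i < SLOTS; i++)
        if (r->slot[i].ts <= r->slot[i - 1].ts) return 0;
    return 1;
}

/* Constructed schedules: which CPU runs its next step. */
static const int LOST_SCHED[6]    = { 0, 1, 0, 1, 1, 0 }; /* both read head == 0 */
static const int REORDER_SCHED[6] = { 0, 1, 1, 1, 0, 0 }; /* B stamped 2nd, stored 1st */

int main(void)
{
    const int *sched[2]  = { LOST_SCHED, REORDER_SCHED };
    const char *label[2] = { "shared pointer race", "timestamp reorder" };
    for (int s = 0; s < 2; s++)
        for (int lock = 0; lock < 2; lock++) {
            ring_t r = run_taps(sched[s], 6, lock);
            printf("%-20s lock=%d stored=%u of 2, in order=%d\n",
                   label[s], lock, r.head, timestamps_in_order(&r));
        }
    return 0;
}
```

Without the lock the first schedule stores one packet out of two and the second stores both with decreasing timestamps; with the lock held from the timestamp to the pointer update, both schedules store two packets in timestamp order.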
RE: [WinPcap-users] Announce: WinPcap MP Support
Yes, my mistake. I don't know why I wrote that, since in our internal discussion we said yes, that's kernel code but it does nothing. The fact is that I started the mail on Friday, and I got confused with 'packet32.c'. Then, I finished the mail yesterday without reading the initial part...

Thanks for pointing out this point,

fulvio

-----Original Message-----
From: Jason Copeland [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 16:33
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Announce: WinPcap MP Support

However, the 'packet.c' is user-level code, which is part of the DLL. With SMP, the problems are into the kernel portion of the driver, the .SYS file.

Just for my own clarity, but I thought that packet.c (not packet32.c) is part of the driver. It certainly looks like driver code to me, and if I compile that directory, the .sys file is created. I don't mean to dispute if I'm wrong, just want to make sure.
RE: [WinPcap-users] Installer silent mode logo
The present release on WinPcap does not support SMP. The SMP beta will come out in a couple of weeks or so.

fulvio

-----Original Message-----
From: Wayne Berry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 21:11
To: '[EMAIL PROTECTED]'
Subject: RE: [WinPcap-users] Installer silent mode logo

I would like this also and a silent install for V3.0, which would mean that we start testing out MP machines.

-Wayne

-----Original Message-----
From: David J. Meltzer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 12:07 PM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Installer silent mode logo

Hi,

When I run winpcap 2.3 installer in silent mode, it still pops up the Winpcap logo during the install. We are giving proper credit for winpcap in our software, but the logo still seems a bit out of place during the install. I was wondering if there was any way to disable it from popping up or if not if the installer source is available somewhere where I could add that option?

Thanks.

-Dave
RE: [WinPcap-users] Cisco Aironet 350 wireless adapter and Promiscuous mode
Yes, it's the same for Aironet 350. We have these cards, and no packets are captured in promiscuous mode. Probably it depends on the Cisco drivers (or the chipset?). By sure it is not a WinPcap problem.

Cheers,
fulvio

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 23:15
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Cisco Aironet 350 wireless adapter and Promiscuous mode

Hi,

I've tried to use promiscuous mode with the aironet 340 card. Anywhere in the specs for this card is written that this card don't support promiscuous mode. When I switch to p-mode there is no error message, but there are no packets captured. I don't know if this is also the case for the aironet 350.

Regards,
Kai O.

On Tue, Feb 04, 2003 at 05:07:28PM +0200, Varman Yosef-BYV007 wrote:

Hi

My name is Yossi and I have a question

Does Winpcap support this mode with this adapter??? Or maybe I have to ask this Cisco about this mode. I have this adapter and it does not give me error message when I use Promiscuous mode (I have used Ethereal and Analyzer that use your API so I can assume that Promiscuous mode with this adapter is supported ???

Best Regards
Yossi Varman
Engineer, Motorola
RE: [WinPcap-users] How to gather STAT without using pcap_loop
Sorry for the delay.

The easiest way to solve the problem is to use the pcap_read_ex() (which is no blocking, it does not require to be into a separate thread, it is source-independent), then call the pcap_stats(). We have such this code in Analyzer.

Please do not use calls declared into the Packet API.

Cheers,
fulvio

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 16:09
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] How to gather STAT without using pcap_loop

Hi guys,

please help me to solve the VEXATA QUAESTIO,

Is it possible to gather STATS from the adapter without using pcap_loop() and the callback method.

byez and tnx
Lorenzo
RE: [WinPcap-users] pcap_freecode() undefined?
Bug, maybe? :-))

Anyway, the WinPcap 3.0 beta code on my machine does have such this export. Are you using WinPcap 3.0 beta?

fulvio

-----Original Message-----
From: Gutierrez-M04, Gerald [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 22, 2003 06:43
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] pcap_freecode() undefined?

pcap_freecode() is in pcap.h but not in the library. What's the reason for this?
RE: [WinPcap-users] pcap_freecode() undefined?
-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 23, 2003 03:30
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] pcap_freecode() undefined?

On Fri, Feb 21, 2003 at 09:42:41PM -0800, Gutierrez-M04, Gerald wrote:

pcap_freecode() is in pcap.h but not in the library. What's the reason for this?

It's probably because, when WinPcap was updated to libpcap 0.6.2, the WPCAP.DEF file wasn't updated to include pcap_freecode(). The 3.0 beta WPCAP.DEF does have it.

The current libpcap source doesn't have a WPCAP.DEF and doesn't use it; is there a reason for that?

The reason is that the tcpdump.org CVS repository contains only the files that are needed to build a Win32 version of libpcap. We do not want to break compatibility among different operating systems, so we put into the CVS only the files that are need to create a Win32 version of libpcap. No more. WinPcap has some more files that are not in the tcpdump.org CVS since they are WinPcap extensions.

Since everybody uses the WinPcap _binaries_ instead of the ones that come from the tcpdump.org repository, we avoided the WPCAP.DEF since it is useless (at the moment), and it allows us to maintain only one copy of WPCAP.DEF (i.e. the one that lists all the WinPcap exports).

No problems if you want to include a WPCAP.DEF files into the tcpdump.org repository as well. However, we will have to maintain two files, almost identical.

Cheers,
fulvio
RE: [WinPcap-users] I am getting socket: Operation not permitted error
-----Original Message-----
From: Jeff Wong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 23:03
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] I am getting socket: Operation not permitted error

When I try to execute the following command:

    pcapHandle = pcap_open_live(pcapDeviceName, BUFSIZ, 0, -1, pcapErrBuf);

I am getting the error socket: Operation not permitted. Is this because I'm not executing as root?

yes.

Is there a way to execute this command without being root?

The NPF driver should have been started before by someone else.

My device name is eth0.

Are you sure that you're using a Win32 machine? If not, are you sure this is the right mlist?

fulvio

I noticed when I want to execute tcpdump I have to either sudo or run as root to execute this command. Is this the case as well?

Thanks.
Jeff
[WinPcap-users] RE: [tcpdump-workers] WARNING: interface change for pcap_findalldevs_ex()
Hi Michael.

-----Original Message-----
From: Michael Richardson [mailto:[EMAIL PROTECTED]
Sent: Thursday 5 June 2003 15.09
To: Fulvio Risso
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [tcpdump-workers] WARNING: interface change for pcap_findalldevs_ex()

Fulvio == Fulvio Risso [EMAIL PROTECTED] writes:

Fulvio> int pcap_findalldevs_ex(char *source, struct pcap_rmtauth *auth,
Fulvio> pcap_if_t **alldevs, char *errbuf);
Fulvio> where 'source' will adopt the same syntax defined for the pcap_open():
Fulvio> rpcap:// == lists all local adapters
Fulvio> rpcap://hostname:port/ == lists all remote adapters
Fulvio> file://folder/ == lists all files into 'folder'

My only concern is why pcap should do this at all.

File listing has been discussed some weeks ago in this mlist and nobody complained about that:

http://www.tcpdump.org/lists/workers/2003/05/msg00311.html

File listing is currently up and running and it will be present in the next version of WinPcap. This feature is currently working on linux and BSD as well (other systems are untested). This feature refers only to local files, so there is no risk at all.

It seems that you may be creating new routes for remote attacks on systems.

Yes, especially because the remote capture needs a remote daemon (rpcapd) up and running, which is turned off by default. For instance, this daemon is installed (although disabled) in Win32; in UNIX you have even to install it. Is this really a new threat?

In any case, you're asking the wrong question. The point is not: is this a security risk? because we can manage to reduce this risk (that is almost inexistent right now). The point is: has the current libpcap everything what people need?

Cheers,
fulvio

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another Debian GNU/Linux using, kernel hacking, security guy); [
RE: [WinPcap-users] pcap_compile_nopcap
I'll check at them.

fulvio

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]
Sent: Friday 11 April 2003 9.58
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] pcap_compile_nopcap

On Fri, Apr 11, 2003 at 09:33:33AM +0200, Dries Decock wrote:

I've a question about the deprecated functions

The deprecated and discouraged items in the function list have a number of problems, which probably need to be cleaned up:

Unless there's a way to open a dead pcap_t with pcap_open(), pcap_open_dead() cannot be deprecated in favor of pcap_open().

If pcap_findalldevs() is deprecated in favor of pcap_findalldevs_ex(), other functions should be deprecated in favor of pcap_findalldevs_ex(), not in favor of pcap_findalldevs().

pcap_dump() cannot be used instead of pcap_file() - pcap_dump() deals with writing savefiles, while pcap_file() deals with getting at the FILE * for the file from which a savefile is being read.

pcap_fileno() can't be deprecated in general, as it's still useful on UNIX (and potentially necessary on UNIX, if you're going to use a select()/poll() loop), although it *can* be designated a UNIX-only function (in fact, perhaps it should be removed from WinPcap, by putting #ifndef WIN32/#endif around it).
RE: [WinPcap-users] Building version 3.0 on Windows 2000
-Original Message-
From: Luke Brennan [mailto:[EMAIL PROTECTED]
Sent: giovedi 12 giugno 2003 3.46
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Building version 3.0 on Windows 2000

Hello Bruce,

Have you installed Visual Studio .NET *and* you have VC6 installed too? I did that and of course, the latest SDK installed all the includes into VC7. When I tried to compile with VC++ 6.0 it complained about these things. VC6 still had the old .H files. Copy the .H files from the platforms\SDK subdir from VC7 into VC98 \include and things now compile.

No, please. Do not copy (and overwrite) files. Simply change the VC6 settings (Tools - Options - Directories) in order to use the ones provided with platform SDK *before* the ones of the Visual Studio. This procedure is described when installing the platform SDK.

Cheers,

fulvio

Luke

-Original Message-
From: Bruce Leidl [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 May 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Building version 3.0 on Windows 2000

Hi there,

I've been trying to build the 3.0 release on Windows 2000 but it's not working out for me because there are a lot IPv6 specific structures that don't exist in the networking header files on Win2K, I believe they are only present on XP. I tried removing the INET6 define from the project, but that didn't help at all. Has anyone else got this to work? Is there some simple solution to this problem?

thanks,

--brl
RE: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0
-Original Message-
From: Jaco de Wet [mailto:[EMAIL PROTECTED]
Sent: giovedì 12 giugno 2003 9.06
To: Fulvio Risso; [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0

Thanks Fulvio,

It appears that ps_capt, ps_sent and ps_netdrop is only compiled in if the REMOTE #define is set. I do not presently have this set, as I do not do any remote capturing.

That's a bug. It has already been fixed in our CVS. Tomorrow afternoon we'll release an experimental version of WinPcap (which will be able to compile on linux and BSD as well), which will have this issue solved. Basically, if WIN32 is defined, the REMOTE flag will be turned on by default.

Cheers,

fulvio

Is there any reason why I cannot just set REMOTE, even though I do not use the remote capture stuff ?

Regards

Jaco

-Original Message-
From: Fulvio Risso [mailto:[EMAIL PROTECTED]
Sent: 12 June 2003 07:02
To: [EMAIL PROTECTED]
Cc: Jaco de Wet
Subject: RE: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0

Hi.

-Original Message-
From: Jaco de Wet [mailto:[EMAIL PROTECTED]
Sent: mercoledì 11 giugno 2003 18.17
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0

Hi All,

I have previously been using pcap_stats_ex() as defined in WinPcap 3.0 alpha4 to collect and display statistics about a capture session. I used the counters ps_recv, ps_drop and bs_capt as defined in PCAP.H (See below)

    struct pcap_stat {
        u_int ps_recv;    /* number of packets received */
        u_int ps_drop;    /* number of packets dropped */
        u_int ps_ifdrop;  /* drops by interface XXX not yet supported */
    #ifdef WIN32
        u_int bs_capt;    /* number of packets that reach the application */
    #endif /* WIN32 */
    };

I could not get this working with the new full release of WinPcap 3.0, and further investigation revealed that the definition of the pcap_stat structure in PCAP.H has been modified, as shown below:

    struct pcap_stat {
        u_int ps_recv;    /* number of packets received */
        u_int ps_drop;    /* number of packets dropped */
        u_int ps_ifdrop;  /* drops by interface XXX not yet supported */
    #ifdef REMOTE
    #ifdef WIN32
    //  u_int bs_capt;    /* number of packets that reach the application */
    #endif /* WIN32 */
        u_int ps_capt;    /* number of packets that reach the application; please get rid off the Win32 ifdef */
        u_int ps_sent;    /* number of packets sent by the server on the network */
        u_int ps_netdrop; /* number of packets lost on the network */
    #endif
    };

thus causing the problems with the u_int bs_capt. I cannot find any of these changes in the documentation. Can the developers help ?

The fact is that the name bs_capt was wrong, because of a typo. The correct name is ps_capt (all other members begin with ps). WinPcap 3.0 fixed this typo.

Cheers,

fulvio

Regards

Jaco de Wet
RE: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0
-Original Message-
From: Jiang, Wei [mailto:[EMAIL PROTECTED]
Sent: giovedì 12 giugno 2003 15.48
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Problems with Usage of pcap_stats_ex() in WinPcap 3.0

Does winpcap support IP V6?

Yes.

For example I want to set the filter to ICMP with target machine with IP V6 address, does it work?

Yes.

fulvio
RE: [WinPcap-users] pcap_findalldevs_ex pcap_open undeclared identifier
Are you using 3.01 alpha? Please use that version of the libs.

fulvio

-Original Message-
From: Sherif Fanous [mailto:[EMAIL PROTECTED]
Sent: lunedì 23 giugno 2003 17.46
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] pcap_findalldevs_ex pcap_open undeclared identifier

Hi

I'm a winpcap newbie and I'm trying to use the pcap_findalldevs_ex and pcap_open. However the compiler keeps complaining that it cannot find those functions. I have only included pcap.h which does not contain a declaration for both these functions. In which header files are they declared or what am I missing to compile my project. I have successfully run programs using the older variants of these functions pcap_findalldevs and pcap_open_live.

Thanks for your help

Sherif
RE: [WinPcap-users] Working with remote capturing interface
Hi.

For doing something simple, there's nothing to understand. You have to use the standard calls (pcap_open(), pcap_setfilter(), pcap_findalldevs_ex(), ...). When you're going to open a remote adapter (i.e. the source is in the form 'rpcap://host/adaptername'), WinPcap will send the commands to the remote daemon for you.

Please note that standard calls are not able to send username and password to the remote machine. So, you have to launch the daemon with the '-n' flag, which will accept 'NULL' authentication.

Cheers,

fulvio

-Original Message-
From: Loftus, Billy [mailto:[EMAIL PROTECTED]
Sent: lunedì 23 giugno 2003 22.05
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Working with remote capturing interface

Hi Fulvio

I am developing a network analyzer project for college and I want to incorporate remote capture. I had a look at the docs on the winpcap site and I see that there is a rpcapd daemon that can be run on the remote machine. I don't understand the client side and how I can send commands to the daemon etc. How do the adapter strings operate and how can I issue commands to the daemon. Any example client side code would be appreciated.

Thanks,

Billy Loftus
Senior Test Engineer
Fujitsu Softek
[EMAIL PROTECTED]
353-1-813-6921 phone
353-1-813-6321 fax
RE: [WinPcap-users] BPF compile w/out using wpcap.dll + Offline setting of the filter
Hi.

-Original Message-
From: Guy Harris [mailto:[EMAIL PROTECTED]
Sent: sabato 12 luglio 2003 3.41
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] BPF compile w/out using wpcap.dll + Offline setting of the filter

On Friday, July 11, 2003, at 6:38 PM, Guy Harris wrote:

If you want to use it to compile a filter expression into BPF code without using pcap_open_live() to get your capture handle, you could use pcap_open_dead(),

Yes, I know, the documentation for it in the WinPcap 3.0 manual says Deprecated: use the pcap_open() instead, but there doesn't seem to be any way to use pcap_open() to get a pcap_t that doesn't refer to a device or a savefile.

We're updating docs for 3.01. Some of the info contained into 3.0 (particularly deprecated and discouraged functions) are not up to date. Sorry about that.

Note, BTW, that the packet.dll documentation for WinPcap 3.0 says

Important note, read carefully! If you are writing a capture application and you do not have particular/low level requirements, you are recommended to use the functions of wpcap (see the section WinPcap user's manual ), that are compatible with the ones of the Unix packet capture library (libpcap), instead of the API described in this chapter. wpcap.dll relies on packet.dll, but provides a more powerful, immediate and easy to use programming environment. With wpcap.dll, operations like capturing a packet, creating a capture filter or saving a dump on a file are safely implemented and intuitive to use. Moreover, the programs written to use libpcap are easily compiled on Unix thanks to the compatibility between Win32 and Unix versions of this library. As a consequence, since the normal and suggested way for an application to use WinPcap is through wpcap.dll, we don't grant that the packet.dll API will not be changed in the future releases.

so you use packet.dll functions at your own risk.

Yes. I confirm what the docs and Guy say.

fulvio
RE: [WinPcap-users] Minimum data for copying kernel user buffer
Hi.

Wrong. The PacketReceivePacket() will return either:
- when the timeout elapses
- when you have at least 16KB waiting
whatever comes first.

fulvio

-Original Message-
From: Daniel Frimerman [mailto:[EMAIL PROTECTED]
Sent: venerdì 11 luglio 2003 15.21
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Minimum data for copying kernel user buffer

Hi,

I just saw this in the winpcap manual:

The wpcap library includes a couple of system calls that can be used both to set the timeout after which a read expires and the minimum amount of data that can be transferred to the application. By default, the read timeout is 1 second, and the minimum amount of data copied between the kernel and the application is 16K.

If I understood correctly, it means that the default settings are such that I can't do PacketReceivePacket and read anything until there's at least 16K of data on kernel?

Daniel
RE: [WinPcap-users] about ADSL
-Original Message-
From: rain [mailto:[EMAIL PROTECTED]
Sent: marted 15 luglio 2003 2.30
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] about ADSL

So, If ADSL installed, only capture package from \Device\Packet_NdisWanBh ?

If you have ADSL on a USB modem or such, the answer is yes. Personally, I have ADSL over Ethernet; in this case I don't have problems at all when capturing packets.

how can I capture from \Device\Packet_NdisWanIp and DO NOT stop sending and receiving packets, Then I think do not need to install [Network monitor driver] on ADSL, it is easy for a basic user.

Support for PPP and such these technologies is very tricky in Win32. If you want better PPP support you can either:
- start coding and modifying WinPcap in order to do what you want
- give us a generous sponsorship in order to provide the resources to deal with the problem.

fulvio

- Original Message -
From: Loris Degioanni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 14, 2003 4:13 PM
Subject: Re: [WinPcap-users] about ADSL

\Device\Packet_NdisWanIp is the device that tcpip.sys uses to bind over ndiswan.sys. WinPcap is able to list it and to open it, but capturing on this device causes tcp/ip to stop sending and receiving packets. \Device\Packet_NdisWanBh is used by MS Netmon for the same purpose. You can capture over it, but the device is present only on systems with Netmon.

Loris

- Original Message -
From: rain [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, July 09, 2003 10:16 AM
Subject: [WinPcap-users] about ADSL

what different at? \Device\Packet_NdisWanIp \Device\Packet_NdisWanBh Windows2000+ADSL, which adapter I will capture from ADSL?
RE: [WinPcap-users] windows xp service pack winpcap doesn't work
We're running WinPcap on a dozen of XP-SP1.

fulvio

-Original Message-
From: Daniel [mailto:[EMAIL PROTECTED]
Sent: sabato 19 luglio 2003 20.24
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] windows xp service pack winpcap doesn't work

What's with the exclamation marks? I have XP service pack 1. Get Ethereal from www.ethereal.com Check if you can capture packets using that program.

Daniel

- Original Message -
From: airam [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 20, 2003 5:59 AM
Subject: [WinPcap-users] windows xp service pack winpcap doesn't work

windows xp with service pack 1 winpcap doesn't work microsoft change something with service pack and winpcap it's dead no interface nothing in other windows winpcap works smoothly!!! what i can do english is not my native language!
RE: [WinPcap-users] GETTING AN ERROR WITH PCAP_NEXT_EX
It could be that the file is corrupt.

fulvio

-Original Message-
From: kiran balagani [mailto:[EMAIL PROTECTED]
Sent: venerdì 1 agosto 2003 1.11
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] GETTING AN ERROR WITH PCAP_NEXT_EX

I have written a program (using winpcap api) to read tcp packets offline from a tcpdump file (MIT DARPA datasets). I am using the functions pcap_open_offline and pcap_next_ex to read the packets from the tcpdump file. The tcpdump file that I am using is around 128MB. After reading some packets (around 6000), the function pcap_next_ex terminates with an error truncated dump file. My program seems to work well on another smaller (2.5MB) tcpdump file. I am not able to figure out the problem. Can anyone please help me out with this.
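A structural check for the "truncated dump file" case discussed in this thread, as an added example that is not part of the original messages and not WinPcap code: it walks a classic libpcap savefile held in memory and reports how many complete records it contains and the offset up to which the file is well formed. The function names, the MAX_CAPLEN sanity bound and the sample capture are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_HDR_LEN 24u       /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR_LEN  16u       /* ts_sec, ts_usec, caplen, len */
#define MAGIC        0xa1b2c3d4u
#define MAX_CAPLEN   262144u   /* sanity bound chosen for this example */
#define SAMPLE_LEN   90u       /* 24 + (16+4) + (16+6) + (16+8) */

enum scan_status { SCAN_OK, SCAN_BAD_MAGIC, SCAN_SHORT_FILE_HDR,
                   SCAN_SHORT_REC_HDR, SCAN_SHORT_REC_DATA, SCAN_BAD_CAPLEN };

struct scan_result {
    enum scan_status status;
    size_t records;     /* complete records before the problem */
    size_t good_bytes;  /* the file is well formed up to this offset */
};

/* Read a 32-bit field in the byte order of the host that wrote the file. */
static uint32_t rd32(const uint8_t *p, int big_endian)
{
    uint32_t v = 0;
    int i;
    for (i = 0; i < 4; i++)
        v |= (uint32_t)p[big_endian ? 3 - i : i] << (8 * i);
    return v;
}

static void wr32(uint8_t *p, uint32_t v, int big_endian)
{
    int i;
    for (i = 0; i < 4; i++)
        p[big_endian ? 3 - i : i] = (uint8_t)(v >> (8 * i));
}

static struct scan_result stop(struct scan_result r, enum scan_status s)
{
    r.status = s;
    return r;
}

/* Walk every record; stop at the first one that is not completely present. */
struct scan_result pcap_scan(const uint8_t *buf, size_t len)
{
    struct scan_result r = { SCAN_OK, 0, 0 };
    size_t off = FILE_HDR_LEN;
    int be;

    if (len < FILE_HDR_LEN)
        return stop(r, SCAN_SHORT_FILE_HDR);
    be = (rd32(buf, 1) == MAGIC);          /* magic reads correctly as big-endian? */
    if (!be && rd32(buf, 0) != MAGIC)
        return stop(r, SCAN_BAD_MAGIC);
    r.good_bytes = off;
    while (off < len) {
        size_t left = len - off;
        uint32_t caplen;

        if (left < REC_HDR_LEN)            /* cut inside a record header */
            return stop(r, SCAN_SHORT_REC_HDR);
        caplen = rd32(buf + off + 8, be);
        if (caplen > MAX_CAPLEN)           /* the length field itself is damaged */
            return stop(r, SCAN_BAD_CAPLEN);
        if (left - REC_HDR_LEN < caplen)   /* cut inside the packet bytes */
            return stop(r, SCAN_SHORT_REC_DATA);
        off += REC_HDR_LEN + caplen;
        r.records++;
        r.good_bytes = off;
    }
    return r;
}

/* Constructed sample: three records of 4, 6 and 8 captured bytes.
   Version, thiszone and timestamps stay zero; the scanner does not read them. */
size_t build_sample(uint8_t *out, int big_endian)
{
    static const uint32_t caplens[3] = { 4, 6, 8 };
    size_t off = FILE_HDR_LEN, i;

    memset(out, 0, SAMPLE_LEN);
    wr32(out, MAGIC, big_endian);
    wr32(out + 16, 65535, big_endian);                  /* snaplen */
    wr32(out + 20, 1, big_endian);                      /* linktype 1: Ethernet */
    for (i = 0; i < 3; i++) {
        wr32(out + off + 8, caplens[i], big_endian);    /* captured length */
        wr32(out + off + 12, 60, big_endian);           /* length on the wire */
        memset(out + off + REC_HDR_LEN, 0xAB, caplens[i]);
        off += REC_HDR_LEN + caplens[i];
    }
    return off;
}

int main(void)
{
    uint8_t file[SAMPLE_LEN];
    struct scan_result r;

    build_sample(file, 0);
    r = pcap_scan(file, 86);               /* cut inside the third record's data */
    printf("status=%d records=%lu good_bytes=%lu\n", (int)r.status,
           (unsigned long)r.records, (unsigned long)r.good_bytes);
    return 0;
}
```

Cutting a damaged capture at `good_bytes` leaves a file that contains only complete records.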
RE: [WinPcap-users] Preventing the install of rpcapd.exe?
-Original Message-
From: Tracy [mailto:[EMAIL PROTECTED]
Sent: venerdi 8 agosto 2003 21.47
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] Preventing the install of rpcapd.exe?

I do not feel that there is much of a security risk, but our clients may be concerned by software, which provides remote captures. Does the WinPcap 3.0 installer also install the rpcapd service on Windows 9x/ME?

No. Although rpcapd will run on these systems, it is not installed. By the way, rpcapd can run only in console mode in 9x/ME; it does not run as a service.

Cheers,

fulvio

If so, is the method of removal similar to that described in my original email (i.e. remove the service and then the corresponding executable file)?

--- Fulvio Risso [EMAIL PROTECTED] wrote:

Hi.

-Original Message-
From: Tracy [mailto:[EMAIL PROTECTED]
Sent: venerdi 8 agosto 2003 0.05
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Preventing the install of rpcapd.exe?

The WinPcap 3.0 installer installs a service, Remote Packet Capture Protocol v.0 (experimental), which executes the file rpcapd.exe. The purpose of this service is to provide remote capture. However, our clients are concerned with potential security issues involved with having such a service present on their systems (even if inactive by default). Is there a way to customize the WinPcap installer (e.g. using a script) to prevent the install of this service and corresponding executable?

We should do that. The problem is the time (which is always a scarce resource).

If not, may our installer simply remove the service entry from the Windows services panel and then delete the file rpcapd.exe?

Yes, of course.

If our installer does remove the remote capture capability from WinPcap as described, will WinPcap still function correctly?

Absolutely yes. However... why an inactive service is seen as a potential security risk?

Cheers,

fulvio
RE: [WinPcap-users] winpcap and C++ - Listing Interface Adapters ...
Please install the latest Platform SDK from Microsoft.

Cheers,

fulvio

-Original Message-
From: Boris Sidoruk [mailto:[EMAIL PROTECTED]
Sent: venerdi 8 agosto 2003 15.48
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] winpcap and C++ - Listing Interface Adapters ...

I'm trying to build and run the iflist application example which lists and prints informations related to all the interfaces installed on my PC with WinPcap 3.0 after downloading the wpdpack package and I got the following message from the linker of Visual C++:

Deleting intermediate files and output files for project 'iflist - Win32 Debug'.
Configuration: iflist - Win32 Debug
Compiling...
iflist.c
Linking...
LINK : fatal error LNK1104: cannot open file Iphlpapi.lib
Error executing link.exe.
iflist.exe - 1 error(s), 0 warning(s)

Please could somebody tell me where I can retrieve this library.

Thanks in advance

--
Boris Sidoruk
ONERA-CERT DTIM/MIB
2, avenue Edouard Belin BP 4025
31055 TOULOUSE CEDEX
mail : [EMAIL PROTECTED]
tel : +33 (0)5-62-25-26-21
fax : +33 (0)5-62-25-25-93
[WinPcap-users] RE: [WinPcap-bugs] Sorry to disturb you.I'm from China.
Unfortunately, this depends on the NIC card drivers. There's nothing we can do about that.

fulvio

PS Next time, please avoid cross posting on several mailing lists.

-Original Message-
From: fengxiuliuziyi [mailto:[EMAIL PROTECTED]
Sent: martedì 5 agosto 2003 6.37
To: [EMAIL PROTECTED]
Subject: [WinPcap-bugs] Sorry to disturb you.I'm from China.

Hi:

I have a question, but I don't know whether it's a bug. I use the packet.dll to send mac frame between two 100M netcards, I can get packet speed almost 90Mbps, I think it works well, I thank you here. But the same code run between two 1G netcards, I can just get packet speed almost 40Mbps, I don't know the reason, this is what I want to ask you for help.

Otherwise, I made a test use four netcard in one PC, and send mac frame packets on the same time, but I got very low speed for each card. I wonder how to get almost 90Mbps speed for each netcard please. I'm urgent for your response please. Thank you.

柳定一。ChengDu China. 2003.08.06.
RE: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap
-Original Message-
From: stefmit [mailto:[EMAIL PROTECTED]
Sent: marted 9 settembre 2003 13.45
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap

Fulvio - thank you so much for your answer. I understand now that ethereal is hopeless (what a pity!!!).

I agree. Unfortunately, Ethereal folks are not very interested in that. They want to add RPCAP support in the future, but it is not in their highest priority queue.

As I stated in the original message, then repeated it in my last one: are you saying that windump SHOULD WORK with this syntax? I have initially tried all options suggested in: http://winpcap.polito.it/docs/man/html/group__remote__help.html but none have worked. I have specifically tried the one suggested by Lee, simply because it was the one showing up in the analyzer, when doing a remote trace, thus one having proven workable. When using windump with this specific option - for example - this is what I get:

D:\analyzer>windump -i rpcap://[172.16.4.21]/\Device\NPF_{9E34346C-ECB7-4E3E-A3B4-D06437F5C74C}
windump: listening on rpcap://[172.16.4.21]/\Device\NPF_{9E34346C-ECB7-4E3E-A3B4-D0643
windump: Error opening adapter: The system cannot find the path specified.

I have the WinDump working on my machine:

==
C:\cvsroot\analyzer\bin>windump -i rpcap://127.0.0.1/\Device\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}
windump: listening on rpcap://127.0.0.1/\Device\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}
14:55:07.458092 arp who-has 192.168.1.1 tell truciolo
==

Which version are you using? Are you using the latest alpha?

while analyzer works just fine with the same syntax ?!? (lines above may be wrapped due to email client setup!)
PLEASE - one more question (which may actually eliminate the need for an answer to the above), now that I got your attention: the only reason for fighting this windump/ethereal with rpcap battle was that the analyzer does not seem to read the additional filtering I put in .\conf\data\filter_list.DAT. I have added, for example, a line like:

myserver traffic,port 8088

but the GUI on the analyzer does not offer this last option among the ones listed in the Available filters ... do I have to compile somehow that .DAT file into something readable by the analyzer?!? Or what else could cause this behavior?

It should work. You do not have to compile anything. Did you insert some line feed at the end (sometimes it helps...). What about using the newest Analyzer 3.0? You may be impressed by it...

Cheers,

fulvio

Thx again,

Stef

On Tuesday 09 September 2003 03:13 am, Fulvio Risso wrote:

Hi.

-Original Message-
From: stefmit [mailto:[EMAIL PROTECTED]
Sent: luned 8 settembre 2003 13.13
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap

This is exactly one of the options I have been trying. Please read the original message again. Are you saying that it works for you, as parameter of windump or ethereal (it almost implies you are saying yes to the latter)?

Unfortunately, it is not. Ethereal has some very complex (and convoluted) way to start a capture, and this code is not compatible with remote capture. Concerning the syntax, the one suggested by Lee Kyung Moon is correct. If you have any suggestion about improving the help page, let me know.

Cheers,

fulvio

I am hoping you are not confusing this with the analyzer, whose syntax for rpcap is truly like the one you mentioned ([] included), but which - to me - was of no help for either ethereal or windump. I'll go back and check again the versions of these two programs, though I thought I had the latest ...
Thx,

Stef

On Monday 08 September 2003 02:51 am, lee kyung moon wrote:

First you have to know remote machine's adaptername. and you set adaptername as follow(example)

rpca://[192.168.10.2]/\Device\NPF_{DA1276CF-7FE4=4C0F-8EE1-0EC96DFC6E96 }

while \Device.. is remote machine's adaptername.

From: Tomas Kukosa [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], stefmit [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap
Date: Mon, 08 Sep 2003 07:12:35 +0200

stefmit wrote:

- does anybody know if rpcap can be used in conjunction with ethereal (0.14) - and if yes: what is the syntax for remote adapter (rpcap://?).

As I know it is not possible now but I am working on it.

Regards,

Tom
RE: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap
Hi.

-Original Message-
From: stefmit [mailto:[EMAIL PROTECTED]
Sent: marted 9 settembre 2003 17.14
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Syntax for adaptername using windump (ethereal?!?) and rpcap

On Tuesday 09 September 2003 08:13 am, Fulvio Risso wrote:

snip

I have the WinDump working on my machine:

==
C:\cvsroot\analyzer\bin>windump -i rpcap://127.0.0.1/\Device\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}
windump: listening on rpcap://127.0.0.1/\Device\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}
14:55:07.458092 arp who-has 192.168.1.1 tell truciolo
==

Which version are you using? Are you using the latest alpha?

snip

On both ends: winpcap latest alpha 3.01, and windump 3.6.2 on the machine I am trying to do the monitoring from. I have used your syntax (with 'plain IP), or within [] (as it appears on the analyzer), to no avail. My windump still complains about error opening adapter, while - as I said - the analyzer has no problems running it ... I am at a loss here ...

What about WinDump 3.8 alpha? http://windump.polito.it/install/bin/alpha/WinDump.exe The latest stable (3.6.2) doesn't work with remote capture.

fulvio
RE: [WinPcap-users] 802.11 NDIS support
If Microsoft really wants this, it could give us more assistance. So far, we got some small grants from Microsoft Research, but you cannot access MS internal technical resources with money. And this is what we need to improve some details. Furthermore, most of the problems referred to 802.11 are due to NDIS drivers (so HW manufacturers) and not to Microsoft.

Cheers,

fulvio

-Original Message-
From: Dale Cabell [mailto:[EMAIL PROTECTED]
Sent: sabato 13 settembre 2003 3.12
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] 802.11 NDIS support

Everyone:

If Microsoft wants to make points with the Linux crowd they need to make it possible to get 802.11 packets from NDIS. Any updates anyone?.

Thanks,

Dale Cabell
[EMAIL PROTECTED]
RE: [WinPcap-users] 802.11 NDIS support
-Original Message-
From: Dale Cabell [mailto:[EMAIL PROTECTED]
Sent: lunedì 15 settembre 2003 17.14
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] 802.11 NDIS support

Do you know anyone at Microsoft you can forward this message to?

Obviously not.

If so please do so.

Excellent suggestion ;-))

fulvio

Thanks,

Dale Cabell
[EMAIL PROTECTED]
(714)448-8670

-Original Message-
From: Fulvio Risso [mailto:[EMAIL PROTECTED]
Sent: Monday, September 15, 2003 12:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] 802.11 NDIS support

If Microsoft really wants this, it could give us more assistance. So far, we got some small grants from Microsoft Research, but you cannot access MS internal technical resources with money. And this is what we need to improve some details. Furthermore, most of the problems referred to 802.11 are due to NDIS drivers (so HW manufacturers) and not to Microsoft.

Cheers,

fulvio

-Original Message-
From: Dale Cabell [mailto:[EMAIL PROTECTED]
Sent: sabato 13 settembre 2003 3.12
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] 802.11 NDIS support

Everyone:

If Microsoft wants to make points with the Linux crowd they need to make it possible to get 802.11 packets from NDIS. Any updates anyone?.

Thanks,

Dale Cabell
[EMAIL PROTECTED]
RE: [WinPcap-users] Winpcap and LibnetNT
This is an English-based mailing list. Please, avoid the posting of non-English messages on it.

fulvio

-Original Message-
From: Michael Vergoz [mailto:[EMAIL PROTECTED]
Sent: giovedì 25 settembre 2003 17.39
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Winpcap and LibnetNT

Frankly, I looked at the sources; the functions to use in the latest libnet are completely different for winpcap 3.0. If you give me a summary of the libnet_* functions you use, it is fairly simple to have a special DLL made that bundles everything that is needed.

See you,

Michael

- Original Message -
From: Boris Sidoruk [EMAIL PROTECTED]
To: winpcap users [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 9:16 AM
Subject: [WinPcap-users] Winpcap and LibnetNT

I'm working with winpcap 3.0 on a win2k machine and develop some applications under the Visual C++ IDE and I guess to use LibnetNT to process the packets captured with winpcap. Could any one tell me what is the latest release of LibnetNT compatible with winpcap 3.0 and where I can get it for download. Also some guide lines for the installation would be appreciate.

Thanks.

--
Boris Sidoruk
ONERA-CERT DTIM/MIB
2, avenue Edouard Belin BP 4025
31055 TOULOUSE CEDEX
mail : [EMAIL PROTECTED]
tel : +33 (0)5-62-25-26-21
fax : +33 (0)5-62-25-25-93
RE: [WinPcap-users] Strange traffic with RPCAP (was: stoppin the mindless chatter between source and destination)
Hi.

The packets you're capturing are related to the RPCAP protocol itself. I would like to add a filter so that the RPCAP daemon does not capture its own packets. I hope to be able to do that in a couple of weeks, before releasing Winpcap 3.01 beta. Thanks for the several guys that pointed us this problem.

Cheers,

fulvio

-Original Message-
From: Jang Choe [mailto:[EMAIL PROTECTED]
Sent: venerdì 26 settembre 2003 19.11
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] stoppin the mindless chatter between source and destination

I did some more extensive searching and found this in the archive that told me why the chatter is being generated. http://www.mail-archive.com/[EMAIL PROTECTED]/msg01300.html But how would I fix it so it will only capture the 'normal' traffic? Should I make a filter, or is there a better way to do this?

Thank you.

- Original Message -
From: Jang Choe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 3:40 PM
Subject: [WinPcap-users] stoppin the mindless chatter between source and destination

I just created a small, simple program that will capture packets remotely from a machine running rpcapd. I am able to create a connection between my program and rpcapd using active mode, but I get tons of empty packet data between the host and client. The packets consist of PSH ACK and ACK packets being sent from rpcapd and my program. I am using function pcap_remoteact_accept() to create my connection with the active rpcapd. With function pcap_next_ex(), I am capturing the packets. I save the captured file with pcap_dump().

When I view the file I saved on Ethereal, I see that I am capturing those PSH ACK and ACK packets. They are empty and those empty packet data is being sent from the source (rpcapd) to my program. And my program is sending the similar empty packets back to the source (rpcapd). This is happening every 0.20 seconds, back and forth. The packet len from the source (rpcapd) to my program is 270. And my program seems to be replying with packet size len 60. But I think these values are arbitrary.

How can I get this empty chatter to stop? Is this normal?

Thank you.
RE: [WinPcap-users] Usage-counting Uninstaller
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: martedi 7 ottobre 2003 1.06 To: [EMAIL PROTECTED] Subject: [WinPcap-users] Usage-counting Uninstaller

We are having a problem with this scenario:
1. A user installs WinPcap using the WinPcap installer, maybe as part of another product installer.
2. The user then installs our product. It installs WinPcap silently, using the WinPcap installer.

Just to know, what is your product going to do?

3. The user then uninstalls WinPcap, maybe by uninstalling the first product. At this point, WinPcap is now no longer on the computer. Our product can no longer operate.

Windows installers can use the DLL usage counting scheme to prevent this problem. The WinPcap installer does not seem to do this. Is there any workaround for this? Do you plan to add usage counting or some other scheme to address this issue in the near future?

Not really. Please keep in mind that WinPcap is a prototype, although it is being used by many companies. So, we cannot spend time on this kind of issue for free. If your company really needs this feature, the sources are there, so please do it yourself ;-)) fulvio
RE: [WinPcap-users] WinPcap 3.0.1 beta
The problem is that we have to update WinPcap in order to use the latest libpcap source tree. At the moment (and for the next 3-4 weeks) I'll hardly find the time for that. Sorry for that, fulvio

-----Original Message-----
From: Hai Nguyen [mailto:[EMAIL PROTECTED]] Sent: martedi 7 ottobre 2003 6.51 To: [EMAIL PROTECTED] Subject: [WinPcap-users] WinPcap 3.0.1 beta

Hi, When will the next release of WinPcap be available? Hopefully, it will come out soon with the fix to the blue screen problem that exists in the current release. Thanks, -Hai
[WinPcap-users] Due to the improper use of this mailing list, CORE Security Technologies has been removed from winpcap-users@winpcap.polito.it
Sorry about that. fulvio risso
RE: [WinPcap-users] I need help using the rpcap functionality with Ethereal
Hi. The problem is that these functions must not be used and are not exported by WinPcap. Please use the pcap_open() instead. fulvio

-----Original Message-----
From: Palmer Thomas J Civ HQ SSG/ENEM [mailto:[EMAIL PROTECTED]] Sent: lunedì 8 marzo 2004 16.13 To: [EMAIL PROTECTED] Subject: RE: [WinPcap-users] I need help using the rpcap functionality with Ethereal

Hi, I get errors when trying to link against the lib files in the 3.1 beta version of the developers pack. Was the developers pack compiled with remote capability?

error LNK2001: unresolved external symbol _pcap_startcapture_remote
error LNK2001: unresolved external symbol _pcap_opensource_remote

Thanks in advance for your help.
RE: [WinPcap-users] Odd behavior (sort of a bug)
-----Original Message-----
From: Rob Henningsgard [mailto:[EMAIL PROTECTED]] Sent: giovedi 13 maggio 2004 14.52 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Odd behavior (sort of a bug)

Gianluca,

It is not true! WinPcap runs perfectly with no TCP-IP driver

You are right, there's a bug in packet.dll under NTx that causes WinPcap 3.1beta2 to show that message if TCP/IP is removed

Oh good! I'm really glad to hear that it's a bug, and not that I was doing something dumb (which happens often enough).

I've corrected that bug in our source tree, and it will be available in WinPcap beta3, which will be released in a week.

That is just super! You and your colleagues are the greatest.

What about a gift? http://winpcap.polito.it/misc/wlist.htm ;-) Cheers, fulvio
RE: [WinPcap-users] Why is pcap_loop deprecated?
Hi.

-----Original Message-----
From: Rob Henningsgard [mailto:[EMAIL PROTECTED]] Sent: venerdi 14 maggio 2004 20.32 To: [EMAIL PROTECTED] Subject: [WinPcap-users] Why is pcap_loop deprecated?

Hello all, Can anyone tell me why pcap_loop() is deprecated? I am writing a multi-threaded application in which I want to use (or simulate) overlapped IO, and pcap_loop() looks like exactly what I'd want to use. The idea of a polling approach, looping on the call to pcap_next_ex() just doesn't seem like the right way to go.

We (WinPcap maintainers) believe that a polling mechanism is much cleaner to understand and to use. We can see that most of the people who are going to start coding with libpcap/WinPcap have problems understanding the pcap_loop() (and the corresponding callback function) mechanism. So, we believe the pcap_next_ex() is much better. Feel free to use pcap_loop() if you prefer that one. fulvio
RE: [WinPcap-users] GNUMake is not working for 3.1
You need to have the #define HAVE_REMOTE switch enabled for compiling the pcap_open(). Sorry for this pain, but it is just to keep compatibility with libpcap. fulvio

-----Original Message-----
From: Andrea Talucci [mailto:[EMAIL PROTECTED]] Sent: mercoledi 5 maggio 2004 14.26 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] GNUMake is not working for 3.1

Hi all, I also noted that pcap_open is missing in pcap.h, resulting in a warning while compiling (with VS6); have I missed some include / define ? Andrea

Gianluca Varenni wrote:

----- Original Message -----
From: Alex Narinsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, May 03, 2004 11:01 PM Subject: [WinPcap-users] GNUMake is not working for 3.1

The directories inside examples contain the workspace file for VC++ and GNUMake for gcc. VC++ compiles projects fine. GNUMake results in errors. For example, even if I additionally specify -DWPCAP -DHAVE_REMOTE in the gcc flags I am still getting: /cygdrive/c/wpdpack_3_1/WpdPack/Examples/pcap_filter/pcap_filter.c:95: undefined reference to `_pcap_open' GNU Make in 3.0 works fine

Hi. This is a known problem with the examples and cygwin: the lib file for cygwin (libwpcap.a) does not export pcap_open (together with all the stuff related to remote capture, i.e. code under #define HAVE_REMOTE), because cygwin does not support some new socket APIs used by the wpcap.dll code (getnameinfo and gai_strerror). I don't know if they have added it in the last month or so, I haven't checked. As a consequence, gcc fails to link those examples (the examples do compile under VC6). WinPcap 3.0 did not have such problems because the example did not make use of pcap_open. Have a nice day GV

Thank you for feedback Alex Narinsky
RE: [WinPcap-users] Linux and Wine
-----Original Message-----
From: Loris Degioanni [mailto:[EMAIL PROTECTED]] Sent: giovedì 29 luglio 2004 19.01 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Linux and Wine

I hardly believe that the NPF device driver, one of the main components of WinPcap, will be able to run in an operating system different from Windows. Actually, I'd consider it a software miracle.

Loris, I know of users that were able to capture on a VMware Win2k machine, hosted on Linux. BTW, why do you need WinPcap on Linux? For running Analyzer? ;-) fulvio

There's already native support for libpcap on that platform. Loris

Has anyone been able to get WinPCap to run properly on wine for linux? Josh Austin
RE: [WinPcap-users] Linux and Wine
Hi Guy.

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]] Sent: venerdi 30 luglio 2004 10.00 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Linux and Wine

On Fri, Jul 30, 2004 at 09:48:15AM +0200, Fulvio Risso wrote:

From: Loris Degioanni [mailto:[EMAIL PROTECTED]]

I hardly believe that the NPF device driver, one of the main components of WinPcap, will be able to run in an operating system different from Windows. Actually, I'd consider it a software miracle.

Loris, I know of users that were able to capture on a VMware Win2k machine, hosted on Linux.

Yes, that'd work - but it's not running in an operating system different from Windows, it's running on W2K. W2K happens to be running on a simulated PC inside VMWare on Windows,

No: in my case WinPcap was running on W2k which was running on VMware which was running on Linux.

but that's different from running WinPcap and a WinPcap application directly on Linux -

Yes, this is different from running an app on Wine, I agree. But this demonstrates that, at least for VMware developers, they did a pretty nice job.

for one thing, it can only capture on the simulated network devices, but I don't know whether that'd let you get traffic from the real network interface.

I was able to capture all the traffic on the net, on the 'bridged' adapter (if I remember well). fulvio
RE: [WinPcap-users] missing packets at high speed
Hi. The capture speed depends on many things and it is not so easy to suggest a trick to improve it. Furthermore, what you're saying is that your app is missing packets, but there is no indication whether WinPcap is the problem, your application is the problem, or whatever. WinPcap does its best; what you can do is probably decrease the amount of load on your system (e.g. creating a faster capture application, switching off any app/service that is not required; using a PC for capturing and another for serving your requests...). From the WinPcap side, you can increase the kernel buffer (there's a specific API for this) but you need to recompile your application. In any case, this is not really a solution: this works in case your network has network bursts (the kernel buffer stores packets during the burst and delivers them to your app later). However, it does nothing in case of sustained load. Cheers, fulvio

-----Original Message-----
From: Alex Narinsky [mailto:[EMAIL PROTECTED]] Sent: martedi 2 novembre 2004 17.45 To: [EMAIL PROTECTED] Subject: [WinPcap-users] missing packets at high speed

I run a WinPcap application that starts missing packets at high speed, for example more than 100 requests/sec to a service. Is it possible to increase the speed of capturing? Thank you Alex
RE: [WinPcap-users] setfilter
Hi.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: giovedi 11 novembre 2004 21.18 To: [EMAIL PROTECTED] Subject: [WinPcap-users] setfilter

Hello... Can I set a new filter on an ongoing capture without missing a packet? Description: I set a 'port ' filter expression and listen to the traffic. Now I want to extend the filter to 'port or port ' by using pcap_setfilter(). Is it possible that winpcap misses a packet on port during the filter exchange?

I would say yes. If I remember well, when you change the filter the kernel buffer is cleaned, so all data in it is discarded. If you had some packets that were captured but not yet delivered to the application, these are lost. This behaviour is needed, otherwise you may receive packets satisfying the old filter after setting the new one. Cheers, fulvio

(Additional question: what is the filter expression for a port range? 'port or port 1112 or port 1113 or ... or port ') Thanks... Marc
RE: [WinPcap-users] Comparing packet lengths and data transfer
-----Original Message-----
From: Rob Henningsgard [mailto:[EMAIL PROTECTED]] Sent: lunedi 15 novembre 2004 15.22 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Comparing packet lengths and data transfer

Hi Cary,

WinPCap returns 47 bytes compared to EtherPeeks 64 bytes

I ran into this when I was first learning about WinPCap. Turns out that for packets transmitted from the machine on which you're running WinPCap, the padding bytes needed to bring packets up to the minimum Ethernet frame of sixty bytes (less the hardware-generated 4-byte CRC) are not logged. So, for example, if you run WinPCap and try doing a ping from the machine on which you're running WinPCap, the captured ARP request packets will show up in Ethereal as being 42 bytes long. Go to another machine on the same network and try a ping, and the captured ARP request packets will show up as being 60 bytes long. Although I'm not intimately acquainted with the innards of WinPCap, I've been told this effect is caused by the layer at which the NDIS miniport driver intercepts the Ethernet packet sending calls.

I confirm. fulvio
RE: [WinPcap-users] winpcap and the new Intel 2200BG drivers (Win XP Pro SP1)
Hi.

-----Original Message-----
From: Adam Steiner [mailto:[EMAIL PROTECTED]] Sent: lunedì 22 novembre 2004 2.47 To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] winpcap and the new Intel 2200BG drivers (Win XP Pro SP1)

Interesting. I had tried it before (or thought I did) and it didn't work either. Now it does work. The next question is how to get it to operate in promiscuous mode. Before I upgraded my drivers it worked fine in promiscuous mode (that much I remember) and I'd like to get it to work that way here too. Any thoughts?

It seems to me that there are chipsets that do not support promiscuous mode at all. In other cases, the chipset can capture in promiscuous mode but the driver disables it. I remember that there was a discussion about these problems in the Ethereal mlist. In any case, this is something WinPcap cannot solve. Cheers, fulvio

Thanks, -Adam

dw wrote:

I have found that with wireless drivers, I needed to disable promiscuous mode to get things to work. Could that be your problem? dw

-----Original Message-----
From: Adam Steiner [mailto:[EMAIL PROTECTED]] Sent: Sunday, November 21, 2004 3:34 PM To: [EMAIL PROTECTED] Subject: [WinPcap-users] winpcap and the new Intel 2200BG drivers (Win XP Pro SP1)

Hi all, I just upgraded my Intel 2200BG wireless drivers to the newest version (8.1.0.28). Once I upgraded, winpcap stopped working. It detects the interface, but won't capture packets. I tried upgrading to the beta version of winpcap, but still no go. I also tried both the generic Intel drivers and the IBM wireless drivers (I have a T42). Has anyone managed to get it to work? It was working before I upgraded, and alas, I can't find the old drivers. I've submitted this as a bug as I couldn't find anything in the archive about it. Thanks, Adam
RE: [WinPcap-users] Pcap file format
-----Original Message-----
From: Zemer Margolin [mailto:[EMAIL PROTECTED]] Sent: lunedì 29 novembre 2004 13.06 To: [EMAIL PROTECTED] Subject: RE: [WinPcap-users] Pcap file format

Guy, Thanks for your help and quick response. I believe the information at http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm would help us develop the converter. 2 more questions if I may:
1. The new PCAP format allows additional private fields in a TLV format, is there a way to do so in the existing format?
2. Are there any more specification documents you can send me their links?

Please note that the doc you're referring to is related to an old version of Analyzer, which is going to be discontinued. And Analyzer 3.0 does not plan to have a format converter. Please follow Guy's suggestion, if possible. Cheers, fulvio

zemer Margolin Tel: +972-3765-7571 RADCOM

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]] Sent: Monday, November 29, 2004 10:46 AM To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Pcap file format

Zemer Margolin wrote:

I am currently working on a converter that converts captured packets from one format to another.

One way to do that might be to contribute to Ethereal: http://www.ethereal.com/ code to read the format from which you're converting - Ethereal has a limited ability to read from some RADCOM captures, but it's very far from complete.

Unfortunately, I wasn't able to find any document describing the PCAP file format. Not a structure in a programming language, but a specification document. The only document I found is http://custom.lab.unb.br/pub/net/libpcap/doc/pcap.html But it isn't fully compatible.

Well, the page at http://analyzer.polito.it/docs/advanced_man/how_to/add_new_lff.htm gives libpcap format as an example, although there are a few errors:
1) File Length is actually nominally Significant Figures, which would, in theory, be the accuracy of time stamps, but, in practice, it's always zero and gives no information;
2) Future Applications is actually Snapshot Length, which is the maximum number of packet data in any of the records of the file - or a value greater than or equal to that maximum, and is often 65535 (some software might use it to allocate a buffer into which to copy the packet data);
and also:
1) Time Zone is often 0, so it can't be relied on to contain the offset of the time zone, at the location of the capture, from UTC in seconds;
2) Link Type shouldn't use the values 11, 12, 13, or 14 - there are other values that should be used for those purposes - and has some other values that are available.

Note, however, that the not fully compatible format described in the page you found - or, in a more up-to-date form, at http://www.tcpdump.org/pcap/pcap.html will be used at some point in the future, so code that reads the current libpcap format won't be able to read all libpcap files in the future. Note that if you implement code to read the files in question in Ethereal, code to write libpcap format already exists, and code to write the new libpcap format will be added in the future, so you won't have to worry about that. Also, if it's OK if the application in question uses libpcap/WinPcap, it could use the libpcap/WinPcap routines to write the capture file.
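The header fields corrected in the thread above, read from a capture held in memory, as an added example that is not part of the original thread and not libpcap or WinPcap code. It assumes the classic libpcap layout (24-byte file header with magic 0xa1b2c3d4, 16-byte record headers), which the thread does not spell out; the struct and function names and the sample bytes are constructed.

```c
/* Added example: reader for the classic libpcap capture-file layout (names are hypothetical). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAP_MAGIC    0xa1b2c3d4u
#define PCAP_FILE_HDR 24u  /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define PCAP_REC_HDR  16u  /* ts_sec, ts_usec, caplen, len */

struct pcap_file_info {
    int      big_endian;     /* byte order the writing host used */
    uint16_t version_major, version_minor;
    int32_t  thiszone;       /* "Time Zone": often 0, do not rely on it */
    uint32_t sigfigs;        /* the field the Analyzer page calls "File Length" */
    uint32_t snaplen;        /* the field it calls "Future Applications" */
    uint32_t linktype;       /* link-layer type; 1 is Ethernet */
};

struct pcap_record {
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;         /* bytes of packet data stored in the file */
    uint32_t len;            /* length of the packet on the wire */
    const uint8_t *data;
};

static uint32_t rd32(const uint8_t *p, int be)
{
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

static uint16_t rd16(const uint8_t *p, int be)
{
    return (uint16_t)(be ? (p[0] << 8 | p[1]) : (p[1] << 8 | p[0]));
}

/* Returns 0 on success, -1 if the buffer is too short or the magic is unknown. */
int pcap_parse_file_header(const uint8_t *buf, size_t len, struct pcap_file_info *fi)
{
    if (len < PCAP_FILE_HDR) return -1;
    if (rd32(buf, 1) == PCAP_MAGIC)      fi->big_endian = 1;
    else if (rd32(buf, 0) == PCAP_MAGIC) fi->big_endian = 0;
    else return -1;
    fi->version_major = rd16(buf + 4, fi->big_endian);
    fi->version_minor = rd16(buf + 6, fi->big_endian);
    fi->thiszone = (int32_t)rd32(buf + 8, fi->big_endian);
    fi->sigfigs  = rd32(buf + 12, fi->big_endian);
    fi->snaplen  = rd32(buf + 16, fi->big_endian);
    fi->linktype = rd32(buf + 20, fi->big_endian);
    return 0;
}

/* Returns 1 and advances *off when a record was read, 0 at a clean end of the
 * buffer, -1 when the record is truncated or its lengths are inconsistent. */
int pcap_next_record(const uint8_t *buf, size_t len, size_t *off,
                     const struct pcap_file_info *fi, struct pcap_record *rec)
{
    const uint8_t *p;
    if (*off == len) return 0;
    if (*off > len || len - *off < PCAP_REC_HDR) return -1;
    p = buf + *off;
    rec->ts_sec  = rd32(p, fi->big_endian);
    rec->ts_usec = rd32(p + 4, fi->big_endian);
    rec->caplen  = rd32(p + 8, fi->big_endian);
    rec->len     = rd32(p + 12, fi->big_endian);
    /* Check the stored length before anything copies or allocates with it. */
    if (rec->caplen > len - *off - PCAP_REC_HDR) return -1; /* more than the file holds */
    if (rec->caplen > fi->snaplen) return -1;               /* contradicts the file header */
    if (rec->caplen > rec->len) return -1;                  /* more stored than was sent */
    rec->data = p + PCAP_REC_HDR;
    *off += PCAP_REC_HDR + rec->caplen;
    return 1;
}

/* Walks a whole capture held in memory; returns the record count or -1. */
int pcap_count_records(const uint8_t *buf, size_t len)
{
    struct pcap_file_info fi;
    struct pcap_record rec;
    size_t off = PCAP_FILE_HDR;
    int n = 0, rc;
    if (pcap_parse_file_header(buf, len, &fi) != 0) return -1;
    while ((rc = pcap_next_record(buf, len, &off, &fi, &rec)) == 1) n++;
    return rc < 0 ? -1 : n;
}

/* Constructed sample: big-endian file, one record with 6 of 60 bytes captured. */
static const uint8_t SAMPLE[] = {
    0xa1, 0xb2, 0xc3, 0xd4, 0x00, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, /* magic, 2.4, thiszone */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* sigfigs, snaplen, linktype */
    0x41, 0xab, 0x0d, 0x80, 0x00, 0x00, 0x03, 0xe8,                         /* ts_sec, ts_usec */
    0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x3c,                         /* caplen 6, len 60 */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff                                      /* packet data */
};

int main(void)
{
    struct pcap_file_info fi;
    if (pcap_parse_file_header(SAMPLE, sizeof SAMPLE, &fi) != 0) return 1;
    printf("v%u.%u snaplen=%u linktype=%u records=%d\n", (unsigned)fi.version_major,
           (unsigned)fi.version_minor, (unsigned)fi.snaplen, (unsigned)fi.linktype,
           pcap_count_records(SAMPLE, sizeof SAMPLE));
    /* One byte short: the record's caplen now exceeds what the buffer holds. */
    printf("truncated: %d\n", pcap_count_records(SAMPLE, sizeof SAMPLE - 1));
    return 0;
}
```

A reader that sizes its packet buffer from snaplen, as the thread says some software does, should keep the caplen checks shown here so that a record cannot claim more data than that buffer or the file holds.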
RE: [WinPcap-users] error in net/mask windump specification
Hi Alex.

-----Original Message-----
From: Alex Narinsky [mailto:[EMAIL PROTECTED]] Sent: venerdi 10 dicembre 2004 22.04 To: [EMAIL PROTECTED] Subject: [WinPcap-users] error in net/mask windump specification

From the Cisco tutorial (http://www.cisco.com/warp/public/701/3.html) the net mask combination 172.16.50.1 255.255.255.0 is valid. However, when I apply this combination to windump - windump net 172.16.50.1 mask 255.255.255.0 I am getting the error: windump: non-network bits set in 172.16.50.1 mask 255.255.255.0

What about 172.16.50.0 mask 255.255.255.0 ? This is due to the way in use some time ago to specify network/mask. In any case, this should be reported to the tcpdump mailing list (since WinDump is just the recompilation of tcpdump in Windows). Cheers, fulvio

Why does windump reject this net/mask? By the way tcpdump works in the same way. Regards, Alex
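The condition behind the "non-network bits set" message in the thread above, as an added example that is not part of the original thread and not tcpdump or WinDump code: an address given with `net ... mask ...` must have no bits set outside the mask. The function names are hypothetical, and the contiguous-mask test is an extra check in this example, not something the thread attributes to tcpdump.

```c
/* Added example: validate a "net ADDR mask MASK" pair before building a filter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum netmask_result { NET_OK = 0, NET_BAD_SYNTAX, NET_MASK_NOT_CONTIGUOUS, NET_HOST_BITS_SET };

/* Parses dotted-quad text into a host-order value; returns 0 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
    return 0;
}

/* Classifies the pair; on NET_OK and NET_HOST_BITS_SET, *network is addr & mask. */
enum netmask_result check_net_mask(const char *net, const char *mask, uint32_t *network)
{
    uint32_t n, m, inv;
    if (parse_ipv4(net, &n) != 0 || parse_ipv4(mask, &m) != 0) return NET_BAD_SYNTAX;
    inv = ~m;
    if ((inv & (inv + 1)) != 0) return NET_MASK_NOT_CONTIGUOUS; /* e.g. 255.0.255.0 */
    *network = n & m;
    return (n & ~m) != 0 ? NET_HOST_BITS_SET : NET_OK;          /* host part must be zero */
}

/* Writes an accepted filter for the pair, clearing any host bits; returns 0 on success. */
int suggest_filter(const char *net, const char *mask, char *out, size_t outlen)
{
    uint32_t nw;
    enum netmask_result r = check_net_mask(net, mask, &nw);
    int written;
    if (r != NET_OK && r != NET_HOST_BITS_SET) return -1;
    written = snprintf(out, outlen, "net %u.%u.%u.%u mask %s",
                       (unsigned)(nw >> 24), (unsigned)(nw >> 16 & 0xff),
                       (unsigned)(nw >> 8 & 0xff), (unsigned)(nw & 0xff), mask);
    return (written < 0 || (size_t)written >= outlen) ? -1 : 0;
}

int main(void)
{
    char filter[64];
    uint32_t nw;
    /* The pair from the thread: host bit .1 lies outside the /24 mask. */
    printf("172.16.50.1/255.255.255.0 -> %d\n",
           (int)check_net_mask("172.16.50.1", "255.255.255.0", &nw));
    if (suggest_filter("172.16.50.1", "255.255.255.0", filter, sizeof filter) == 0)
        printf("use: %s\n", filter);
    return 0;
}
```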
RE: [WinPcap-users] Re: Windows / Visual C: unresolved external symbol pcap_open
-----Original Message-----
From: Massimo Sala [mailto:[EMAIL PROTECTED]] Sent: mercoledì 29 dicembre 2004 10.56 To: winpcap-users@winpcap.polito.it Subject: [WinPcap-users] Re: Windows / Visual C: unresolved external symbol pcap_open

From: Vasily Borovyak [EMAIL PROTECTED]

You forgot to link wpcap.lib probably. In VC6 Press Alt+F7. Choose Link tab. Add wpcap.lib to the Object/library modules edit box.

Vasily, thanks for your answer. I checked the reference, it is fine. It is a weird behaviour. The deprecated functions work fine (like pcap_open_live, pcap_findalldevs, ...). When I try to use the new wpcap functions, like pcap_open, pcap_findalldevs_ex, ... I still get unresolved external symbol. To be sure, I downloaded again the latest wpcapsrc_3_1_beta4.zip and wpdpack_3_1_beta4.zip. I note this: some of the new APIs are inside the file pcap-new.c. This file doesn't have a header and the APIs aren't listed inside pcap.h ...

yes, this is true. It is because of the need to minimize differences between libpcap and WinPcap. In order to use the new functions, you must define the HAVE_REMOTE constant in your program. This choice has been made after several discussions within the WinPcap team, because earlier versions of WinPcap defined this constant automatically. However there were some issues related to libpcap compatibility, therefore we decided to switch this on manually. fulvio
RE: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1
Hi. Unfortunately, there is some spyware (cain, if I remember well) which is using WinPcap for performing its job. Hence, the alarm that comes from Microsoft is not so wrong. However, I feel there's nothing to do against this problem. Unless convincing who is developing spyware not to use WinPcap, but I feel this is a bit tricky... fulvio

-----Original Message-----
From: Philip Stoev [mailto:[EMAIL PROTECTED]] Sent: giovedì 6 gennaio 2005 19.30 To: winpcap-users@winpcap.polito.it Subject: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1

Hello, WinPcap is identified as follows:

WinPCap Type: Enabler Threat Level: Low Author: WinPCap Team including = Loris Degioanni

Description: WinPCap is an Open Source Windows Packet Filtering Library. It provides low level internet system traffic data to other applications that leverage its utilities.

Advice: This software is not necessarily hazardous unless it is used by a particular spyware threat. If you quarantine or remove all of the spyware threats from your computer you do not necessarily need to remove this program. Please note: if a legitimate application is using functionality contained in an enabler application, removing the enabler may cause that application to cease functioning properly. This application is okay to have running on your computer, as they are only dangerous if a Spyware application is also installed on your machine and exploiting it. However if you did not install this, or know of a legitimate application that did, you may consider quarantining or removing it. Please note: if a legitimate application is using functionality contained in an enabler application, it may cause that application to cease functioning properly.

About Enabler: While not spyware, it provides functionality that spyware products have been known to exploit. Normally, these applications are okay to have running on your machine, as they are only dangerous if a Spyware application is also installed on your machine and exploiting it. However if you did not install this, or know of a legitimate application that did, you may consider quarantining or removing it. Please note: if a legitimate application is using functionality contained in an enabler application, removing the enabler may cause that application to cease functioning properly.

Is it true that WinPcap is being exploited by spyware? If so, can that be prevented? Philip
RE: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1
It makes sense to me as well ;-) fulvio

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: venerdì 7 gennaio 2005 20.48 To: winpcap-users@winpcap.polito.it Subject: RE: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1

Well... but let's look at the logic of Microsoft's statement: Some spyware developers utilize features provided by WinPcap in their exploits Therefore: we should recommend removing WinPcap By the same logic: Most spyware developers utilize features in Microsoft operating systems in the exploits Therefore: we should recommend removing all Microsoft operating systems. Well, at least it makes sense to me. ;-)

--- Steighton Haley [EMAIL PROTECTED] Software Engineer There are 10 types of people in this world, those who understand binary, and those who don't.

-----Original Message-----
From: Fulvio Risso [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 06, 2005 11:07 PM To: winpcap-users@winpcap.polito.it Subject: RE: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1

Hi. Unfortunately, there is some spyware (cain, if I remember well) which is using WinPcap for performing its job. Hence, the alarm that comes from Microsoft is not so wrong. However, I feel there's nothing to do against this problem. Unless convincing who is developing spyware not to use WinPcap, but I feel this is a bit tricky... fulvio

-----Original Message-----
From: Philip Stoev [mailto:[EMAIL PROTECTED]] Sent: giovedì 6 gennaio 2005 19.30 To: winpcap-users@winpcap.polito.it Subject: [WinPcap-users] WinPcap identified as spyware by Microsoft AntiSpyware Beta 1

Hello, WinPcap is identified as follows:

WinPCap Type: Enabler Threat Level: Low Author: WinPCap Team including = Loris Degioanni

Description: WinPCap is an Open Source Windows Packet Filtering Library. It provides low level internet system traffic data to other applications that leverage its utilities.

Advice: This software is not necessarily hazardous unless it is used by a particular spyware threat. If you quarantine or remove all of the spyware threats from your computer you do not necessarily need to remove this program. Please note: if a legitimate application is using functionality contained in an enabler application, removing the enabler may cause that application to cease functioning properly. This application is okay to have running on your computer, as they are only dangerous if a Spyware application is also installed on your machine and exploiting it. However if you did not install this, or know of a legitimate application that did, you may consider quarantining or removing it. Please note: if a legitimate application is using functionality contained in an enabler application, it may cause that application to cease functioning properly.

About Enabler: While not spyware, it provides functionality that spyware products have been known to exploit. Normally, these applications are okay to have running on your machine, as they are only dangerous if a Spyware application is also installed on your machine and exploiting it. However if you did not install this, or know of a legitimate application that did, you may consider quarantining or removing it. Please note: if a legitimate application is using functionality contained in an enabler application, removing the enabler may cause that application to cease functioning properly.

Is it true that WinPcap is being exploited by spyware? If so, can that be prevented? Philip
RE: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4?
-Original Message- From: Loris Degioanni [mailto:[EMAIL PROTECTED] Sent: martedì 15 febbraio 2005 7.38 To: winpcap-users@winpcap.polito.it Subject: Re: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4? Guy Harris wrote: Somebody trying to capture on a serial port in Ethereal sent a long note about that to the Ethereal list: http://www.ethereal.com/lists/ethereal-users/200502/msg00140.html It says: 5) Because Windows PPP support is new, there is nothing about it in the Help portion of Ethereal (Live Preserver Icon) or in the online hypertext Help or online PDF Help file. I have attached some screen captures which show that the PPP adapter doesn't show up as available until the computer has established a dial-up connection with the internet. At first all that showed up was Generic NdisWan adapter: \Device\NPF_GenericNdisWanAdapter. However I was able to capture my dial-up conversations with my internet ISP using this Generic Ndis Wan adapter. After I established the dial-up connection an additional adapter showed up WAN (PPP/SLIP) Interface: \Device\NPF_{F37D0895-3FB0-4946-89D1-42FE988DBA90}. I reloaded a fresh image of Win 2K and verified that the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\ Interfaces\{F37D0895-3FB0-4946-89D1-42FE988DBA90} was present prior to loading WinPcap and Ethereal. It was. This raises the question of why WinPcap can't find it until going online and establishing a dial-up conncection and what the differences are, if any, between the two adapters. and shows a before going online image: http://www.ethereal.com/lists/ethereal-users/200502/gif6.gif with only Generic NdisWan adapter: \Device\NPF_GenericNdisWanAdapter and an after going online image: http://www.ethereal.com/lists/ethereal-users/200502/gif3.gif which shows that interface *and* a WAN (PPP/SLIP) Interface: \Device\NPF_{GUID inserted here} interface. 
I assume that the latter gets instantiated when an actual PPP connection is set up. I assume that he expected an interface that explicitly mentioned PPP to show up, but was presumably pleasantly surprised to find that he can capture on the generic interface. Is there any reason not to tell people to capture on the generic interface and ignore any specific interfaces that show up after you connect?

The reason why we added the fake GenericNdisWanAdapter interface is that some users complained about not being able to capture before the instantiation of a PPP connection. In fact, the connection is present in the registry *before* calling the phone number, but the IP Helper API shows it (and WinPcap is allowed to open it) only *after* doing that. Actually, I think that a better name (like GenericPPPAdapter) could be useful, since many people don't know what NdisWanAdapter means. If the other developers agree on this, I can change the code with the new name.

GenericDialUpAdapter sounds better to me.

fulvio

=
This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]
=
RE: [WinPcap-users] where can I download symbol of npf.sys?
If you want to modify some parts of the WinPcap source code, you have to compile it. So, it's pretty useless that we sent you the .pdb file. I suggest you try compiling everything from scratch.

Cheers,
fulvio

-Original Message-
From: Xue Yong Zhi [mailto:[EMAIL PROTECTED]
Sent: Tuesday 1 March 2005 19.56
To: winpcap-users@winpcap.polito.it
Subject: [WinPcap-users] where can I download symbol of npf.sys?

WinPcap 3.0 caused a BSOD on my desktop, and even if I know the new beta may fix that bug, I'd like to have a workaround for the older version as well. Bruce Leidl's approach (http://www.mail-archive.com/[EMAIL PROTECTED] it/msg01749.html) works pretty well. But as I mentioned, the BSOD happened again. I searched the mailing list and noticed the older version has a bug in pcap_sendpacket as well (http://www.mail-archive.com/winpcap-users@winpcap.polito.it/msg01491.html). I believe I might be able to avoid that by leaking some memory on purpose (it's better to crash a client's machine), but first I need to be sure this is the bug I encountered. I tried to debug the memory.dump with windbg, but it cannot find the debugging symbols for npf.sys. Can any of you WinPcap developers upload or send me the .pdb files of WinPcap 3.0?

Thank you.
RE: [WinPcap-users] Undefined Functions and Data Structures in Tutorial Code Example2
Your problem is due to some old headers that are distributed with Microsoft Visual C 6.0. Please update these headers by installing the Microsoft Platform SDK, or let's update the compiler to MS Visual Studio 2003.

Cheers,
fulvio

-Original Message-
From: Mario Hollibaugh [mailto:
Sent: Friday 25 March 2005 23.12
To: winpcap-users@winpcap.polito.it
Subject: [WinPcap-users] Undefined Functions and Data Structures in Tutorial Code Example2

I'm new with WinPcap 3.1 beta4, and only this morning (and only by the grace of God I'm sure) did I get programs using the WinPcap library to start compiling, linking, and running. I'm reading through the tutorials (for 3.1 beta 4, of course), dissecting the code provided line by line until I understand it completely before moving on. I've run into a bit of a problem with the tutorial lesson #2 and its corresponding sample code (this lesson is entitled Obtaining Advanced Information About Installed Drivers). If you look at the webpage for tutorial lesson #2 near the bottom of the code you will find the following function:

    char* ip6tos(struct sockaddr *sockaddr, char *address, int addrlen)
    {
        socklen_t sockaddrlen;

    #ifdef WIN32
        sockaddrlen = sizeof(struct sockaddr_in6);
    #else
        sockaddrlen = sizeof(struct sockaddr_storage);
    #endif

        if(getnameinfo(sockaddr, sockaddrlen, address, addrlen, NULL, 0, NI_NUMERICHOST) != 0)
            address = NULL;

        return address;
    }

When I try to compile, I'm getting an undeclared identifier error on both socklen_t (and it goes without saying, sockaddrlen as well), and the function getnameinfo(). Also, the compiler is complaining that NI_NUMERICHOST is an undeclared identifier. So I went to the online documentation for WinPcap v3.1 beta 4 and started digging, and unfortunately found nothing on the above listed items for which I am receiving errors.
If you look at the very top of the code snippet for lesson #2, you will find 2 include statements (under the #ifndef WIN32 line, which should be my case since I'm using a non-MFC project in VC++ 6.0): 1) #include <sys/socket.h>, and 2) #include <netinet/in.h>. I was going to dig in these 2 files; however, they didn't come with the developer kit version of WinPcap 3.1 beta 4. And actually if you think about it, it's impossible for those files to exist since Windows naming conventions don't allow a / in a file name :-(

Finally I began looking in MSDN for any sign of the above mentioned 3 things, and again found nothing. Anyone have any ideas where these 2 datatypes, and the function are defined, and where the documentation on them can be found? I mean theoretically anyone who has ever programmed using the WinPcap library should've run into this same problem...

Sorry my question ended up so long, but I wanted to save people some time in case they thought to try looking in the online documentation etc. etc. since I already did :-)

cheers,
Mario
RE: [WinPcap-users] Timeout settings for a capture
In order to increase performance, you have to set the timeout to a higher value. In any case, this does not make too much difference in case of networks with normal loads.

Cheers,
fulvio

-Original Message-
From: Mario Hollibaugh [mailto:
Sent: Thursday 14 April 2005 1.05
To: winpcap-users@winpcap.polito.it
Subject: [WinPcap-users] Timeout settings for a capture

Hi. I wrote a little program in C to capture some TCP packets and break em up to look at them later. I just want to make sure that I'm capturing all the packets so I'm wondering... in order to capture MORE packets should I set the timeout higher or lower?

Thanks.

Cheers,
Mario