Re: [WinPcap-users] Window XP Pro SP2 lockup in Ethereal with Winpcap 3.1b4
Hi Idon.

I tried to replicate the problem on two different XP machines, without any luck. Did the problem show using older winpcap versions (like 3.0)? Are you using some particular Firewall software on your machine?

Have a nice day
GV

----- Original Message -----
From: Idon . [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Monday, May 09, 2005 11:15 PM
Subject: [WinPcap-users] Window XP Pro SP2 lockup in Ethereal with Winpcap 3.1b4

Hello,

There is a bug, possibly in Winpcap 3.1b4, that causes Windows XP,SP2 to lock up (requiring a hard reboot) when any version of Ethereal newer than 0.10.9 is used for capturing with the "Update list of packets in real time" option checked. If the option is not checked, everything is okay. The bug affects Ethereal 0.10.10 and 0.10.11. I reported this to the Ethereal devs and they say it's likely Winpcap territory.

I am running a fully patched Windows XP Professional, SP2. My network adapter is 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)

Thanks

==
This is the WinPcap users list. It is archived at http://www.mail-archive.com/winpcap-users@winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]
==

[WinPcap-users] ANNOUNCE: mailing list migration
Hi all.

Tomorrow evening (May 11th) the winpcap-users@winpcap.polito.it mailing list will be migrated to [EMAIL PROTECTED]

The operation will last some hours, during which you could experience problems sending mails to both the mailing lists.

All the existing subscribers will be automatically moved to the new mailing list, and they'll receive a confirmation message. All the mails directed to the old mailing list will be automatically redirected to the new mailing list address.

Have a nice day
Gianluca Varenni
WinPcap Team

Re: [WinPcap-users] Important milestone for the WinPcap project
----- Original Message -----
From: Vasily Borovyak [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 05, 2005 9:09 AM
Subject: Re: [WinPcap-users] Important milestone for the WinPcap project

Hello Fulvio,

FR Now, first step will be moving the WinPcap site from its current location in
FR the Politecnico di Torino to a new site called winpcap.org, and the same
FR will happen with the mailing lists.

Please, could you provide us the instructions how to subscribe new mailing list.

Hi Vasily.

The mailing list migration will be done automatically: we will copy all the existing subscriber addresses to the new mailing list, and each subscriber will receive an automated confirmation with details on the new list. In the meantime, we will turn off subscribe ability to this (old) mailing list, and all the messages will be forwarded to the new ML for some time.

All this stuff will happen some day next week. Before the cutoff date, I'll send a public announcement on the mailing list.

Have a nice day
GV

--
Best regards, [EMAIL PROTECTED]

Re: [WinPcap-users] Winpcap reading from standard input broken?
Hi Animesh.

You are right. There is a bug in pcap_open_offline(), that has been already fixed in the winpcap source tree. It will be available in the next release of winpcap.

Thanks for the report

Have a nice day
GV

----- Original Message -----
From: Animesh Chaturvedi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 06, 2005 12:41 AM
Subject: [WinPcap-users] Winpcap reading from standard input broken?

Hi

I am trying to pipe data from a tool that generates output in pcap format into tools which read pcap input using WinPcap (such as WinDump). This apparently fails consistently, even though redirecting the output of the first tool into a file and then reading that intermediate file into the second tool works fine.

As an example, a command like this:

    generator | windump -r - -w test2.pcap

Results in an error message like this:

    windump: pcap_loop: truncated dump file

Whereas a sequence of commands like this works fine:

    generator > test1.pcap
    windump -r test1.pcap -w test2.pcap

A colleague of mine looked at the WinPcap source code, however, and we think the reason that it is failing is as under. He had fixed a similar problem with some other tool.

Looking at pcap_open_offline() (http://winpcap.polito.it/docs/man/html/savefile_8c-source.html#l00387), it seems that when the input file is specified as stdin, no attempt is made to put the file handle into binary mode, while that is done when a regular file is opened. This can be addressed by using the setmode() function (at least with Microsoft compilers). You can find some additional info on this on these pages:

http://www.cs.toronto.edu/~cosmin/TA/prog/sysconf/
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore98/HTML/_crt__setmode.asp

It would certainly be nice if this problem could get fixed soon.

REPRODUCING the problem: try

    i) windump -w - | windump -r -
    ii) windump -r - < file.cap

I would really appreciate if this could be fixed soon.

Thanks
Animesh Chaturvedi

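The failure mode discussed in this thread, as an added example that is not part of the original messages or of the WinPcap sources: why a pcap stream read through a text-mode stdin is reported as a truncated dump file. text_mode_read() is a simplified model of the Microsoft C runtime's text-mode translation and the sample savefile is constructed for the illustration; set_stdin_binary() shows the _setmode() call Animesh refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <fcntl.h>
#include <io.h>
#endif

/* Switch stdin to binary mode before a savefile reader touches it.
 * Outside Windows there is no text/binary distinction, so this is a no-op. */
int set_stdin_binary(void)
{
#ifdef _WIN32
    return _setmode(_fileno(stdin), _O_BINARY) == -1 ? -1 : 0;
#else
    return 0;
#endif
}

/* Simplified model (an assumption of this example) of a text-mode read in
 * the Microsoft C runtime: CR LF collapses to LF, and Ctrl-Z (0x1A) is
 * taken as end of file. Returns the number of bytes the reader receives. */
size_t text_mode_read(const uint8_t *in, size_t n, uint8_t *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == 0x1A)
            break;
        if (in[i] == 0x0D && i + 1 < n && in[i + 1] == 0x0A)
            continue;
        out[o++] = in[i];
    }
    return o;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a little-endian pcap savefile held in memory. Returns the number of
 * complete records, or -1 for a bad file header or a truncated record. */
int count_records(const uint8_t *buf, size_t n)
{
    size_t off = 24;
    int count = 0;

    if (n < 24 || le32(buf) != 0xA1B2C3D4u)
        return -1;
    while (off < n) {
        uint32_t caplen;
        if (n - off < 16)
            return -1;                 /* record header cut short */
        caplen = le32(buf + off + 8);
        off += 16;
        if (n - off < caplen)
            return -1;                 /* packet data cut short */
        off += caplen;
        count++;
    }
    return count;
}

/* Constructed sample: file header plus one record whose 6 payload bytes
 * contain both a CR LF pair and a 0x1A byte. Returns the total length. */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t file_hdr[24] = {
        0xD4, 0xC3, 0xB2, 0xA1,        /* magic, little-endian */
        0x02, 0x00, 0x04, 0x00,        /* version 2.4 */
        0, 0, 0, 0, 0, 0, 0, 0,        /* thiszone, sigfigs */
        0xFF, 0xFF, 0x00, 0x00,        /* snaplen 65535 */
        0x01, 0x00, 0x00, 0x00         /* linktype 1 */
    };
    static const uint8_t rec_hdr[16] = {
        1, 0, 0, 0, 0, 0, 0, 0,        /* ts_sec, ts_usec */
        6, 0, 0, 0, 6, 0, 0, 0         /* caplen, len */
    };
    static const uint8_t payload[6] = { 'a', 0x0D, 0x0A, 'b', 0x1A, 'c' };

    memcpy(buf, file_hdr, 24);
    memcpy(buf + 24, rec_hdr, 16);
    memcpy(buf + 40, payload, 6);
    return 46;
}

int main(void)
{
    uint8_t raw[64], cooked[64];
    size_t n = build_sample(raw);
    size_t m = text_mode_read(raw, n, cooked);

    printf("binary read:    %u bytes, result %d\n",
           (unsigned)n, count_records(raw, n));
    printf("text-mode read: %u bytes, result %d\n",
           (unsigned)m, count_records(cooked, m));
    return set_stdin_binary();
}
```

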
Re: [WinPcap-users] iflist.c DOES NOT RETURN IP ADDRESS OF INTERFACE (DHCP)
Hi Nick.

As a matter of fact, due to the lack of resources, the relative obsolescence of win9x and its poor performance, our efforts are all concentrated on the development of winpcap under NT systems. As a consequence, we can provide very little support for this OS. I'm very sorry for that.

Have a nice day
GV

----- Original Message -----
From: Nick Manoleras
To: winpcap-users@winpcap.polito.it
Sent: Thursday, February 17, 2005 6:01 AM
Subject: [WinPcap-users] iflist.c DOES NOT RETURN IP ADDRESS OF INTERFACE (DHCP)

Hi All,

As part of a monitoring App, I am using a program based on iflist.c to return details of all interfaces in a machine. I encounter a problem on windows 98 machines that have been allocated an address via DHCP. They return an IP address of 0.0.0.0. (XP DHCP works OK). I suspect this is more a Microsoft problem than Winpcap.

Has anyone else run into this problem? Does anyone have a quick fix?

Thanks,
Nick.

Re: [WinPcap-users] WinPcap fails to recognize adapters, every other time
Uhm... this is rather weird.

Can you please try the debug_to_file version of packet.dll? It's available at http://winpcap.polito.it/contact.htm under the section "submitting bugs". Repeat your tests (I hope it will fail with the same behavior as before). Next, send me the file winpcap_debug.txt that the debug dll should have created.

Have a nice day
GV

----- Original Message -----
From: Paul J. Nederveen [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, February 22, 2005 6:57 PM
Subject: [WinPcap-users] WinPcap fails to recognize adapters, every other time

Hello,

I am having a problem running winpcap on my Thinkpad T42. My system is an IBM Thinkpad T42 with:

WinXP Pro SP2
Intel PRO/1000 MT
Intel PRO/Wireless 2200BG
WinpCap 3.1 beta4 (also tried with 3.0 alpha3, which works with this app on other XP installs)

I have an application that utilizes packet.dll to loop back packets. It gets an empty list when calling PacketGetAdapterNames(). Reading the FAQ, I tested with windump. I get strange results. Every other time it returns adapter info. Running 'windump -D' in a cmd shell gives me this:

    F:\WinDump -D
    WinDump: PacketGetAdapterNames: There are no more files.

    F:\WinDump -D
    1.\Device\NPF_GenericNdisWanAdapter (Generic NdisWan adapter)
    2.\Device\NPF_{3336EC4C-31DB-4DCD-8E4C-340B968FFB09} (Intel(R) PRO/1000 MT Mobile Connection (Microsoft's Packet Scheduler) )
    3.\Device\NPF_{C7802EB6-B280-46AA-8CBC-BBEA3D97A353} (NOC Extranet Access Adapter (Microsoft's Packet Scheduler) )
    4.\Device\NPF_{83160726-7FD8-4181-BA3F-B4F3DCC6A221} (Intel(R) PRO/Wireless 2200BG Network Connection (Microsoft's Packet Scheduler) )

    F:\WinDump -D
    WinDump: PacketGetAdapterNames: There are no more files.

Etc.etc

Currently the PRO/1000 interface is the only one enabled. I have disabled firewall and any virus detectors.

Any idea?

Thanks,
Paul

Paul J. Nederveen
Enea Embedded Technology

Re: [WinPcap-users] PacketOpenAdapterNPF bug - error creating service
Hi Daniel.

You are right, you need SC_MANAGER_CREATE_SERVICE to install the driver. However, the service is created upon winpcap installation, so the function PacketInstallDriver() should never be called by PacketOpenAdapterNPF. Nevertheless, I think that we need to clean up that code (and maybe reopen the SCM before calling PacketInstallDriver, if we want to maintain that fcn).

Thanks for the report.

Have a nice day
GV

----- Original Message -----
From: Daniel Smith [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Monday, February 21, 2005 11:14 PM
Subject: [WinPcap-users] PacketOpenAdapterNPF bug - error creating service

Hi,

There is a bug in the creation of the NPF service from the PacketOpenAdapterNPF function. If the service doesn't exist, it should be created. However, the service control manager was only being opened with GENERIC_READ, which results in ERROR_ACCESS_DENIED. The service control manager must be opened with the access right SC_MANAGER_CREATE_SERVICE in order to create a service.

Daniel

Re: [WinPcap-users] PPPoX etc / generic dialup risks
Hi.

It is true, the so called generic ndiswan adapter is always listed on XP (provided that you have the rights to access the netmon driver). Even if there is no dialup or similar adapter installed. However, choosing such adapter should not cause any crash in any case (basically, if you don't have any ppp hw, you won't capture anything). WinPcap forwards the request to open such adapter to Microsoft netmon (that's what we use to capture from PPP), and the request should either fail (we deal with such errors in winpcap), or succeed (and then you don't capture anything). I had a look at the winpcap code for that, and every return value from the NetMon API seems to be checked.

Can you tell me the exact error message you are encountering? In the next weeks I will try to replicate it on one of my machines.

Have a nice day
GV

----- Original Message -----
From: Thaddy [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Wednesday, February 16, 2005 8:40 AM
Subject: [WinPcap-users] PPPoX etc / generic dialup risks

Hi,

I noticed that on some installations there is always an entry returned for the generic driver even if there's no such hardware available. If a mainboard contains a miniport slot for either a miniport dialup modem or a miniport networkcard, at least Windows XP will install a miniport driver (recognized by the library as a valid entry), but because the actual modemdriver or networkdrivers are not installed, trying to access it will crash the software.

Anybody has similar experiences? or better a solution to distinguish between an actual filled and properly installed slot and an empty slot/ rogue miniport driver? I am talking about otherwise clean machines who never had the miniport slot used.

Regards,
Thaddy

Re: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4?
----- Original Message -----
From: Guy Harris [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, February 15, 2005 6:33 PM
Subject: Re: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4?

Fulvio Risso wrote:

GenericDialUpAdapter sounds better to me.

...although if you think of dial-up as opposed to, for example, broadband, is the NDISWAN stuff used for PPPoE or PPPoA for ADSL?

Yes. Or better, if I remember well, it is used at least for some of the available PPPoE drivers, like the one shipped with XP. I'll have a couple of tests with my DSL connection at home, just to be sure.

GV

PS. Is anyone here on the mlist with a PPPoA connection, and can see if the PPPoA adapter is listed as dialup or something else??

Re: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4?
----- Original Message -----
From: Loris Degioanni [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, February 15, 2005 7:37 AM
Subject: Re: [WinPcap-users] Generic and specific NDISWAN interfaces in WinPcap 3.1 beta 4?

Guy Harris wrote:

Somebody trying to capture on a serial port in Ethereal sent a long note about that to the Ethereal list:

http://www.ethereal.com/lists/ethereal-users/200502/msg00140.html

It says:

5) Because Windows PPP support is new, there is nothing about it in the Help portion of Ethereal (Live Preserver Icon) or in the online hypertext Help or online PDF Help file. I have attached some screen captures which show that the PPP adapter doesn't show up as available until the computer has established a dial-up connection with the internet. At first all that showed up was Generic NdisWan adapter: \Device\NPF_GenericNdisWanAdapter. However I was able to capture my dial-up conversations with my internet ISP using this Generic Ndis Wan adapter. After I established the dial-up connection an additional adapter showed up WAN (PPP/SLIP) Interface: \Device\NPF_{F37D0895-3FB0-4946-89D1-42FE988DBA90}. I reloaded a fresh image of Win 2K and verified that the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F37D0895-3FB0-4946-89D1-42FE988DBA90} was present prior to loading WinPcap and Ethereal. It was. This raises the question of why WinPcap can't find it until going online and establishing a dial-up connection and what the differences are, if any, between the two adapters.

and shows a before going online image:

http://www.ethereal.com/lists/ethereal-users/200502/gif6.gif

with only Generic NdisWan adapter: \Device\NPF_GenericNdisWanAdapter and an after going online image:

http://www.ethereal.com/lists/ethereal-users/200502/gif3.gif

which shows that interface *and* a WAN (PPP/SLIP) Interface: \Device\NPF_{GUID inserted here} interface.

I assume that the latter gets instantiated when an actual PPP connection is set up.

I assume that he expected an interface that explicitly mentioned PPP to show up, but was presumably pleasantly surprised to find that he can capture on the generic interface.

Is there any reason not to tell people to capture on the generic interface and ignore any specific interfaces that show up after you connect?

The reason why we added the fake GenericNdisWanAdapter interface is that some users complained about not being able to capture before the instantiation of a PPP connection. In fact, the connection is present in the registry *before* calling the phone number, but the IP Helper API shows it (and WinPcap is allowed to open it) only *after* doing that.

Moreover, the Generic Ndiswan adapter is available before a connection is established, but it does not have any IP address associated. The IP addresses are associated to the specific interfaces that are available after the connection is established.

Actually, I think that a better name (like GenericPPPAdapter) could be useful, since many people don't understand what NdisWanAdapter means. If the other developers agree on this, I can change the code with the new name.

This is a good idea. I only want to check if the WanAdapter supports PPP connections only, or other ones, as well (like VPNs and SLIP, if there is still someone using SLIP...).

Have a nice day
GV

Loris

Re: [ SPAM ] - Re: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter - Email found in subject
Hi Ed.

Can you provide me a small sample app exploiting the problem? I've tried to repeat the issue with my machines, without success.

Have a nice day
GV

----- Original Message -----
From: Ed Remmell [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Thursday, January 27, 2005 6:13 PM
Subject: RE: [ SPAM ] - Re: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter - Email found in subject

Gianluca -

I look at lpAdapter in the debugger, it is not NULL for the WAN adapter.

Thanks.

- Ed Remmell
Treck, Inc. (formerly Elmic Systems, USA)
Best of Show Winner, ESC 2003

-----Original Message-----
From: Gianluca Varenni [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 27, 2005 5:19 AM
To: winpcap-users@winpcap.polito.it
Subject: [ SPAM ] - Re: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter - Email found in subject

Hi Ed.

How can you be sure that lpAdapter is not NULL? The error message you sent seems an access to a null pointer. I've tried to replicate this issue on my machine, and a similar problem occurs if lpAdapter is NULL.

Have a nice day
GV

----- Original Message -----
From: Ed Remmell [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Saturday, January 15, 2005 2:17 AM
Subject: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter

Dear winpcap team -

On Win32 (I'm running Win XP Pro with the latest MS service packs applied), I've noted that your latest v3.1beta4 release of winpcap will crash if I execute the following sequence of packet.dll API calls on a WAN adapter:

    lpAdapter = PacketOpenAdapter(adapterName);
    PacketCloseAdapter(lpAdapter);

lpAdapter is of course not NULL. After the call to PacketOpenAdapter, I look at the structure that lpAdapter points to and lpAdapter->pWanAdapter is non-NULL, indicating that it is a WAN adapter. adapterName in this case is \Device\NPF_GenericNdisWanAdapter.

When the code crashes somewhere in PacketCloseAdapter, the error message I get in the Microsoft Visual C++ debugger is:

    Unhandled exception at 0x7c918fea in TreckDemo32d18.exe: 0xC005: Access violation writing location 0x0010.

If I try this exact same sequence of calls with a non-WAN adapter (lpAdapter->pWanAdapter is NULL), it works perfectly fine.

I'm not exactly sure how I'm going to code around this problem. Right now, what comes to mind is doing a string search in the adapterName to look for WanAdapter and if found then don't try opening the adapter because of this bug. That's obviously a hack, I'd prefer if you instead fix this.

Thanks.

- Ed Remmell
Treck, Inc. (formerly Elmic Systems, USA)
Best of Show Winner, ESC 2003

--
No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.6.12 - Release Date: 1/14/2005

---
Treck, Inc. - Confidentiality Notice
This electronic transmission may contain information that is proprietary or confidential. You are hereby notified that any dissemination, distribution or duplication of this electronic transmission to some other entity, without the expressed written consent of Treck, Inc. is strictly prohibited, unless the contents of this electronic transmission specifically authorizes you to do so. If your receipt of this electronic transmission is in error, please notify the corporate offices of Treck, Inc. immediately by calling (513) 528-5732, or by reply to this transmission.

Re: [WinPcap-users] Logging problem with Server 2003
Hi.

It's rather strange. WinPcap does not interact with the TCP/IP stack in any way (apart from retrieving the IP addresses of each network adapter). Do you have any VPN/Personal firewall software installed on your machine? Can you provide me more details on the hardware (network cards) you are using?

Your network card seems to perform IP and TCP checksum offloading (i.e. the IP and TCP checksums are computed by the board, instead of the tcp/ip stack).

Have a nice day
GV

----- Original Message -----
From: KOURTIS Stamatis
To: winpcap-users@winpcap.polito.it
Sent: Friday, January 28, 2005 4:38 PM
Subject: [WinPcap-users] Logging problem with Server 2003

Hi,

I have recently installed ethereal with WinPcap 3.1b4 on a windows 2003 server but it appears that I cannot get logged any traffic originating from the server unless a TCP flag has been set. For example, the attachment has a log of a file transfer but no packets appear to be transmitted from the server although acknowledgements arrive regularly. A close examination of all server originated traffic shows that all logged packets have at least one TCP flag set.

I tried other logging applications as well and all of them had the same problem with Ethereal and I was wondering if there is a particular issue with WinPcap. For your information, the same problem appears with WinPcap 3.0.

I'd really appreciate if you could point out what might be the problem in this case.

Many thanks in advance,
Stamatis

*DISCLAIMER*
This electronic transmission (and any attached document) is intended exclusively for the person or entity to whom it is addressed and may contain confidential and/or privileged material. Any disclosure, copying, distribution or other action based upon the information by persons or entities other than the intended recipient is prohibited. If you receive this message in error, please contact the sender and delete the material from any and all computers. Mobistar does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays.
*END OF DISCLAIMER*

Re: [WinPcap-users] Changing filter after reading doesn't discard old packets
Hi.

I can confirm that the source of the problem is 2, and it affects libpcap, as well, so the same problem seems to be present on the other OSes supported by libpcap. I had a quick look at the libpcap documentation, and it seems that there are no notes documenting such behavior.

I've put Guy Harris in CC to this message, maybe he has a clue about it. My opinion is that this behavior is actually a bug that needs to be fixed. Guy, what do you think?

Have a nice day
GV

----- Original Message -----
From: Loris Degioanni [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Wednesday, February 02, 2005 2:43 AM
Subject: RE: [WinPcap-users] Changing filter after reading doesn't discard old packets

I can see two reasons for that:

1. the winpcap driver is broken, and doesn't empty the kernel buffer when a new filter is set. I'm pretty sure that the latest version (3.1b4) from the WinPcap website behaves correctly from this point of view (I just checked the code), so you can try to install it instead of the 3.0 you're currently using.

2. The driver does its job, but when you set a new filter you still have some packets in the user-level libpcap-managed buffer, and libpcap doesn't drop them. I think this is the most probable cause.

I'll try to analyze the problem better, meanwhile a quick hack is to close the adapter and then reopen it before setting a new filter.

Loris

-----Original Message-----
From: Gabriel Becedillas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 01, 2005 11:09 AM
To: winpcap-users@winpcap.polito.it
Subject: [WinPcap-users] Changing filter after reading doesn't discard old packets

Hi,

I'm having a problem and I'd like to know if this is a bug or not:

If I set a filter that doesn't match any packet and then read, I don't get any packet. This is ok to me.

If I set a filter that doesn't match any packet but I did a previous read, I get packets. Is that ok? That old packets that don't match the current filter are returned?

I'm putting an example program (omitted the headers and error checking for simplicity). I'm using WinPCap 3.0 on a Windows 2000 SP4 box.

Thanks.

    // Headers and error checking omitted, as noted above.

    // Compile a_Filter and install it on the open capture handle.
    void set_filter(pcap_t* a_Dev, const char* a_Filter)
    {
        struct bpf_program bpfprog;
        pcap_compile(a_Dev, &bpfprog, const_cast<char*>(a_Filter), 1, 0xFE00);
        pcap_setfilter(a_Dev, &bpfprog);
    }

    // Returns true if a packet was delivered before the read timeout.
    bool read(pcap_t* a_Dev)
    {
        pcap_pkthdr* p_hdr;
        u_char* p_data;
        return pcap_next_ex(a_Dev, &p_hdr, &p_data) == 1;
    }

    int main()
    {
        char error[PCAP_ERRBUF_SIZE];
        bool test;
        pcap_t* dd = pcap_open_live("\\Device\\NPF_{3F532625-F275-42E3-A1D2-EF5AEF988F6E}", 100, 1, 2000, error);
        ::Sleep(5000);
        test = read(dd);          // first read, no filter set yet
        assert(test);
        set_filter(dd, "host 1.1.1.1");
        test = read(dd);          // second read, after a filter that matches nothing
        assert(!test);
        return 0;
    }

--
Gabriel Becedillas
Developer
CORE SECURITY TECHNOLOGIES
Florida 141 - 2º cuerpo - 7º piso
C1005AAC Buenos Aires - Argentina
Tel/Fax: (54 11) 5032-CORE (2673)
http://www.corest.com

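How the second cause Loris lists produces stale packets, as an added example that is not part of the original messages and is not libpcap or WinPcap code: a small C model in which packets already copied to the user-level buffer survive a filter change unless that buffer is dropped. struct capture, its functions, the filters and the traffic are all hypothetical and constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define BATCH 4                  /* packets copied to user space per refill */

typedef int (*filter_fn)(int src_host);   /* stand-in for a compiled filter */

int accept_all(int src_host)   { (void)src_host; return 1; }
int only_host_20(int src_host) { return src_host == 20; }
int no_match(int src_host)     { (void)src_host; return 0; }

struct capture {
    const int *wire;             /* arriving packets, reduced to source host */
    size_t wire_len, wire_pos;
    filter_fn filter;            /* applied when packets are copied up */
    int user_buf[BATCH];         /* packets accepted under the filter in force
                                    at copy time */
    size_t user_len, user_pos;
    int flush_on_setfilter;      /* 0 = behaviour reported in the thread */
};

void capture_open(struct capture *c, const int *wire, size_t n, int flush)
{
    c->wire = wire;
    c->wire_len = n;
    c->wire_pos = 0;
    c->filter = accept_all;
    c->user_len = c->user_pos = 0;
    c->flush_on_setfilter = flush;
}

void capture_setfilter(struct capture *c, filter_fn f)
{
    c->filter = f;
    if (c->flush_on_setfilter)
        c->user_len = c->user_pos = 0;   /* drop packets the old filter let in */
}

/* Returns the next packet's source host, or 0 when nothing is available
 * (the model's equivalent of a read timeout). */
int capture_next(struct capture *c)
{
    if (c->user_pos == c->user_len) {
        c->user_len = c->user_pos = 0;
        while (c->wire_pos < c->wire_len && c->user_len < BATCH) {
            int pkt = c->wire[c->wire_pos++];
            if (c->filter(pkt))
                c->user_buf[c->user_len++] = pkt;
        }
    }
    return c->user_pos < c->user_len ? c->user_buf[c->user_pos++] : 0;
}

/* Replays the sequence from the thread: read once, set a filter, read again.
 * Returns what the second read delivers, or -1 if the first read failed. */
int second_read_after_filter(int flush, filter_fn f)
{
    static const int wire[] = { 10, 10, 10, 10, 20, 10 };  /* constructed */
    struct capture c;

    capture_open(&c, wire, sizeof wire / sizeof wire[0], flush);
    if (capture_next(&c) != 10)
        return -1;
    capture_setfilter(&c, f);
    return capture_next(&c);
}

int main(void)
{
    printf("no flush, filter host 20: got %d\n",
           second_read_after_filter(0, only_host_20));
    printf("flush,    filter host 20: got %d\n",
           second_read_after_filter(1, only_host_20));
    printf("flush,    filter no match: got %d\n",
           second_read_after_filter(1, no_match));
    return 0;
}
```

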
Re: [WinPcap-users] re: pcap_next_ex timeout after WaitForMultipleObjects
Hi Peter.

I can confirm that this is a bug that affects the capturing process with Wan Adapters (e.g. Generic NDISWAN adapter). I was very busy in the last months, but I'll work on a fix to this issue soon.

It is important to point out that this bug does not affect the capturing process on normal adapters (e.g. ethernet).

Have a nice day
GV

----- Original Message -----
From: phengmaly peter [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Wednesday, February 02, 2005 2:27 PM
Subject: [WinPcap-users] re: pcap_next_ex timeout after WaitForMultipleObjects

Which version of WinPcap are you using? Can you confirm me that you are using WinPcap 3.1beta3/4? In this case, your code should capture from the generic ndiswan adapter, and you have discovered a bug in it (in wanpacket.dll). I'll work on the fix in the next couple of weeks (maybe sooner), and let you know.

Hi Gianluca,

Indeed, it is 3.1 beta 4, on Windows 2K. Did you try the code snippet I've sent? It should be able to reproduce the mentioned behaviour.

Thanks,
Peter

Re: [WinPcap-users] INTERFACE DETECTION FAILED WITH WINPCAP3.0
Hi.

This is a known bug in winpcap 3.0, that was fixed in one of the betas of winpcap 3.1. This bug is caused by some empty registry keys that remain after you remove some network devices of the system. The usual suggestion is to update to 3.1beta4.

Modifying the registry can be *really* dangerous (I never modified the registry for this issue, as a matter of fact). In case you want to try, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} and remove all the folders (named , 0001, 0002...) that are empty. No guarantees about it.

Regarding GIT, have you tried contacting the GIT developers about this issue with winpcap 3.1beta4? What is the exact problem you are encountering?

Have a nice day
GV

----- Original Message -----
From: [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Thursday, January 13, 2005 12:18 PM
Subject: [WinPcap-users] INTERFACE DETECTION FAILED WITH WINPCAP3.0

Programs like Ethereal and GIT don't see any interfaces with WinPcap 3.0 anymore. Before it works fine, but after installing and reinstalling some Bluetooth drivers and maybe some other modifications the problem revealed. (I don't know exact when and how) I suspect a corrupt link in the register related to my Network Interface and WinPcap3.0. Installing and reinstalling winpcap3.0 and my network interface didn't work.

Interface detection is correct with any higher version of WinPcap (3.1 beta series). Problem is GIT. It runs only with WinPcap version 3.0. (Ethereal works fine with WinPcap 3.1 beta 4 on my system) So, I want to get WinPcap3.0 working again.

I DON'T WANT TO REINSTALL MY WHOLE SYSTEM TO SOLVE THIS PROBLEM

I want to try to solve it in a less brute way.

Question: What could be the course of preventing winpcap3.0 detecting my network interface? What are important windows xp registry entries which I should check relating to this problem?

Please help.

Elwin Nieuwenhuis ([EMAIL PROTECTED])

Re: [WinPcap-users] Suggested improvement to Win32 pcap_open_live, hardware filters
Hi Ed.

I haven't yet tried to replicate this issue. Can you confirm me the problem, or better you have solved it?

Have a nice day
GV

----- Original Message -----
From: Ed Remmell [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Saturday, January 15, 2005 3:27 AM
Subject: Re: [WinPcap-users] Suggested improvement to Win32 pcap_open_live, hardware filters

Guy -

Do you mean an ARP broadcast packet received by the machine running an NDIS application or one *sent* by that machine?

Without NDIS_PACKET_TYPE_BROADCAST set, we could not receive an ARP broadcast packet sent (by a different machine?).

I just tried to reproduce this behavior, and could not. I temporarily modified our code that calls packet.dll to only set NDIS_PACKET_TYPE_ALL_LOCAL, and I was able to receive ARP broadcast w/out any problem. I tried this running winpcap on Win '98 and XP, and using a few different Ethernet cards. So, it doesn't appear to be a real issue.

- Ed

Re: [WinPcap-users] USB network adapter !
Hi Per.

Is the device listed? What version of winpcap are you using? What is the output of windump -D (D capital letter)? I've never tested winpcap with usb adapters, but it should work without problems.

Have a nice day
GV

----- Original Message -----
From: Per Ellefsen (GR/ETO) [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Monday, January 17, 2005 10:48 AM
Subject: [WinPcap-users] USB network adapter !

I am not able to find the USB network adapter from Netgear (Model EA 101) using the winpcap interface. I do need to use promiscuous mode! Is this maybe a general problem when using a network adapter with USB interface?

Thanks
/Per Ellefsen
Re: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter
Uhm... I'm not sure that this workaround will work every time: what happens if another adapter does not have any IP address?

Have a nice day
GV

----- Original Message -----
From: Ed Remmell [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Saturday, January 15, 2005 3:38 AM
Subject: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter

FYI, I did the following hack for this, which seems to work fine - please let me know if this won't detect all WAN adapters and I then need to code it differently:

After the call to pcap_findalldevs, when I'm iterating through the pcap_if_t's, if dev->addresses is NULL then I treat this as an indication that it is a WAN adapter and skip it:

    if (pcap_findalldevs(&alldevs, tlPcapErrbuf) != -1)
    {
        AdapterNum = 0;
        for (dev = alldevs; dev != NULL; dev = dev->next)
        {
            /* Skip the WAN adapter, if we try to open it with
               winpcap v3.1beta4 this causes a crash */
            if (dev->addresses != NULL)
            {

Etc.

Thanks.

- Ed Remmell
Treck, Inc. (formerly Elmic Systems, USA)
Best of Show Winner, ESC 2003
Re: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter
Hi Ed.

How can you be sure that lpAdapter is not NULL? The error message you sent seems to be an access to a null pointer. I've tried to replicate this issue on my machine, and a similar problem occurs if lpAdapter is NULL.

Have a nice day
GV

----- Original Message -----
From: Ed Remmell [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Saturday, January 15, 2005 2:17 AM
Subject: [WinPcap-users] Bug in v3.1beta4 of winpcap? Crash when open and close WAN adapter

Dear winpcap team -

On Win32 (I'm running Win XP Pro with the latest MS service packs applied), I've noted that your latest v3.1beta4 release of winpcap will crash if I execute the following sequence of packet.dll API calls on a WAN adapter:

    lpAdapter = PacketOpenAdapter(adapterName);
    PacketCloseAdapter(lpAdapter);

lpAdapter is of course not NULL. After the call to PacketOpenAdapter, I look at the structure that lpAdapter points to and lpAdapter->pWanAdapter is non-NULL, indicating that it is a WAN adapter. adapterName in this case is \Device\NPF_GenericNdisWanAdapter.

When the code crashes somewhere in PacketCloseAdapter, the error message I get in the Microsoft Visual C++ debugger is:

Unhandled exception at 0x7c918fea in TreckDemo32d18.exe: 0xC005: Access violation writing location 0x0010.

If I try this exact same sequence of calls with a non-WAN adapter (lpAdapter->pWanAdapter is NULL), it works perfectly fine.

I'm not exactly sure how I'm going to code around this problem. Right now, what comes to mind is doing a string search in the adapterName to look for WanAdapter and if found then don't try opening the adapter because of this bug. That's obviously a hack, I'd prefer if you instead fix this.

Thanks.

- Ed Remmell
Treck, Inc. (formerly Elmic Systems, USA)
Best of Show Winner, ESC 2003
Re: [WinPcap-users] Winpcap for XP 64 bit?
Hi.

I've never compiled winpcap in the 64bit build environment, and I know that there are a couple of modifications to be done (in the driver, in particular) to make it work under a 64bit platform. Unfortunately, I do not have any 64bit machine to work with.

Have a nice day
GV

----- Original Message -----
From: JJ Streicher-Bremer
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, January 18, 2005 12:03 AM
Subject: [WinPcap-users] Winpcap for XP 64 bit?

Has anybody tried to compile winpcap for Windows XP 64 bit?

Thanks!
Re: [WinPcap-users] unsubscribe
Hi Jan.

As clearly written in the signature of the messages, you should send the unsubscribe message to winpcap-users-request.

Have a nice day
GV

----- Original Message -----
From: Jan Peeters [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Wednesday, January 19, 2005 7:49 PM
Subject: [WinPcap-users] unsubscribe
Re: [WinPcap-users] WinPcap in Safe Mode
Hi.

I have never tried running winpcap in safe mode. I'll try it in the following weeks.

Have a nice day
GV

----- Original Message -----
From: Brian C. Wiles [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, January 18, 2005 2:02 AM
Subject: [WinPcap-users] WinPcap in Safe Mode

Hi,

I am writing an application that uses WinPcap, and I need it to be able to run in Safe Mode. WinPcap 3.1 beta 4 does not seem to launch under Safe Mode with Networking in Windows XP. If I manually add a registry key under HKEY_LOCAL_MACHINE\CurrentControlSet\Control\SafeBoot for NPF, it refuses to launch. Typing net start npf gives the following:

    The NetGroup Packet Filter Driver service could not be started.
    A system error has occurred.
    System error 31 has occurred.
    A device attached to the system is not functioning.

Has anyone else been able to do this? Thanks for your help.

-Brian
Re: [WinPcap-users] Ethereal
Hi.

Have you tried winpcap 3.1beta4? Can you tell me if the blue screen issue is solved in this beta version? It's very important for us in order to close winpcap 3.1.

Have a nice day
GV

----- Original Message -----
From: Robert Williamson [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, January 11, 2005 3:35 PM
Subject: [WinPcap-users] Ethereal

I am running XP with SP2. I have tried using winpcap 3.01 but still get blue screen when trying to capture information using ethereal. Ethereal told me to report this to your team. Let me know when this is corrected.
Re: [WinPcap-users] Using WinPCap in an NTService
Hi.

What do you mean by "packet and wpcap dlls are not loaded"?? Those dlls can be unloaded, even if the driver is loaded (and vice versa). An application loads them to access the interface exported by the driver (that can be started or not).

Have a nice day
GV

----- Original Message -----
From: Cary Moore
To: winpcap-users@winpcap.polito.it
Sent: Thursday, January 06, 2005 1:03 PM
Subject: [WinPcap-users] Using WinPCap in an NTService

Is it possible to use WinPCap in an NTService application loaded when the system boots (WinXP SP2)? I've written a service (Delphi 2005) that works fine when started manually from the Service Control Manager but fails to start automatically when the system boots (7009 timeout error generated in the Event Log). I've set the NPF driver to load automatically and according to msinfo32 it is running but neither the packet nor wpcap dlls are loaded until I manually start the service.

Any help, advice, pointers would be appreciated.

Cary.
Re: [WinPcap-users] windump -D results in error
Uhm... That's a bit strange. Can you please use the bug report procedure detailed at http://winpcap.polito.it/contact.htm (bottom half of the page)?

Have a nice day
GV

----- Original Message -----
From: Alex Narinsky [EMAIL PROTECTED]
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, December 21, 2004 11:49 PM
Subject: [WinPcap-users] windump -D results in error

Hello,

For some reason windump -D is not working on my computer. I am getting:

    windump: PacketGetAdapterNames: Cannot create a file when that file already exists.

What can be the reason?

Thanks
Re: [WinPcap-users] priority of capture driver and port filtering problem
Hi.

First of all, do NOT send HTML messages to the list. Use plain text. Replies are quoted with --GV--

Have a nice day
GV

----- Original Message -----
From: Cefur
To: winpcap-users@winpcap.polito.it
Sent: Tuesday, January 04, 2005 11:01 AM
Subject: [WinPcap-users] priority of capture driver and port filtering problem

First question: Like a lot of you I have made a bridge with WinPCap and now I am playing with it. So I made a little test. When the bridge computer is not under heavy load the latency of the bridge is not so big (it can be tolerated). But when this computer is 100% utilized (under heavy load) then an erratic behavior happens. For a couple of seconds the latency is normal then sky rockets (probably a lot of packets are lost - I didn't check yet) and then again few seconds normal ... etc. I set the priority of the program to critical but that didn't help.

settings: setmintocopy = 0 (for low latency)

Well I was wondering could it be that capturing driver priority is too low? Well I know it was already talked about ... but I didn't find any good answer. What I am asking is, can this priority of the driver be set any higher?

--GV--
The concept of priority is related to threads. The driver does not run in the context of a thread. It's rather run in the context of a software interrupt (called DPC = Deferred Procedure Call in the WinNT terminology). As a consequence, it runs with a priority (the term is abused, here, the right term is IRQL, in the WinNT terminology) higher than any thread.

The performance problem you are having can be due to a number of reasons, the most probable ones are:

1. a poorly performing NIC card or NIC driver
2. having set mintocopy to 0, basically you are polling the driver continuously-- the number of ring switches (userland--kernel--userland) is high, and this switch is very expensive.
3. although WinPcap can be used to build bridges, it was created with a different objective in mind (packet capture, and packet send for testing purposes). As a consequence, responsiveness was sacrificed in favor of a higher packet capture rate. If you want to create a high performance bridge, maybe winpcap is not the best choice. A custom kernel driver for it maybe will be a better solution.
--GV--

Second question: How can I pcap_open_dead with pcap_open (for example I would like just to send packets and not capture it from an adapter)?

--GV--
pcap_open_dead is used to open a fake pcap adapter. There is no way to open a pcap adapter to send packets, only. However, you can open an adapter in non-promiscuous mode, and only send packets through it, and not receive packets through it.
--GV--

Third question: How can I set filter to capture only on ports higher than 139, because something like port 139 doesn't work?

--GV--
The right syntax for tcp is

    tcp[0:2] > 139 or tcp[2:2] > 139
--GV--

Thx.
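What the filter expression in the reply above tests, written out in plain C as an added example (not code from the original messages or from WinPcap). It assumes Ethernet II framing and IPv4; the frames are constructed test data, and `tcp_port_above`, `build_frame` and `check_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14u   /* Ethernet II: dst MAC, src MAC, EtherType */

/* Read/write a 16-bit value in network (big-endian) byte order. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static void put_be16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)(v & 0xff);
}

/*
 * Software equivalent of "tcp[0:2] > limit or tcp[2:2] > limit":
 * tcp[0:2] is the 16-bit source port, tcp[2:2] the destination port.
 * Returns 1 on match, 0 otherwise.
 */
int tcp_port_above(const uint8_t *frame, size_t len, uint16_t limit)
{
    const uint8_t *ip, *tcp;
    size_t ihl;

    if (len < ETH_HDR_LEN + 20u)
        return 0;                        /* too short for Ethernet + IPv4 */
    if (be16(frame + 12) != 0x0800)
        return 0;                        /* EtherType is not IPv4 */
    ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || ip[9] != 6)
        return 0;                        /* not IPv4, or protocol is not TCP */
    if (be16(ip + 6) & 0x1fff)
        return 0;                        /* later fragment: carries no TCP header */
    ihl = (size_t)(ip[0] & 0x0f) * 4u;   /* IP header length varies with options */
    if (ihl < 20u || len < ETH_HDR_LEN + ihl + 4u)
        return 0;                        /* malformed IHL, or ports truncated */
    tcp = ip + ihl;
    return be16(tcp) > limit || be16(tcp + 2) > limit;
}

/* Build a constructed Ethernet/IPv4 frame with a 20-byte transport header.
 * Returns the frame length, or 0 if the arguments do not fit. */
size_t build_frame(uint8_t *buf, size_t cap, unsigned ihl_words,
                   uint16_t frag_off, uint8_t proto,
                   uint16_t sport, uint16_t dport)
{
    size_t ihl = (size_t)ihl_words * 4u;
    size_t total = ETH_HDR_LEN + ihl + 20u;
    uint8_t *ip;

    if (ihl_words < 5 || ihl_words > 15 || cap < total)
        return 0;
    memset(buf, 0, total);
    put_be16(buf + 12, 0x0800);                  /* EtherType IPv4 */
    ip = buf + ETH_HDR_LEN;
    ip[0] = (uint8_t)(0x40 | ihl_words);         /* version 4 + IHL */
    put_be16(ip + 2, (uint16_t)(ihl + 20u));     /* total length */
    put_be16(ip + 6, (uint16_t)(frag_off & 0x1fff));
    ip[8] = 64;                                  /* TTL */
    ip[9] = proto;
    put_be16(ip + ihl, sport);
    put_be16(ip + ihl + 2, dport);
    return total;
}

/* Build one constructed frame and run the check on it (-1 on bad arguments). */
int check_sample(unsigned ihl_words, uint16_t frag_off, uint8_t proto,
                 uint16_t sport, uint16_t dport, uint16_t limit)
{
    uint8_t buf[ETH_HDR_LEN + 60u + 20u];
    size_t n = build_frame(buf, sizeof buf, ihl_words, frag_off, proto,
                           sport, dport);
    return n ? tcp_port_above(buf, n, limit) : -1;
}

int main(void)
{
    printf("1025 -> 139      : %d\n", check_sample(5, 0, 6, 1025, 139, 139));
    printf("139 -> 80        : %d\n", check_sample(5, 0, 6, 139, 80, 139));
    printf("80 -> 445, opts  : %d\n", check_sample(6, 0, 6, 80, 445, 139));
    printf("later fragment   : %d\n", check_sample(5, 185, 6, 4000, 4000, 139));
    return 0;
}
```

The comparison is strict, so a frame whose ports are both exactly 139 does not match, and a later IP fragment is never matched because it has no TCP header to index.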
Re: [WinPcap-users] Startup help
Hi Jesse.

Did you succeed in compiling windump?

Have a nice day
GV

----- Original Message -----
From: Jesse Gordon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 11:57 PM
Subject: Re: [WinPcap-users] Startup help

Loris, Thanks very much for the help!

Anybody, I'm still struggling away trying to get something to work -- I think I'm lacking in the driver development kit. I did get a current install of cygwin working nicely, but it fails to compile tcpdump and gives some cryptic remark about 'main' and -lpcap or something. (If one of you builds tcpdump with cygwin I would be ever so grateful to report exact errors.)

Basically, my desire is to modify tcpdump. I do not need to modify winpcap. Do I need to compile winpcap in order to compile tcpdump? Or can I simply use the precompiled winpcap files when I compile tcpdump?

Thanks very much,
Jesse

----- Original Message -----
From: Loris Degioanni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 11:03 AM
Subject: RE: [WinPcap-users] Startup help

Jesse,

at http://winpcap.polito.it/docs/docs31beta4/html/index.html, you can find some directions to compile WinPcap. Similar information can be found in the readme-visualC and readme-cygwin files in the WinPcap source code. If you want to improve these documents, you are of course welcome.

Loris

-----Original Message-----
From: Jesse Gordon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 08, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] Startup help

Hello,

I'm familiar with the concept of compiling programs as I have compiled many packages for Linux, but I'm having trouble figuring out exactly how I can get set up to compile WinDump on my Windows 2003 workstation. I would be very grateful if somebody would provide a list of things (such as compilers) and files I need to download, or point me to a HOW-TO which explains each step.

For compilers I have Microsoft Visual C++ Toolkit 2003 command line compiler, from the Microsoft website. Also I have downloaded cygwin and mingW32, but I can't seem to get MingW32 to compile any programs with network support, and I can't seem to get cygwin to compile any programs. But I'll be glad to try and re-install cygwin again. If I can't make cygwin or MSVC++ compile windump, I may have access to other C compilers because the company I work for has an MSDN subscription.

If there is not already a HOW-TO page that gives these step-by-step instructions, and I do get it all figured out (probably with some help from you guys), I'll be glad to write a how-to page for new-comers (such as I am right now) and either post it on my website or give you the HTML so you can paste it into your windump website.

Thank you very much,
Jesse
Re: [WinPcap-users] NPF_IoControl causing crash on XP with control code BIOCSETF
Hi Daniel.

I suppose you are using WinPcap 3.0. This is a known bug that has been fixed starting from WinPcap 3.1 beta. I suggest you use WinPcap 3.1 beta4 to solve this issue.

Have a nice day
GV

----- Original Message -----
From: Daniel Smith
To: [EMAIL PROTECTED]
Sent: Friday, December 17, 2004 12:33 AM
Subject: [WinPcap-users] NPF_IoControl causing crash on XP with control code BIOCSETF

Hi,

I'm using an application to send arps to look for particular devices connected to installed adapters. I apply a filter so that only ARP packets are received. Under windows XP, I have experienced spontaneous reboots (blue screen with PAGE_FAULT_IN_NONPAGED_AREA). It doesn't happen frequently, about 4 times over 5 days recently. From my understanding, these filters are applied at the NPF level, and not passed down to the actual NIC driver, so the NIC drivers we have been testing on shouldn't be in question.

After looking at the minidumps, it appears that the fault is happening at line 690 of Packet.c, which is:

    if (((struct bpf_insn*)prog)[cnt].code==BPF_SEPARATION && (insns-cnt-1)!=0)

In user land, there is nothing to suggest the dynamically allocated memory for the bpf_insn struct (happening at icode_to_fcode in optimize.c) has been freed before sending DeviceIoControl, or that the malloc failed. From what I know about what's happening with the IO, the user virtual memory is mapped to the system buffer in the non-paged pool (I could be wrong here). The only explanation I see is that the SystemBuffer, which exists in the non-paged pool, has somehow become bogus, and when the above line of code is executed, we get the crash.

Has anyone experienced this behavior before, or know of any related bugs? I'm basically left clueless as to why this is happening!

Kind Regards,
Daniel
Re: [WinPcap-users] crash
Hi Lars.

Did you solve your problems? We need your help to fix this crash issue.

Have a nice day
GV

----- Original Message -----
From: Loris Degioanni [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 6:50 PM
Subject: RE: [WinPcap-users] crash

Even the command line ones? If yes, can you:

- tell me the list of interfaces reported by winpcap on your system
- tell me if the bug happens just on one machine or everywhere
- report the bug as explained at http://winpcap.polito.it/contact.htm

Thanks,
Loris

Sometimes they crash and sometimes they don't, just like my program

/Lars

-----Original Message-----
From: Loris Degioanni [mailto:[EMAIL PROTECTED]
Sent: 22. November 2004 19:37
To: [EMAIL PROTECTED]
Subject: RE: [WinPcap-users] crash

What happens with the examples of the WinPcap developer's pack, e.g. netmeter?

Loris

-----Original Message-----
From: Lars Larsen [mailto:]
Sent: Thursday, November 18, 2004 7:40 AM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] crash

Hello World\n;

Sometimes I am getting crashes when using WPCAP.LIB, a 0xC005 read error exception, originating from pcap_findalldevs_ex(), but it is not every time I get the crash, and then it works like a dream.

I am building an application based on wpcap.lib 3.1.beta4, mvc++ 6.0 sp6, for W2K sp4. According to the loaded DLL list, it happens somewhere outside my context (a Kernel mode thing?)

I had to include the api in a DLL based on MFC, and because it is difficult to convince the compiler/linker to handle both MFC and non-MFC code, I have built a pcap.lib that I link with my MFC code.

The FAQ is convinced that a bug like this should have been fixed a long time ago, is it a poltergeist???

Any suggestions???

regards
Lars

--
Software developer Lars Larsen
ICCC A/S DK
Telegrafvej 5A
2700 Ballerup
Denmark
tel : +45 44 86 04 00
fax : +45 44 86 04 39
Re: [WinPcap-users] Sending packets in a queue
Hi.

Sorry for the long delay in the answer. I think you are queuing packets by using something like pcap_dump or similar. WinPcap (or better, libpcap) prepends each packet in a savefile with a 16-byte header containing the original and captured length of the packet, and the timestamp of the packet.

Exactly which APIs do you want to use to send packets? Have you read the winpcap manuals? Why don't you use the winpcap standard APIs to read and write capture files?

Have a nice day
GV

----- Original Message -----
From: Venkatramani, Bharath [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 15, 2004 3:49 PM
Subject: [WinPcap-users] Sending packets in a queue

When I send packets using queues, I notice something. In ethereal, the total number of bytes off the wire is, for instance, 92 bytes. However, when I put that same packet in a queue, I notice that caplen is (packetsize + 16) bytes all the time (in this case, it is 108 bytes). Why is this so?

I have dissected the packet into its Link-layer, header, data and trailer parts. Can I simply recombine these parts and shove the packet in a queue to send it?

Thanks.
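The 16-byte per-packet header described in the reply above, as an added example (not code from the original messages or from WinPcap): a writer and a bounds-checked reader for header-plus-packet records. It assumes the header is four little-endian 32-bit fields (timestamp seconds, timestamp microseconds, captured length, original length), as libpcap writes them on x86; the packet bytes and timestamps are constructed, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN 16u      /* ts_sec, ts_usec, caplen, len: 4 x 32 bits */
#define MAX_CAPLEN  65535u   /* assumed sanity limit on the captured length */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Append one record (header + caplen packet bytes) at offset off.
 * Returns the new offset, or 0 if the record does not fit. */
size_t append_record(uint8_t *buf, size_t cap, size_t off,
                     uint32_t sec, uint32_t usec,
                     const uint8_t *pkt, uint32_t caplen, uint32_t wire_len)
{
    if (off > cap || caplen > MAX_CAPLEN ||
        cap - off < REC_HDR_LEN + (size_t)caplen)
        return 0;
    put_le32(buf + off, sec);
    put_le32(buf + off + 4, usec);
    put_le32(buf + off + 8, caplen);
    put_le32(buf + off + 12, wire_len);
    memcpy(buf + off + REC_HDR_LEN, pkt, caplen);
    return off + REC_HDR_LEN + caplen;
}

/* Walk a buffer of records. Returns the record count, or -1 if a header is
 * truncated or a length field is inconsistent with the bytes available. */
int walk_records(const uint8_t *buf, size_t len, size_t *payload_bytes)
{
    size_t off = 0, total = 0;
    int n = 0;

    while (off < len) {
        uint32_t caplen, wire;
        if (len - off < REC_HDR_LEN)
            return -1;                       /* header cut short */
        caplen = le32(buf + off + 8);
        wire = le32(buf + off + 12);
        if (caplen > MAX_CAPLEN || caplen > wire)
            return -1;                       /* implausible length field */
        if (len - off - REC_HDR_LEN < caplen)
            return -1;                       /* packet bytes cut short */
        total += caplen;
        off += REC_HDR_LEN + (size_t)caplen;
        n++;
    }
    if (payload_bytes)
        *payload_bytes = total;
    return n;
}

static const uint8_t zeros[92];   /* constructed packet contents, all zero */

/* A 92-byte packet stored as one record occupies 16 + 92 bytes. */
size_t demo_one(void)
{
    uint8_t buf[256];
    return append_record(buf, sizeof buf, 0, 1100530140u, 0u, zeros, 92u, 92u);
}

/* Two constructed records: a 92-byte and a 60-byte packet. */
static size_t build_demo(uint8_t *buf, size_t cap)
{
    size_t off = append_record(buf, cap, 0, 1100530140u, 0u, zeros, 92u, 92u);
    return off ? append_record(buf, cap, off, 1100530140u, 500u, zeros, 60u, 60u) : 0;
}

/* Record count when the last `cut` bytes of the buffer are missing. */
int demo_count(size_t cut)
{
    uint8_t buf[256];
    size_t n = build_demo(buf, sizeof buf);
    return (n == 0 || cut > n) ? -1 : walk_records(buf, n - cut, NULL);
}

size_t demo_payload(void)
{
    uint8_t buf[256];
    size_t total = 0, n = build_demo(buf, sizeof buf);
    return walk_records(buf, n, &total) < 0 ? 0 : total;
}

/* Overwrite the first caplen field with a huge value: must be rejected. */
int demo_corrupt(void)
{
    uint8_t buf[256];
    size_t n = build_demo(buf, sizeof buf);
    put_le32(buf + 8, 0xffffffffu);
    return walk_records(buf, n, NULL);
}

int main(void)
{
    printf("one 92-byte packet -> %zu bytes\n", demo_one());
    printf("records: %d, payload bytes: %zu\n", demo_count(0), demo_payload());
    printf("truncated: %d, corrupt caplen: %d\n", demo_count(34), demo_corrupt());
    return 0;
}
```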
Re: [WinPcap-users] Problem with pcap type
Hi.

This is an issue due to a forward declaration of the pcap_t structure that the MC++ does not like. Please look at this answer (and related thread) I gave to a user having the same problem.

http://www.mail-archive.com/winpcap-users@winpcap.polito.it/msg02138.html

Have a nice day
GV

----- Original Message -----
From: Pawe Chmielarz
To: [EMAIL PROTECTED]
Sent: Thursday, December 02, 2004 10:13 AM
Subject: [WinPcap-users] Problem with pcap type

When I use a construction like:

    pcap_t *adhandle;
    ...
    adhandle = pcap_open_live(d->name, 65536, 1, 1000, errbuf);

I get an error message:

"An unhandled exception of type 'System.TypeLoadException' occurred in Unknown Module. Additional information: Could not load type pcap from assembly Devlist, Version=1.0.1797.17501, Culture=neutral, PublicKeyToken=null."

I have WinXP, I develop under VC++ 7 (from .NET package), wpcap.dll is present in system but in output I get a message like the following:

'Devlist.exe': Loaded 'C:\WINDOWS\system32\wpcap.dll', No symbols loaded.

Thanks in advance for any help and suggestions!

Best regards,
Pawe Chmielarz.
Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Hi Matthew.

I've read all the messages trying to find out what could cause the problem. I want to add a couple of things:

1. winpcap does not install anything that modifies the behavior of a nic driver by changing registry entries or similar (although it does install a couple of registry entries for its own kernel driver npf.sys). Promiscuous mode is set when an adapter is open, when you close the adapter, promiscuous mode is disabled.

2. There is a sort of side effect in turning promiscuous mode on: basically the TCP/IP stack behaves differently with special promiscuous packets, and this "feature" is used by apps that are able to find the sniffers on a network. You can find a better explanation of this behavior here: http://www.securityfriday.com/promiscuous_detection_01.pdf

3. Some users suggested using some sysinternals tools like pskill, pslist, process explorer, regmon. You can also use tcpview from sysinternals. Although it only shows tcp and udp infos, sometimes it's useful to discover "strange" applications that listen to some udp or tcp ports...

Have you tried sniffing the traffic between the machine and the switch with a third machine? You can install a hub between the two machines, and then use a third machine running windows + winpcap (being careful to remove tcp/ip from the network card used to sniff, so that the sniffer is *completely* invisible) or linux/bsd + libpcap.

Hope it helps
GV

----- Original Message -----
From: Matthew Tagg
To: [EMAIL PROTECTED]
Sent: Monday, November 29, 2004 1:52 PM
Subject: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.

We have a machine in our datacenter that started stealing ARP requests once we installed WinpCap and Traffic Statistic (http://www.trafficstatistic.com). Marcel Bartels, the author, assures me it's not related to his application, thus I'm wondering if any other WinPCap users have heard of this.

Basically it is answering ARPs from the switch for IPs that are not assigned to the machine. This had the effect of DOS'ing other boxes on the same switch to which the IP did belong. It was intermittent because obviously the real box that owned the IP would sometimes beat the rogue machine with an ARP reply.

The very strange thing is after winpcap and trafficstatistic were uninstalled, it STILL continued to steal ARPs. Then we swapped out the network card for an identical one, same problem. We eventually installed a second card, this time 1000mbps Realtek, and unplugged the 100mbps from the network. This solved it as a temporary measure.

Also Promiscuous and Broadcast mode were unchecked in the trafficstatistic software.

Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the incident and later uninstalled too along with winpcap).

Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed

Thanks for any help

Regards,
Matthew
Re: [WinPcap-users] PacketGetAdapterNames() fails unless ethereal is run once
Hi Tom.

Have you solved your problems regarding adapters listing?

Have a nice day
GV

----- Original Message -----
From: Fulvio Risso [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 24, 2004 5:52 PM
Subject: RE: [WinPcap-users] PacketGetAdapterNames() fails unless ethereal is run once

Please do not use packet.dll API. Use the wpcap.dll ones instead. So, in this case you should use the findalldevs_ex()

Cheers,
fulvio

-----Original Message-----
From: Tom Brown [mailto:[EMAIL PROTECTED]
Sent: Friday 5 November 2004 22.35
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] PacketGetAdapterNames() fails unless ethereal is run once

Hi,

I have converted some of the WinPCap 3.1 beta 3 source to Delphi. I am trying to create a Delphi app that sends out a raw ethernet packet. My first step is to get a list of adapters. So, I call PacketGetAdapterNames() to create a list. I have found that PacketGetAdapterNames() fails for me if I have not run an ethereal capture first. Once I run an ethereal capture, the call to PacketGetAdapterNames() succeeds. Why is this?

The failure occurs in PacketOpenAdapterNPF() when it calls CreateFile(). I've looked through the ethereal source a bit and didn't see any other initialization that needs to occur. I am calling PacketGetAdapterNames() directly. Is there something else that should happen first?

Thanks,
Tom
Re: [WinPcap-users] General driver development question
Hi Rob.

Can you provide me some more details on the configuration of your machine (OS, type of network card)? I have fixed and tested this some months ago (a user reported the same identical problem), so I suppose there is something weird in the driver that allows a 1528-byte packet to pass the checks.

Have a nice day
GV

----- Original Message -----
From: Rob Henningsgard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 29, 2004 3:51 PM
Subject: RE: [WinPcap-users] General driver development question

Hi Loris,

Recent versions of WinPcap *should* check pretty thoroughly the frame length before sending it, because we had several bug reports (and bug fixes) in the past on this matter. Rob, what version are you using?

The deadlock crash was with 3.1 Beta 3, it was totally repeatable, and it was proven to be caused by my defective code calling send_packet with a packet length of 1528 bytes. It has been running perfectly since I fixed my code. When I get a chance, I'll try to pull out my archive and see if the same thing happens with your new beta 4.

With best regards,
Rob
Re: [WinPcap-users] unhandled exception while using compiler optimization in VC 7.1
Hi Alex.

We are using VC7.1 with a lot of winpcap based apps, without any problem. Were you able to create a minimal winpcap based app exploiting such optimization problem?

Have a nice day
GV

----- Original Message -----
From: Alex Narinsky [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 8:56 PM
Subject: [WinPcap-users] unhandled exception while using compiler optimization in VC 7.1

My project that uses winpcap works fine if I do not specify optimization in the C++ compiler options. If I use optimization it immediately gives me unhandled exception. Did anybody use compiler optimization while working with winpcap?

Thanks
Re: Re: [WinPcap-users] Winpcap
- Original Message - From: Dave Ungerer [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 29, 2004 12:33 PM Subject: RE: Re: [WinPcap-users] Winpcap
I have exactly the same problem when using W2k server over terminal services. Are you saying it will list the interfaces correctly if I attach a monitor and kb / mouse directly to the server?
Yes.
Also, after I attained the interface names, will I be able to open them over terminal services?
No. The problem is not in listing the adapters, but in opening them. The code that lists the adapters does find the adapter names, but it checks that it's possible to open them. Since this check fails, the adapters are not listed.
How involved is this bug fix, and when is the next release? Looking forward to it...
The bug fix is documented in this mail I sent a couple of weeks ago on the mlist http://www.mail-archive.com/[EMAIL PROTECTED]/msg02155.html The next beta of winpcap will be released by the end of the next week. Have a nice day GV
Best regards, Dave Ungerer
-Original Message- From: Petr Laznovsky [mailto:[EMAIL PROTECTED] Sent: 22 October 2004 03:12 PM To: [EMAIL PROTECTED] Subject: Re: Re: [WinPcap-users] Winpcap
Yes, I am using the router over Citrix MetaFrame, which is a frontend for Terminal Services. OK, I will wait for next release... Petr Laznovsky
Hi All, I am running winpcap on W2kS network router with three interfaces. One is onboard Intel card, and two are identical PCI cards with Realtek 8139 chipset. All interfaces are normally recognized by system and normally working, but winpcap does not recognize these interfaces. The only interface which winpcap offers me for capturing is Generic NdisWan adapter. All applications based on winpcap do not recognize the interfaces, but the system normally routes traffic between these cards. Where is the problem? Any ideas?
GV Which version of WinPcap are you using? Are you using win2000 over Terminal
GV services? There is a known bug in winpcap 3.1beta3 that causes the adapters
GV not to be listed correctly. The bug has been fixed on our source tree, and
GV will be available in the next release of WinPcap.
GV Have a nice day
GV GV
With best, Petr Laznovsky
- Petr Laznovsky E-mail: lazna(replacewithATcharacter)volny.cz JID: [EMAIL PROTECTED] ICQ UIN: 10127380 GSM: +420-603-460-892 WWW: http://www.lazna.tk Registered CZFree.net member #2130
Re: [WinPcap-users] Very wierd problem
There were a lot of modifications/fixes/features added from WinPcap 2.3 to 3.1... All of them are documented in the changelog, available at http://winpcap.polito.it/misc/changelog.htm Can you provide me some more details on the configuration of the machine crashing? Or better, can you provide me a crash dump, so that I can analyze it and see what happens? Have a nice day GV
- Original Message - From: Jens Munk [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, October 25, 2004 4:02 PM Subject: [WinPcap-users] Very wierd problem
I am using the WinPCap for four projects, and when I updated to the latest version 3.1 beta I have got a strange problem in the latest application still under development. I am using WinPCap to send and receive raw packages and the three first applications work fine with both version 2.3, which I used to use, and the new version 3.1. The latest application also works fine with both versions until I shut the application down. In case of version 2.3 everything is fine whereas with WinPCap version 3.1 I get a BSOD and the computer reboots. Stepping through my code I can get all the way to the very last line of code and then it dies after that.
The code I use to initialize, send and receive is the same for all my WinPCap projects (I have made a code compare) and although it must be something in my code it is very strange that it works with WinPCap 2.3 and not 3.1. Unfortunately I switched to version 3.1 during the development of this project, so I have no clue as to what I did to create the problem since I have been with version 2.3 at that time.
Can anybody enlighten me what is so different between 2.3 and 3.1 that can cause this? Any other clues would also be highly appreciated. Thanks, Jens.
Re: [WinPcap-users] Using wpdpack with managed C++
- Original Message - From: Punnoose Roshan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 13, 2004 4:26 PM Subject: [WinPcap-users] Using wpdpack with managed C++
Hi, I want to use Windows Forms in Visual Studio .NET 2003 with wpdpack, but I get the error: TypeLoadException, Could not load type pcap from assembly. Is there any way that this can be bypassed? Thanks.
Hi. I think that you are encountering a TypeLoadException in module Unknown. The problem is due to the fact that the standard winpcap include file pcap.h contains only a forward declaration of struct pcap, but not the actual definition of it. As a consequence, the managed c++ compiler does not emit any metadata for that type, since there's no definition for it. There are two solutions to the problem:
1. Include pcap-int.h instead of pcap.h. This includes the actual definition for the type struct pcap
2. Add a fake definition of struct pcap. The simplest one is struct pcap{};.
Have a nice day GV
Roshan
Re: [WinPcap-users] COMPATIBILITY PROBLEM BETWEEN STRUCTURES PCAP_T LPPACKET
- Original Message - From: {Pedro Lucas-Suporte Netcount} [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 07, 2004 3:08 PM Subject: Re: [WinPcap-users] COMPATIBILITY PROBLEM BETWEEN STRUCTURES PCAP_T LPPACKET
Hi Phil I didn't get why you say you can no longer use the lower level API of packet.dll/packet32.h ?
Maybe he refers to the note in the WinPcap documentation about the Packet API:
- Important note, read carefully! If you are writing a capture application and you do not have particular/low level requirements, you are recommended to use the functions of wpcap, that are compatible with the ones of the Unix packet capture library (libpcap), instead of the API described in this chapter. wpcap.dll relies on packet.dll, but provides a more powerful, immediate and easy to use programming environment. With wpcap.dll, operations like capturing a packet, creating a capture filter or saving a dump on a file are safely implemented and intuitive to use. Moreover, the programs written to use libpcap are easily compiled on Unix thanks to the compatibility between Win32 and Unix versions of this library. As a consequence, since the normal and suggested way for an application to use WinPcap is through wpcap.dll, we cannot guarantee that the packet.dll API will not be changed in the future releases. -
Have a nice day GV
I, for example, am using the API PacketOpenAdapter, etc, and not relying at all in wpcap upper layer functions, and it works OK with Windows XP and VC7. So you should be able to use LPADAPTER, LPPACKET, 'PacketopenAdapter', PacketReceivePacket, etc. The only thing you need to bother nowadays is the UNICODE/ASCII format for the strings returned by 'PacketopenAdapter'. Before Winpcap 3.1, it was UNICODE. Now it is ASCII. Pedro
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, October 06, 2004 3:02 PM Subject: [WinPcap-users] COMPATIBILITY PROBLEM BETWEEN STRUCTURES PCAP_T LPPACKET
Hi all, Since 4 weeks I've been doing my own experience of Winpcap (Its exported functions) and Packet32.h (Its routines). I am working with a self-programmed sniffer tool that was developed under Windows NT 4.0 with VC 6 as an MFC project. The sniffer tool used since then packet32.h (but not the version that is provided when downloading the developer's pack on the official site of Winpcap). As you can imagine, this sniffer tool coupled with such system of capture is incompatible, thus not working anymore under windows XP. Therefore, I tried to update the tool under VC 6 by embedding exported functions of wpcap.dll in the script. So far, all was ok since I am able to list devices on the local machine, open a device, print the packets and their contents.
My problem is now the following. The former part of the script accessing the adapter, was calling 'PacketopenAdapter'. This returns a pointer on an object of type structure LPPACKET. This object was reused to store packets in a buffer so that the program could assess them afterwards (PacketSendPacket or PacketReceivePacket were taking the object as argument). Now, I access the adapter via Pcap_open and it returns a pointer on an object of type structure pcap_t. Is there any compatibility between what is returned by Pcap_open and what is returned by PacketOpenAdapter? Any help will be mostly appreciated, Regards, Filip.
Re: [WinPcap-users] Statically linked WinPcap?
- Original Message - From: Andreas Rieke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, October 09, 2004 1:58 PM Subject: [WinPcap-users] Statically linked WinPcap?
Hi, when writing an application which uses pcap under linux and WinPcap under Windows, I would for several reasons like to statically link pcap/WinPcap to my binaries, and under linux, this works fine. What about Windows? Is it possible - for example under Microsoft Visual Studio .NET 2003 (C++) - to compile and link WinPcap without using any DLLs and without requiring a WinPcap installation on the target machine?
No. Although it would be technically possible (but not simple) to put all the user level stuff into the executable (and you will need to create several versions of your executable, since the DLLs for the various Windows flavors are different), winpcap ships with a kernel driver, that cannot be embedded in the executable, that needs to be installed separately. Have a nice day GV
Thanks in advance, Andras
[WinPcap-users] [ANNOUNCE] New winpcap mirror
A new mirror of both the WinPcap and the Windump website is available from today, in Taiwan. The URLs for these two mirrors are: WinPcap: http://winpcap.cs.pu.edu.tw Windump: http://windump.cs.pu.edu.tw Thanks to the Algorithm and Bioinformatics Laboratory, Department of Computer Science at Providence University, Taichung, for having set up this new mirror! Have a nice day Gianluca Varenni WinPcap team
Re: [WinPcap-users] pcap_next_ex and buffer overflow
Stupid question: are you storing the header pointer between different calls to pcap_next_ex? That pointer is valid only until the next call to pcap_next_ex, or to pcap_close. Have a nice day GV
PS. header doesn't need to be initialized before the call to pcap_next_ex. Have a nice day GV
- Original Message - From: Venkatramani, Bharath [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 15, 2004 10:10 PM Subject: RE: [WinPcap-users] pcap_next_ex and buffer overflow
Yes. I am not incrementing SessionNum in the first place, so it remains at 0. PcapSession[0] is also not null. When I was debugging my application further, I see that header->caplen and header->len blow up (for instance, caplen becomes 1511663 - something like that - unlike the previous iterations when it was a 2-3 digit number) immediately after the green arrow points to the line while((res = pcap_next_ex(PcapSession[SessionNum], &header, &pkt_data)) >= 0). Would this info help, or is the blowup happening because the header has nothing in it in the first place?
-Original Message- From: Guy Harris [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 15, 2004 4:03 PM To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] pcap_next_ex and buffer overflow
On Sep 15, 2004, at 10:49 AM, Venkatramani, Bharath wrote:
I am using winpcap 3.0 and have been having this problem for some time now. I am calling my DLL from Labview 7.1 and every time I run my program in debug mode, I get an error saying that labview has encountered a reading access violation at 0x005 (something to that extent). Then I get a green arrow pointing to this statement in my code:
| while( (res = pcap_next_ex(PcapSession[SessionNum], &header, &pkt_data)) >= 0) { ... }
Are you certain that 1) SessionNum is nonnegative and is less than the number of elements in the PcapSession array and, if that's true, 2) PcapSession[SessionNum] is non-null? If not, then you need to change your code to make sure both of those are true.
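The lifetime rule GV states in this thread, as an added example that is not code from the thread or from WinPcap: a stand-in capture source reuses one header and one buffer per read, so pointers saved from one read describe a different packet after the next. All names here (pkt_hdr, mock_next_ex, packet_copy) and the sample frames are hypothetical and constructed; the copy helper also rejects a header whose caplen exceeds len or the snapshot length, such as the 1511663 value reported above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SNAPLEN 64u

/* Stand-in for libpcap's struct pcap_pkthdr (timestamp left out). */
struct pkt_hdr { uint32_t caplen, len; }; /* bytes captured, bytes on the wire */
struct frame { const uint8_t *data; uint32_t len; };

/* Constructed sample traffic: two short frames with distinct fill bytes. */
static const uint8_t FRAME_A[4] = { 0xAA, 0xAA, 0xAA, 0xAA };
static const uint8_t FRAME_B[6] = { 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB };
static const struct frame SAMPLE[2] = { { FRAME_A, 4 }, { FRAME_B, 6 } };

/* Hypothetical capture source: it owns one header and one buffer and
 * overwrites both on every read. */
struct mock_source {
    struct pkt_hdr hdr;
    uint8_t buf[SNAPLEN];
    const struct frame *frames;
    size_t count, next;
};

/* Mirrors pcap_next_ex's convention: 1 = packet read, -2 = no more packets.
 * On success *hdr and *data point INTO the source, not at fresh memory. */
static int mock_next_ex(struct mock_source *s, struct pkt_hdr **hdr,
                        const uint8_t **data)
{
    if (s->next >= s->count)
        return -2;
    const struct frame *f = &s->frames[s->next++];
    s->hdr.len = f->len;
    s->hdr.caplen = f->len < SNAPLEN ? f->len : SNAPLEN;
    memcpy(s->buf, f->data, s->hdr.caplen);
    *hdr = &s->hdr;
    *data = s->buf;
    return 1;
}

/* A packet the application owns and may keep across reads. */
struct owned_packet { struct pkt_hdr hdr; uint8_t *bytes; };

/* Copy header and payload out of the source's storage. Returns 0 on success,
 * -1 if caplen exceeds len or the snapshot length, or if allocation fails. */
static int packet_copy(struct owned_packet *out, const struct pkt_hdr *h,
                       const uint8_t *data, uint32_t snaplen)
{
    if (h == NULL || data == NULL || h->caplen > h->len || h->caplen > snaplen)
        return -1;
    out->bytes = malloc(h->caplen ? h->caplen : 1);
    if (out->bytes == NULL)
        return -1;
    memcpy(out->bytes, data, h->caplen);
    out->hdr = *h;
    return 0;
}

struct demo_result { uint32_t stale_caplen, owned_caplen; uint8_t stale_byte, owned_byte; };

/* Reads both frames, keeping frame A as saved pointers and as an owned copy. */
static int run_demo(struct demo_result *r)
{
    struct mock_source src = { { 0, 0 }, { 0 }, SAMPLE, 2, 0 };
    struct pkt_hdr *hdr = NULL, *saved_hdr;
    const uint8_t *data = NULL, *saved_data;
    struct owned_packet first;

    if (mock_next_ex(&src, &hdr, &data) != 1)
        return -1;
    saved_hdr = hdr;   /* bug pattern: pointers kept across reads */
    saved_data = data;
    if (packet_copy(&first, hdr, data, SNAPLEN) != 0)
        return -1;
    if (mock_next_ex(&src, &hdr, &data) != 1) {
        free(first.bytes);
        return -1;
    }
    /* In this mock the old storage is still readable but now holds frame B;
     * with a real handle it may be reused or released. */
    r->stale_caplen = saved_hdr->caplen;
    r->stale_byte = saved_data[0];
    r->owned_caplen = first.hdr.caplen; /* still frame A */
    r->owned_byte = first.bytes[0];
    free(first.bytes);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0)
        return 1;
    printf("stale: caplen=%u byte=0x%02X\n", (unsigned)r.stale_caplen, (unsigned)r.stale_byte);
    printf("owned: caplen=%u byte=0x%02X\n", (unsigned)r.owned_caplen, (unsigned)r.owned_byte);
    return 0;
}
```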
Re: [WinPcap-users] installer, silent installer
WinPcap does not install in the C: drive, by default, it installs in the folder WinPcap in the %ProgramFiles% folder (that can be different from c:\program files). However, some files are installed directly to the system folder, and cannot be moved out of those folders. Have a nice day GV
- Original Message - From: Wenjie Wang [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 15, 2004 2:02 AM Subject: RE: [WinPcap-users] installer, silent installer
:-Original Message-
:From: Alex Narinsky [mailto:[EMAIL PROTECTED]
:Sent: Wednesday, 15 September 2004 9:42 AM
:To: [EMAIL PROTECTED]
:Subject: RE: [WinPcap-users] installer, silent installer
:
:The problem is that the winpcap installer does not ask about the
:installation directory. The silent installer does not ask a permission
:for rebooting computer
:
I have installed winpcap on my machine some times ago and I can't recall details. Judging by what you've described, it sounds like it's done by design to install on C: only. If it is such, there is not much an end user can do;(
As for the silent installer, I presume it's unattended installation for installshield setup.exe file. There is a way to regenerate it for setup.exe generated by installshield project. I can't remember exactly how to do it;( You might be able to find the answer quicker from http://community.installshield.com/ Cheers, WWang
+-Wenjie Wang a.k.a William -+ | WANG Infonology Systems |EMail : [EMAIL PROTECTED] | | Phone : (02) 9871 2018 |[EMAIL PROTECTED] | | Mobile: 0412 688 380|http://users.bigpond.net.au/WISeAgent | +-+--+
Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
- Original Message - From: Mim Zai [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 27, 2004 7:37 PM Subject: Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
When I upgrade to XP SP2, the tcptrace program that uses WinPcap 3.1 beta 3 wouldn't work when I tried to generate some plots. It gave errors, something to do with Win32 file. Ethereal seems to run as usual though. So I removed the SP2 and tcptrace worked
I don't know how tcptrace works, so I cannot help you a lot. What is the exact error reported by tcptrace? The only thing I know is that SP2 has disabled raw sockets (and this does not impact on winpcap itself), this removal can cause problems with apps using winpcap *and* raw sockets (nmap, if I remember well).
fine. The same occurred for xplot but xplot doesn't use WinPcap right?
I don't know. Have a nice day GV
--- Gianluca Varenni [EMAIL PROTECTED] wrote:
Last friday I installed the latest RC (or beta? I don't remember) of SP2, and winpcap worked smoothly. What problems did you encounter? Have a nice day GV
- Original Message - From: Gianluca Varenni [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 13, 2004 12:47 PM Subject: Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
I haven't tried Service pack 2, yet. What problems are you encountering? Have a nice day GV
- Original Message - From: terry braun [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 12, 2004 3:59 PM Subject: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Does anyone have any experience with XP SP 2 and winpcap 3.1 beta 3? Things are broken for me but maybe that is not the reason. Terry
Re: [WinPcap-users] Found a issue in AdInfo.c - Function AddAdapterIPH
I'll have a look at this issue with PacketOpenAdapterNPF in the following weeks. Thank you for the bug report. Have a nice day GV
- Original Message - From: Tom McAnnally To: [EMAIL PROTECTED] Sent: Friday, August 27, 2004 9:27 AM Subject: [WinPcap-users] Found a issue in AdInfo.c - Function AddAdapterIPH
Hello All, Do you know if there is a way to enumerate the NPF_ device list? Also, I found an issue that you may wish to fix. The details follow.
I have a system on which I am unable to use WinPCap since the enumeration of the network devices fails to find the network device which I wish to use. I have not solved this yet, but in looking for a solution, I did find the following issue. When enumerating devices I end up with the following call stack.
Packet.dll!PacketOpenAdapterNPF(char * AdapterName=0x00141c98) Line 708 C
Packet.dll!AddAdapterIPH(_IP_ADAPTER_INFO * IphAd=0x0014dd10) Line 503 + 0xc C
Packet.dll!PacketGetAdaptersIPH() Line 632 + 0x9 C
Packet.dll!PacketPopulateAdaptersInfoList() Line 1248 C
Packet.dll!PacketGetAdapterNames(unsigned short * pStr=0x, unsigned long * BufferSize=0x0012cc5c) Line 2032 C
wpcap.dll!pcap_findalldevs(pcap_if * * alldevsp=0x0012f0ac, char * errbuf=0x0012ef8c) Line 228 + 0xb C
wpcap.dll!pcap_findalldevs_ex(char * source=0x005a199c, pcap_rmtauth * auth=0x, pcap_if * * alldevs=0x0012f0ac, char * errbuf=0x0012ef8c) Line 184 + 0xd C
I noticed that PacketOpenAdapterNPF takes a wide string as input, but it seems that AddAdapterIPH passes in an ascii string. This causes a bug on the following line in PacketOpenAdapterNPF since the resulting string stored in SymbolicLink is wrong, any device which is discovered via IPH will not be added to the adapter list.
wsprintf(SymbolicLink, TEXT(".\\%s"), AdapterName[16]);
I would suggest the following patch to AddAdapterIPH to pass the correct wide string to PacketOpenAdapterNPF.
BOOLEAN AddAdapterIPH(PIP_ADAPTER_INFO IphAd) { PIP_ADAPTER_INFO AdList = NULL; ULONG OutBufLen=0; PADAPTER_INFO TmpAdInfo, SAdInfo; PIP_ADDR_STRING TmpAddrStr; UINT i; struct sockaddr_in *TmpAddr; CHAR TName[256]; LPADAPTER adapter; PWCHAR UAdName; // Create the NPF device name from the original device name strcpy(TName, "\\Device\\NPF_"); _snprintf(TName + 12, ADAPTER_NAME_LENGTH - 12, "%s", IphAd-AdapterName); // Scan the adapters list to see if this one is already present for(SAdInfo = AdaptersInfoList; SAdInfo != NULL; SAdInfo = SAdInfo-Next) { if(strcmp(TName, SAdInfo-Name) == 0) { ODS("PacketGetAdaptersIPH: Adapter already present in the list\n"); goto SkipAd; } } if(IphAd-Type == IF_TYPE_PPP || IphAd-Type == IF_TYPE_SLIP) { if (!WanPacketTestAdapter()) goto SkipAd; } else { UAdName = SChar2WChar(TName); adapter = PacketOpenAdapterNPF((PCHAR)UAdName); GlobalFreePtr(UAdName); if(adapter == NULL) { // We are not able to open this adapter. Skip to the next one. ODS("PacketGetAdaptersIPH: unable to open the adapter\n"); goto SkipAd; } else { PacketCloseAdapter(adapter); } } // // Adapter valid and not yet present in the list. Allocate the ADAPTER_INFO structure // TmpAdInfo = GlobalAllocPtr(GMEM_MOVEABLE | GMEM_ZEROINIT, sizeof(ADAPTER_INFO)); if (TmpAdInfo == NULL) { ODS("PacketGetAdaptersIPH: GlobalAlloc Failed\n"); return FALSE; } // Copy the device name strcpy(TmpAdInfo-Name, TName); // Copy the description _snprintf(TmpAdInfo-Description, ADAPTER_DESC_LENGTH, "%s", IphAd-Description); // Copy the MAC address TmpAdInfo-MacAddressLen = IphAd-AddressLength; memcpy(TmpAdInfo-MacAddress, IphAd-Address, (MAX_MAC_ADDR_LENGTHMAX_ADAPTER_ADDRESS_LENGTH)? 
MAX_MAC_ADDR_LENGTH:MAX_ADAPTER_ADDRESS_LENGTH); // Calculate the number of IP addresses of this interface for(TmpAddrStr = IphAd-IpAddressList, i = 0; TmpAddrStr != NULL; TmpAddrStr = TmpAddrStr-Next, i++) { } TmpAdInfo-NetworkAddresses = GlobalAllocPtr(GMEM_MOVEABLE | GMEM_ZEROINIT, MAX_NETWORK_ADDRESSES * sizeof(npf_if_addr)); if (TmpAdInfo-NetworkAddresses == NULL) { ODS("PacketGetAdaptersIPH: GlobalAlloc Failed\n"); GlobalFreePtr(TmpAdInfo); return FALSE; } // Scan the addresses, convert them to addrinfo structures and put each of them in the list
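Review bot: In the non-WAN branch, the result of SChar2WChar(TName) is handed to PacketOpenAdapterNPF and then to GlobalFreePtr without a NULL check; test UAdName first and goto SkipAd when the conversion fails. The (PCHAR) cast on that call also hides the same char/wide mismatch this patch is fixing (the call stack shows the parameter typed as char *), so a comment stating that the function expects a wide string would keep the next caller from repeating it. Separately, near the top of the function _snprintf writes into TName[256] with a bound taken from ADAPTER_NAME_LENGTH rather than sizeof(TName), and _snprintf does not NUL-terminate on truncation, so TName should be terminated explicitly before the strcmp loop.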
Re: [WinPcap-users] Determinate which application sent packet
- Original Message - From: Marcin Zajączkowski [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, August 22, 2004 11:34 AM Subject: [WinPcap-users] Determinate which application sent packet
Hi, I want to ask is it possible to determinate using WinPcap which application on local machine sent/received captured packet?
No, winpcap is not able to understand this. I know that tcpview (www.sysinternals.com) is able to display such info, but it's not a capture library/app. Have a nice day GV
Regards Marcin
Re: [WinPcap-users] GPRS Dial Up Interface
I don't know which version of TCP is implemented in Windows XP, but I'm sure that they have TCP SACK since Windows 2000. Hope it helps GV
- Original Message - From: Mim Zai [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 13, 2004 7:37 PM Subject: Re: [WinPcap-users] GPRS Dial Up Interface
Hi GV, I'm practically new to this thing. So if you don't mind I would like to ask another question. My OS is Windows XP Home Edition SP1, what is the TCP version it's running? I tried searching Microsoft website but couldn't find the answer. Thanks.
= = = Original message = = =
- Original Message - From: Mim Zai [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 03, 2004 12:36 AM Subject: [WinPcap-users] GPRS Dial Up Interface
Hi, I've installed WinPcap 3.1 beta 3 and would like to use Ethereal as my protocol analyzer to capture TCP packets from my GPRS dial up interface. Is this possible and should I encounter any bugs?
It's possible. You should use winpcap 3.1 beta3. Have a nice day GV
Thanks.
Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Last friday I installed the latest RC (or beta? I don't remember) of SP2, and winpcap worked smoothly. What problems did you encounter? Have a nice day GV
- Original Message - From: Gianluca Varenni [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 13, 2004 12:47 PM Subject: Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
I haven't tried Service pack 2, yet. What problems are you encountering? Have a nice day GV
- Original Message - From: terry braun [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 12, 2004 3:59 PM Subject: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Does anyone have any experience with XP SP 2 and winpcap 3.1 beta 3? Things are broken for me but maybe that is not the reason. Terry
Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
- Original Message - From: Steve Ericson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, August 13, 2004 10:06 AM Subject: Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Possibly unrelated information: I tested Wincap 3.1 beta3 on windows server 2003 and was dropping about 50% of packets... vs no loss at all for 3.0. Machine was brand new Dell P4 2.8GHz.
This is quite strange... ... we didn't have any particular modification to the driver (that has the largest impact on packet drops) from release 3.0 to 3.1beta3. However I will have some tests on this issue. Which API did you use? PacketXXX or pcapXXX? Were you using a custom app or a known one? Did you dump the packets to disk, dump to screen, other? Have you tried doing the same tests now? The performance is affected by a number of things (disk fragmentation, applications running at that moment, type of traffic, patches in the OS, NIC driver) Have a nice day GV
+Steve
- Original Message - From: terry braun [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 12, 2004 6:59 PM Subject: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Does anyone have any experience with XP SP 2 and winpcap 3.1 beta 3? Things are broken for me but maybe that is not the reason. Terry
Re: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
I haven't tried Service pack 2, yet. What problems are you encountering? Have a nice day GV
- Original Message - From: terry braun [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, August 12, 2004 3:59 PM Subject: [WinPcap-users] xp service pack 2 and winpcap3.1 beta 3
Does anyone have any experience with XP SP 2 and winpcap 3.1 beta 3? Things are broken for me but maybe that is not the reason. Terry
Re: [WinPcap-users] NPF crashes under strange circumstances
Hi. As Davis told you, I need to analyze the crash dump to understand what is happening. Please use both packet.dll and npf.sys coming from WinPcap 3.1 beta3.
In order to enable the memory dump, you need to go to start -> control panel -> system -> Advanced tab -> Startup and recovery -> Settings -> Write debugging information panel, choose kernel memory dump (or full memory dump). This info is for Windows XP, I think it's the same for Win 2000 (I do not have a win2k at hand, at the moment). If you choose kernel memory dump, the generated file is usually between 50 and 100 MB (but you can zip it to half its size, usually). If you choose full memory dump, the generated file is the total size of your RAM... You will find that file in c:\windows\memory.dmp. When you have that crash dump, I'll send you the address of an FTP server to upload that file. Ok?
Since this is a bug report, I'll move this thread to the winpcap-bugs alias, which I have put in CC. Hope it helps. Have a nice day GV
- Original Message - From: Göran Backlund [EMAIL PROTECTED] To: winpcap-list [EMAIL PROTECTED] Sent: Thursday, August 05, 2004 8:50 PM Subject: [WinPcap-users] NPF crashes under strange circumstances
Hello I'm writing a windows service using the ATL. I'm using packet.dll for reception (3.1 Beta 3). I experienced some crashes, and after a while I narrowed it down to this: The only thing the app does right now is creating a XMLDOMDocument object
MSXML2::IXMLDOMDocumentPtr docInput = NULL;
HRESULT res = docInput.CreateInstance(__uuidof(DOMDocument40));
and then call PacketOpenAdapter for two different adapters
LPADAPTER lpAdapter1, lpAdapter2;
lpAdapter1 = PacketOpenAdapter(\\Device\\NPF_{5DFB42C9-8B6E-46AF-A422-93125BFA132B});
lpAdapter2 = PacketOpenAdapter(\\Device\\NPF_{FFB5C62D-7865-41BB-BC0A-3EFD2A6A175B});
It then enters an infinite loop
while(true);
So far so good. If I then fire up the taskmanager and kill the process, THE COMPUTER REBOOTS. No BSOD no nothing, just instantly reboots. This doesn't happen if I remove the call to docInput.CreateInstanceXML. If I start the application in the debugger everything looks perfectly ok (createInstance returns OK, packetOpenAdapter returns a LPADAPTER object) and I can exit the application without crash. It only crashes when I kill it in the taskmanager.
Curious to see what happens on earlier versions of winpcap, I installed winpcap 3.0. Using this version the reboots don't appear. I can kill the app from the taskmanager without any problems. So, I installed 3.1 Beta which also worked fine... ... I moved on to 3.1 Beta 2 and suddenly the reboots appeared again. So, something has changed between beta 1 and beta 2. I now tested different combinations between npf.sys and packet.dll and found out the following:
Beta2 NPF, Beta 1 packet.dll : this combination works fine.
Beta2 packet.dll, Beta2 NPF : this combination crashes when app is killed.
Beta 1 NPF, Beta 2 packet.dll: this combination crashes when app is killed.
Beta 1 driver, beta 1 packet.dll: this combination works fine.
My conclusion: Since beta 2 seems to work using beta 1 packet.dll, one might suspect that a bug has been born in beta 2 packet.dll, which causes the NPF driver to reboot under these circumstances. The strange thing is that it all depends on whether I create the com-object or not. And it only crashes when app is killed, which would suggest that an app is killed in a different way if a COM-instance has been created. Any thoughts? Best regards, Göran
Re: [WinPcap-users] clarification on SMP issue
This is correct. Winpcap 3.0 and subsequent releases are SMP safe. We have done some work to optimize the capture on SMP systems in the released versions, by using multiple kernel buffers, one for each CPU, but we haven't yet tested the performance improvement.

Have a nice day
GV

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 4:22 PM
Subject: RE: [WinPcap-users] clarification on SMP issue

My experience is that this means that the NPF driver works without crashing. In versions prior to 3.0, it crashed on an SMP system.

---
Steighton Haley [EMAIL PROTECTED]
Software Engineer
There are 10 types of people in this world, those who understand binary, and those who don't.

-----Original Message-----
From: Göran Backlund [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 4:00 PM
To: winpcap-list
Subject: [WinPcap-users] clarification on SMP issue

The support for SMP machines has been included starting from version 3.0.

From winpcap FAQ...

Does this mean that the NPF-driver merely WORKS (i.e. does not crash or anything), or does it actually benefit from running on an SMP system?

Best regards,
Göran
Re: [WinPcap-users] Winpcap 3.0 lockup.
Have you tried winpcap 3.1beta3?

Have a nice day
GV

----- Original Message -----
From: Craig Carr [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:49 PM
Subject: RE: [WinPcap-users] Winpcap 3.0 lockup.

The application is on Win2k, the adapter is an Intel 8255xx-based Integrated Fast Ethernet. The timeout is set to 1s. Have there been problems with timeouts? That is what seems to be happening, the call never times out.

Craig.

-----Original Message-----
From: Gianluca Varenni [mailto:[EMAIL PROTECTED]
Sent: Thursday, 5 August 2004 4:44 a.m.
To: [EMAIL PROTECTED]
Subject: Re: [WinPcap-users] Winpcap 3.0 lockup.

Sorry for the previous mail, I hit send too early...

Regarding your problem, have you tried to use winpcap 3.1beta3? What is the timeout you use when you open the adapter through pcap_openXXX? What operating system and adapter?

Have a nice day
GV

----- Original Message -----
From: Craig Carr [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 2:28 PM
Subject: [WinPcap-users] Winpcap 3.0 lockup.

Sorry if this type of question has been asked before...but here goes.

We have written an audio recording package, using winpcap 3.0, the basic source is

    while(true)
    {
        if ((res = pcap_next_ex(adhandle_, &header, &pkt_data)) <= 0)
        {
            //Winpcap error
            switch(res)
            {
            case 0:
                if (timeout_counter == 0)
                {
                    LOG_0("WinIpCapture::Capture", "pcap_next_ex, timeout");
                }
                break;
            case -1:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, error occurred");
                break;
            case -2:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, EOF was reached reading from an offline capture");
                break;
            }
        }
        else
        {
            //Log that we got a udp packet
            if (log_counter == 0)
            {
                LOG_0("WinIpCapture::Capture", "processing raw packet");
            }
            //Do stuff with the packet.
        }
    }

The opening of the adapter is a copy and paste of the examples in the documentation.

This application ran for months in house, when it was put on a client site the application does not last more than a couple of days. At first I thought it could be hardware related, so we put the original machine out on site, same behavior. It does not seem to be stress related, as the application can last anywhere from a couple of hours to a couple of days.

From what I can see in the application log, the call from pcap_next_ex never returns. No exceptions are thrown by the packet processing code.

Can anybody suggest where to start looking? Has anybody seen similar behavior?

Thank you in advance.
Craig.
Re: [WinPcap-users] Winpcap 3.0 lockup.
Ha

----- Original Message -----
From: Craig Carr [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 2:28 PM
Subject: [WinPcap-users] Winpcap 3.0 lockup.

Sorry if this type of question has been asked before...but here goes.

We have written an audio recording package, using winpcap 3.0, the basic source is

    while(true)
    {
        if ((res = pcap_next_ex(adhandle_, &header, &pkt_data)) <= 0)
        {
            //Winpcap error
            switch(res)
            {
            case 0:
                if (timeout_counter == 0)
                {
                    LOG_0("WinIpCapture::Capture", "pcap_next_ex, timeout");
                }
                break;
            case -1:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, error occurred");
                break;
            case -2:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, EOF was reached reading from an offline capture");
                break;
            }
        }
        else
        {
            //Log that we got a udp packet
            if (log_counter == 0)
            {
                LOG_0("WinIpCapture::Capture", "processing raw packet");
            }
            //Do stuff with the packet.
        }
    }

The opening of the adapter is a copy and paste of the examples in the documentation.

This application ran for months in house, when it was put on a client site the application does not last more than a couple of days. At first I thought it could be hardware related, so we put the original machine out on site, same behavior. It does not seem to be stress related, as the application can last anywhere from a couple of hours to a couple of days.

From what I can see in the application log, the call from pcap_next_ex never returns. No exceptions are thrown by the packet processing code.

Can anybody suggest where to start looking? Has anybody seen similar behavior?

Thank you in advance.
Craig.
Re: [WinPcap-users] Winpcap 3.0 lockup.
Sorry for the previous mail, I hit send too early...

Regarding your problem, have you tried to use winpcap 3.1beta3? What is the timeout you use when you open the adapter through pcap_openXXX? What operating system and adapter?

Have a nice day
GV

----- Original Message -----
From: Craig Carr [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 2:28 PM
Subject: [WinPcap-users] Winpcap 3.0 lockup.

Sorry if this type of question has been asked before...but here goes.

We have written an audio recording package, using winpcap 3.0, the basic source is

    while(true)
    {
        if ((res = pcap_next_ex(adhandle_, &header, &pkt_data)) <= 0)
        {
            //Winpcap error
            switch(res)
            {
            case 0:
                if (timeout_counter == 0)
                {
                    LOG_0("WinIpCapture::Capture", "pcap_next_ex, timeout");
                }
                break;
            case -1:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, error occurred");
                break;
            case -2:
                LOG_0("WinIpCapture::Capture", "pcap_next_ex, EOF was reached reading from an offline capture");
                break;
            }
        }
        else
        {
            //Log that we got a udp packet
            if (log_counter == 0)
            {
                LOG_0("WinIpCapture::Capture", "processing raw packet");
            }
            //Do stuff with the packet.
        }
    }

The opening of the adapter is a copy and paste of the examples in the documentation.

This application ran for months in house, when it was put on a client site the application does not last more than a couple of days. At first I thought it could be hardware related, so we put the original machine out on site, same behavior. It does not seem to be stress related, as the application can last anywhere from a couple of hours to a couple of days.

From what I can see in the application log, the call from pcap_next_ex never returns. No exceptions are thrown by the packet processing code.

Can anybody suggest where to start looking? Has anybody seen similar behavior?

Thank you in advance.
Craig.
Re: [WinPcap-users] GPRS Dial Up Interface
----- Original Message -----
From: Mim Zai [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 03, 2004 12:36 AM
Subject: [WinPcap-users] GPRS Dial Up Interface

> Hi,
>
> I've installed WinPcap 3.1 beta 3 and would like to use Ethereal as my protocol analyzer to capture TCP packets from my GPRS dial up interface. Is this possible and should I encounter any bugs?

It's possible. You should use winpcap 3.1 beta3.

Have a nice day
GV

> Thanks.
Re: [WinPcap-users] other packet capture SDK
----- Original Message -----
From: {Pedro Lucas-Suporte Netcount} [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 3:30 AM
Subject: Re: [WinPcap-users] other packet capture SDK

> First glance, it is EXPEN$IVE. 5000 USD to be able to ship the component with my Freeware/Adware application?
>
> Featurewise, looks good, especially the fact that one can supposedly load and unload the component without additional network driver installation, etc. I would like to see the architecture of that stuff.
>
> Hopefully it detects Ndiswan better than Winpcap. Lots of ADSL users of Winpcap (mostly those with USB linked modems) complain that they cannot

What are the problems you are encountering with NdisWan?? We are working hard to stabilize WinPcap, through the various 3.1 betas released in the last months, and we plan to release the final version of WinPcap 3.1 soon. If you have any problem about WinPcap, please report it to [EMAIL PROTECTED]

Have a nice day
GV

> capture via Winpcap. But well, it's good, and free and with good support :-)
>
> The fact that it can be an ActiveX, DLL, VCL or static library looks good too.
Re: [WinPcap-users] unsubscribe
Hi.

You have to send such message to [EMAIL PROTECTED] and the message should be plain text, no HTML.

Have a nice day
GV

----- Original Message -----
From: Yi-Wen Liu
To: [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 8:07 PM
Subject: [WinPcap-users] unsubscribe

unsubscribe
Re: [WinPcap-users] Code Migration from Winpcap v3.0 to v3.1 BETA problem
Hi.

It depends on the API layer you are using: the pcap API (pcap_) has not changed (although we have fixed a lot of bugs), BUT the Packet API (PacketXXX) has changed. You can find details on such modifications in the changelog of winpcap, available at http://winpcap.polito.it/misc/changelog.htm

Have a nice day
GV

----- Original Message -----
From: Huertas García, Victor
To: [EMAIL PROTECTED]
Sent: Friday, June 25, 2004 11:41 AM
Subject: [WinPcap-users] Code Migration from Winpcap v3.0 to v3.1 BETA problem

Hi all,

I have developed a very simple application using the Winpcap v3.0. It works perfectly. It simply gets a list of all adapters, selects one of them and captures IGMP packets in promiscuous mode.

However, I have to execute this application in a PC with a Sygate Personal Firewall. I have detected a lot of compatibility problems between Winpcap and this firewall. In a forum, somebody told me that with the v3.1 BETA there is no problem.

Then I tried to execute my application with v3.1 BETA and it doesn't work at all. It was supposed to be compatible with an older version, isn't it? I don't understand why it is not working... Any idea?

Please, I need an answer ASAP.

Thank you very much.

Víctor Huertas Garcia
Networking Engineer
Indra Espacio S.A.
[WinPcap-users] Anyone attending TechEd Europe in Amsterdam?
Hi all.

Next week I will be at Microsoft TechEd Europe, in Amsterdam. If you are there and have any question about WinPcap, or you want to meet me, please drop me a mail at [EMAIL PROTECTED]

Have a nice day
Gianluca Varenni
WinPcap team
Re: [WinPcap-users] Odd behavior Redux on NT4
Hi.

As Loris pointed out in the other mail, WinPcap requires TCP/IP installed in order to detect adapters.

I think that the patch you did some time ago has given you all those errors (wanpacket.dll, npptools and such not found), because you were using the wrong packet.dll: there are two (actually 3, one is for 9x) separate packet.dll. They are built by using different project configurations under Visual C++. The one for NT4 is called Release Win32_NT4/Debug Win32_NT4 (and the dll file is put in the folder NT4_debug/NT4_Release).

Have a nice day
GV

----- Original Message -----
From: Rob Henningsgard [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004 1:12 AM
Subject: [WinPcap-users] Odd behavior Redux on NT4

Hello all,

There must be an echo in here... with no TCP-IP stack installed under Windows NT4, the PACKET.DLL from 3.1 Beta 3 complains, "Can not find TCP-IP Bindings. In order to run the packet capture driver, you must install TCP-IP."

(My reference to the echo is that I had exactly the same problem with Beta 2 under Windows 2000 running with no TCP-IP, and that was fixed in Beta 3.)

I tried the same trick I had used under 2000, with my patched 3.1 Beta 2 DLL, but that gave me a hassle about not finding several other DLLs, like WANPACKET.DLL, NPPTools.DLL, and MSVCR1.DLL. This may be unrelated (as in I may have inadvertently linked in something to my app that I shouldn't have), but I thought I'd mention it anyhow.

So, Gianluca, is it (or will it be) possible to run PACKET.DLL under NT4 without having the TCP-IP stack installed? It's been working great under Win2000.

Thanks,
Rob---
Re: [WinPcap-users] Unable to send packet over WAN network adapter
Hi.

This is a known limitation of WinPcap with NdisWan adapters. It is documented in the release notes (but not in the winpcap docs, sorry):

Version 3.1 beta, 3 feb 04
- Support for capture on NdisWan, with the following features:
  - Based on the NetMon API, does NOT use NPF.sys
  - Works with PPP (dial-up) and VPN links
  - Works on Windows 2000 and XP, only
  - Packet transmission is not supported
  - Packet filtering is done at user level

Have a nice day
GV

----- Original Message -----
From: Dmitri Krasnenko [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 6:06 PM
Subject: Re: [WinPcap-users] Unable to send packet over WAN network adapter

On Mon, 21 Jun 2004 19:14:24 +0600 (PKST), [EMAIL PROTECTED] wrote:

> then i am sure there must be some thing wrong with ur code,, u need to have a closer look at ur own code before broadcasting mails to every one,, remember this is a free mailing list, does not mean that u start spreading mails every time u are faced with a problem
>
> > Hi,
> >
> > In my WinPcap-based application I receive an error when I send packets using pcap_sendpacket() over WAN (PPP/SLIP) adapter. The error description returned by pcap_geterr() is empty string. Can somebody help?
> >
> > Note: Over ethernet adapter the code works fine.
> >
> > --
> > Thank you in advance,
> > Dmitri Krasnenko.

Well, the code samples from WinPcap developer's pack fail too.

--
Dmitri Krasnenko
Re: [WinPcap-users] Access Violation using pcap_findalldevs
----- Original Message -----
From: Andrea Talucci [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 07, 2004 5:02 PM
Subject: Re: [WinPcap-users] Access Violation using pcap_findalldevs

> Gianluca Varenni wrote:
>
> > Can you provide me a small test app showing the bug?
>
> It's strange, it happens only if I place a break point at the line of the function containing the pcap_findalldevs call... I think it's just some dirty pointer in my code coming up in debug mode... however here follows the code: there is a main, some declaration, and the call to getInterface. Placing a break point at d=getInterface(...) and entering into the function while debugging generates the access violation calling pcap_findalldevs(...). Not placing the break point causes the program to execute correctly. The ide is VS6 with the last service pack.
>
> regards,
> Andrea
>
>     int main(int argc, char **argv){
>         pcap_if_t *d=0;
>         struct bpf_program fcode;
>         bpf_u_int32 netp=0;
>         bpf_u_int32 NetMask=0;
>         char filterString[256];
>         int seldevice=0;
>         int i=0;
>         // Breakpoint at the following line...
>         d=getInterface(&seldevice);
>         [...]
>     }
>
>     pcap_if_t *getInterface(int *seldevice){
>         pcap_if_t *d;
>         int i=0;
>         // Access Violation
>         if (pcap_findalldevs(&alldevs, errbuf) == -1){
>             fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
>             exit(1);
>         }

Are you sure about this? I think the right code would be

    if (pcap_findalldevs(&d, errbuf) == -1){
                         ^^^

However I need a small test app that compiles to track down the problem.

Have a nice day
GV

>         [...]
>     }
Re: [WinPcap-users] Changes in behavior/bugs in Winpcap 3.1beta
----- Original Message -----
From: Mark Pizzolato [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 07, 2004 10:57 PM
Subject: Re: [WinPcap-users] Changes in behavior/bugs in Winpcap 3.1beta

> Well, my original report/analysis was based on a little bit of laziness. Since I had both Ethereal and my App's display of available interfaces I tried to infer the inner workings. My analysis was completely wrong.
>
> There is NO issue with the values returned by pcap_datalink(). It returns DLT_EN10MB as appropriate.
>
> However, there are issues with pcap_findalldevs() on ONLY my Win2K Server SMP system, which happens to have the Microsoft supplied Network Monitor application installed. All of the win-pcap V3.1 beta versions work fine on my WinXP and Win2K Pro desktop systems.
>
> The Win2K Server SMP system gets the following results from pcap_findalldevs with differing versions of win-pcap:
>
> winpcap V3.0:
>     \Device\NPF_{054BF786-C6A0-47E1-A532-3B17559575C2} (Intel(R) PRO/100+ Management Adapter)
>     \Device\NPF_{F582D8E0-3386-4DEE-A88A-68C1B752D3E5} (3Com EtherLink PCI)
>
> winpcap V3.1 beta:
>     error in pcap_findalldevs: PacketGetAdapterNames: Attempt to release mutex not owned by caller

Ok, that was fixed in winpcap 3.1beta3.

> winpcap V3.1 beta2:
>     \Device\NPF_GenericNdisWanAdapter (Generic NdisWan adapter)
>
> winpcap V3.1 beta3:
>     \Device\NPF_GenericNdisWanAdapter (Generic NdisWan adapter)

This is not normal. Is the missing NIC bound to tcp/ip or not? Can you please send me a bug report as explained at http://winpcap.polito.it/contact.htm, so that I can try to track down the issue?

Have a nice day
GV

> My original analysis was led astray by Ethereal's Capture Options Dialog box. The Interface field seems to be populated either from a remembered value or is derived some other way besides using pcap_findalldevs(). The contents of the list dropdown for the Interface IS the interface set returned by pcap_findalldevs(). Initially (in my mind) I merged the current value of the field with the dropdown contents.
>
> So in the end, Ethereal and my App are seeing the same data (Generic Ndis Wan Adapter), and NOT seeing either of the physical NICs which are installed in the system.
>
> - Mark Pizzolato
Re: [WinPcap-users] Callback() never called with wpcap3.1beta
Hi.

Which callback are you referring to? Is it the one passed to pcap_loop() or pcap_dispatch()? What OS are you using? Which adapter are you using?

Have you tested windump? Windump uses pcap_loop to capture packets; if windump is able to capture packets, then it's a problem with your app.

Have a nice day
GV

----- Original Message -----
From: Vasily Borovyak [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 31, 2004 3:20 PM
Subject: [WinPcap-users] Callback() never called with wpcap3.1beta

Hello,

Subj on some conditions. I haven't checked those conditions exactly. Somebody confirm or refute me, please. I can prove it. Need more information?

--
i!
Re: [WinPcap-users] Access Violation using pcap_findalldevs
Hi.

Can you provide me a small test app showing the bug?

Have a nice day
GV

----- Original Message -----
From: Andrea Talucci [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 31, 2004 6:23 PM
Subject: [WinPcap-users] Access Violation using pcap_findalldevs

Hi all,

I experience (with both last beta2 and beta3 version) an Access Violation using

    pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf);

or

    pcap_findalldevs(&alldevs, errbuf);

Is this a known problem or is it my code with some nasty bug :-) ?

regards,
andrea
Re: [WinPcap-users] Send only pcap interface
Hi.

How did you manage packets? Remember that a packet returned by pcap_next_ex remains valid up to the next call to pcap_next_ex or pcap_close (whatever comes first). Since you are delaying packets, you must copy them before calling pcap_next_ex to receive the next packet. If this is your case, I can also provide you some hints on why the bug does not show up when there is no delay.

Have a nice day
GV

----- Original Message -----
From: Frank Natoli [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 01, 2004 4:22 PM
Subject: [WinPcap-users] Send only pcap interface

As I see a number of other members are doing, I am writing a packet relay program using Winpcap. Test system has two NICs, to relay packets across two LANs.

Program has a thread to be used for capture purposes, one for each NIC. Each thread performs pcap_open_live and pcap_next_ex.

Program also has a thread to be used for relay purposes, one for each NIC. Each thread performs pcap_open_live and pcap_sendpacket as needed.

Everything works fine, capture on one NIC, relay/send on another (discard echo back packets), both directions. Can ping across the program, again in both directions.

Problem occurs when relay thread intentionally delays packets via Win32 Sleep. Amount of sleep is programmable. When set to 3000ms, program works badly, failing to relay many packets, occasionally succeeding but eventually crashing with some memory allocation fault, deep inside Win32.

Question is this: do the two pcap_open_live on same NIC (one for capture, one for relay, separate threads) somehow affect one another? Is the thread that is doing pcap_sendpacket only (occasionally delayed) interfering with the thread that is doing pcap_next_ex on the same NIC?

Thanks for your time.
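The packet-lifetime rule from the reply above, as an added example that is not part of the original thread. `mock_next_ex` is a hypothetical stand-in that follows the pcap_next_ex contract described there (the returned pointers are overwritten by the next call) so the code runs without WinPcap, and the sample frames are constructed. It compares a relay queue that stores the borrowed pointer with one that copies each packet before the next read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NFRAMES   3
#define FRAME_LEN 8

/* Constructed sample frames (not real traffic). */
static const uint8_t SAMPLE[NFRAMES][FRAME_LEN] = {
    {0xAA, 1, 1, 1, 1, 1, 1, 1},
    {0xBB, 2, 2, 2, 2, 2, 2, 2},
    {0xCC, 3, 3, 3, 3, 3, 3, 3},
};

/* Hypothetical stand-in for struct pcap_pkthdr, reduced to the captured length. */
struct mock_pkthdr { uint32_t caplen; };

/* Hypothetical capture handle: one header and one buffer reused for every packet. */
struct mock_capture {
    int next;
    struct mock_pkthdr hdr;
    uint8_t buf[FRAME_LEN];
};

/* Same contract as pcap_next_ex: 1 = packet delivered, -2 = end of input.
 * *hdr and *data point into storage that the next call overwrites. */
static int mock_next_ex(struct mock_capture *c, struct mock_pkthdr **hdr,
                        const uint8_t **data)
{
    if (c->next >= NFRAMES)
        return -2;
    memcpy(c->buf, SAMPLE[c->next++], FRAME_LEN);
    c->hdr.caplen = FRAME_LEN;
    *hdr = &c->hdr;
    *data = c->buf;
    return 1;
}

/* One packet waiting for the delayed relay thread. */
struct queued_pkt {
    uint32_t caplen;
    const uint8_t *data;  /* bytes the relay will send */
    uint8_t *owned;       /* non-NULL when data is our own heap copy */
};

static int enqueue(struct queued_pkt *slot, const struct mock_pkthdr *hdr,
                   const uint8_t *data, int deep_copy)
{
    slot->caplen = hdr->caplen;
    slot->owned = NULL;
    if (!deep_copy) {
        slot->data = data;            /* BUG: borrowed pointer, reused by the next read */
        return 0;
    }
    slot->owned = malloc(hdr->caplen);
    if (slot->owned == NULL)
        return -1;
    memcpy(slot->owned, data, hdr->caplen);  /* copy before the next read */
    slot->data = slot->owned;
    return 0;
}

/* Capture every frame into the queue, then act as the delayed relay and
 * compare each queued packet with the frame that was actually captured.
 * Returns the number of stale packets, or -1 on allocation failure. */
int count_stale_packets(int deep_copy)
{
    struct mock_capture cap = {0};
    struct queued_pkt queue[NFRAMES];
    struct mock_pkthdr *hdr;
    const uint8_t *data;
    int n = 0, stale = 0, i;

    while (n < NFRAMES && mock_next_ex(&cap, &hdr, &data) == 1) {
        if (enqueue(&queue[n], hdr, data, deep_copy) != 0) {
            while (n > 0)
                free(queue[--n].owned);
            return -1;
        }
        n++;
    }
    for (i = 0; i < n; i++) {
        if (memcmp(queue[i].data, SAMPLE[i], queue[i].caplen) != 0)
            stale++;
        free(queue[i].owned);
    }
    return stale;
}

int main(void)
{
    printf("borrowed pointers: %d stale packets\n", count_stale_packets(0));
    printf("copied packets:    %d stale packets\n", count_stale_packets(1));
    return 0;
}
```

In the mock the stale entries merely hold the wrong bytes; with a real capture handle the borrowed pointer may also refer to memory that is no longer valid once the relay gets to it.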
Re: [WinPcap-users] Question regarding building npf.sys
----- Original Message -----
From: Goran B [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 27, 2004 12:32 AM
Subject: [WinPcap-users] Question regarding building npf.sys

> When using the windows DDK to build the npf driver, which build environment do you choose for the w2k/xp version? Do you choose Windows XP Build environment, or Windows 2000 Build environment? Does it matter?

Hi.

The latest releases of the WinPcap driver were compiled (for 2000/XP/2k3) using DDK build 2600 (Windows XP DDK, I suppose), and the 2000 Free Build Environment.

However I have installed the latest DDK (DDK build 3790, the Windows 2003 DDK) on my machine yesterday, tested the driver with all the 32-bit flavours (2000, XP, 2003 Checked/Free) and the compiled npf.sys works smoothly on 2000/XP/2003. I plan to use this DDK for the future WinPcap releases.

Have a nice day
GV

> Best regards,
> Goran
Re: [WinPcap-users] Disable capturing of outgoing packets
----- Original Message -----
From: Goran B [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 24, 2004 10:45 PM
Subject: [WinPcap-users] Disable capturing of outgoing packets

> Hello Everybody,
>
> I'm working on a very simple software ethernet bridge using winpcap. It uses only two NICs. Packets received on the first NIC will be sent out on the other and vice versa.
>
> Now, due to the 'loopback' mechanism, every time I forward a packet, the same packet is then received later on the same nic that it was sent on (which will be forwarded to the first device, which will receive it again and so on...).
>
> I'm using Windows XP Professional and I've tried to modify the NPF driver to set the NDIS_FLAGS_DONT_LOOPBACK on outgoing packets but it does not work. I've also tried to set NDIS_FLAGS_DONT_LOOPBACK|0x400 which is supposed to be an undocumented feature of win2k but that didn't work either.

Hi.

If I remember well, the right flag under Windows XP is NDIS_FLAGS_SKIP_LOOPBACK. I've answered a similar question some time ago on this mailing list, it's archived here http://www.mail-archive.com/[EMAIL PROTECTED]/msg00832.html

Have a nice day
GV

> Have you experienced similar problems? Is there any solution to this?
Re: [WinPcap-users] Problems HP computers
----- Original Message -----
From: Jens Munk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 11:19 PM
Subject: Re: [WinPcap-users] Problems HP computers

> My program is using the Packet API to communicate with some low level controllers, and when set I just store the selected adapter so the program automatically starts communicating next time I start it. It's not a big deal now that I am aware of it, and I have actually been using the version 2.3 for two years now without a single flaw. Nice job!

Why don't you migrate to the pcap API? I know this would be a big change for your code, but the pcap API is more stable, while the packet API is subject to change from time to time (in fact I suppose you had to modify some stuff in your code to work with 3.1 beta, in particular regarding the PacketGetAdapterNames() API).

Have a nice day
GV

> Thanks,
> Jens.
>
> > Why do you need such information about the prefixes we use for the adapters? We cannot grant not to change that prefix in the future versions (as we do not grant not to change the Packet API, as well).
> >
> > Have a nice day
> > GV
Re: [WinPcap-users] Problems HP computers
----- Original Message -----
From: Jens Munk [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 11:36 PM
Subject: Re: [WinPcap-users] Problems HP computers

> Thanks, I have just got it working. It appears that the 2.3 inserts a \device\packet_ before the NIC ID whereas the version 3.1 inserts a \device\NPF_ before the ID. When I handle this it works just fine.

Why do you need such information about the prefixes we use for the adapters? We cannot grant not to change that prefix in the future versions (as we do not grant not to change the Packet API, as well).

Have a nice day
GV

> Jens.
>
> ----- Original Message -----
> From: Toby Harris [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, May 18, 2004 6:15 PM
> Subject: RE: [WinPcap-users] Problems HP computers
>
> I have been successfully using this snoop component for Delphi http://www.snoopanalyzer.com/download/download.asp. Might be worth a look.
>
> > So I have two options: Either to get version 2.3 to install or modify my code to use version 3.1 instead and I guess the latter is the way to go. However, are there any shortcuts to the code changes needed? Just to complicate matters further, I am using Lars Peter Christiansen's Delphi wrapper.
> >
> > Thanks again,
> > Jens.
[WinPcap-users] ANNOUNCE: WinPcap 3.1 beta3 has been released
The beta3 of WinPcap 3.1 is available from today in the download section of the WinPcap site. WinPcap 3.1 beta3 is a minor update, that fixes a couple of bugs present in beta2, that prevented it from working on Windows 9x.

CHANGELOG

- Bug fixing:
  + Fixed a bug related to device listing if TCP/IP is not installed: on 2000/XP if TCP is not installed, it reported you must install TCP/IP, and this was plain wrong.
  + Added PacketSetSnapLen() under Win9x. Without this function, wpcap.dll fails to load on Win9x.
  + PacketGetAdapterNames() has been rewritten under Win9x, in order to comply to the correct behavior specified in the documentation.
Re: [WinPcap-users] BSOD while setting packet filter in Winpcap 3.0
- Original Message - From: Bruce Leidl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 13, 2004 2:26 PM Subject: [WinPcap-users] BSOD while setting packet filter in Winpcap 3.0

Hi list, While investigating a system crash while using Winpcap 3.0 I discovered that the source of the problem was a two byte read off of the end of an array in the packet driver while processing the BIOCSETF IoControl which is called by pcap_setfilter() to apply a packet filter. The problem is not particularly easy to reproduce and I suppose the only time it would cause a problem (and a blue screen) is if the buffer happened to be aligned to end exactly at the end of a page when the following page is not mapped in the memory manager. I noticed that this has been fixed in the latest beta version of 3.1 although I didn't see any reference to this particular bug in the changelogs for the last few versions.

You are right. The bug has been fixed between WinPcap 3.01 alpha and WinPcap 3.1 beta. The changelog on the web site is a summary of the CVS changelog, and this was not listed (actually, this fix should be under the changelog item minor bug fixes, but I forgot to add this line in the WinPcap 3.1beta changelog).

Since for my application it is not convenient to force the user to upgrade their version of Winpcap to a version without the bug, and since I am not sure how tightly coupled the libraries are with the driver for a particular version I instead tried to find a workaround that I could apply to the application itself. I ended up adding a harmless (I think) instruction to the end of the bpf program structure between the call to pcap_compile() and pcap_setfilter() which should avoid the bug in the kernel.

On my dev machine I usually have mismatching versions for the driver and the dlls, BUT I have never performed any test regarding the compatibility of all the features of the driver coupled with various versions of the DLLs. The solution you are using should work, but I think that the best solution would be to migrate to winpcap 3.1 betas, we have fixed a couple of other bugs in the drivers that caused BSODs.

I've pasted my code below in case somebody else is in the same situation and might find this useful. It would also be great if somebody that is more familiar with the driver than I am could review this workaround and verify that it avoids the problem without breaking anything and also that it will be compatible with future versions.

    #ifdef WIN32
    // This is a workaround for a bug in the winpcap driver that can cause a BSOD
    // on windows. There is an off by one read when setting the filter that we can
    // avoid by appending a BPF_SEPARATION instruction to the filter program.
    {
        struct bpf_insn *ins;
        unsigned len;

        len = bpf.bf_len;
        ins = (struct bpf_insn *)malloc((len + 1) * sizeof(struct bpf_insn));
        if(ins) {
            memset(ins, 0, (len + 1) * sizeof (struct bpf_insn));
            memcpy(ins, bpf.bf_insns, len * sizeof(struct bpf_insn));
            pcap_freecode(&bpf);   // release the instructions pcap_compile() allocated
            ins[len].code = BPF_SEPARATION;
            bpf.bf_len = len + 1;
            bpf.bf_insns = ins;    // bpf now points at memory owned by this module
        }
    }
    #endif

I think that this patch is applied to your code (and not in wpcap.dll). Isn't it? Be careful if you allocate memory inside your app (ins = (...)malloc(...)), and then free it by using pcap_freecode() (somewhere in your code, not the one in the snippet you sent). It's always extremely dangerous to allocate memory into an exe/dll and free it into another dll/exe: you don't know which version of the C RunTime the exe/dll has been linked to (libc, msvcrt, debug/release, single thread/multithread), and the memory managers changes between different C RunTimes. Some time ago I experienced a similar problem (causing a crash into an app), and it took me some *months* to address it (I didn't spend months to debug it, I left a memory leak into the app...). Knowledge base Q140584 in the Microsoft documentation gives some hints on such problems with the CRT.

Have a nice day GV

cheers, --brl
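The ownership rule from the reply above (memory is released by the module that allocated it), applied to the padding workaround, as an added example that is not code from the original posts or from WinPcap. `struct insn`, `struct prog`, `pad_filter()`, `free_padded()` and the `0xff` opcode value are assumptions made so the block compiles without the pcap headers.

```c
/* Added example: struct insn / struct prog are local stand-ins that mirror
 * the layout of libpcap's struct bpf_insn / struct bpf_program. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct insn { unsigned short code; unsigned char jt, jf; unsigned int k; };
struct prog { unsigned int len; struct insn *insns; };

#define PAD_OPCODE 0xff /* assumed value of WinPcap's BPF_SEPARATION */

/* Constructed sample: the filter "ip" as classic BPF
 * (ldh [12]; jeq #0x800; ret #65535; ret #0). */
static struct insn SAMPLE_IP_FILTER[] = {
    { 0x28, 0, 0, 12 },
    { 0x15, 0, 1, 0x0800 },
    { 0x06, 0, 0, 65535 },
    { 0x06, 0, 0, 0 },
};

/* Build in *out a copy of src followed by one zeroed instruction whose
 * opcode is pad. The copy comes from this module's allocator, so only
 * free_padded() may release it; src is left untouched for the library
 * that allocated it. Returns 0 on success, -1 on bad input or failure. */
int pad_filter(const struct prog *src, unsigned short pad, struct prog *out)
{
    struct insn *copy;

    if (src == NULL || out == NULL || src->insns == NULL || src->len == 0)
        return -1;
    if (src->len == UINT_MAX)            /* len + 1 would wrap to 0 */
        return -1;
    /* calloc zeroes the buffer and rejects a count * size overflow. */
    copy = calloc((size_t)src->len + 1, sizeof *copy);
    if (copy == NULL)
        return -1;
    memcpy(copy, src->insns, (size_t)src->len * sizeof *copy);
    copy[src->len].code = pad;
    out->len = src->len + 1;
    out->insns = copy;
    return 0;
}

/* Release a program built by pad_filter() with the allocator that made it. */
void free_padded(struct prog *p)
{
    free(p->insns);
    p->insns = NULL;
    p->len = 0;
}

/* Pads the sample and returns the new length if the copy is well formed
 * (original instructions intact, pad last, separate allocation), else 0. */
unsigned int demo_padded_len(void)
{
    struct prog src = { 4, SAMPLE_IP_FILTER }, out;
    unsigned int n = 0;

    if (pad_filter(&src, PAD_OPCODE, &out) != 0)
        return 0;
    if (out.insns != src.insns &&
        memcmp(out.insns, src.insns, 4 * sizeof(struct insn)) == 0 &&
        out.insns[4].code == PAD_OPCODE && out.insns[4].k == 0)
        n = out.len;
    free_padded(&out);
    return n;
}

/* A length that would wrap must be refused before any allocation. */
int demo_wrap_rejected(void)
{
    struct prog src = { UINT_MAX, SAMPLE_IP_FILTER }, out;
    return pad_filter(&src, PAD_OPCODE, &out);
}

int main(void)
{
    printf("padded length: %u\n", demo_padded_len());
    printf("wrap check:    %d\n", demo_wrap_rejected());
    return 0;
}
```

In a real program the compiled filter would still be released with pcap_freecode(), and only the padded copy with free_padded().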
Re: [WinPcap-users] Timeout responses to pcap_getnext_ex with high network load and using pcap_setbuff
- Original Message - From: Steve Fernandes [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, May 14, 2004 3:33 PM Subject: [WinPcap-users] Timeout responses to pcap_getnext_ex with high network load and using pcap_setbuff

Hi, I have a problem using WinPCap to capture packet files on a busy network. I am using WinPCap 3.0 on a system running Windows 2000 Professional with Service Pack 4. I open the adapter using pcap_open_live (timeout set to 1000), set the buffer size to 40,960,000 using pcap_setbuff and then use pcap_next_ex to get the packets. The setbuff command returns 0 (zero), so I presume it is working ok.

Yes. You can be sure that this buffer is really allocated in the driver by looking at the task manager, Tab performance, Panel kernel memory, it's nonpaged. This value should increase of about 40 MB after pcap_setbuff().

When I start my program running on a heavily loaded network (over 13,000 packets per second) I keep getting timeout responses and no proper packets.

Quite strange...

But if I do not use setbuff it seems to work ok. Also, if I start the high network traffic after starting my program, it seems to work ok.

That's really odd.

Even though I set the timeout value in pcap_open_live to 1000, the timeout responses seem to be coming in much faster than 1 second intervals.

This is normal: pcap_next_ex returns if either (whatever comes first)
- the timeout has elapsed
- at least mintocopy bytes are present in the kernel buffer.
The default value for mintocopy is 16kB, you can change it with pcap_setmintocopy()

My test program is a command prompt program, running under Windows 2000 Pro. The timestamps for the packets (which I get using SYSTEMTIME and display) show the timeout responses coming in approximately 100 milliseconds apart.

What do you mean? pcap_next_ex could return up to 1 second (the timeout you have set) after the packet has been captured, BUT the timestamp in the packet header tells you the actual capture time.

Have a nice day GV

Here is relevant code sections: First the initialisation

    /* Open the adapter */
    if ( (adhandle= pcap_open_live(d->name, // name of the device
                                   65536,   // portion of the packet to capture.
                                            // 65536 grants that the whole packet will be
                                            // captured on all the MACs.
                                   1,       // promiscuous mode
                                   1000,    // read timeout
                                   errbuf   // error buffer
                                   ) ) == NULL)
    {
        fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
        /* Free the device list */
        pcap_freealldevs(alldevs);
        return -1;
    }

    printf("\nlistening on %s...\n", d->description);

    /* At this point, we don't need any more the device list. Free it */
    pcap_freealldevs(alldevs);

    // set the buffer size
    sbresult = pcap_setbuff(adhandle, nSetBuff);
    printf ("SetBuff returned : %d\n", sbresult);
    ...

And the reading section.

    while (1)
    {
        retcode = pcap_next_ex(adhandle, &hdr, &data);
        switch (retcode)
        {
        case -2: // eof reached whilst reading packet
            display_packet("Dried up", 0, 0);
            break;
        case -1: // error occurred
            display_packet("Error reading packet, trying again", 0, 0);
            break;
        case 0: // timeout
            display_packet("Timeout reading packet", 0, 0);
            break;
        case 1: // received packet ok
            display_packet("Got Packet", hdr, data);
            break;
        }
    }

Am I doing something wrong? Thanks for the help Steve
Re: [WinPcap-users] Odd behavior (sort of a bug)
- Original Message - From: Rob Henningsgard [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, May 12, 2004 9:51 PM Subject: [WinPcap-users] Odd behavior (sort of a bug)

Hello all, Has anybody else run WinPcap 3.1 beta 2 in Win2000 with no TCP-IP installed on the machine? I've been running fine for weeks with TCP-IP disabled, but then I realized that with all of the stupid TCP and UDP listening ports Windows opens up (can you say, virus invitations?), I really didn't want TCP-IP installed at all. So I removed TCP-IP, and re-ran my program. Surprise! WinPcap (OK, actually Packet32) throws up errors saying, Can not find TCP/IP bindings. In order to run the packet capture driver you must install TCP-IP. Guess what? It is not true! WinPcap runs perfectly with no TCP-IP driver installed, both with my own application and with Ethereal (although Ethereal _does_ throw an access violation when you quit the program).

Hi. You are right, there's a bug in packet.dll under NTx that causes winpcap 3.1beta2 to show that message if TCP/IP is removed from the machine. I've corrected that bug in our source tree, and it will be available in winpcap beta3, that will be released in a week.

So has anybody else encountered this? I just joined MSDN and have not received, installed, or tested my DDK yet, so I am not comfortable rebuilding Packet32.DLL with the error message and false return to PacketGetAdapterNames() commented out (about line 1671 of Packet32.C). Could somebody on the list perhaps do a quick build of that for me? I'd be much obliged.

Why the DDK? You don't need the DDK to compile packet.dll, you need VC6 plus the platform sdk. Have a nice day GV

Thanks to all, Rob--- - LapTwo Technology Corporation Phone: 763-633-9434 16820 Highway 10, Suite 130 Fax: 253-276-2755 Elk River, Minnesota 55330 http://www.laptwo.com -
Re: [WinPcap-users] install pcap without installing?
WinPcap installs a kernel driver, too (npf.sys). Why don't you use the so-called transparent-installation? It's available in the download page, http://winpcap.polito.it/install/default.htm Have a nice day GV

- Original Message - From: Babu Shankar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 13, 2004 1:28 PM Subject: RE: [WinPcap-users] install pcap without installing?

You Have to copy these files on to the System32 folder of Windows and not where your program sits. It would be the Windows Directory \System32 on WinXP, WinNT\System32 on WinServer so on...

-Original Message- From: Axel Bock [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 3:02 PM To: WinPCAP mailing list Subject: [WinPcap-users] install pcap without installing?

Hi, I have written a pcap program to analyze network traffic. BUT now I have to install this program on different machines, and due to the nature of the project (foreign machines with foreign admins :-) I simply cannot install winpcap on any of them. Now I am searching for a method to just copy in the program - create a directory, copy all dlls into it (done - packet.dll and wpcap.dll as far as I know), and run the program. Alas - no way. pcap does not find any devices. Now can anyone tell me how to do this manually? It's a bit important (of course :-) many thanks in advance greetings, axel.
Re: [WinPcap-users] Odd behavior (sort of a bug)
- Original Message - From: Rob Henningsgard [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, May 13, 2004 2:52 PM Subject: Re: [WinPcap-users] Odd behavior (sort of a bug)

Gianluca,

It is not true! WinPcap runs perfectly with no TCP-IP driver

You are right, there's a bug in packet.dll under NTx that causes winpcap 3.1beta2 to show that message if TCP/IP is removed

Oh good! I'm really glad to hear that it's a bug, and not that I was doing something dumb (which happens often enough).

I've corrected that bug in our source tree, and it will be available in winpcap beta3, that will be released in a week.

That is just super! You and your colleagues are the greatest.

have not received, installed, or tested my DDK yet

Why the DDK? You don't need the DDK... you need VC6 plus the platform sdk.

Oh, got it. Actually, I don't have VC6 either. I only recently converted from seventeen years of using only Borland tools, and I bought Visual Studio .NET Pro. So the only VC I've got is 7.0.

What's the problem, then? You can import the VC6 project into VC 7.0, and compile with that compiler. I develop and build with VC7.1 (but I build the official release with VC6.0 because of compatibility reasons). Have a nice day GV

I got the MSDN DDK because I will eventually need to write an NDIS miniport driver, to sit in front of Windows TCP-IP and filter out packets I do not want Windows to ever see.

Have a nice day, GV

Thanks again for everything, Gianluca. Rob--- - LapTwo Technology Corporation Phone: 763-633-9434 16820 Highway 10, Suite 130 Fax: 253-276-2755 Elk River, Minnesota 55330 http://www.laptwo.com -
[WinPcap-users] ANNOUNCE: WinPcap 3.1 beta2 has been released
The beta2 of WinPcap 3.1 is available from today in the download section of the WinPcap site. WinPcap 3.1 beta2 is a minor update, that fixes a number of bugs that were present in the first beta. There's a new feature, too: under 2000/XP/2003 we have added a new fake NdisWan adapter, useful to capture LCP/NCP PPP packet, for example. This adapter is always listed (if you have enough privileges), even if you don't have any PPP/VPN/... connection established. Please note that this feature is experimental, and that we will be glad to hear comments from people that use it.

CHANGELOG

- Added some code to show a fake NdisWan adapter, useful to capture LCP/NCP packets. This adapter is always listed on 2000/XP/2003 (if you have enough privileges), even if you don't have any PPP/VPN/... connection established.
- Added a check in the installer, so that the installation fails if you don't have administrator privileges.
- Added a check so that NdisWan adapters (PPP, VPN, ...) are listed only if you can capture from them.
- Added a new sample program, which gets the MAC address of an interface using packet.dll
- Modified the access to the global list of adapters in packet.dll under NT4/2000/XP/2003. Now packet.dll should be thread-safe.
- Bug fixing:
  + fixed some resource leaks in the remote capture daemon (rpcapd).
  + fixed a couple of resource leaks in packet.dll.
  + fixed some meaningless last error messages set by PacketOpenAdapter (e.g. The operation completed successfully).
  + fixed a shortcoming in pcap_findalldevs, by which the adapters were not listed if they couldn't fit into a 8kB buffer.
  + fixed a memory leak in pcap_lookupdev.
  + fixed some bugs related to adapters listing:
    * some adapters were not listed, especially if some registry keys are messed up.
    * in some situations the listing failed with the message Attempt to release a mutex not owned by caller
    * if PacketGetAdapterNames() failed, it returned the wrong number of needed bytes for the input buffer.
  + fixed a buffer overrun in npf.sys that caused crashes (BSODs) when there are too many adapters in the registry.
  + fixed a bug in npf.sys that caused blue screens (BSODs) when you try to send jumbo packets, i.e. packets bigger than the maximum frame size for the selected link type.
  + minor bug fixes.
Re: [WinPcap-users] Capturing/Sending Packets In Visual Basic
- Original Message - From: Anssi Kolehmainen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, May 02, 2004 12:42 PM Subject: RE: [WinPcap-users] Capturing/Sending Packets In Visual Basic

Hey, I found out about your projects and WinPCap a little while ago. So far, I can see all of you have put forth a lot of effort into making this. I had a few questions though, since I'm not really a proficient C++ User. I do have C++, and all the example files work, but I wanted to know if it was possible to use WPCap.dll or Packet.dll in Visual Basic using API calls. I have tried to convert some of the C++ API to VB, but it just doesn't seem to work. Here is an example:

    Private Declare Function PacketGetAdapterNames Lib "packet.dll" (pStr As String, BufferSize As Long) As Boolean

I thought this would be a correct API call, but it seems to have errors when I call it. If anyone could help me on this issue, I would greatly appreciate it. Thanks!

C function

    BOOLEAN PacketGetAdapterNames (PTSTR pStr, PULONG BufferSize)

Would translate to

    Private Declare Function PacketGetAdapterNames lib "packet.dll" (byval pStr as String, byref BufferSize as long) as long

One big thing with VB is that it _doesn't_ support multi-threading. Multi threading happens if you use callback functions (like pcap_loop).

This is wrong: pcap_loop (and all the other APIs for receiving packets) do not make use of any thread: they are simply blocking, and they execute your callback whenever a packet is received from the kernel driver. Regarding PacketGetAdapterNames, beware two important things:
1. I don't know the marshaling provided by VB, but pStr is NOT a single string, it's a bunch of ANSI strings, terminated by a double NULL.
2. Remember that the Packet API is *discouraged*, as clearly written in the documentation (http://winpcap.polito.it/docs/docs31beta/html/group__packetapi.html), as it is possible that it will change in the future release (and we did it in WinPcap 3.1 beta).
It's quite better to use the pcap API. Have a nice day GV

Translating functions from C to VB is easy when you remember few simple things:
- ByVal = direct value
- ByRef = pointer to value (usually P or LP in front of C type)
- With strings byval = pointer to string, byref = pointer to pointer to string
- PTSTR = pointer to string = byval string
- PULONG = pointer to long = byref long
- BOOLEAN = long
- Nearly everything are longs
- C int = VB long
- C short = VB integer

Following might work.

    Public Type PACKET
        hEvent as long
        Overlapped as long
        Buffer as byte*1048576
        Length as long
        BytesReceived as long
        bIoComplete as long
    End Type

    Private Declare Function PacketReceivePacket lib "packet.dll" (byref Adapter as ADAPTER, byref Packet as PACKET, sync as long) as long

But it might not work because you need to use PacketAllocatePacket PacketInitPacket... Maybe 'Dim lppacket as long' might work... In short: It can be done but it is a real pain because VB doesn't have pointers. (Like C/C++ has) Anssi Kolehmainen
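A bounds-checked walk over the buffer layout described in the reply above (ANSI strings back to back, closed by a double NUL), as an added example that is not part of the original thread or of packet.dll. `split_names()`, its helpers and the sample buffer with placeholder GUIDs are hypothetical.

```c
/* Added example: parses a double-NUL-terminated list of ANSI strings
 * without ever reading past the size the caller states. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: two adapter names back to back. Each ends in an
 * explicit NUL and the string literal supplies the closing NUL, giving the
 * double NUL. The prefix is the one quoted on this page; GUIDs are
 * placeholders. */
static const char SAMPLE_NAMES[] =
    "\\device\\NPF_{00000000-0000-0000-0000-000000000001}\0"
    "\\device\\NPF_{00000000-0000-0000-0000-000000000002}\0";

/* Split the list held in buf[0..size) into out[]. Returns the number of
 * names, or -1 if a string or the list itself is not terminated inside the
 * buffer, or if out[] is too small. out[] entries point into buf. */
int split_names(const char *buf, size_t size, const char **out, int max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < size) {
        const char *end;

        if (buf[pos] == '\0')
            return count;                /* empty string closes the list */
        end = memchr(buf + pos, '\0', size - pos);
        if (end == NULL || count == max_out)
            return -1;                   /* unterminated string / no room */
        out[count++] = buf + pos;
        pos = (size_t)(end - buf) + 1;
    }
    return -1;                           /* buffer ended before the closing NUL */
}

/* Number of names in the buffer, or -1 if it is malformed. */
int count_names(const char *buf, size_t size)
{
    const char *names[16];
    return split_names(buf, size, names, 16);
}

/* Pointer to the n-th name (0-based), or NULL if absent or malformed. */
const char *nth_name(const char *buf, size_t size, int n)
{
    const char *names[16];
    int count = split_names(buf, size, names, 16);
    return (n >= 0 && n < count) ? names[n] : NULL;
}

int main(void)
{
    int i, n = count_names(SAMPLE_NAMES, sizeof SAMPLE_NAMES);

    for (i = 0; i < n; i++)
        printf("%d: %s\n", i, nth_name(SAMPLE_NAMES, sizeof SAMPLE_NAMES, i));
    /* Same bytes with the closing NUL cut off: rejected, not over-read. */
    printf("truncated: %d\n", count_names(SAMPLE_NAMES, sizeof SAMPLE_NAMES - 1));
    return 0;
}
```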
Re: [WinPcap-users] fatal flex scanner internal error--end of buffer missed
- Original Message - From: Klein Cristian [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 30, 2004 12:45 PM Subject: RE: [WinPcap-users] fatal flex scanner internal error--end of buffer missed

The error occurred in Win 2000 / WinPCap 3.0. Immediately after I installed WinPCap from its setup program.

What do you mean by after I installed Winpcap? Did it happen -during- the installation, or after the installer ended (and the last installer window installation complete bla bla bla closed)? Can you provide me a screenshot showing the problem (send it to me privately, do not send it to the entire mailing list)? Have a nice day GV
Re: [WinPcap-users] WinPCap 3.1 Beta and WAN/Slip Interface on XP Pro
Hi. I have added a new FAQ related to PPP on the winpcap site a couple of days ago: http://winpcap.polito.it/misc/faq.htm#Q-25 If it doesn't solve your problem, can you please send a bug report to [EMAIL PROTECTED] Have a nice day GV

- Original Message - From: Jim Chapman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, April 28, 2004 5:37 AM Subject: [WinPcap-users] WinPCap 3.1 Beta and WAN/Slip Interface on XP Pro

I've installed WinPCap 3.1 Beta and Ethereal 0.10.3 on Windows 2000 and it works great on the WAN (PPP/SLIP) (Windows DUN) interface. But when I install the same on Windows XP Pro, it lets me select the adapter, but doesn't capture a thing. Any suggestions, anyone? Jim in Portland
Re: [WinPcap-users] fatal flex scanner internal error--end of buffer missed
Hi. What do you mean "using the API"? WinPCap has its own installer ("winpcap_version.exe"). Have a nice day GV - Original Message - From: Klein Cristian To: [EMAIL PROTECTED] Sent: Wednesday, April 21, 2004 6:14 PM Subject: [WinPcap-users] fatal flex scanner internal error--end of buffer missed I have installed WinPCap using the API. When I ran the program next time I got the error: "fatal flex scanner internal error--end of buffer missed". Could someone please tell me what it means?
Re: [WinPcap-users] Question about IP Checksum
Hi. I think your network adapter is responsible for putting the IP checksum to the packets, so outbound packets captured with winpcap do not have such checksums (as they are captured before the NIC card). Have a nice day GV

- Original Message - From: Huang Tao, SLC ICM N RD (BJ) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 27, 2004 7:23 AM Subject: [WinPcap-users] Question about IP Checksum

Dear all, I use winpcap to capture ip packets sent out from the computer running winpcap, but I found the checksum of the ip header are 0. At the same time, I use another computer in the same subnet as the first one to capture the IP packets in the network with winpcap and I can capture the same IP packet with checksum in the IP Header. Is it the normal case? or sth wrong with it? Cheers, Huang Tao
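A check that tells the two captures in this thread apart (checksum field still zero on the sending host, filled in on the wire), as an added example that is not from the original posts or from WinPcap. The function names, the result codes and the three constructed sample headers are assumptions.

```c
/* Added example: classify the IPv4 header checksum of a captured packet. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ck_result { CK_OK, CK_ZERO, CK_BAD, CK_INVALID };

/* Constructed 20-byte IPv4 header (UDP, 192.168.0.1 -> 192.168.0.199) as a
 * second machine on the subnet would capture it: checksum 0xb861. */
static const uint8_t HDR_ON_WIRE[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* The same header as captured on the sender: checksum field still zero. */
static const uint8_t HDR_ON_SENDER[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* The wire header with one damaged byte (TTL 0x40 -> 0x3f). */
static const uint8_t HDR_CORRUPT[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x3f, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* One's-complement sum of the header's 16-bit words with the checksum
 * field (bytes 10-11) skipped, folded and inverted. hlen must be even. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < hlen; i += 2) {
        if (i == 10)
            continue;                    /* skip the stored checksum */
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    }
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* pkt points at the IPv4 header, caplen is the number of captured bytes.
 * CK_INVALID: not a complete IPv4 header. CK_ZERO: field not filled in at
 * the capture point, expected for packets captured on the host that sent
 * them. CK_OK / CK_BAD: stored value matches / differs from the computed. */
enum ck_result classify_ipv4(const uint8_t *pkt, size_t caplen)
{
    size_t hlen;
    uint16_t stored;

    if (pkt == NULL || caplen < 20 || (pkt[0] >> 4) != 4)
        return CK_INVALID;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > caplen)
        return CK_INVALID;
    stored = (uint16_t)(pkt[10] << 8 | pkt[11]);
    if (stored == 0)
        return CK_ZERO;
    return stored == ipv4_header_checksum(pkt, hlen) ? CK_OK : CK_BAD;
}

int main(void)
{
    printf("on wire:   %d\n", classify_ipv4(HDR_ON_WIRE, sizeof HDR_ON_WIRE));
    printf("on sender: %d\n", classify_ipv4(HDR_ON_SENDER, sizeof HDR_ON_SENDER));
    printf("corrupt:   %d\n", classify_ipv4(HDR_CORRUPT, sizeof HDR_CORRUPT));
    printf("expected:  0x%04x\n", ipv4_header_checksum(HDR_ON_SENDER, 20));
    return 0;
}
```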
Re: [WinPcap-users] cannot run pcap on Windows XP with Microsoft Visual C++ .NET
Hi. I think you have created a managed c++ application (Console Application (.NET)). You must create a native win32 c++ application to run the examples in the tutorial. It's called Win32 Console project in the new project wizard. The error VC is giving you is in fact generated by the Common Language Runtime (CLR) while loading some type (pcap, in this case) from an unknown assembly or module. Have a nice day GV

- Original Message - From: Alex Narinsky [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 27, 2004 4:53 PM Subject: [WinPcap-users] cannot run pcap on Windows XP with Microsoft Visual C++ .NET

Hello, I am trying to run the pcap tutorial example Opening an adapter and capturing the packets on Windows XP using Microsoft Visual C++ .NET. On VC++ 6.0 this example works. Also, previous examples in .NET work too. However, this particular example results in the error: An unhandled exception of type 'System.TypeLoadException' occurred in Unknown Module. Additional information: Could not load type pcap from assembly pcap, Version=1.0.1578.16508, Culture=neutral, PublicKeyToken=null. Does anybody have a successful experience running pcap on Windows XP with Microsoft Visual C++ .NET? Thank you Alex Narinsky
Re: [WinPcap-users] fatal flex scanner internal error--end of buffer missed
On Fri, 30 Apr 2004 23:00:37 +0300 Klein Cristian [EMAIL PROTECTED] wrote:

What do you mean using the API?

Sorry, I mean that I made a special API which launches the installer. Nevertheless, this is not so important. What I would like to know is why I got the fatal flex scanner internal error--end of buffer missed error and what it means.

I have never encountered such a weird message (and no one has ever reported such an error message). The installer is generated automatically with an installer generator. Have you tried running the installer from the command line? Are you local administrator on the target machine? Which windows flavour are you using (9x/nt4/2k/xp/2k3)? Which winpcap version are you using? Have a nice day GV

BFN, Cristi.
Re: [WinPcap-users] WinPcap NMap
- Original Message - From: Gisle Vanem [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 19, 2004 9:51 PM Subject: Re: [WinPcap-users] WinPcap NMap

Alan S. Jones [EMAIL PROTECTED] said: I have been watching some of the WinPcap 3.1 beta development along with NMap development. At one point I ran into some problems with NMap after I upgraded to WinPcap 3.1 beta. Not figuring anything else out till I ran across some comments that made me downgrade to WinPcap 3.0 and things seemed to work fine. My impression from reading the WinPcap list was that programs should not need to make any changes to work between WinPcap 3.0 and 3.1.

That was surely the intention of the WinPcap developers, but practice and implicit rules like ASCII naming are used only on Win-9x and Unicode on Win-NT was broken in the 3.1 update. Many programs (including nmap) make this assumption.

Well, I do not think they make any assumption. They were written following the specs of the old versions of the Packet API.

Not really surprising since many of the WinPcap examples do the same thing

Well, we did modify some examples from 3.0 to 3.1beta, but these modifications affected only the ones using the Packet API (we actually modified some examples using the pcap API, in order to use some better pcap APIs).

So instead of breaking this rule, our Italian friends should IMHO have created a new function that returns ASCII on Win-NT+ and a backward compatible function that returns Unicode on Win-NT+. Kind of messy, but ...

That's why we sent a request for comments on August 2003. No one told us hey, you'd better do this way. Instead, a user said

    - PacketGetAdapterNames() now returns the names of the adapter in ASCII rather than in Unicode.
    This is quite good.

and no one complained about this.

This is the URL of the start of a thread in the NMap group about a fix to get 3.1 to work: http://seclists.org/lists/nmap-dev/2004/Jan-Mar/0077.html

Sounds familiar since I wrote that :) But isn't there an updated binary of nmap you can use? Or compile it yourself?

Why doesn't nmap migrate to the pcap API, instead of using the packet API?

BTW. There are other problems with pcap_open_live() in 3.1; If you pass a device on a machine with >= 2 devices (in my case the RealTek eth adapter and the IPv6 pseudo tunnelling device), the PacketOpenAdapter() will fail since (OTOH) the list of *all* devices hasn't been found at that point (since PacketGetAdapterNames() and PacketPopulateAdaptersInfoList() hasn't been called). An easy fix is to do (void) pcap_lookupdev(errbuf) (or pcap_findalldevs*()) before pcap_open_live() on the device you want to use.

I have fixed this problem on our source tree. Why didn't you report this problem on the winpcap-bugs mailing list when you discovered the bug, instead of

--gv GNU GPL: Free as in herpes.
Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
Hi. Why don't you use pcap_findalldevs() or pcap_findalldevs_ex()? It returns a list of adapters (i.e. pcap_if structures), each one containing a list of the IPv4 and IPv6 addresses associated to each adapter. In particular, there's an example in the developer's pack (iflist) showing how to obtain the list of addresses for each adapter. The same example is present in the tutorial part of the winpcap documentation, available online at Have a nice day GV

- Original Message - From: Gisle Vanem [EMAIL PROTECTED] To: WinDump [EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 2:38 PM Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?

(please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive).

Jinhai Yang said: I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter.

Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c: We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses). You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile(). But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling).

PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too? --gv
Fw: [WinPcap-users] does winpcap work with adapter with multiple IP addresses?
- Original Message - From: Gianluca Varenni [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, April 21, 2004 9:10 AM Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses? Hi. Why don't you use pcap_findalldevs() or pcap_findalldevs_ex()? It returns a list of adapters (i.e. pcap_if structures), each one containing a list of the IPv4 and IPv6 addresses associated to each adapter. In particular, there's an example in the developer's pack (iflist) showing how to obtain the list of addresses for each adapter. The same example is present in the tutorial part of the winpcap documentation, available online at oops... it's at http://winpcap.polito.it/docs/docs31beta/html/group__wpcap__tut2.html Have a nice day GV - Original Message - From: Gisle Vanem [EMAIL PROTECTED] To: WinDump [EMAIL PROTECTED] Sent: Tuesday, April 20, 2004 2:38 PM Subject: Re: [WinPcap-users] does winpcap work with adapter with multiple IP addresses? (please don't start a new thread by replying to a previous unrelated posting. It messes up threaded email clients and the web-mail archive). Jinhai Yang said: I'm looking at set up proper filter rules for an adapter with two IP addresses. My question is: Does winpcap work with adapter with multiple IP addresses? I looked at the code, seems to me pcap_lookupnet() and pcap_compile() both assume one IP address per adapter. Yes, pcap_lookupnet() returns only the 1st address. It says so plainly in the comment in inet.c: We need only the first IPv4 address, so we must scan the array returned by PacketGetNetInfo() in order to skip non IPv4 (i.e. IPv6 addresses). You can probably circumvent this by calling PacketGetNetInfoEx() and extract the correct address before calling pcap_compile(). But are you sure Windows doesn't create two devices in this case? (one for each address. The 2nd being some pseudo device one can use to route through to the 1st device. I know it does that for Teredo/IPv6 tunneling). PS. What would be the proper description of such a box? I thought multihomed means a box with 1 adapter and 1 address each. Is this a multihomed box too? --gv
Re: [WinPcap-users] WinPcap NMap
- Original Message - From: Alan S. Jones [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, April 18, 2004 9:43 PM Subject: [WinPcap-users] WinPcap NMap I have been watching some of the WinPcap 3.1 beta development along with NMap development. At one point I ran into some problems with NMap after I upgraded to WinPcap 3.1 beta. Not figuring anything else out till I ran across some comments that made me downgrade to WinPcap 3.0 and things seemed to work fine. My impression from reading the WinPcap list was that programs should not need to make any changes to work between WinPcap 3.0 and 3.1. Yes, if they use the pcapXXX API. You can have problems only if you use the PacketXXX API. And nmap is actually using the PcapXXX API (line 308 of winip.c in the nmap 3.50 sources). A clean solution to the problem is to use pcap_findalldevs(), which is available on both WinPcap and libpcap from quite a lot of time. Is this a bug in WinPcap? Is the fix proposed the best fix? It might be nice if the right people on each side talked if needed. This is a bit disappointing: we sent a mail to this mailing list proposing some changes in the PacketXXX API (clearly stating the possible breaks in current applications) at the end of August 2003. Nobody told us hey, Nmap will stop working!. At the beginning of February 2004, we released WinPcap 3.1beta. This version was the first release having these PacketXXX API modifications (they were documented both in the announce message posted on this mailing list, and in the WinPcap online changelog). Some users reported a problem with nmap (on the winpcap-bugs mail address), and we advised them to contact the nmap developers. I think we did our best to help our users. There are tons of apps based on winpcap, we cannot contact their authors one by one telling them hey, have you tested your app with the newest winpcap? Does it work for you? or something like that. What we do is to announce our releases (and send request for comments) on the winpcap-users mailing. Sorry for the long mail. Have a nice day GV This is the URL of the start of a thread in the NMap group about a fix to get 3.1 to work: http://seclists.org/lists/nmap-dev/2004/Jan-Mar/0077.html You can see the whole thread here: http://seclists.org/lists/nmap-dev/2004/Jan-Mar/ List info: http://seclists.org/#nmap-dev -- Alan S. Jones [EMAIL PROTECTED] http://users.ipa.net/~asj
Re: [WinPcap-users] Problem to list packet with pcap_next_ex
Hi. I'm not completely sure, because I don't know how the C_Paquet constructor works, but I think that the problem is that you are storing the pointer returned in pkt_data into your C_Paquet class. Unfortunately, this pointer is valid only up to the next call to pcap_next_ex (or pcap_close). In practice, in order to store the packets returned by pcap_next_ex, you must copy them into some buffer of your program. Have a nice day GV

- Original Message - From: Julien Seignalet To: [EMAIL PROTECTED] Sent: Monday, April 19, 2004 5:27 AM Subject: [WinPcap-users] Problem to list packet with pcap_next_ex

Hello all, First time I used this mailing list so hello all :) I program a c++ software to capture network traffic and analyze it so Winpcap is very useful :) But I got an issue with the pcap_next_ex function. I explain: In my code I analyze the packets as soon as they arrive and it works fine. (I analyze pkt_data and print the packet). After that, I need to "construct" a Paquet Class with its packet_data and the number of the packet. After having my packet, I add it into a list of packets and here is the issue. When I print my list after for example, 5 packets received, my list seems bugged, as if pkt_data was not correct. Here is the code in C++:

    //Code located into a thread to sniff while executing other commands in the main program
    while((res = pcap_next_ex(adhandle, &header, &pkt_data)) >= 0){
        if(res == 0) {
            /* Timeout elapsed */
            //continue;
        } else {
            if (res == -1) {
            } else {
                paquet = pkt_data;
                Paquet_courant = new C_Paquet (paquet, cpto);
                cpto ++;
                Liste_Paque->Add((void*)Paquet_courant);
                Synchronize (AfficherListe);
            }
        }
    }

type of Liste_Paque is: TList *Liste_Paque; AfficherListe is a function to print list of packets. When I print my packets, it works fine for generally 3 or 4 packets and after, it prints unattended data. So can u explain me how to store each packet into a list ? I need this storage list because I use it in other capabilities of my program.
Any help will be appreciated. Thanks a lot.
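The copy-before-storing advice in the reply above, as an added example that is not part of the original thread. `mock_next_ex`, `cap_hdr`, `stored_pkt` and the sample payloads are hypothetical stand-ins constructed here so the code runs without WinPcap; the mock reuses one buffer per call, which is the behaviour the reply attributes to pcap_next_ex.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pcap_pkthdr (the real one also carries a timestamp). */
struct cap_hdr { uint32_t caplen; uint32_t len; };

/* Constructed sample traffic: three short payloads, not real packets. */
static const char *const SAMPLES[] = { "AAAA-first", "BBBB-second", "CCCC-third" };
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Hypothetical capture source. Like pcap_next_ex(), it returns pointers into
 * storage it owns and overwrites that storage on every call. */
struct mock_src { size_t next; struct cap_hdr hdr; uint8_t buf[64]; };

static int mock_next_ex(struct mock_src *s, struct cap_hdr **hdr, const uint8_t **data)
{
    if (s->next >= NSAMPLES)
        return -2;                         /* no more packets */
    s->hdr.caplen = s->hdr.len = (uint32_t)strlen(SAMPLES[s->next]);
    memcpy(s->buf, SAMPLES[s->next], s->hdr.caplen);
    s->next++;
    *hdr = &s->hdr;
    *data = s->buf;
    return 1;
}

/* A stored packet that owns its bytes. */
struct stored_pkt { uint32_t caplen; uint32_t len; uint8_t *bytes; };

/* Deep copy: caplen bytes are valid at data, never len (the wire length). */
static int store_copy(struct stored_pkt *out, const struct cap_hdr *h, const uint8_t *data)
{
    out->bytes = malloc(h->caplen ? h->caplen : 1);
    if (out->bytes == NULL)
        return -1;
    memcpy(out->bytes, data, h->caplen);
    out->caplen = h->caplen;
    out->len = h->len;
    return 0;
}

/* Capture up to max packets two ways: aliases[] keeps the raw pointer (the
 * bug from the thread), copies[] keeps an owned copy. Returns packets stored. */
static int capture_both(struct mock_src *s, const uint8_t *aliases[],
                        struct stored_pkt copies[], int max)
{
    struct cap_hdr *h;
    const uint8_t *d;
    int n = 0;
    while (n < max && mock_next_ex(s, &h, &d) == 1) {
        aliases[n] = d;
        if (store_copy(&copies[n], h, d) != 0)
            break;
        n++;
    }
    return n;
}

int main(void)
{
    struct mock_src src = {0};
    const uint8_t *aliases[3];
    struct stored_pkt copies[3];
    int n = capture_both(&src, aliases, copies, 3);
    for (int i = 0; i < n; i++) {
        printf("pkt %d  alias: %.10s  copy: %.*s\n", i,
               (const char *)aliases[i], (int)copies[i].caplen,
               (const char *)copies[i].bytes);
        free(copies[i].bytes);
    }
    return 0;
}
```

Every entry in `aliases[]` ends up pointing at the last packet's bytes, while each `copies[]` entry keeps the packet it was built from.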
Re: [WinPcap-users] Winpcap 3.1 beta: Problem with packet length and captured length
Hi. We experienced a similar problem with one of our lab machines (using an Intel server Fast Ethernet card). In practice some network cards (server nics, usually), are able to fragment outbound packets in smaller chunks (I don't know how, exactly), so they announce to protocol drivers (TCP-IP as well as winpcap) that the maximum packet size is more than 1514 bytes. As a consequence, the tcp-ip stack sends jumbo packets, and winpcap captures them (obviously). A workaround to the problem is to disable these features on the network card (by means of the control panel of the nic driver), if I remember well it's called offload TCP segmentation on my machine. Hope it helps GV - Original Message - From: Pawan Singh [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 19, 2004 1:48 AM Subject: [WinPcap-users] Winpcap 3.1 beta: Problem with packet length and captured length Hi, I am using winpcap 3.1 beta. I am seeing IP packets on an 100 Mbit Ethernet segment which have IP header total length 2000. This causes Winpcap library to return packet length and captured length to be greater equal to IP total length + Ethernet header length. Is this a bug in winpcap because captured length should never be greater than 1536 on an Ethernet segment? In such a case, how does the driver even return these extra bytes (i.e. after 1536) because Ethernet card should never provide a packet data more than 1536 bytes. Thanks Pawan Singh [EMAIL PROTECTED]
Re: [WinPcap-users] Winpcap 3.1 beta: Problem with packet length and captured length
On Mon, 19 Apr 2004 08:32:55 -0700 Pawan Singh [EMAIL PROTECTED] wrote: I read about offload TCP segmentation. Does winpcap capture packets before or after segmentation? Before, since segmentation is done on the NIC itself. Have a nice day GV Pawan Singh [EMAIL PROTECTED] 650 776 3958 -Original Message- From: Gianluca Varenni [mailto:[EMAIL PROTECTED] Sent: Monday, April 19, 2004 4:58 AM To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Winpcap 3.1 beta: Problem with packet length and captured length Hi. We experienced a similar problem with one of our lab machines (using an Intel server Fast Ethernet card). In practice some network cards (server nics, usually), are able to fragment outbound packets in smaller chunks (I don't know how, exactly), so they announce to protocol drivers (TCP-IP as well as winpcap) that the maximum packet size is more than 1514 bytes. As a consequence, the tcp-ip stack sends jumbo packets, and winpcap captures them (obviously). A workaround to the problem is to disable these features on the network card (by means of the control panel of the nic driver), if I remember well it's called offload TCP segmentation on my machine. Hope it helps GV - Original Message - From: Pawan Singh [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, April 19, 2004 1:48 AM Subject: [WinPcap-users] Winpcap 3.1 beta: Problem with packet length and captured length Hi, I am using winpcap 3.1 beta. I am seeing IP packets on an 100 Mbit Ethernet segment which have IP header total length 2000. This causes Winpcap library to return packet length and captured length to be greater equal to IP total length + Ethernet header length. Is this a bug in winpcap because captured length should never be greater than 1536 on an Ethernet segment? In such a case, how does the driver even return these extra bytes (i.e. after 1536) because Ethernet card should never provide a packet data more than 1536 bytes. Thanks Pawan Singh [EMAIL PROTECTED]
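A length check for the situation discussed in this thread, as an added example that is not code from the thread or from WinPcap: it flags captured frames larger than the 1514 bytes mentioned in the reply, so analysis code does not assume standard-size frames on a host whose NIC does the segmentation. `classify_frame`, `build_sample` and the enum names are hypothetical; the code assumes untagged Ethernet II carrying IPv4, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14u
#define ETH_MAX_FRAME   1514u   /* 1500-byte MTU + 14-byte Ethernet header */
#define IPV4_MIN_HDR    20u
#define ETHERTYPE_IPV4  0x0800u

enum frame_class {
    FRAME_TOO_SHORT,  /* capture does not cover Ethernet + minimal IPv4 header */
    FRAME_NOT_IPV4,   /* other ethertype, or bad version/IHL */
    FRAME_MISMATCH,   /* IP total length or caplen exceeds the wire length */
    FRAME_NORMAL,     /* fits a standard Ethernet frame */
    FRAME_OVERSIZE    /* longer than 1514 bytes: captured before the NIC split it */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* frame: captured bytes; caplen: bytes captured; wirelen: original length.
 * Only the first 34 bytes are read, so a short snaplen is enough. */
static enum frame_class classify_frame(const uint8_t *frame, uint32_t caplen,
                                       uint32_t wirelen)
{
    if (frame == NULL || caplen < ETH_HDR_LEN + IPV4_MIN_HDR)
        return FRAME_TOO_SHORT;
    if (be16(frame + 12) != ETHERTYPE_IPV4)
        return FRAME_NOT_IPV4;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)
        return FRAME_NOT_IPV4;
    uint32_t expected = (uint32_t)be16(ip + 2) + ETH_HDR_LEN;
    if (expected > wirelen || caplen > wirelen)
        return FRAME_MISMATCH;
    /* wirelen may exceed expected on small frames because of padding */
    return wirelen > ETH_MAX_FRAME ? FRAME_OVERSIZE : FRAME_NORMAL;
}

/* Constructed sample: Ethernet II + IPv4 header only, zeroed addresses. */
static void build_sample(uint8_t buf[34], uint16_t ip_total_len)
{
    memset(buf, 0, 34);
    buf[12] = 0x08; buf[13] = 0x00;          /* ethertype IPv4 */
    buf[14] = 0x45;                          /* version 4, IHL 5 */
    buf[16] = (uint8_t)(ip_total_len >> 8);
    buf[17] = (uint8_t)(ip_total_len & 0xff);
}

int main(void)
{
    uint8_t buf[34];
    build_sample(buf, 2000);                 /* IP total length as in the report */
    printf("2014-byte frame -> class %d\n", classify_frame(buf, 34, 2014));
    build_sample(buf, 1500);
    printf("1514-byte frame -> class %d\n", classify_frame(buf, 34, 1514));
    return 0;
}
```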
Re: [WinPcap-users] Kernel Buffer Error
Hi. The non paged pool is absolutely too high: on my machine it's about 10MB, on our SMP application server is 25 MB... In the last mails you didn't confirm me that you are using WinPcap 3.1 beta. Can you please confirm this? We had a similar problem in one of our old versions (I think winpcap 3.0 alpha???), but they have been fixed in the subsequent versions. Have a nice day GV - Original Message - From: Joel Moore [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 15, 2004 11:31 PM Subject: RE: [WinPcap-users] Kernel Buffer Error Ok, it's happened again. I'm getting the not enough memory to allocate the kernel buffer error again. My kernel memory statistics: Total: 113,300 Kb Paged: 38,004 Kb Nonpaged: 75,316 Kb Doesn't seem too drastic to me. I'm not sure what else to check. Now I can't use Ethereal or Windump until I reboot. -Original Message- From: Joel Moore [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:46 PM To: '[EMAIL PROTECTED]' Subject: RE: [WinPcap-users] Kernel Buffer Error Thanks, I'll keep an eye on it and report back when it happens again. However, if I was running out of kernel memory wouldn't I be seeing problems elsewhere? Do you know if there's any way to track how much kernel memory each service is using? XP doesn't seem to offer that kind of granularity. Just for the record, my current kernel memory statistics (approximate): Total: 101,904 Kb Paged: 40,828 Kb Non-paged: 61,100 Kb I tried Ethereal a few times and received no errors. -Original Message- From: Gianluca Varenni [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 13, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: Re: [WinPcap-users] Kernel Buffer Error Hi. Are you using the latest version of WinPcap (3.1beta)? Can you please have a look at the memory usage of your system on the Task Manager, in particular the items Paged and NonPaged in the kernel memory part of the mem usage? A user reported a similar problem, and it was actually due to a service leaking some resources. The consequence was that WinPcap was not able to allocate the appropriate resources for its work. Have a nice day GV
Re: [WinPcap-users] Kernel Buffer Error
Hi. Are you using the latest version of WinPcap (3.1beta)? Can you please have a look at the memory usage of your system on the Task Manager, in particular the items Paged and NonPaged in the kernel memory part of the mem usage? A user reported a similar problem, and it was actually due to a service leaking some resources. The consequence was that WinPcap was not able to allocate the appropriate resources for its work. Have a nice day GV - Original Message - From: Joel Moore [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 08, 2004 12:02 PM Subject: [WinPcap-users] Kernel Buffer Error I only recently realized that this error comes from WinPcap. Sometimes I'll get the following error message from Ethereal (or WinDump) when I try to start a capture session: not enough memory to allocate the kernel buffer The only way to get Ethereal working again is to reboot. Does anyone know if there is a way to deal with this without rebooting? Is anyone familiar with this error? Thanks, Joel Moore
Re: [WinPcap-users] How to set windump to produce ethereal likes output
Windump -w somefilename http://windump.polito.it/docs/manual.htm Have a nice day GV - Original Message - From: Mr Researcher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, April 09, 2004 5:49 PM Subject: [WinPcap-users] How to set windump to produce ethereal likes output Hi everyone, I just want to know how I can set windump so that it produces ethereal-like output. Any help is very appreciated. Thanks for your attention. Best regards, niezam.
Re: [WinPcap-users] Support for Windows XP 64-bit Edition
Hi. At the moment there is no support for any Windows 64bit flavour. This is because we do not have any 64 bit machine to develop/test a 64bit driver. If you (or someone else on the list) are able to donate us an Itanium/AMD64 machine, we will be very happy to make winpcap work on 64bit. Have a nice day GV - Original Message - From: Norman Chen To: '[EMAIL PROTECTED]' Sent: Wednesday, March 24, 2004 9:14 PM Subject: [WinPcap-users] Support for Windows XP 64-bit Edition Hi all, Does anybody know whether there will be support for the Windows 64-bit (AMD64) platform? It seems to me like wpcap.dll and packet.dll should run fine under the WOW64 environment, but npf.sys would need to be ported to use the AMD64 DDK, since 32-bit drivers can't be loaded or run on the system. I couldn't find any info so I'm wondering if it's on the radar? Thanks! Norm
Re: [WinPcap-users] Error in pcap_dump_open
Hi. There was a bug in pcap_dump_open. We have fixed it in our source tree, and it will be present in the next release of WinPcap. Have a nice day GV

- Original Message - From: Tan Victor-A18027 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 10, 2004 3:35 AM Subject: [WinPcap-users] Error in pcap_dump_open

When pcap_dump_open(devhandle, filename) is called for a filename which is read-only, I see the following using Purify:

    [E] NPW: NULL pointer write in EnterCriticalSection {1 occurrence}
    Writing 24 bytes to 0x0020 (24 bytes at 0x0020 illegal)
    Address 0x0020 points into invalid memory
    Thread ID: 0x84c
    Error location
    [KERNEL32.dll ip=0x6c5733c8]
    [wpcap.dll ip=0x10015442]
    [wpcap.dll ip=0x1001583a]
    CInterface::writeCaptureFileHeader(basic_stringchar,char_traitschar::std, allocatorchar::std::std const) [interface.cpp:746]
    // write file header
    pcap_dumper_t *dump = 0;
    try {
        dump = pcap_dump_open(mDeviceHandle, fileName.c_str());
    }catch(...) {
        // close the device if we have opened it
    }

Subsequent calls to pcap_dump_open sometimes produced unexpected results. Can somebody explain whether this is a known bug? Thanks, Victor
Re: [WinPcap-users] Using the netmon driver with WinPcap for Gigabit adapters.
Hi. You can try the netmon driver by using "netcap" which is provided with Windows XP (if I remember well, you must install it through the resource kit present on the XP installation CD). Regarding dropping packets, winpcap can drop packets for a variety of reasons, like -very slow capturing application -dumping packets to disk Have a nice day GV - Original Message - From: Robert Thornthwaite To: [EMAIL PROTECTED] Sent: Friday, April 02, 2004 12:18 AM Subject: [WinPcap-users] Using the netmon driver with WinPcap for Gigabit adapters. Hello, Has anyone tried using the netmon driver with WinPcap to see how it compares with the npf.sys driver? In particular for packet capture with Gigabit Ethernet, does the netmon driver drop fewer packets? The option of using netmon with a Gigabit NIC is not supported in the 3.1 beta release. I am trying to figure out how to try this. Thanks. -Robert Robert Thornthwaite Input/Output, Inc. phone: 281 879 2112 email: [EMAIL PROTECTED] web: http://www.i-o.com/
Re: [WinPcap-users] WinPcap 3.1 beta pcap_findalldevs_ex() problem
Hi. We have discovered and fixed a couple of bugs in the function that lists the local adapters. The patches will be present in WinPcap 3.1 final, which we plan to release in a couple of weeks. Have a nice day GV - Original Message - From: Jang Choe [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 05, 2004 10:49 PM Subject: [WinPcap-users] WinPcap 3.1 beta pcap_findalldevs_ex() problem I used the same code for winpcap3.1 alpha. It all compiles and builds well. But when I run my program, I get this error: Error in pcap_findalldevs_ex: PacketGetAdapterNames: Attempt to release mutex not owned by caller. What does this error mean and how do I solve this? Thank you.
Re: [WinPcap-users] DLL problem
Did the hint provided by Vensal solve your problem? Have a nice day GV - Original Message - From: Dave Seidel To: WinPcap-Users Sent: Thursday, March 04, 2004 3:45 PM Subject: [WinPcap-users] DLL problem Our application uses WinPcap 3.0. One of our users is reporting the error message "The procedure entry point pcap_findalldevs could not be located in the dynamic link library wpcap.dll". He also gets this with windump. Now, I know that this usually means that he has an old version of WinPcap on his machine. But I have had him uninstall and reinstall WinPcap more than once, with reboots in between, and the problem is still there. He is using WinXP. Any ideas? We're stumped. - Dave --- Dave Seidel, Founder Mindreef :: Web Service Diagnostics http://www.mindreef.com