Monday, November 4, 2013

Important NetScanTools Pro v11.53 Release

NetScanTools Pro v11.53 (installed) was released on November 1, 2013. This is a very important release because of the type of fixes that are in it. These fixes affect any of the tools that use WinPcap for capturing or sending packets. The WinPcap fixes are important if you use NetScanTools Pro on a machine where the network interface does not support promiscuous mode (normally WiFi 802.11) or you have more than one network interface on the machine.

If your network interface does not support promiscuous mode, all versions prior to 11.53 will not be able to open the interface, resulting in a message similar to this one: "Error: Cannot open interface for packet sending. Please exit and restart NetScanTools Pro".

This means you cannot fully utilize tools that depend on WinPcap - for example, the WinPcap ICMP mode of Traceroute will not work. The change in 11.53 allows the interface to be automatically opened in non-promiscuous mode if the open in promiscuous mode fails. If an adapter can be opened in promiscuous mode, all packets passing by it are passed along to the host system; if it is opened in 'normal' mode, only packets intended for the system are passed to the host system. This mostly affects WiFi adapters, so you may now find that NetScanTools Pro works much better with your WiFi network interface. Error message reporting has been significantly improved at the same time.

If you have more than one network interface on the system running NetScanTools Pro, all versions prior to 11.53 will only be able to send packets to the local network associated with the secondary interface. In other words, if a packet sent out the secondary interface is intended for a destination beyond the default gateway, it will not get there because the default gateway MAC address was not being obtained correctly. It is now obtained correctly, so packets will go out through the secondary interface's default gateway as intended.

The WinPcap related changes affected ARP Ping, ARP Scan, Duplicate IP Address Scanner, OS Fingerprinting, Packet Capture Playback, Packet Generator, Ping, Port Scanner, Promiscuous Mode Scanner, Traceroute, Connection Monitor, Packet Capture, Passive Discovery, SNMP Dictionary Attack and SNMP Scanner.

Other changes include:
  1. Improved detection of administrator privileges, which affects TimeSync (doing a clock synchronization) and DNS Tools Core (Edit Hosts File). Some portions of Network Connection Endpoints are also affected.
  2. Addition of a column showing the DHCP Server MAC Address to the DHCP Server Discovery Tool.
  3. Packet Capture Playback now supports sending .pcap files in addition to .cap files.
  4. Ping Enhance/TCP Ping now correctly send the number of packets you designate.
  5. SQLite was updated to 3.8.1 and the database files were updated.

Version 11.53 is available to all those with active maintenance plans. Click on Help/Check for New Version to obtain it.

Opening a WinPcap Compatible Network Interface

Sometimes a network interface is WinPcap compatible, meaning it can be opened with WinPcap, but opening it with the methods found in the example code for developers can fail. The examples usually show opening the interface using the PCAP_OPENFLAG_PROMISCUOUS flag. While that normally works fine for wired interfaces, wireless interfaces (WiFi 802.11) may not open - in fact, according to a Winpcap-users post from 2008 regarding v4, "most of the wireless cards do not support promiscuous mode. The call to pcap_open with PCAP_OPENFLAG_PROMISCUOUS should fail" - see http://www.winpcap.org/pipermail/winpcap-users/2008-June/002532.html

Here is typical code from the examples:

pcap_t *hDev = pcap_open(deviceName, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errMsg1);

If it fails to open because the interface cannot support promiscuous mode, hDev is NULL and errMsg1 will contain a string like this: "failed to set hardware filter to promiscuous mode".

A good way of dealing with this is to first try opening the interface, then if hDev is NULL try opening it without the flag:

hDev = pcap_open(deviceName, 65536, 0, 1000, NULL, errMsg2);

Then, if hDev is still NULL, report both errMsg1 and errMsg2 to the user. If both attempts fail, avoid making any further WinPcap function calls except pcap_freealldevs: you most likely used pcap_findalldevs_ex before trying to open an interface, and it allocated the device list from which deviceName was found.
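The fallback sequence described above, written out as an added example (not code from NetScanTools Pro or the WinPcap SDK). The names open_with_fallback, open_fn, open_mode and stub_open are hypothetical, and the stub stands in for pcap_open so the logic can be exercised on a machine without WinPcap installed.

```c
#include <stdio.h>
#include <string.h>
/* Stand-ins so this builds without the WinPcap SDK (flag value assumed to be
   1 as in the SDK headers); with the SDK, include <pcap.h> and delete them. */
#define PCAP_OPENFLAG_PROMISCUOUS 1
#define ERRLEN 256 /* PCAP_ERRBUF_SIZE in the SDK */
struct pcap; struct pcap_rmtauth;
/* Same parameter list as pcap_open(), so pcap_open can be passed directly. */
typedef struct pcap *(*open_fn)(const char *, int, int, int,
                                struct pcap_rmtauth *, char *);
enum open_mode { OPEN_FAILED, OPEN_PROMISCUOUS, OPEN_NORMAL };

/* Promiscuous first, then normal. Both messages are kept for the report and
   *mode records which open succeeded, so the caller can tell the user. */
struct pcap *open_with_fallback(open_fn opener, const char *deviceName,
        char *errMsg1, char *errMsg2, enum open_mode *mode)
{
    struct pcap *hDev;
    errMsg1[0] = errMsg2[0] = '\0';
    hDev = opener(deviceName, 65536, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errMsg1);
    if (hDev != NULL) { *mode = OPEN_PROMISCUOUS; return hDev; }
    hDev = opener(deviceName, 65536, 0, 1000, NULL, errMsg2);
    *mode = hDev ? OPEN_NORMAL : OPEN_FAILED;
    return hDev;
}

/* Constructed stub: every device rejects promiscuous mode; "absent" also
   fails the normal open (that second message is made up for the demo). */
static int fake_handle;
struct pcap *stub_open(const char *src, int snaplen, int flags, int timeout,
                       struct pcap_rmtauth *auth, char *errbuf)
{
    int promisc = flags & PCAP_OPENFLAG_PROMISCUOUS;
    (void)snaplen; (void)timeout; (void)auth;
    if (!promisc && strcmp(src, "absent") != 0)
        return (struct pcap *)&fake_handle;
    snprintf(errbuf, ERRLEN, "%s", promisc ? "failed to set hardware filter "
             "to promiscuous mode" : "adapter not found");
    return NULL;
}

int main(void)
{
    char e1[ERRLEN], e2[ERRLEN];
    enum open_mode mode;
    open_with_fallback(stub_open, "wifi0", e1, e2, &mode);
    printf("mode=%d, promiscuous attempt: %s\n", mode, e1);
    return 0;
}
```

Returning the mode alongside the handle lets a capture or discovery tool show that it is running in normal mode, where it will see fewer packets than the user may expect.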

Why is opening an interface in promiscuous mode important? When a network interface card (NIC) is opened in promiscuous mode, all packets seen by the interface are captured and passed to the host system, while an interface opened normally only captures packets strictly intended for it alone. So if you are running a utility like NetScanTools Pro Packet Capture or Wireshark, you will most likely want to be running in promiscuous mode so you can see all the packets passing by the interface.

Applicability:
WinPcap v4.1.3 is the most current version as of this discussion. Please visit http://www.winpcap.org/