Tuesday, March 24, 2015

Updated: WinPcap and Wireshark problems on Windows 10 Tech Preview 10041

Update June 5, 2015: WinPcap 4.1.3 works on build 10130.

Update May 13, 2015: WinPcap 4.1.3 began to work again in Windows 10 preview 10061 and continues to operate in 10074. Hopefully, this trend continues - but I wouldn't count on it. But we still need to encourage Riverbed to update WinPcap from NDIS5 to NDIS6. Work has been done on this at NMAP and has been shared, so it would be great if WinPcap.org could expand on that work and release WinPcap fully compatible with NDIS6. Another issue is driver signing: in Windows 10 x64 that really will be changing, so it will be important for WinPcap to be updated before the RTM release - more about this here.

Update 3-27-15: Do you want to use Wireshark on Windows 10? Tweet about this problem! Do a post about this issue. Bring it up at Sharkfest in June.

Update 3-26-15: This has been confirmed by others and a thread has been started here:
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004935.html
I will be posting about it on twitter: https://twitter.com/NetScanTools

Up until release 10041 all Windows 10 Tech Preview versions have appeared to run WinPcap 4.1.3 without a problem. Even the last version 9926 worked OK, but now we have a problem - a big problem.

About the test machine: Shuttle xpc, quad core cpu, 8GB RAM. Host OS is Windows 7 x64. Windows 10 x64 Enterprise 10041 is a guest OS running inside VirtualBox 4.3.26 r98988. Network Adapter in the VM is in Bridged mode. Physical network adapter in the Shuttle is Generic Marvell Yukon 88E8056 based Ethernet controller.

Here's what I did...and what happened...
On March 23 I upgraded 9926 to 10041 and then installed Wireshark x64 v1.12.4 from wireshark.org. Everything installed fine and WinPcap installed normally. I fired up Wireshark and got the message "No interface can be used for capturing in this system with the current configuration." Pressing the Refresh Interfaces button did not fix it.


I know that Wireshark checks the status of the NPF driver before getting that far, so I thought maybe I should verify it manually in a Command Prompt. You can see that the Service Control Manager says it is RUNNING.


Next, NetScanTools Pro. Since I wrote it, I know what checks are done where. I know that it loads wpcap.dll and packet.dll and checks the status of the NPF driver. So far so good. I went to the ARP Scanner (it uses WinPcap to send and receive packets) and pressed Do ARP Scan. I got this message. The arrow is pointing to a message that comes directly from WinPcap itself: "No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine."


I know exactly which function call returned that message: pcap_findalldevs_ex

pcap_findalldevs_ex is what you call to find all the WinPcap compatible interfaces on the system. If it fails, you're done. I poked through the Wireshark code and they are calling it too, most likely on startup.
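As an added example (not code from this post, from Wireshark or from WinPcap), here is the same pcap_findalldevs_ex call made from PowerShell via P/Invoke, so you can see whether the failure comes straight back from WinPcap; it assumes wpcap.dll is on the DLL search path for a PowerShell process of matching bitness (system32 for 64-bit, SysWOW64 for 32-bit) and uses the 256-byte PCAP_ERRBUF_SIZE.

```powershell
# Added example: reproduce the pcap_findalldevs_ex check from PowerShell.
# Assumes wpcap.dll is loadable by this PowerShell process (same bitness) and
# that errbuf is PCAP_ERRBUF_SIZE (256) bytes.
$def = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WinPcap {
    // int pcap_findalldevs_ex(char *source, struct pcap_rmtauth *auth,
    //                         pcap_if_t **alldevs, char *errbuf);
    [DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
    public static extern int pcap_findalldevs_ex(string source, IntPtr auth,
                                                 out IntPtr alldevs, StringBuilder errbuf);
    [DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern void pcap_freealldevs(IntPtr alldevs);
}
'@
Add-Type -TypeDefinition $def

$M      = [System.Runtime.InteropServices.Marshal]
$errbuf = New-Object System.Text.StringBuilder 256
$devs   = [IntPtr]::Zero
# "rpcap://" with no host part asks WinPcap for the local adapter list.
$rc = [WinPcap]::pcap_findalldevs_ex("rpcap://", [IntPtr]::Zero, [ref]$devs, $errbuf)
if ($rc -ne 0) {
    # On a broken build this is where "No interfaces found! ..." comes back.
    Write-Warning ("pcap_findalldevs_ex failed: " + $errbuf.ToString())
    return
}
if ($devs -eq [IntPtr]::Zero) { Write-Warning "Call succeeded but returned no adapters"; return }

# Walk the pcap_if_t linked list: { next, name, description, addresses, flags }.
# Pointer offsets are in multiples of IntPtr.Size so this works for 32 and 64 bit.
$p = $devs
while ($p -ne [IntPtr]::Zero) {
    $name = $M::PtrToStringAnsi($M::ReadIntPtr($p, [IntPtr]::Size))
    $desc = $M::PtrToStringAnsi($M::ReadIntPtr($p, 2 * [IntPtr]::Size))
    "{0}`n    {1}" -f $name, $desc
    $p = $M::ReadIntPtr($p, 0)
}
[WinPcap]::pcap_freealldevs($devs)
```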

Where do we go from here?
Obviously Microsoft changed something. Did they change NDIS? Or something else?

I've tried all the obvious things - changing compatibility mode, running the programs as administrator - nothing works. A driver expert (which I am not) needs to dive into the WinPcap code and figure this out - and soon!

If nothing is done, Wireshark, nmap, NetScanTools Pro and any other apps depending on WinPcap for capturing and sending packets will not operate on Windows 10 if the changes Microsoft made are permanent.

What is your experience? Has anyone else tried Wireshark on Windows 10 Enterprise 10041? Win10 has always worked on VirtualBox - has anyone tried Wireshark on Win10 in VMware or native boot?

Wednesday, March 11, 2015

Ways programs are quietly started at Windows startup time.

Have you ever wondered where to find the places that start up a program when Windows starts?

Here are three places you may not be aware of:

Start Menu.

This is the Startup folder that was in the Start menu on older versions of Windows. It's still there on Windows 8.x.
c:\ProgramData\Microsoft\Windows\start menu\programs\startup

Registry.

32 and 64 Bit Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

64 Bit Windows only (32 bit apps are in here)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run


Windows Task Scheduler. (Control Panel/Administrative Tools/Task Scheduler)

Windows 8.x/7: Expand the left panel - Task Scheduler (Local)/Task Scheduler Library/Microsoft/Windows/TheAppOfInterest
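Here is an added PowerShell script (not from the post) that dumps all three locations in one pass; it goes slightly beyond the list above by also reading the per-user HKCU Run key, and the scheduled-task part needs the Get-ScheduledTask cmdlet, which exists on Windows 8 and later but not on Windows 7.

```powershell
# Added example: enumerate the autostart locations named above.
$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
"== Startup folder: $startup"
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        if ($_.Extension -eq '.lnk') {
            # Resolve the shortcut so you see the real executable, not just the .lnk name.
            "{0} -> {1}" -f $_.Name, $shell.CreateShortcut($_.FullName).TargetPath
        } else { $_.FullName }
    }

# HKLM keys from the post plus the per-user key (an addition not listed above).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    "== Registry: $key"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $psProps -notcontains $_.Name } |   # drop PowerShell's own metadata
            ForEach-Object { "{0} = {1}" -f $_.Name, $_.Value }
    }
}

"== Enabled scheduled tasks with a boot or logon trigger"
$bootLogon = 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task   = $_
    $starts = @($task.Triggers | Where-Object { $bootLogon -contains $_.CimClass.CimClassName })
    if ($starts.Count -gt 0) {
        foreach ($a in $task.Actions) {
            "{0}{1}: {2} {3}" -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
        }
    }
}
```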

I hope this helps next time you are trying to locate where a program is being started when you start Windows.

Tuesday, March 10, 2015

Solving Serious WinPcap Installation Problems

This post will address some serious WinPcap problems our customers have seen on Windows 8.1. These problems are not necessarily unique to that version of Windows and may occur on other Windows versions as well.

Applicability: This discussion is limited to the current WinPcap 4.1.3 release and is intended for users of Windows 7, 8, 8.1.

Related Blog Post:
WinPcap Installation, Status and other Tips

Common Symptoms:
  • WinPcap 4.1.3 official installer hangs at 'extract: Packet.dll' or similar.
  • Wireshark gives this message on startup "The NPF driver isn't running. You may have trouble capturing or listing interfaces."
  • NetScanTools Pro gives a message that WinPcap is not found or if it is found NetScanTools Pro locks up when you run a tool that uses WinPcap.
  • Windows locks up when you run software that uses WinPcap forcing you to do a power cycle reboot.

Where to start:
The first thing to do is find out if any or all of the three major components are installed and their versions.

1. Using File Explorer, find out if this file exists: c:\Windows\system32\drivers\npf.sys. If so, right click on it and make note of the version number. Version 4.1.3 shows up as 4.1.0.2980 (don't ask me why).

2. Search your hard drives (especially drives where programs are installed) for both wpcap.dll and packet.dll.

Right click on EVERY DLL found, do Properties/Details and verify that you see 4.1.0.2980 (4.1.3).

These are the only acceptable locations for 'public' WinPcap DLLs on a 64 bit Windows system:
c:\windows\system32\wpcap.dll (64 bit version of DLL)
c:\windows\SysWOW64\wpcap.dll (32 bit version of DLL)
c:\windows\system32\packet.dll (64 bit version of DLL)
c:\windows\SysWOW64\packet.dll (32 bit version of DLL)

These are the only acceptable locations for 'public' WinPcap DLLs on a 32 bit Windows system:
c:\windows\system32\wpcap.dll (32 bit version of DLL)
c:\windows\system32\packet.dll (32 bit version of DLL)

Did you find any other instances of wpcap.dll and/or packet.dll on your system? If so, that's a huge red flag. One of our end-users running Windows 8.1 64 bit experienced all of the Common Symptoms above and he found WinPcap version 4.1.2.1742, which is actually WinPcap Pro AKA WinPcap OEM, in a Netgear ReadyNAS Remote program directory.

Here's why it could be a problem: 4.1.2.1742 is WinPcap Pro. When a program loads the WinPcap Pro wpcap.dll and packet.dll, it creates a version of the winpcap driver 'on-the-fly' in system32/drivers and runs it. WinPcap Pro was intended for use on systems where WinPcap is not installed, so at least on Windows 8.1 with ReadyNAS Remote, there is apparently interference between the two types of WinPcap. (other special WinPcap Pro/OEM versions you might find: 4.1.2.2001, 4.1.2.1879, 4.0.2.1340, 4.0.2.1252, 4.0.2.1123, 4.0.2.1040, 4.0.2.901, 4.0.2.755) WinPcap Pro was discontinued by Riverbed before Windows 8 was released.

Our end-user tried to stop WinPcap with 'sc stop npf' and got 'stop-pending' status which meant it was in use. Then if he rebooted and did a 'sc queryex npf', it said npf was stopped, however, if he did 'sc start npf' it said an instance of npf is already running. Very confusing and definitely not what you would expect to see.

Solution that worked for the end-user:
The end-user stopped the ReadyNASRemote.exe process in Task Manager, then renamed ReadyNASRemote.exe to something else, then rebooted. That worked because the program could not start at boot time and therefore did not load its special WinPcap Pro.

Next, we had to find out where ReadyNASRemote was being started from at boot time. It was not in the registry HKLM or Windows Task Scheduler. It was being launched using a shortcut under c:\ProgramData\Microsoft\Windows\start menu\programs\startup.

Once it was stopped, the end-user could remove the official 'public' DLLs from the locations in Step 2 above and force a reinstall of WinPcap 4.1.3 public edition without a problem. We do not know which exact version of ReadyNASRemote this user had installed - he determined that he did not use it, so he uninstalled it before I found out.

Generalized Procedure assuming wpcap.dll and packet.dll are found elsewhere:
  1. Find any WinPcap DLLs that are not in their normal places and figure out which executable is using them (check Task Manager for those exes in the same directory as the WinPcap DLLs).
  2. Stop the offending executable process from Task Manager and rename the exe to something else (or find out where it is being started from and disable the starting process).
  3. Reboot.
  4. Remove the official WinPcap DLLs from system32 and SysWOW64 (carefully! do not remove the npf.sys) no matter what version they are.
  5. Reinstall the official WinPcap version from winpcap.org
  6. Verify WinPcap is running using administrative Command Prompt 'sc queryex npf'.
  7. Start Wireshark or NetScanTools Pro and confirm normal operation. (If Wireshark hangs at configuration 100%, review topic 5 here.)
  8. Now you have to decide if you really want to keep the offending program that was using its own private WinPcap - that's up to you.

The next blog post will deal with the situation where you did NOT find any other out-of-place instances of wpcap.dll and packet.dll.

Monday, March 9, 2015

WinPcap Installation, Status and other Tips

WinPcap is an essential packet capturing driver for many programs, especially Wireshark and also our own NetScanTools Pro. I have been working with a few of our customers who have had problems getting it installed and properly running on Windows 8.1. What I've done here is gather together a few important tips that you can use to make sure it is running.

This post is current as of WinPcap 4.1.3 and is written from the perspective of Windows 7, 8.1 and 10.

1. How do you tell if WinPcap is installed?

Quick check: WinPcap will show up in Control Panel/Programs and Features. This is not a guarantee that it is properly installed or running.

Detailed check: WinPcap has three main components. Here is where to find them on a 64 bit Windows operating system:

  1. c:\windows\system32\drivers\npf.sys (this is the actual kernel mode driver)
  2. c:\windows\system32\packet.dll (64 bit version of DLL) and c:\windows\SysWOW64\packet.dll (32 bit version of DLL)
  3. c:\windows\system32\wpcap.dll (64 bit version of DLL) and c:\windows\SysWOW64\wpcap.dll (32 bit version of DLL)
All DLLs and the driver should be showing version 4.1.0.2980 which is really 4.1.3 (go figure).
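The following added PowerShell script (not the post's own code) automates the detailed check above and the out-of-place DLL search from the 'Solving Serious WinPcap Installation Problems' post; it assumes the 4.1.0.2980 version string given above and should be run from an elevated prompt.

```powershell
# Added example: audit the WinPcap 4.1.3 components and flag any out-of-place
# copies of wpcap.dll / packet.dll. Run as administrator.
$expectedVersion = '4.1.0.2980'   # what WinPcap 4.1.3 reports (per the post)
$sys32   = "$env:SystemRoot\System32"
$allowed = @("$sys32\drivers\npf.sys", "$sys32\wpcap.dll", "$sys32\packet.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $allowed += "$env:SystemRoot\SysWOW64\wpcap.dll", "$env:SystemRoot\SysWOW64\packet.dll"
}
$fmt = "{0,-16} {1,-14} {2}"

"== Expected components"
foreach ($path in $allowed) {
    if (Test-Path $path) {
        $v    = (Get-Item $path).VersionInfo.FileVersion
        $flag = if ($v -eq $expectedVersion) { 'OK' } else { 'VERSION MISMATCH' }
        $fmt -f $flag, $v, $path
    } else {
        $fmt -f 'MISSING', '-', $path
    }
}

"== Out-of-place copies (searches every fixed drive; this can take a while)"
$roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(wpcap|packet)\.dll$' } |
        Where-Object { $allowed -notcontains $_.FullName } |   # case-insensitive compare
        ForEach-Object {
            # A 4.1.2.xxxx build here is the WinPcap Pro/OEM variant bundled by another program.
            $fmt -f 'OUT-OF-PLACE', $_.VersionInfo.FileVersion, $_.FullName
        }
}

"== Driver state (same information as 'sc qc npf' / 'sc query npf')"
Get-WmiObject Win32_SystemDriver -Filter "Name='npf'" |
    Select-Object Name, State, StartMode, PathName | Format-List
```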

2. How do you tell if WinPcap is running?

The WinPcap driver does not show up in the list of services accessible through Control Panel/Administrative Tools/Services - but you can find out another way.

Start up a Command Prompt using Run as administrator and enter the following command that shows the driver configuration:

C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

Make a note of the START_TYPE, we will discuss that later.

This command shows the actual WinPcap driver state, whether running or stopped:

C:\WINDOWS\system32>sc query npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

3. How do you start WinPcap?

From an administrator Command Prompt, enter this and look at the STATE to make sure it is running:

C:\WINDOWS\system32>sc start npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

4. How do you stop WinPcap?

From an administrator Command Prompt, enter this and look at the STATE to make sure it is stopped. If it does not stop, you need to exit any programs using it.

C:\WINDOWS\system32>sc stop npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

5. Some people have trouble starting Wireshark, it starts to load OK but stops at Configuration 100%. What can be done?

Remember the START_TYPE entry from number 2 above? It needs to change. From an administrator Command Prompt, enter this command then reboot your system, then try Wireshark again. The space after start= is required.

C:\WINDOWS\system32>sc config npf start= delayed-auto
[SC] ChangeServiceConfig SUCCESS

6. How can I tell which program is currently using WinPcap?

That can be a little difficult, but if a program is actively using WinPcap there is a way to find out by using Sysinternals Process Explorer.

  1. Download Process Explorer and run it from here: https://technet.microsoft.com/en-us/sysinternals/bb896653
  2. Make sure npf is running.
  3. In Process Explorer, click on Find menu/Find Handle or DLL
  4. Enter wpcap or packet and press Search. If NetScanTools Pro is running, it shows nstpro.exe, PID, DLL and C:\Windows\SysWOW64\wpcap.dll - in other words, if a program is actively using WinPcap, it will show up there.
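An added PowerShell alternative (not from the post) that answers the same question without Process Explorer, by looking for wpcap.dll and packet.dll in each process's loaded-module list; it assumes an elevated PowerShell of the same bitness as the program you are checking, because a 64-bit PowerShell cannot read the module list of a 32-bit process.

```powershell
# Added example: list processes that currently have the WinPcap DLLs loaded,
# the same question Process Explorer's Find Handle or DLL answers.
$ErrorActionPreference = 'Stop'   # make module-list access failures catchable
$dlls = 'wpcap.dll', 'packet.dll'
foreach ($proc in Get-Process) {
    try {
        $hits = @($proc.Modules | Where-Object { $dlls -contains $_.ModuleName })
    } catch {
        # Access denied (protected/system process) or cross-bitness; skip it.
        continue
    }
    foreach ($m in $hits) {
        "{0,-24} PID {1,-6} {2}" -f $proc.ProcessName, $proc.Id, $m.FileName
    }
}
```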

I hope these WinPcap tips help you; please let me know if you have any others to share.

Kirk

NetScanTools LE v1.52 Released on March 6, 2015

The latest release of NetScanTools LE (designed for Law Enforcement) was ready on March 6, 2015.

Version 1.52 makes operational changes to Port Scanner/Scan Common Ports to scan only the current protocol type selected, i.e. TCP, UDP or TCP+UDP. Previous versions scanned using the whole list, TCP+UDP, regardless of the selection.

Whois has improved support for IPv6 and the ability to get whois information for the new top level domains was greatly expanded.

We tested it on Windows 10 Enterprise version. Everything operated normally as far as we could see.

WinPcap: only one part of NetScanTools LE uses WinPcap - the Packet Capture Tool. Due to recent issues customers have had with WinPcap on Windows 8.1, we decided to add in a test to make sure WinPcap is installed and running. If npf.sys is not running you will not be able to launch the Packet Capture Tool.

We updated SQLite to v3.8.8.3 and also updated the database files.

Please visit http://www.netscantools-le.com/ to get the latest version. You may install it over previous versions.