New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Npcap - Monitor mode & FCS #1231

gpotter2 opened this Issue Jun 2, 2018 · 0 comments


None yet
1 participant

gpotter2 commented Jun 2, 2018



I know that there are plenty issues about this subject, but I wanted to update them, and help fix the real issue by all means. They all seem dead, and outdated (npcap 0.9.6, or similar)


I'm having a similar issue than #1036 (comment), but using a different adapter.

I'm using a CSL USB 2.0 WLAN-Adapter 27395, with a Ralink RT5572.


I have been able to investigate a little bit.

Here are 4 packets, received at the same time with Microsoft Message Analyser and Wireshark. Microsoft Message analyser uses a builtin "made by microsoft" adapter, where as wireshark uses Npcap.

  • Message Analyser


According to Message Analyser, only the 3rd packet has a FCS (the one with STDO_Invites (R)) of 1612709912

The others don't have a FCS

  • Wireshark (with Npcap)

They all have a FCS, marked as invalid.

The one that really had a FCS has one of


This gives several informations:

  • the FCS issue is related to Npcap, and it seems that Npcap fails to detect correctly which packets have a FCS, and which don’t.
  • The FCS that is packed with Npcap isn’t the original one, as it differs from the one seen through message analyser
  • some of the packet metadata is not received in Npcap (channel frequency...) but is in message analyser. The problem is coming from Npcap

Both pcaps are in the provided zip (packets captured from message analyser, and from wireshark)

Please ask me any additional questions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment