New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Npcap] NIC >10s disconnect on logon due to disabling "automatic start" on install #1334

Closed
ltGuillaume opened this Issue Sep 24, 2018 · 5 comments

Comments

Projects
None yet
2 participants
@ltGuillaume

ltGuillaume commented Sep 24, 2018

If I install Npcap (v0.99-r7) on Windows 10 x64 1709 and deselect the option "Automatically start the Npcap driver at boot time", my NIC disconnects on logon for well over 10 seconds, then reconnects. I've found that sitting there, staring at the network connection tray icon waiting for it to change isn't really my thing, especially because I only use Wireshark with Npcap only a few times a month.

@ltGuillaume

This comment has been minimized.

Show comment
Hide comment
@ltGuillaume

ltGuillaume Sep 24, 2018

As a comparison, I have checked if www.win10pcap.org behaved similarly when its driver startup is set to manual: no such thing.

ltGuillaume commented Sep 24, 2018

As a comparison, I have checked if www.win10pcap.org behaved similarly when its driver startup is set to manual: no such thing.

@dmiller-nmap

This comment has been minimized.

Show comment
Hide comment
@dmiller-nmap

dmiller-nmap Sep 24, 2018

Thanks for this bug report! Npcap installs itself as a filter driver. If the service is not started at the time the network stack starts, it pauses to see if the service will start. Obviously, this is not ideal, but most of our users install with auto-start enabled. I will check to see if there is a cleaner way to support on-demand starting of the driver without interrupting the network stack.

Win10Pcap doesn't do this because it is an intermediate driver, not a filter driver. This is a more direct translation of the old WinPcap way of doing things, but fails to take advantage of the speed benefits of Ndis 6 filter drivers like Npcap.

dmiller-nmap commented Sep 24, 2018

Thanks for this bug report! Npcap installs itself as a filter driver. If the service is not started at the time the network stack starts, it pauses to see if the service will start. Obviously, this is not ideal, but most of our users install with auto-start enabled. I will check to see if there is a cleaner way to support on-demand starting of the driver without interrupting the network stack.

Win10Pcap doesn't do this because it is an intermediate driver, not a filter driver. This is a more direct translation of the old WinPcap way of doing things, but fails to take advantage of the speed benefits of Ndis 6 filter drivers like Npcap.

@ltGuillaume

This comment has been minimized.

Show comment
Hide comment
@ltGuillaume

ltGuillaume Sep 24, 2018

Yeah, it took me a while to find out it was Npcap, too, as I had made a whole batch of changes to my system in one go. Since it's a setting in the setup, I figured it couldn't do such harm. I recommend taking it out of the setup procedure, until it's fixed, if it can be.

Thanks for the explanation. If you have the time to explain, I'd like to know if there are downsides/side effects of leaving the filter driver running, even though I rarely use it (so it doesn't feel right, that's for sure). As such, speed is not really an issue for me, and I'm inclined to keep using Win10Pcap until Npcap can actually be started on demand, too.

ltGuillaume commented Sep 24, 2018

Yeah, it took me a while to find out it was Npcap, too, as I had made a whole batch of changes to my system in one go. Since it's a setting in the setup, I figured it couldn't do such harm. I recommend taking it out of the setup procedure, until it's fixed, if it can be.

Thanks for the explanation. If you have the time to explain, I'd like to know if there are downsides/side effects of leaving the filter driver running, even though I rarely use it (so it doesn't feel right, that's for sure). As such, speed is not really an issue for me, and I'm inclined to keep using Win10Pcap until Npcap can actually be started on demand, too.

@dmiller-nmap

This comment has been minimized.

Show comment
Hide comment
@dmiller-nmap

dmiller-nmap Oct 11, 2018

After further review, I am unable to duplicate this issue. There may be something wrong with your Npcap installation, so here's a procedure to make the cleanest installation possible:

  1. Uninstall WinPcap and Win10pcap if they are installed.
  2. Run the FixInstall.bat script from C:\Program Files\Npcap\ as Administrator (right click -> Run as Administrator).
  3. Uninstall Npcap.
  4. Reboot.
  5. Install Npcap with your chosen options. See below for recommended installation options.

Here are my recommendations for installation options to limit any performance impact. We test Npcap on very limited-resource virtual machines and have not noticed any measurable impact, but your situation may be different:

  1. Allow Npcap to automatically start at boot time. NDIS 6 LWF filter drivers are very lightweight (hence the name) and unless something is actively using it to capture traffic, it has negligible performance impact. All network packets are passed through immediately without delay.
  2. Install Npcap without the WinPcap API-compatible mode option. This will reduce the number of filter drivers and services running, and compatibility mode is unnecessary for Wireshark or Nmap.
  3. Install Npcap without raw 802.11 WiFi frame capture if you do not need it. This also reduces the number of filter drivers required to be installed.

dmiller-nmap commented Oct 11, 2018

After further review, I am unable to duplicate this issue. There may be something wrong with your Npcap installation, so here's a procedure to make the cleanest installation possible:

  1. Uninstall WinPcap and Win10pcap if they are installed.
  2. Run the FixInstall.bat script from C:\Program Files\Npcap\ as Administrator (right click -> Run as Administrator).
  3. Uninstall Npcap.
  4. Reboot.
  5. Install Npcap with your chosen options. See below for recommended installation options.

Here are my recommendations for installation options to limit any performance impact. We test Npcap on very limited-resource virtual machines and have not noticed any measurable impact, but your situation may be different:

  1. Allow Npcap to automatically start at boot time. NDIS 6 LWF filter drivers are very lightweight (hence the name) and unless something is actively using it to capture traffic, it has negligible performance impact. All network packets are passed through immediately without delay.
  2. Install Npcap without the WinPcap API-compatible mode option. This will reduce the number of filter drivers and services running, and compatibility mode is unnecessary for Wireshark or Nmap.
  3. Install Npcap without raw 802.11 WiFi frame capture if you do not need it. This also reduces the number of filter drivers required to be installed.
@ltGuillaume

This comment has been minimized.

Show comment
Hide comment
@ltGuillaume

ltGuillaume Oct 15, 2018

Then I'm guessing it's got something to do with the specific version of Windows I'm running, or the hardware combination. Either way, it's reproducible for me.

ltGuillaume commented Oct 15, 2018

Then I'm guessing it's got something to do with the specific version of Windows I'm running, or the hardware combination. Either way, it's reproducible for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment