New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUG Npcap: icmp[0]==3 causes pcap readers to not pick up icmp replies. #1406

NicholasKChoi opened this Issue Dec 6, 2018 · 3 comments


None yet
3 participants

NicholasKChoi commented Dec 6, 2018


I am running the version of npcap: 0.99-r7

I am running on the Windows Datacenter in Amazon:

  • the ami: ami-0261fc597bed67b34
  • the windows os info: Build#=14393.2608; Version=1607

I've also done the following:

  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)

Expected Behavior

When running wireshark to capture on the main interface with the filter: not (icmp[0]=3), I expect to capture both the icmp request and reply traffic.

Current Behavior

I only see the request traffic. The reply ICMP traffic does not show up at all. I have confirmed this both with Wireshark (which uses Npcap), and with a custom program I wrote that uses the Npcap Driver as well.

Steps to Reproduce

  1. Launch a Windows Datacenter 2016 in Amazon us-west-1 region.
  2. Install Npcap and Wireshark using the browser of your choice.
  3. Run Wireshark to capture on the Main interface with the filter not (icmp[0]=3).
  4. Generate ICMP traffic (I used the powershell command: ping -l 100 -n 10000).
  5. Add the Display Filter to Wireshark: icmp.
  6. You will only see the ICMP request traffic.

This comment has been minimized.

dmiller-nmap commented Dec 6, 2018

Thanks for this very detailed bug report. I've done a test on my own system here and was unable to reproduce, but of course it's a very different system. Still, the capture filter compilation and matching should be the same for both, so I'm guessing that the problem is not related to the capture filter. To confirm and narrow down the problem, please provide the following information:

  1. Does the ping utility indicate that a response is being received?
  2. Do you see the response in Wireshark if you do not set a capture filter? If so, please provide hex of the packet from the beginning of the IP header through the ICMP header.
  3. Do you see the response in Wireshark if you set a capture filter of icmp?
  4. Is the ping utility definitely using IPv4? There is no chance that ICMPv6 could be affecting things?
  5. Please provide output of DiagReport on your system.

Just to clarify, I understand that this packet filter is intended to filter out ICMP Destination Unreachable messages, is that correct?

@dmiller-nmap dmiller-nmap added the Npcap label Dec 6, 2018


This comment has been minimized.

guyharris commented Dec 8, 2018

  1. Does this work if you do the capturing on some flavor of UN*X (Linux, macOS, Solaris, *BSD, etc.)?

This comment has been minimized.

NicholasKChoi commented Dec 10, 2018

  1. The ping utility indicates the response is being received. And using tshark with only an -f icmp filter shows both the reply & request.
  2. I have the pcap available now, I can provide the hex later on in the day.
  3. I do.
  4. the ping is definitely using ipv4.
  5. I'll provide this as soon as I can.
  6. This same code and the same tools works on flavors of Unix etc. No issues. there.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment