Npcap Bug Report #1671

Open
mesteele101 opened this issue Jul 26, 2019 · 2 comments

Comments

@mesteele101
commented Jul 26, 2019

This first half is on Windows 7 using Npcap 0.9881. Installing I got no errors and the service started as shown below.

Npcap 0.9881 is not showing any available NICs. Now rolling back to 0.996 and I have listed the results of that below.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>d:\winids\snort\bin\snort.exe -W

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.13-WIN32 GRE (Build 15013)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------

C:\Windows\system32>

C:\Windows\system32>sc query npcap

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\system32>

The below is Npcap 0.996 and as you can see it is listing the available NIC. Apparently 0.9981 is broken :(

C:\Windows\system32>d:\winids\snort\bin\snort.exe -W

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.13-WIN32 GRE (Build 15013)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reser
ved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using PCRE version: 8.10 2010-06-25
           Using ZLIB version: 1.2.3

Index   Physical Address        IP Address      Device Name     Description
-----   ----------------        ----------      -----------     -----------
    1   00:0C:29:A5:39:2E       0000:0000:fe80:0000:0000:0000:094c:30b5 \Device\NPF_{A5EB8922-B7D4-49A8-A30D-E0C8863F1B2D}      Intel(R) PRO/1000 MT Network Connection

C:\Windows\system32>

C:\Windows\system32>sc query npcap

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Windows\system32>
@dmiller-nmap


commented Jul 29, 2019

Thanks for the report. Snort appears to not be built to target Npcap, so you must have Npcap installed in WinPcap API-compatible mode. What is the output of sc query npf? If it does not show that the service is installed, then reinstall Npcap and select the WinPcap API-compatible option.

If that does not fix the problem, it could be a version mismatch between the driver and the DLLs. Does Snort ship with its own Packet.dll or wpcap.dll? If so, this could be why it's not working with Npcap. The official line ever since WinPcap has been that the interface between Packet.dll and the NPF driver is opaque and subject to change without notice; in other words, the version of Packet.dll and the NPF driver (npcap driver in this case) must match exactly.

Here are some diagnostic steps to determine if this is the case:

  1. Try listing adapters with different software such as an up-to-date Wireshark or Nmap that is intended to be used with Npcap.
  2. Delete or rename any wpcap.dll or Packet.dll in the Snort installation directory so that it is forced to use the system-installed DLLs that Npcap installed.

Regardless, providing output from DiagReport could be helpful in diagnosing any issues.
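
The checks suggested in the comment above, as an added PowerShell example that is not part of the original thread or of Npcap's own tooling. It assumes that WinPcap API-compatible mode places wpcap.dll and Packet.dll in System32 (and SysWOW64 on 64-bit Windows), and it uses the system DLL version as a stand-in for the installed driver version; the Snort path is the one from the report.

```powershell
# Added example: report the capture driver services and find application-local
# wpcap.dll / Packet.dll copies that differ from the system-installed ones.
# Assumption: the system copies live in System32 / SysWOW64 (see lead-in).
param(
    [string]$AppDir = 'D:\winids\snort\bin'   # Snort directory from the report
)

$dllNames   = 'wpcap.dll', 'Packet.dll'
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
              Where-Object { Test-Path $_ }

function Get-DllVersion([string]$Path) {
    # Returns the file version string, or $null when the file does not exist.
    if (Test-Path $Path) { (Get-Item $Path).VersionInfo.FileVersion } else { $null }
}

# 1. Driver services named in the thread: npcap, plus npf for WinPcap-compatible mode.
foreach ($svc in 'npcap', 'npf') {
    $out = & sc.exe query $svc
    if ($LASTEXITCODE -eq 0) {
        $state = ($out | Select-String 'STATE' | Select-Object -First 1).Line.Trim()
        "{0,-6} {1}" -f $svc, $state
    } else {
        "{0,-6} not installed or query failed (sc exit code {1})" -f $svc, $LASTEXITCODE
    }
}

# 2. DLL copies. The application directory is searched before the system
#    directories, so a bundled copy takes precedence over the one Npcap installed.
foreach ($name in $dllNames) {
    $localVer = Get-DllVersion (Join-Path $AppDir $name)
    foreach ($dir in $systemDirs) {
        $sysVer  = Get-DllVersion (Join-Path $dir $name)
        $verdict =
            if     (-not $localVer)         { 'no local copy, system DLL is used' }
            elseif (-not $sysVer)           { 'local copy only, no system DLL here' }
            elseif ($localVer -eq $sysVer)  { 'local copy matches system DLL' }
            else                            { 'MISMATCH: local copy shadows system DLL' }
        New-Object PSObject -Property @{
            Dll = $name; SystemDir = $dir
            Local = $localVer; System = $sysVer; Verdict = $verdict
        } | Select-Object Dll, SystemDir, Local, System, Verdict
    }
}
```

A MISMATCH row identifies the file to rename, as in diagnostic step 2.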

@mesteele101


commented Jul 29, 2019
