Npcap 0.9982 Failing! #1677

Open
mesteele101 opened this issue Aug 5, 2019 · 10 comments


@mesteele101

commented Aug 5, 2019

Npcap for Windows is not working with Snort. The last version that worked correctly with Snort was 0.996...

Problem was previously reported. To test just install Npcap and Snort, then try and list available adaptors using snort -W. The list is empty :(

@mesteele101 mesteele101 changed the title Npcap 0.9992 Failing! Npcap 0.9982 Failing! Aug 5, 2019

@dmiller-nmap

commented Aug 5, 2019

Can you please point us to the code within snort that uses Npcap to list adapters? We changed some internal APIs after 0.996, but they were not published APIs and are not guaranteed to be stable.

@mesteele101

Author

commented Aug 5, 2019

@yyjdelete

commented Aug 8, 2019

@mesteele101
Maybe you can replace Packet.dll and wpcap.dll in Snort\bin with the ones from C:\Windows\SysWOW64\Npcap?

@mesteele101

Author

commented Aug 8, 2019

@yyjdelete

commented Aug 8, 2019

@mesteele101
It works (WanPacket.dll and npptools.dll are no longer needed)

I think it's described in https://github.com/nmap/npcap/releases/tag/v0.9981 .

Redefine the I/O control codes used by Npcap using the CTL_CODE macro to
ensure proper access control and consistent parameter passing. This is not a
published API, but the change will require that Packet.DLL and the npcap
driver are the same version.

BTW:
@dmiller-nmap
It seems there is another version of Packet.dll/wpcap.dll from mingw32/64-wpcap, which may be used to compile cross-platform apps and which may also not work.
https://www.google.com/search?q=mingw64-wpcap
https://github.com/search?q=mingw64-wpcap&type=Code

@mesteele101

Author

commented Aug 8, 2019

@mesteele101

Author

commented Aug 8, 2019

@dmiller-nmap

commented Aug 8, 2019

Yes, if Npcap is installed, it will have its own DLLs installed. However, in order to avoid conflicting with WinPcap, which uses the same DLL names, we elected to install its DLLs in a subdirectory of System32. Therefore, software that wishes to use Npcap should delay-load the DLL and add that subdirectory to the DLL search path before loading. This is the preferred method to avoid DLL-hell that comes with shipping your own copies of the DLL, which is what caused the breakage when the version became unsynchronized with the version of the Npcap driver installed.

If Npcap is installed in WinPcap API-compatible mode, software can just load wpcap.dll or packet.dll directly without modifying the search path, since they will be overwritten with the Npcap versions. This is probably how Snort is written already. Note that not all the new features of Npcap are supported in WinPcap API-compatible mode, even if they may work in current versions.
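
Added example, not part of the thread and not code from Snort or the Npcap project: one way to add the Npcap subdirectory to the DLL search path before a delay-loaded wpcap.dll is first used, as the comment above describes. The function names `npcap_dir_from_sysdir` and `add_npcap_to_dll_search_path` are hypothetical; the directory name `Npcap` is taken from the path quoted earlier in the thread.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: build "<system dir>\Npcap". Returns 0 on success, -1 if
 * the input is empty or the result does not fit (never use a truncated path). */
int npcap_dir_from_sysdir(const char *sysdir, char *out, size_t outlen)
{
    size_t n = strlen(sysdir);
    int w;
    /* Drop trailing separators so "C:\" does not turn into "C:\\Npcap". */
    while (n > 0 && (sysdir[n - 1] == '\\' || sysdir[n - 1] == '/'))
        n--;
    if (n == 0)
        return -1;
    w = snprintf(out, outlen, "%.*s\\Npcap", (int)n, sysdir);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Call once before the first pcap_* call. With wpcap.dll delay-loaded
 * (MSVC linker: /DELAYLOAD:wpcap.dll plus delayimp.lib) the DLL is resolved
 * at that first call, after the search path has been extended. */
int add_npcap_to_dll_search_path(void)
{
#ifdef _WIN32
    char sysdir[MAX_PATH], dir[MAX_PATH + 8];
    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (len == 0 || len >= sizeof sysdir)
        return -1;
    if (npcap_dir_from_sysdir(sysdir, dir, sizeof dir) != 0)
        return -1;
    return SetDllDirectoryA(dir) ? 0 : -1;
#else
    return -1; /* Npcap exists only on Windows. */
#endif
}

int main(void)
{
    if (add_npcap_to_dll_search_path() != 0) {
        fprintf(stderr, "cannot add the Npcap directory to the DLL search path\n");
        return 1;
    }
    /* pcap_findalldevs() and the rest of the pcap API can be used from here. */
    return 0;
}
```

The application's own directory is still searched before the directory passed to `SetDllDirectory`, so a Packet.dll or wpcap.dll shipped beside the executable keeps taking precedence until it is removed.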

@dmiller-nmap

commented Aug 8, 2019

@yyjdelete Thanks for the analysis. I'm not familiar with the mingw build, but we've known for a while that statically-built stuff or things shipping their own DLLs might be broken by some of the changes we're making. This is partly why we keep putting off the Npcap 1.0 release: we want to have a stable API that won't break things like this, but there are just too many great changes we want to make before then.

@mesteele101

Author

commented Aug 8, 2019
