Npcap strange behavior with WireShark #1789

Open
jeffrimko opened this issue Oct 17, 2019 · 8 comments

@jeffrimko jeffrimko commented Oct 17, 2019

Been seeing strange behavior with Wireshark and the Npcap Loopback Adapter. After starting a Wireshark capture on that interface, websites no longer load in a browser. For example, trying to browse to Wikipedia might result in a "Can’t reach this page" in Microsoft Edge or an ERR_CONNECTION_ABORTED/ERR_CONNECTION_RESET in Chrome. This issue will continue after the capture has stopped until I manually stop Npcap in a terminal using "net stop npcap".

It's possible that just having Npcap running is the issue but the issue seems to consistently happen after starting a Wireshark capture.

I added a screen capture of the issue here: https://youtu.be/eUuBBvwRU0g

Windows 10 version 1803
Wireshark version 3.0.5 (v3.0.5-0-g752a55954770)
Npcap version 0.9983
DiagReport-20191017-164533.txt

@dmiller-nmap dmiller-nmap commented Oct 23, 2019

Since you have Npcap 0.9983 installed, you no longer need the Npcap Loopback Adapter in order to do loopback capture. This dummy adapter was needed in previous releases, but had an unfortunate side effect of causing routing problems especially on systems with multiple network adapters or VPNs. The only reason it is left in is for legacy support for certain programs that need it, primarily Nmap 7.80 and earlier. Try reinstalling Npcap and un-checking the "Legacy loopback" installation option. If this does not solve the problem, we will see what remains to be done.

@jeffrimko jeffrimko commented Oct 24, 2019

Thanks for the response! I tried the following but am still seeing the issue:

  • Uninstalled Nmap 7.7.
  • Uninstalled Npcap 0.9983.
  • Restarted PC.
  • Confirmed that Wireshark captures on other interfaces did not show the reported weird behavior.
  • Reinstalled Npcap 0.9983 (left all 4 installation option boxes unchecked, including the legacy loopback support box).
  • Restarted PC.
  • Tried Wireshark capture on "Adapter for loopback traffic capture".

A few observations:

  • When Npcap is installed, Wireshark will not properly load all of the capture interfaces unless Npcap is running.
  • Stopping Npcap after the interfaces load and then attempting to start a capture on one results in an error message: The capture session could not be initiated on interface '\Device\NPF_{9701151C-7BE6-470A-9E0D-67ECF4EFA37D}' (Error opening adapter: The system cannot find the device specified. (20)).
  • The issue happens even when capturing on a non-loopback interface. Note that Wireshark requires Npcap to be running to even start a capture on any interface. This might not be the case, might be due to having started a loopback capture first then switching adapters.

@dmiller-nmap dmiller-nmap commented Oct 24, 2019

Yes, Wireshark requires Npcap to be running in order to do capture because Npcap is what does the capturing, so your observations are as expected. I will look into this and see if I can reproduce your issue here.

@dmiller-nmap dmiller-nmap commented Oct 24, 2019

I have not been able to reproduce this issue, so I have a few more diagnostic questions or suggestions:

  1. Is your VPN connected when you experience this issue? If so, does the issue persist if the VPN is not disconnected?
  2. Have you experienced the issue on any other systems, and if so, what do those have in common with this one?
  3. You may have leftover Npcap Loopback adapters from previous installations of Npcap. Remove them according to #1634 and try again.
  4. There may be a conflict or problem with Citrix's Deterministic Network Enhancer (DNE), so removing that or disabling it may fix your problem. Let us know if this is the case.

@jeffrimko jeffrimko commented Oct 24, 2019

Answering your questions in order:

  1. The issue shows up both connected and disconnected to the VPN.
  2. Think issue has been seen on another work PC but I can't confirm at the moment. Could be a weird interaction with some company policy software, not sure.
  3. Will do. Very certain there were older versions of Npcap installed on this PC previously.
  4. Okay, I'm not familiar with DNE but will look into it.

Big thanks again and I'll report back with any new info soon!

@jeffrimko jeffrimko commented Oct 28, 2019

Okay, some updates related to the previous list of questions:

  1. I didn't find any leftover Npcap Loopback adapters from previous installs.
  2. I'm still not sure what DNE is but suspect it's not a factor here.

The issue is definitely a direct result of the "C:\Windows\System32\Npcap\wpcap.dll" file. When I move this file to a temporary location, the issue goes away and the loopback adapter does not show up in Wireshark. When this file is in its normal location, the issue occurs immediately after starting Wireshark and it loads the list of interfaces (i.e. no need to start a capture).

I did notice some strange Wireshark traffic graphs with npcap enabled and disabled (by moving the wpcap.dll):
image

Maybe there is some strange interaction with Hyper-V (this is Windows 10 Pro, I forgot to mention that previously, sorry). I might try to temporarily disable Hyper-V later using these instructions found on StackOverflow. I cannot permanently disable Hyper-V since Docker is needed on this machine.

@guyharris guyharris commented Nov 1, 2019

If Npcap is disabled in the second screenshot, presumably WinPcap is being used - some capture driver, packet.dll for that driver, and capture DLL for Wireshark to use is present.
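
Added example, not part of the thread or of the Npcap project: a PowerShell inventory of the capture components discussed above, showing which capture drivers are installed, which wpcap.dll/Packet.dll copies exist, and which ones a running Wireshark has actually loaded. The `npf` driver name and the DLL locations directly under System32 are assumed WinPcap defaults; the `System32\Npcap` path is the one quoted in the thread.

```powershell
# Added example, not from the thread. Default install paths and driver names
# for Npcap and WinPcap are assumptions; adjust if your install differs.

# 1. Capture drivers: 'npcap' is the Npcap driver, 'npf' the WinPcap driver.
foreach ($name in 'npcap', 'npf') {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
    if ($drv) { "{0}: {1} ({2})" -f $name, $drv.State, $drv.PathName }
    else      { "{0}: not installed" -f $name }
}

# 2. Capture DLLs on disk. Npcap's native copies live under System32\Npcap;
#    copies directly in System32 are WinPcap or Npcap's WinPcap-compatible mode.
$dllPaths = @(
    "$env:SystemRoot\System32\Npcap\wpcap.dll",
    "$env:SystemRoot\System32\Npcap\Packet.dll",
    "$env:SystemRoot\System32\wpcap.dll",
    "$env:SystemRoot\System32\Packet.dll"
)
foreach ($path in $dllPaths) {
    if (Test-Path -LiteralPath $path) {
        $info = (Get-Item -LiteralPath $path).VersionInfo
        "{0}: {1} {2}" -f $path, $info.ProductName, $info.FileVersion
    } else {
        "{0}: absent" -f $path
    }
}

# 3. Which copies a running Wireshark process actually loaded.
Get-Process -Name Wireshark -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.ModuleName -in 'wpcap.dll', 'Packet.dll' } |
    Select-Object ModuleName, FileName,
        @{ Name = 'Version'; Expression = { $_.FileVersionInfo.FileVersion } }

# 4. Leftover legacy loopback adapters, including hidden ones.
Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -like '*Npcap Loopback*' } |
    Select-Object Name, InterfaceDescription, Status
```

Run it from a 64-bit PowerShell session with Wireshark open so step 3 can read the process's module list.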

@jeffrimko jeffrimko commented Nov 18, 2019

Quick update, I haven't investigated this much further recently. After some reading, was scared away from disabling Hyper-V since some people report issues afterwards. If anyone has advice on how to debug this, please give a holler.
