wireshark lost traffic capture to loopback after upgraded npcap 0.99-r5

[timeregained]

Recently I have upgraded npcap to 0.99-r5, however , wireshark cannot capture the loopback traffic anymore, I have downgraded npcap to the version 0.99-r2 which is distributed with nmap 7.70 and it works.

Log of DiagReport and NPFInstall have been uploaded as following:

DiagReport-20180511-091823.txt
NPFInstall.log

[PavelSann]

Same problem.
Windows 10 1803.
At 0.99-r5, the loopback capture worked.

[sspring]

Same problem.
0.99-r3 and later version doesn't work on the loopback traffic.
I suggest change the title to wireshark lost traffic capture to loopback since npcap 0.99-r3

[dmiller-nmap]

Thanks for the bug report. The usual cause of this problem is installing Npcap in WinPcap API-compatible mode, which makes Wireshark unable to capture loopback traffic. However, @timeregained's DiagReport output does not seem to show that configuration. We will investigate further.

@timeregained Does the problem happen if you follow this procedure to completely remove all Npcap Loopback Adapters on your system? https://github.com/nmap/nmap/issues/923#issuecomment-402258775

[timeregained]

@dmiller-nmap Yes, the problem is still there after completely removing all Npcap Loopback Adapters on my system. By the way, the npcap is installed in WinPcap API-compatible mode and I still need this mode because some apps still depend on WinPcap.

[dmiller-nmap]

@timeregained Thanks for the reply. I would usually close this at this point, since it's a known issue that Wireshark does not use Npcap properly when WinPcap API-compatible mode is installed, but since you say that 0.99-r2 did work, I'll spend a bit more time investigating.

[dmiller-nmap]

Ok, this issue is due to an incomplete fix for nmap/nmap#1165. We made sure that when NPFInstall.exe knew that WinPcap mode was installed, it would also record the Loopback Adapter ID in the "npf" service registry key. But the installer for 0.99-r3 through 0.99-r6 runs NPFInstall.exe -il before the WinPcapCompatible registry key was written, so it couldn't actually do this. We will reorder these operations in the next release, but for now you can fix it by running NPFInstall.exe -ul followed by NPFInstall.exe -il, or by running the new FixInstall.bat script as administrator.

[PavelSann]

FixInstall.bat does not help.

C:\Program Files\Npcap>FixInstall.bat
find: 'Dot11Support': No such file or directory
Dot11Support =
find: 'LoopbackSupport': No such file or directory
LoopbackSupport =
find: 'WinPcapCompatible': No such file or directory
WinPcapCompatible =
find: '(Default)': No such file or directory
find: '(Default)': No such file or directory
"Unable to find or fix your installation"

[dmiller-nmap]

@ExIngus Can you provide output from DiagReport.bat and reg query "HKLM\SYSTEM\CurrentControlSet\Services\npcap\Parameters" /v "LoopbackSupport"?

[PavelSann]

LoopbackSupport REG_DWORD 0x1

DiagReport-20180706-185611.txt

[dmiller-nmap]

@ExIngus I still can't tell what's going wrong there. Delete the @echo off from the top of FixInstall.bat and re-run it, copying the output of the script, thanks.