Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolve Application Verifier stops in libpcap (wpcap.dll) included with Npcap 1.79 #742

Closed
fyodor opened this issue Jul 8, 2024 · 6 comments

Comments

@fyodor
Copy link
Member

fyodor commented Jul 8, 2024

One of our Npcap OEM redistribution customers reported:

Recently we tried to run our application (x64) with Application Verifier. With the "Networking" checks enabled, 'wpcap.dll' causes two verifier stops (https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier-stop-codes-networking). We would like to enable these checks during our automated test runs. It's currently not possible due to these verifier stops.

The first one is calling 'pcap_findalldevs_ex' causing "A Winsock API was called before a successful WSAStartup() or after a balancing successful WSACleanup() call was made". Application Verifier seems to be tracking these calls on a per module basis. Even if 'main()' had called 'WSAStartup' before calling 'pcap_findalldevs_ex', the stop message is still issued.

The second one happens after 'main()' had exited. When 'wpcap.dll' is unloading the Verifier issues "Illegal networking API called from DllMain".

They are using Npcap 1.79 and sent us some sample code to reproduce. Since wpcap.dll code is 100% Libpcap, we need to work with them on a fix. We upgraded to Libpcap 1.10.4 in Npcap Version 1.74. The two stops are probably related and likely related to the order of calls to WSAStartup() and WSACleanup().

@guyharris
Copy link
Contributor

Since wpcap.dll code is 100% Libpcap, we need to work with them on a fix.

Unless packet.dll is doing WinSock stuff, which it doesn't appear to be doing, this is probably completely a libpcap issue; you probably can't just move this issue to our repository (as they belong to different top-level projects), and you may not want to do so anyway in order to track the fix getting into Npcap, but you should file a libpcap issue giving the above information.

@fyodor
Copy link
Member Author

fyodor commented Jul 8, 2024

Thanks @guyharris. We always appreciate your support! I just created libpcap#1333 and we will update it as we discover more in our own testing/debugging of the issue.

dmiller-nmap pushed a commit that referenced this issue Jul 11, 2024
We were using WinSock for the htonl, htons, and getaddrinfo functions,
but doing so caused problems related to failure to call WSACleanup().
Rather than adding that, we replaced these functions with UCRT and ntdll
functions that avoid the need to call WSAStartup or WSACleanup.
@dmiller-nmap
Copy link
Contributor

We did have one issue in Packet.dll due to not calling WSACleanup(). Replacing the few WinSock utility functions we had been using with equivalent ntdll or UCRT functions was sufficient to resolve the issue. There is still a problem with wpcap.dll, so I'll put my notes on that upstream issue.

@guyharris
Copy link
Contributor

We did have one issue in Packet.dll due to not calling WSACleanup().

What issue was that?

@dmiller-nmap
Copy link
Contributor

Correction: Application Verifier issued Stop ID WSA_NOT_INITIALIZED due to Packet.dll calling getaddrinfo() without calling WSAStartup() first. The fix in 79e42f1 removes all WinSock functions, and WSAStartup() is not present.

@dmiller-nmap
Copy link
Contributor

Npcap 1.80 includes the fix to Packet.dll as well as a change to wpcap.dll to resolve this issue. We opened a pull request with upstream libpcap containing this change: the-tcpdump-group/libpcap#1351

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants