Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature
Hi Pascal, I am not very familiar about dialup/PPP interfaces, perhaps you mean capturing on adapters like below? WAN Miniport (SSTP) WAN Miniport (IPv6) WAN Miniport (IP) WAN Miniport (L2TP) WAN Miniport (PPPOE) WAN Miniport (PPTP) WAN Miniport (Network Monitor) WAN Miniport (IKEv2) These adapters are listed on my machine, theoretically should be able to be opened by Npcap driver. Cheers, Yang On Wed, Jul 15, 2015 at 3:16 AM, Pascal Quantin wrote: > > > 2015-07-11 11:15 GMT+02:00 Yang Luo : > >> Hi list, >> >> In order not to diverge with WinPcap interfaces, I have made a "WinPcap >> Mode" for Npcap, it uses the same system32 directory to put DLLs and has >> the same "npf" service and driver name. So it can be directly used in >> Wireshark without any patch. >> >> Another news is that I have finished Windows loopback packet capture >> feature in Npcap, Npcap will install an adapter named "Npcap Loopback >> Adapter". And I can see the loopback traffic using Wireshark now (See the >> attached pic). It seems to still have problems, like the "(no response >> found!)" in the ICMPv6 packets (ping ::1) in the pic. I don't know why >> Wireshark shows like this, perhaps you guys can provide me a clue. >> >> The latest Npcap installer is: >> https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.01.exe >> >> I have tested this version Npcap under Wireshark 1.12.6 x64, in Windows >> 8.1 x64 and Windows Server 2016 TP2. >> >> Notice: You need to try it under Win7 and later, and no need to change >> the installation options, just click the "Next"s. Npcap installed in >> "WinPcap Mode" is exclusive with WinPcap, so you must uninstall WinPcap >> first (installer will prompt you this). >> >> The README is: >> https://github.com/nmap/npcap >> >> The implementation internal about loopback traffic feature is: >> http://seclists.org/nmap-dev/2015/q3/35 >> >> >> Cheers, >> Yang >> > > Hi Yang, > > I just gave a quick try to Npcap 0.0.1 on my Windows 7 x64 box and it > seems to work pretty well. Congratulations and thanks for your work! > Any chance to add support for dialup / PPP interfaces? This is one of the > WinPcap feature that got lost when transitioning from Windows XP to Vista ( > http://www.winpcap.org/misc/faq.htm#Q-5). > > Regards, > Pascal. > > ___ > Sent via:Wireshark-dev mailing list > Archives:https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-requ...@wireshark.org > ?subject=unsubscribe > ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Wireshark messages I don't want to see
On Tue, Jul 14, 2015 at 09:13:49PM +0200, Joerg Mayer wrote:
> On Tue, Jul 14, 2015 at 11:52:18AM -0700, Guy Harris wrote:
> > Line 1558 of epan/crypt/airpdcap.c is
> >
> > if (ctx->sa[ctx->first_free_index].used) {
> >
> > in AirPDcapStoreSa(). It was assuming that ctx->first_free_index would be
> > within the bounds of the array, which isn't guaranteed (what if there *are*
> > no free indices?); I've added a bounds check in
> > 4f1b8d74338ca2a6ded8498e9d87cbc3294454c0.
>
> This was on Linux (which has AIRPCAP disabled) and with only 2 entries total
> (1x wpa, 1x wpa2)
With current git head all the messages are gone.
Many thanks!
Jörg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___
Sent via:Wireshark-dev mailing list
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Npcap 0.01 call for test about Windows loopback traffic capture feature
2015-07-11 11:15 GMT+02:00 Yang Luo : > Hi list, > > In order not to diverge with WinPcap interfaces, I have made a "WinPcap > Mode" for Npcap, it uses the same system32 directory to put DLLs and has > the same "npf" service and driver name. So it can be directly used in > Wireshark without any patch. > > Another news is that I have finished Windows loopback packet capture > feature in Npcap, Npcap will install an adapter named "Npcap Loopback > Adapter". And I can see the loopback traffic using Wireshark now (See the > attached pic). It seems to still have problems, like the "(no response > found!)" in the ICMPv6 packets (ping ::1) in the pic. I don't know why > Wireshark shows like this, perhaps you guys can provide me a clue. > > The latest Npcap installer is: > https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.01.exe > > I have tested this version Npcap under Wireshark 1.12.6 x64, in Windows > 8.1 x64 and Windows Server 2016 TP2. > > Notice: You need to try it under Win7 and later, and no need to change the > installation options, just click the "Next"s. Npcap installed in "WinPcap > Mode" is exclusive with WinPcap, so you must uninstall WinPcap first > (installer will prompt you this). > > The README is: > https://github.com/nmap/npcap > > The implementation internal about loopback traffic feature is: > http://seclists.org/nmap-dev/2015/q3/35 > > > Cheers, > Yang > Hi Yang, I just gave a quick try to Npcap 0.0.1 on my Windows 7 x64 box and it seems to work pretty well. Congratulations and thanks for your work! Any chance to add support for dialup / PPP interfaces? This is one of the WinPcap feature that got lost when transitioning from Windows XP to Vista ( http://www.winpcap.org/misc/faq.htm#Q-5). Regards, Pascal. ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Wireshark messages I don't want to see
On Tue, Jul 14, 2015 at 11:52:18AM -0700, Guy Harris wrote:
> Line 1558 of epan/crypt/airpdcap.c is
>
> if (ctx->sa[ctx->first_free_index].used) {
>
> in AirPDcapStoreSa(). It was assuming that ctx->first_free_index would be
> within the bounds of the array, which isn't guaranteed (what if there *are*
> no free indices?); I've added a bounds check in
> 4f1b8d74338ca2a6ded8498e9d87cbc3294454c0.
This was on Linux (which has AIRPCAP disabled) and with only 2 entries total
(1x wpa, 1x wpa2)
Thanks!
Jörg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___
Sent via:Wireshark-dev mailing list
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Wireshark messages I don't want to see
On Jul 14, 2015, at 11:01 AM, Joerg Mayer wrote:
> ... but have no idea how to find or fix:
Line 158 of the current epan/address.h is the
memcpy(to_data, from->data, from->len);
in copy_address().
The fact that it didn't *crash* is probably because from->len is zero, so it
didn't actually try dereferencing either of the null pointers, and so that
to_data, which is allocated based on from->len, is null.
I guess what it should do is
if (from->len != 0)
memcpy(to_data, from->data, from->len);
as ANSI C makes no guarantees that memcpy(NULL, NULL, 0) is harmless. (In
practice, it's probably harmless in all implementations, but we shouldn't
assume that.)
I just now checked that in as change I0b3dc1541b52670d8fef459754c9494cfcc59e5d.
Line 1558 of epan/crypt/airpdcap.c is
if (ctx->sa[ctx->first_free_index].used) {
in AirPDcapStoreSa(). It was assuming that ctx->first_free_index would be
within the bounds of the array, which isn't guaranteed (what if there *are* no
free indices?); I've added a bounds check in
4f1b8d74338ca2a6ded8498e9d87cbc3294454c0.
___
Sent via:Wireshark-dev mailing list
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Wireshark messages I don't want to see
Hi Jörg, On Tue, Jul 14, 2015 at 08:01:38PM +0200, Joerg Mayer wrote: > ... but have no idea how to find or fix: > > jmayer@egg privat$ wireshark -r 6.pcap.gz > /home/jmayer/work/wireshark/git/epan/address.h:158:5: runtime error: null > pointer passed as argument 1, which is declared to never be null > /home/jmayer/work/wireshark/git/epan/address.h:158:5: runtime error: null > pointer passed as argument 2, which is declared to never be null > /home/jmayer/work/wireshark/git/epan/crypt/airpdcap.c:1558:16: runtime error: > index 256 out of bounds for type 'AIRPDCAP_SEC_ASSOCIATION [256]' These messages are from ubsan (Undefined Behavior Sanitizer). In order to debug such issues, I suggest setting these options: export UBSAN_OPTIONS=print_stacktrace=1 \ ASAN_OPTIONS=strip_path_prefix=/home/jmayer/work/wireshark/git/ \ It produces the stack trace of the origin and strips the common source prefix. See http://stackoverflow.com/q/30809022 if you want to use gdb to break on such reports. > git head as of 6-7 hours ago, qt only. > I loaded an 802.11 trace, added a wpa2 key and looked at the result. The trace > is probably confidential (will need to ask). > Please let me know what information is needed to get rid of the first 3 > messages > in particular. A stacktrace would be helpful :-) -- Kind regards, Peter Wu https://lekensteyn.nl ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector
On Jul 14, 2015, at 4:23 AM, mman...@netscape.net wrote: > I started looking at the long options, but I thought they also needed a > corresponding mnemonic letter as well. No - part of the whole reason for long options is to give you an escape when you run out of the subset of ASCII characters not used as shell metacharacters. In getopt_long(), they do need a numerical value for the switch statement, but the value returned by getopt_long() is an int, so there's plenty of room for numerical values that aren't char values. We just #define the additional values for long options that don't have matching short options. ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
[Wireshark-dev] Wireshark messages I don't want to see
... but have no idea how to find or fix: jmayer@egg privat$ wireshark -r 6.pcap.gz /home/jmayer/work/wireshark/git/epan/address.h:158:5: runtime error: null pointer passed as argument 1, which is declared to never be null /home/jmayer/work/wireshark/git/epan/address.h:158:5: runtime error: null pointer passed as argument 2, which is declared to never be null /home/jmayer/work/wireshark/git/epan/crypt/airpdcap.c:1558:16: runtime error: index 256 out of bounds for type 'AIRPDCAP_SEC_ASSOCIATION [256]' FIX: Auto-size each preference pane. FIX Add drag reordering to UAT dialog FIX: Auto-size each preference pane. FIX Add drag reordering to UAT dialog FIX: Auto-size each preference pane. FIX Add drag reordering to UAT dialog git head as of 6-7 hours ago, qt only. I loaded an 802.11 trace, added a wpa2 key and looked at the result. The trace is probably confidential (will need to ask). Please let me know what information is needed to get rid of the first 3 messages in particular. Thanks Jörg -- Joerg Mayer We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector
I started looking at the long options, but I thought they also needed a corresponding mnemonic letter as well. I'll take a look at what you put in Gerrit. Thanks for the head start! -Original Message- From: Jim Young To: Developer support list for Wireshark Sent: Tue, Jul 14, 2015 1:13 am Subject: Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector Hey Michael, Are there are any mnemonic option letters available? Would use of long options be the appropriate solution in this case? A few years ago I had a need for some additional options for a hacked up version of tshark. Because there were not enough sensible option letters available I ended up using long options. This worked out great. Most of these local long options were very specific to the problem at hand but I suspect the --disable-protocol option might be usable to others. I've just pushed patch to gerrit (9631) to add --disable-protocol option to tshark. Perhaps that patch might give you some ideas. Jim Y. From: " mman...@netscape.net" < mman...@netscape.net> Reply-To: " wireshark-dev@wireshark.org" < wireshark-dev@wireshark.org> Date: Monday, July 13, 2015 8:27 PM To: " wireshark-dev@wireshark.org" < wireshark-dev@wireshark.org> Subject: Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector Command-line option sounds good, but it will probably take longer to figure out the option letter (how many do we have left?) than the functionality that does the enable/disable. Suggestions for option "letter" to use? Have we gone beyond just letters yet? A letter for each enable and disable sounds a bit greedy, so many comma separate "short name" with 0 or 1 for enable/disable? I also agree that enable/disable protocols for the command line option should be ephemeral, however IF they are launched from Wireshark and then the Enabled Protocol dialog is launched and then saved, the command line option behavior will then be saved to the heuristic dissector file. TShark never has the opportunity to make the change permanent. This should obviously be a separate patch from either the dialog or the preference removal. I think the heuristic dialog is now ready for submittal (added the short name), but I have been hesitant about "dropping the hammer down" with the preference removal patch. Having the command-line support before the preferences are removed should at least ease the transition. -Original Message- From: Pascal Quantin < pascal.quan...@gmail.com> To: Developer support list for Wireshark < wireshark-dev@wireshark.org> Sent: Mon, Jul 13, 2015 10:03 am Subject: Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector Le 13 juil. 2015 3:32 PM, < mman...@netscape.net> a écrit : > > I thought somebody might complain about something like this, but I was more > focused on the Wireshark (packet) context menu, where I was less inclined to > make changes. This however seems like a more valid use case to consider. > My question back would be - what "string" should be used by tshark? The > "display name" can have some undesirable characters in it from a command > line perspective (ie probably require quotes), and the "internal" short name > string isn't otherwise exposed for users to learn what is. > Should the "short name" be exposed on the tabbed dialog so users can learn > it to apply it to a (new) tshark option? > I think we should expose the short name to users. Preferences have their internal name displayed in a pop-up. We could either do the same, or have the internal name explicitly displayed in a column. Should the enabled / disabled heuristic protocol given in the command line be ephemeral or persistent? I believe it should be the former, like the DL mapping value you can indicate manually in the command line and that does not get stored. Pascal. > > > -Original Message- > From: Pascal Quantin < pascal.quan...@gmail.com> > To: Developer support list for Wireshark < > wireshark-dev@wireshark.org> > Sent: Mon, Jul 13, 2015 9:21 am > Subject: Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector > > > > Le 13 juil. 2015 3:03 AM, < mman...@netscape.net> a écrit : > > > > With: > > > > https://code.wireshark.org/review/9508/ > > https://code.wireshark.org/review/9610/ > >
Re: [Wireshark-dev] Enabling/disabling ANY heuristic dissector
On Jul 13, 2015, at 5:27 PM, mman...@netscape.net wrote: > Command-line option sounds good, but it will probably take longer to figure > out the option letter (how many do we have left?) than the functionality that > does the enable/disable. Suggestions for option "letter" to use? Have we > gone beyond just letters yet? Yes, we have: $ man tshark TSHARK(1) The Wireshark Network Analyzer TSHARK(1) NAME tshark - Dump and analyze network traffic ... --capture-comment Add a capture comment to the output file. This option is only available if a new output file in pcapng format is created. Only one capture comment may be set per output file. ___ Sent via:Wireshark-dev mailing list Archives:https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
