[Winpcap-bugs] Possible WinPcap 4.0 beta 3 and Kerio Firewall driver incompatibility?
Ian
ianc.uk at gmail.com
Sun Jan 7 02:51:36 GMT 2007
I have a problem capturing in Wireshark 0.99.4 on a fully patched
Windows XP Pro SP2 machine.

I have tried the latest WinPcap beta 3 but the problem remains.

Although WinDump seems able to capture successfully, when I try to
capture with Wireshark I get a 50:50 chance of a hang when I start
capturing. If the first capture works the second (so far) has always
failed. I have updated to the latest NIC drivers and that hasn't fixed
the problem.

The fact that WinDump works OK would seem to imply the problem lies
somewhere within Wireshark. However the fact that the whole machine
freezes (mouse cursor stops moving, keyboard CapsLock, NumLock,
ScrollLock keys no longer toggle the LEDs and the reset button is the
only option) would seem to suggest that the problem in fact lies
within a driver somewhere.

I've posted on the Wireshark-dev list, and they seem to think it's a
bug in WinPcap.

I believe I have isolated it to a problem between WinPcap and my Kerio
firewall, as once I disabled the Kerio firewall service and driver the
hang no longer occurs. However I have been using the same version of
Kerio (2.1.5) for the last three years, and I have used various
versions of Ethereal/WinPcap during that time without any problems.

I also have Cisco VPN 4.0.4 and Microsoft Virtual PC 2004 installed
which both install networking drivers.

I have attached the debug info produced by packet.dll. I'm a
professional software developer so I have various debuggers available
and I'm not afraid to use them ;-) although I've never done any low
level device driver stuff before. However if someone thinks a debug
session will be useful I'm happy to give it a try.

The output from WinDump -D was:

C:\> WinDump -D
1.\Device\NPF_{E8415C47-0575-44E5-9C06-D19653D5F28E} (ASUSTeK/Broadcom
440x 10/100 Integrated Controller (Microsoft's Packet Scheduler) )

There was a second adapter listed at one point in time (some Generic
dialup thing I believe) but I selected the Hide Interface option on it
at some point whilst trying to investigate this problem and I've never
seen it listed since.

Regards
Ian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WinPcap_debug.zip
Type: application/zip
Size: 10994 bytes
Desc: not available
Url : http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20070107/3b819d8d/WinPcap_debug.zip