[Winpcap-bugs] Possible WinPcap 4.0 beta 3 and Kerio Firewall driver incompatibility?
Gianluca Varenni
gianluca.varenni at cacetech.com
Wed Jan 10 02:51:25 GMT 2007
----- Original Message -----
From: "Ian" <ianc.uk at gmail.com>
To: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Cc: <winpcap-bugs at winpcap.org>
Sent: Tuesday, January 09, 2007 6:07 PM
Subject: Re: [Winpcap-bugs] Possible WinPcap 4.0 beta 3 and Kerio Firewall driver incompatibility?
> On 1/9/07, Gianluca Varenni <gianluca.varenni at cacetech.com> wrote:
>> ----- Original Message -----
>> From: "Ian" <ianc.uk at gmail.com>
>> To: <winpcap-bugs at winpcap.org>
>> Sent: Saturday, January 06, 2007 6:51 PM
>> Subject: [Winpcap-bugs] Possible WinPcap 4.0 beta 3 and Kerio Firewall driver incompatibility?
>>
>>
>> > I have a problem capturing in Wireshark 0.99.4 on a fully patched
>> > Windows XP Pro SP2 machine.
>> >
>> > I have tried the latest WinPcap beta 3 but the problem remains.
>> > Although WinDump seems able to capture successfully, when I try to
>> > capture with Wireshark I get a 50:50 chance of a hang when I start
>> > capturing. If the first capture works, the second (so far) has always
>> > failed. I have updated to the latest NIC drivers and that hasn't fixed
>> > the problem.
>> >
>> > The fact that WinDump works OK would seem to imply the problem lies
>> > somewhere within Wireshark. However, the fact that the whole machine
>> > freezes (mouse cursor stops moving, keyboard Caps Lock, Num Lock and
>> > Scroll Lock keys no longer toggle the LEDs, and the reset button is the
>> > only option) would seem to suggest that the problem in fact lies
>> > within a driver somewhere.
>> >
>> > I've posted on the Wireshark-dev list, and they seem to think it's a
>> > bug in WinPcap.
>> >
>> > I believe I have isolated it to a problem between WinPcap and my Kerio
>> > firewall, as once I disabled the Kerio firewall service and driver the
>> > hang no longer occurs. However, I have been using the same version of
>> > Kerio (2.1.5) for the last three years, and I have used various
>> > versions of Ethereal/WinPcap during that time without any problems.
>> >
>> >
>>
>>
>> It definitely seems an incompatibility with the Kerio firewall. And this is
>> not a surprise: there were incompatibilities between WinPcap and other
>> personal firewalls in the past; I think there is still a FAQ about that on
>> the WinPcap website. Is the Kerio personal firewall free?
>
> The version of Kerio firewall I am using is/was free, but it is an old
> version (before they added all the non-firewall type stuff like HTML
> filtering, etc.). Kerio firewall used to be known as Tiny Personal
> Firewall a few years ago. It now looks like it's been sold yet again
> and is now called Sunbelt Kerio Personal Firewall and is no longer
> free.
>
>>
>>
>> > I also have Cisco VPN 4.0.4 and Microsoft Virtual PC 2004 installed
>> > which both install networking drivers.
>> >
>> > I have attached the debug info produced by packet.dll. I'm a
>> > professional software developer so I have various debuggers available
>> > and I'm not afraid to use them ;-) although I've never done any low
>> > level device driver stuff before. However if someone thinks a debug
>> > session will be useful I'm happy to give it a try.
>>
>> Unfortunately debugging system freezes is not straightforward (it's
>> actually quite a pain).
>>
>> Is the machine a desktop? Is the keyboard attached through PS/2? If so,
>> there's a way to force a blue screen from the keyboard, and then process
>> the crash dump.
>
> Yes, the machine is a Windows XP Pro desktop system. It has a PS/2
> keyboard attached.
>
> I can generate a forced dump if you would like me to. What size crash
> dump should I do? A minidump so I can attach it for you to analyze,
> or a full dump that I can analyze and post the results?
>
>
I'd prefer a kernel dump that I can analyze. You enable the forced keyboard
crash by following the directions here:
http://psacake.com/web/jr.asp (there's an official MS KB for that, I cannot
find it now...)
When you have the kernel crash dump, can you please upload it here:
ftp://www.winpcap.org/pub/incoming
Thanks for the debugging!
Have a nice day
GV
>>
>> >
>> > The output from WinDump -D was
>> >
>> > C:\> WinDump -D
>> > 1.\Device\NPF_{E8415C47-0575-44E5-9C06-D19653D5F28E} (ASUSTeK/Broadcom
>> > 440x 10/100 Integrated Controller (Microsoft's Packet Scheduler) )
>> >
>> >
>> > There was a second adapter listed at one point in time (some Generic
>> > dialup thing, I believe) but I selected the Hide Interface option on it
>>
>> Hide Interface where? There's no such thing in WinPcap. The only way to
>> have the Generic dialup adapter disappear is to remove the NetMon
>> component from the system.
>
> It was an option on the Interfaces dialog within Wireshark. I thought
> NetMon was only an option on server machines and wasn't available on
> workstation machines like XP?
>
>
>>
>> Have a nice day
>> GV
>>
>> > at some point whilst trying to investigate this problem and i've never
>> > seen it listed since.
>> >
>> > Regards
>> > Ian
>> >
>>
>>
>> > _______________________________________________
>> > Winpcap-bugs mailing list
>> > Winpcap-bugs at winpcap.org
>> > https://www.winpcap.org/mailman/listinfo/winpcap-bugs
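The keyboard-triggered crash and kernel dump that GV asks Ian for above can be set up from the registry on a Windows XP desktop with a PS/2 keyboard. The batch script below is an added example, not part of the original thread and not WinPcap or Kerio code. The two registry values it sets are the documented ones (CrashOnCtrlScroll under the i8042prt PS/2 port driver, and CrashDumpEnabled under CrashControl, where 2 selects a kernel memory dump); the dump-file path and the Overwrite value are shown with their usual defaults, and the WinDbg command at the end is the assumed first step of the analysis, not something the thread prescribes.

```batch
@echo off
rem Added example (not from the WinPcap thread): configure Windows XP so
rem that holding Right Ctrl and pressing Scroll Lock twice forces bugcheck
rem 0xE2 (MANUALLY_INITIATED_CRASH) and writes a kernel memory dump.
rem Run from an administrator command prompt; a reboot is required before
rem the setting takes effect. The i8042prt key applies to PS/2 keyboards
rem only, which is why the PS/2 question was asked in the thread.

rem 1. Enable the keyboard-initiated crash in the PS/2 port driver.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v CrashOnCtrlScroll /t REG_DWORD /d 1 /f

rem 2. Select a kernel memory dump (1 = complete, 2 = kernel, 3 = small),
rem    keep the default dump location, and let a new dump overwrite an old one.
rem    A paging file on the boot volume is needed for the dump to be written.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v DumpFile /t REG_EXPAND_SZ /d "%%SystemRoot%%\MEMORY.DMP" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v Overwrite /t REG_DWORD /d 1 /f

rem 3. Read the values back so they can be checked before rebooting.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v CrashOnCtrlScroll
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"

echo Reboot, reproduce the hang, then hold Right Ctrl and press Scroll Lock twice.
echo Open %SystemRoot%\MEMORY.DMP in WinDbg and run: !analyze -v
```

The crash is raised from the keyboard driver's interrupt handling, so it still fires when the desktop is frozen as Ian describes (dead mouse, dead lock-key LEDs), but it cannot help if the machine is wedged with interrupts masked. The resulting dump names the driver that was on the stack at the moment of the hang, which is the evidence needed to decide between the WinPcap NPF driver and the Kerio firewall driver.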