[Winpcap-bugs] winpcap bug on some AWS instances

Jordan, Josh jojord at amazon.com
Fri Jul 31 04:51:30 UTC 2015


Hello,

This is Josh from Amazon Web Services. We're reaching out to you as we've recently been made aware of an issue with the WinPcap library causing BSOD's on Windows Server 2008 R2 when WinPcap is initialized. This affects Wireshark as well as several monitoring applications such as Alert Logic running on Windows.

We've narrowed the issue down on our platform to the following:

-Occurs specifically on Server 2008R2 and instance types with 16vCPUs (c3.4xlarge, r3.4xlarge, I2.4xlarge, etc.
-WinPcap version 4.1.3
-no custom network software installed in the OS. Windows firewall is enabled.
-happens with all AWS provided network drivers (Citrix, AWS PV, Intel)

>From our BSOD dump file analysis, it seems to be a bug in npf.sys where paged memory is being accessed at the wrong IRQL. We do not have the right symbols to map to the line where the crash is occurring though.
I've attached a minidump file as well as zipped versions of the output from windump.  On an instance type having the issue windump causes a BSOD. On other instance types the output is this:
1.\Device\NPF_{06B43C11-860E-4712-A69F-A721B7C39664} (Citrix)

The steps to reproduce this in AWS are the following:
-Launch a C3.4xlarge 2008R2 instance
-Install latest version of Wireshark
-Launch Wireshark - BSOD

We understand that Riverbed Technologies is also a customer of AWS, so we'd like to help in any way we can. Please feel free to reach out to us.


Thanks,

Josh Jordan
AWS Support

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20150731/27fdbeda/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: windump-nobsod-t2-large.zip
Type: application/x-zip-compressed
Size: 173844 bytes
Desc: windump-nobsod-t2-large.zip
URL: <http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20150731/27fdbeda/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: windump-bsod-c3-4xl.zip
Type: application/x-zip-compressed
Size: 514 bytes
Desc: windump-bsod-c3-4xl.zip
URL: <http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20150731/27fdbeda/attachment-0004.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: windbg-analysis.txt
URL: <http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20150731/27fdbeda/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: minidump.zip
Type: application/x-zip-compressed
Size: 20098 bytes
Desc: minidump.zip
URL: <http://www.winpcap.org/pipermail/winpcap-bugs/attachments/20150731/27fdbeda/attachment-0005.bin>


More information about the Winpcap-bugs mailing list