[Winpcap-users] winpcap and McAfee

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Jun 24 18:55:45 GMT 2008

----- Original Message ----- 
From: <tamagawa at skygroup.jp>
To: <winpcap-users at winpcap.org>
Sent: Monday, June 23, 2008 7:03 PM
Subject: Re: [Winpcap-users] winpcap and McAfee

> Hello,
> I'm just curious:
> What would happen if we call Winpcap API before notifying the SCM?
> Or, why we need to notify before calling any Winpcap API?

It all boils down to how the SCM works internally.
First of all, when you call a WinPcap API, for example to list the adapters, 
WinPcap makes sure that both the WinPcap driver and the Microsoft NetMon 
driver (NM) are loaded into memory. Non-pnp drivers (like winpcap and 
netmon) are managed as normal services by the OS and started on demand, 
usually. The SCM uses a lock to protect the service database, and that lock 
is held when you run your own service before notifying the SCM. When the SCM 
database lock is held, no other services can start (and basically times 
out). If in your service calls a WinPcap API, WinPcap will try to load the 
winpcap driver and the netmon one (if needed), the SCM will try to acquire 
the SCM database lock again and wait for a certain timeout (I think it's one 
minute). The lock request will eventually timeout, and the WinPcap and the 
NM drivers might not be loaded into memory.

Hope this explains a bit how the SCM works.

Have a nice day

> Cound be a stupid question but glad to hear any hints.
> Thanks in advance,
> --
> tamagawa
> Gianluca Varenni ????????:
>> If you use WinPcap from within a service, I suggest you to have a look at 
>> these slides
>> http://www.cacetech.com/SHARKFEST.08/BoF_Varenni_%20WinPcap%20Do's%20and%20Don'ts.zip 
>> in particular slide #9.
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users 

More information about the Winpcap-users mailing list