[Winpcap-users] Winpcap in Intanium machine

Gianluca Varenni gianluca.varenni at cacetech.com
Thu Oct 8 07:28:48 PDT 2009


----- Original Message ----- 
From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
To: <winpcap-users at winpcap.org>
Sent: Wednesday, October 07, 2009 9:21 PM
Subject: Re: [Winpcap-users] Winpcap in Intanium machine


> After sending that last message I tried to run windump again without any 
> parameters (which makes it dump the first interface in the list) and this 
> machine crashed again, but with another error from another SYS file (I 
> didn't save the information). On this second try the crash dump was 
> disabled by me due to the 36GB of RAM (a long time to dump), but I still 
> have the first one, which generated the message that was in the last message.
>

If you enable just kernel memory dump, the memory dump is much smaller than 
36GB. On a normal x86/x64 machine freshly booted, it's usually below 100MB.

> I have used the gdb tool before to debug core files under Solaris, but I 
> never did something like it under Windows. I will try to start with the 
> debugging tools tomorrow. Do you have any tips?

Well, the first thing you do is load the memory dump and issue 
"!analyze -v" on the windbg command line.

>
> But I'm still afraid about the DLLs. Why couldn't a wrong/problematic DLL 
> crash a driver that it needs to access?

Because a driver should protect itself against bogus input from user level 
DLLs. A driver should never ever trust any data coming from user mode and 
should always validate it.
So in the case of some problematic DLL, if the driver receives some bogus 
data from the DLL, it must just fail the I/O request.

GV



>
> Thanks,
>
> Renato A. Ferreira
>
>
> On Wed 07/10/09 17:43, "Gianluca Varenni" gianluca.varenni at cacetech.com 
> sent:
>> The crash is due to the driver, not to mismatching DLLs. Now you will need
>> windbg and probably a second machine to debug the issue.
>> I would start loading the crash dump in windbg and understanding what went
>> wrong.
>>
>> GV
>>
>> ----- Original Message -----
>> From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
>> To: <winpcap-users at winpcap.org>
>> Sent: Wednesday, October 07, 2009 1:07 PM
>> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
>>
>> > I added the reference to IA64 in NPF.RC VERSIONINFO with:
>> >
>> > #elif defined(_IA64_)
>> >   VALUE "FileDescription",   "npf.sys (NT5/6 IA64) Kernel Driver"
>> >
>> > Afterwards I changed the references to AMD64 (they appear only two times
>> > and refer to hUserEvent32Bit) from:
>> >
>> > #ifdef _AMD64_
>> >
>> > To:
>> >
>> > #if defined(_AMD64_) || defined(_IA64_)
>> >
>> > The compilation was successful, the "net start npf" works fine and the
>> > interfaces are now appearing in the output of "windump -D". But when I
>> > tried to open wireshark, the interface list was OK, showing all of them,
>> > but before I clicked the button to start the capture (I think that was
>> > when it started to count packets) the server went down with this message:
>> >
>> > *** STOP: 0x0000008E (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
>> > ***       NPF.sys - Address E00001626B738834 base at E00001626B730000, DateStamp 4acce5bf
>> >
>> > I'm still trying with the DLLs (wpcap.dll and packet.dll) that I got by
>> > unpacking the installer, but they have the same name and I don't know if
>> > I chose the right one between vista, 2000 or amd64.
>> >
>> > I will now try to compile these DLLs before trying again.
>> >
>> > Thanks,
>> >
>> > Renato A. Ferreira
>> >
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
> 
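
The rule GV states above (a driver validates everything it receives from user mode and fails the I/O request on bogus data), as an added example that is not part of the original thread and is not WinPcap code: a portable C simulation of a dispatch routine. The request layout, status codes and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes and request layout (not WinPcap's). */
enum { ST_SUCCESS, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL };
#define MAX_INSNS 4096u

typedef struct {
    uint32_t version;     /* must be 1 */
    uint32_t insn_count;  /* number of 8-byte instructions in the payload */
    uint32_t insn_offset; /* byte offset of the payload inside the buffer */
} set_filter_req;

/* Check every user-supplied field before touching the payload; on any doubt, fail. */
int handle_set_filter(const void *in, size_t in_len,
                      uint8_t *out, size_t out_cap, size_t *copied)
{
    set_filter_req hdr;
    size_t bytes;

    *copied = 0;
    if (in == NULL || in_len < sizeof hdr)
        return ST_BUFFER_TOO_SMALL;
    memcpy(&hdr, in, sizeof hdr);   /* capture the header once, then use only the copy */
    if (hdr.version != 1 || hdr.insn_count == 0 || hdr.insn_count > MAX_INSNS)
        return ST_INVALID_PARAMETER;
    if (hdr.insn_offset < sizeof hdr || hdr.insn_offset > in_len)
        return ST_INVALID_PARAMETER;
    bytes = (size_t)hdr.insn_count * 8u;    /* no overflow: count <= MAX_INSNS */
    if (bytes > in_len - hdr.insn_offset)   /* no underflow: offset <= in_len */
        return ST_INVALID_PARAMETER;
    if (bytes > out_cap)
        return ST_BUFFER_TOO_SMALL;
    memcpy(out, (const uint8_t *)in + hdr.insn_offset, bytes);
    *copied = bytes;
    return ST_SUCCESS;
}

/* Build a constructed request of in_len bytes and return the handler's status. */
int try_request(uint32_t version, uint32_t count, uint32_t offset, size_t in_len)
{
    uint8_t in[64] = {0}, out[32];
    size_t copied;
    set_filter_req hdr = { version, count, offset };
    if (in_len > sizeof in) in_len = sizeof in;
    memcpy(in, &hdr, sizeof hdr);
    return handle_set_filter(in, in_len, out, sizeof out, &copied);
}
int main(void) { printf("valid=%d bogus=%d\n", try_request(1, 2, 12, 28), try_request(1, 0xFFFFFFFFu, 12, 28)); return 0; }
```
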


