[Winpcap-users] Winpcap in Itanium machine

Renato Araújo Ferreira marina.peixe at terra.com.br
Thu Oct 8 13:54:16 PDT 2009


The right stack:

NPF!GetTimeKQPC [time_calls.h @ 373]
NPF!NPF_tap [read.c @ 607]
NDIS

This line of time_calls.h:

dst->tv_usec = data->start[0].tv_usec + (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);

I will look for a way to read the content of the variables. Is there any known way to run this dump in Visual Studio and see the content of these variables?

Thanks,

Renato A. Ferreira

On Qui 08/10/09 16:56, Renato Araújo Ferreira marina.peixe at terra.com.br sent:
> The smalldump combined with the npf.pdb generated a stack trace like
> follows:
> GetTimeKQPC
> NPF_tap
> NDIS
> 
> with a memory exhaust error.... I don't remember the correct spelling
> because it did not make sense in the source code so I didn't care to copy the
> information...
> I think that is because the pdb file was not the same as the sys file build,
> as I compiled too many times before combining them. After that I recompiled again
> to be sure to use the sys/pdb generated at the same build and analyse the right
> information, but it is not generating the symbols anymore and I don't know
> why.
> Now I'm trying the kernel dump option, which takes a long time to be
> generated. The small dump is fast and takes a few kilobytes. There are only
> these two options.
> 
> On Qui 08/10/09 11:28, "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> > 
> > ----- Original Message ----- 
> > From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> > To: users at winpcap.org
> > Sent: Wednesday, October 07, 2009 9:21 PM
> > Subject: Re: [Winpcap-users] Winpcap in Itanium machine
> > 
> > > After sending that last message I tried to run windump again without any
> > > parameter (that makes it dump the first interface of the list) and this machine
> > > crashed again, but with another error from another SYS file (I didn't save
> > > the information). At this second try the crash dump was disabled by me due
> > > to the 36GB of RAM size (a long time to dump), but I still have the first one
> > > that generated the message in my last message.
> > >
> > 
> > If you enable just the kernel memory dump, the memory dump is much smaller than
> > 36GB. On a normal x86/x64 machine freshly booted, it's usually below 100MB.
> > 
> > > I used the gdb tool before to debug core files under Solaris, but I never
> > > did something like it under Windows. I will try to start with the debugging
> > > tools tomorrow. Do you have any tip?
> > 
> > Well, the first thing you do is load the memory dump and issue
> > "!analyze -v" on the windbg command line.
> > 
> > > But I'm still afraid about DLLs. Why couldn't a wrong/problematic DLL
> > > crash a driver that it needs to access?
> > 
> > Because a driver should protect itself against bogus input from user level
> > DLLs. A driver should never ever trust any data coming from user mode and
> > should always validate it.
> > 
> > So in the case of some problematic DLL, if the driver receives some bogus
> > data from the DLL, it must just fail the I/O request.
> > 
> > GV
> > 
> > > Thanks,
> > >
> > > Renato A. Ferreira
> > >
> > > On Qua 07/10/09 17:43, "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> > >> The crash is due to the driver, not to mismatching DLLs. Now you will
> > >> need windbg and probably a second machine to debug the issue.
> > >>
> > >> I would start loading the crash dump in windbg and understanding what
> > >> went wrong.
> > >>
> > >> GV
> > >>
> > >> ----- Original Message ----- 
> > >> From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> > >> To: users at winpcap.org
> > >> Sent: Wednesday, October 07, 2009 1:07 PM
> > >> Subject: Re: [Winpcap-users] Winpcap in Itanium machine
> > >>
> > >> >
> > 
> > >> > I added the reference to IA64 in NPF.RC VERSIONINFO with:
> > >> >
> > >> > #elif defined(_IA64_)
> > >> >   VALUE "FileDescription",   "npf.sys (NT5/6 IA64) Kernel Driver"
> > >> >
> > >> > After that I changed the references to AMD64 (they appear only two times and refer
> > >> > to hUserEvent32Bit) from:
> > >> >
> > >> > #ifdef _AMD64_
> > >> >
> > >> > To:
> > >> >
> > >> > #if defined(_AMD64_) || defined(_IA64_)
> > >> >
> > >> > The compilation was successful, the "net start npf" works fine and the
> > >> > interfaces are now appearing in the return of "windump -D". But when I tried to
> > >> > open wireshark, the interface list was OK showing all of them, but before
> > >> > I clicked the button to start capture (I think that was when it started to
> > >> > count packets) the server went down with this message:
> > >> >
> > >> > *** STOP: 0x0000008E
> > >> > (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
> > >> >
> > >> > ***       NPF.sys - Address E00001626B738834 base at E00001626B730000,
> > >> > DateStamp 4acce5bf
> > >> >
> > 
> > >> > I'm still trying with the DLLs (wpcap.dll and packet.dll) that I got
> > >> > unpacking the installer, but they have the same name and I don't know if
> > >> > I chose the right one between vista, 2000 or amd64.
> > >> >
> > >> > I will now try to compile these DLLs before trying again.
> > >> >
> > >> > Thanks,
> > >> >
> > >> > Renato A. Ferreira
> > >> >
> > >> > _______________________________________________
> > >> > Winpcap-users mailing list
> > >> > Winpcap-users at winpcap.org
> > >> > https://www.winpcap.org/mailman/listinfo/winpcap-users

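The arithmetic from the `time_calls.h` line named at the top of this thread, carried over into a host-side C harness. This is an added example, not WinPcap's code: it reimplements the same expression as a pure function whose inputs can be controlled, and puts in front of it the two checks a reviewer would want before that expression runs in a driver: that the frequency divisor is non-zero (the original expression divides by `TimeFreq.QuadPart` twice, once for `%` and once for `/`), and that the `timeval` and `LARGE_INTEGER` pointers it dereferences are naturally aligned. The alignment check is there because the first parameter of the STOP 0x8E reported further down the thread, 0x80000002, is the NT status code STATUS_DATATYPE_MISALIGNMENT, which IA64 raises on unaligned data access that x86 hardware handles transparently; the thread does not establish that this is the cause, so read it as a diagnostic to run, not as a fix. The type stand-ins, the function names `qpc_to_usec` and `is_naturally_aligned`, and the sample values are this example's own assumptions.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side stand-ins for the Windows types used in time_calls.h (assumed:
 * LARGE_INTEGER is a 64-bit union, timeval is a pair of longs). */
typedef union { int64_t QuadPart; } LARGE_INTEGER;
typedef struct { long tv_sec; long tv_usec; } timeval_t;

/* Status codes for the checked conversion (this example's own). */
enum { QPC_OK = 0, QPC_ZERO_FREQ = 1, QPC_MISALIGNED = 2 };

/* True when p is naturally aligned for a type of alignment `align`.
 * x86 tolerates unaligned loads; IA64 raises STATUS_DATATYPE_MISALIGNMENT. */
static int is_naturally_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* Same arithmetic as the quoted time_calls.h line:
 *   tv_usec = start.tv_usec + (LONG)((PTime % TimeFreq) * 1000000 / TimeFreq)
 * but the ways that expression could trap are checked first, and a status is
 * returned instead of faulting. */
static int qpc_to_usec(const timeval_t *start, const LARGE_INTEGER *ptime,
                       const LARGE_INTEGER *freq, long *out_usec)
{
    if (!is_naturally_aligned(start, alignof(timeval_t)) ||
        !is_naturally_aligned(ptime, alignof(LARGE_INTEGER)) ||
        !is_naturally_aligned(freq, alignof(LARGE_INTEGER)))
        return QPC_MISALIGNED;
    if (freq->QuadPart == 0)
        return QPC_ZERO_FREQ;       /* the original '%' and '/' would divide by zero */

    /* frac < freq, so frac * 1000000 stays inside 64 bits for any counter frequency
     * below ~9.2e12 Hz; the quotient is < 1000000 and so survives the (LONG) cast. */
    int64_t frac = ptime->QuadPart % freq->QuadPart;
    *out_usec = start->tv_usec + (long)(frac * 1000000 / freq->QuadPart);
    return QPC_OK;
}

/* Constructed sample: a 10 MHz counter read at 12,345,678 ticks, start offset 100 us. */
static long sample_ok_usec(void)
{
    timeval_t start = { 0, 100 };
    LARGE_INTEGER ptime = { 12345678 };
    LARGE_INTEGER freq = { 10000000 };
    long usec = -1;
    qpc_to_usec(&start, &ptime, &freq, &usec);
    return usec;    /* (2345678 * 1000000) / 10000000 + 100 = 234667 */
}

/* Constructed sample: frequency never initialised (zero). */
static int sample_zero_freq_status(void)
{
    timeval_t start = { 0, 0 };
    LARGE_INTEGER ptime = { 12345678 };
    LARGE_INTEGER freq = { 0 };
    long usec = 0;
    return qpc_to_usec(&start, &ptime, &freq, &usec);
}

/* Constructed sample: a LARGE_INTEGER pointer one byte off its natural alignment,
 * the shape of access that faults on IA64. It is never dereferenced here. */
static int sample_misaligned_status(void)
{
    alignas(8) unsigned char raw[32] = { 0 };
    const LARGE_INTEGER *off_by_one = (const LARGE_INTEGER *)(raw + 1);
    timeval_t start = { 0, 0 };
    LARGE_INTEGER freq = { 10000000 };
    long usec = 0;
    return qpc_to_usec(&start, off_by_one, &freq, &usec);
}

int main(void)
{
    printf("usec (ok):           %ld\n", sample_ok_usec());
    printf("status (zero freq):  %d\n", sample_zero_freq_status());
    printf("status (misaligned): %d\n", sample_misaligned_status());
    return 0;
}
```

Build with any C11 compiler and run. The misaligned sample never dereferences the off-by-one pointer: the alignment check rejects it first. In the driver the same checks would have to be applied to the actual `data->start[]` buffer and to `TimeFreq` before control reaches the quoted expression; the harness only shows what to check, against inputs you choose.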

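The rule Gianluca states in the quoted reply, that a driver must validate everything a user-mode DLL hands it and otherwise just fail the I/O request, shown as a host-side C model. This is an added example and not NPF's dispatch code: the request layout (`request_hdr_t` followed by `count` 32-bit entries), the size limits and the `validate_request` function are this example's own assumptions, and the status constants are unsigned stand-ins for the NTSTATUS codes a DEVICE_CONTROL handler would complete the IRP with. What it demonstrates is that every length and count is checked against the buffer size the I/O manager reported before any byte past the header is used, and that the header is copied once and validated in the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-side stand-ins for the NTSTATUS codes a driver would return (values are
 * the ntstatus.h constants, typed unsigned here for the harness). */
#define NT_STATUS_SUCCESS            0x00000000u
#define NT_STATUS_INVALID_PARAMETER  0xC000000Du
#define NT_STATUS_BUFFER_TOO_SMALL   0xC0000023u

/* Hypothetical request layout (this example's own): a header followed by
 * `count` 32-bit entries. Every byte of it arrives from user mode and is untrusted. */
typedef struct {
    uint32_t version;   /* protocol version the caller claims to speak */
    uint32_t count;     /* number of uint32_t entries that follow the header */
} request_hdr_t;

#define REQ_VERSION      1u
#define REQ_MAX_ENTRIES  64u

/* Validate a user-mode request without reading past the `in_len` bytes the
 * I/O manager reported. Returns the status the IRP would be completed with;
 * on success *entries_out is the now-trusted entry count. */
static uint32_t validate_request(const void *in, size_t in_len, uint32_t *entries_out)
{
    request_hdr_t hdr;

    if (in == NULL || in_len < sizeof hdr)
        return NT_STATUS_BUFFER_TOO_SMALL;          /* header does not even fit */

    memcpy(&hdr, in, sizeof hdr);                   /* copy once, validate the copy */

    if (hdr.version != REQ_VERSION)
        return NT_STATUS_INVALID_PARAMETER;
    if (hdr.count > REQ_MAX_ENTRIES)
        return NT_STATUS_INVALID_PARAMETER;         /* bound count before using it in arithmetic */

    /* count is now <= 64, so this product cannot overflow size_t. */
    if (in_len < sizeof hdr + (size_t)hdr.count * sizeof(uint32_t))
        return NT_STATUS_BUFFER_TOO_SMALL;          /* caller claims more entries than it sent */

    *entries_out = hdr.count;
    return NT_STATUS_SUCCESS;
}

/* Builds a constructed request as the raw bytes user mode would pass; returns its length. */
static size_t build_request(uint8_t *buf, uint32_t version, uint32_t count, size_t entries_sent)
{
    request_hdr_t hdr = { version, count };
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xAB, entries_sent * sizeof(uint32_t));
    return sizeof hdr + entries_sent * sizeof(uint32_t);
}

static uint32_t sample_good_request(void)
{
    uint8_t buf[sizeof(request_hdr_t) + 4 * sizeof(uint32_t)];
    uint32_t n = 0;
    size_t len = build_request(buf, REQ_VERSION, 4, 4);   /* claims 4 entries, sends 4 */
    return validate_request(buf, len, &n);
}

static uint32_t sample_lying_count(void)
{
    uint8_t buf[sizeof(request_hdr_t) + 4 * sizeof(uint32_t)];
    uint32_t n = 0;
    size_t len = build_request(buf, REQ_VERSION, 16, 4);  /* claims 16 entries, sends 4 */
    return validate_request(buf, len, &n);
}

static uint32_t sample_bad_version(void)
{
    uint8_t buf[sizeof(request_hdr_t)];
    uint32_t n = 0;
    size_t len = build_request(buf, 7, 0, 0);             /* unknown version, no entries */
    return validate_request(buf, len, &n);
}

int main(void)
{
    printf("good request: 0x%08X\n", sample_good_request());
    printf("lying count:  0x%08X\n", sample_lying_count());
    printf("bad version:  0x%08X\n", sample_bad_version());
    return 0;
}
```

In a real WDM driver the `in_len` argument comes from the IRP's current I/O stack location (`Parameters.DeviceIoControl.InputBufferLength`), never from a length or count field inside the user buffer itself; the buffer's own `count` is only trusted after it has been checked against that reported length, which is what the second `NT_STATUS_BUFFER_TOO_SMALL` return enforces.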
