[Winpcap-users] Winpcap in Intanium machine

Gianluca Varenni gianluca.varenni at cacetech.com
Fri Oct 9 08:15:02 PDT 2009


Windbg is the only debugger for kernel debugging. Two machines are needed if 
you want to live-debug the driver, i.e. you want to step into the code and 
not just analyze the crash dumps.

Bugcheck code: it's the code of the error that the operating system 
detected.

In the output of !analyze -v, it's

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
with arguments
Arg1: ffffffff80000002, The exception code that was not handled
Arg2: e00001626df00834, The address that the exception occurred at
Arg3: e000016276387410, Trap Frame
Arg4: 0000000000000000

The exception code 80000002 means

  0x80000002: STATUS_DATATYPE_MISALIGNMENT indicates that an unaligned 
  data reference was encountered.

and it's probably because the Itanium doesn't allow unaligned access to 
memory (i.e. if you try to access a 64-bit integer, its address should be 
aligned to 64 bits). x86 and x64 do not have such a requirement, and the WinPcap 
driver relies on that.

Also, you haven't configured windbg to make use of the Microsoft symbol 
server for the symbols of your version of Windows; instructions are here:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx#a (section 
called "About the Microsoft Symbol server")

Before you go any further, are you really sure you want to try having 
WinPcap running on Itanium? Debugging kernel driver issues is not exactly 
trivial; it requires a certain knowledge of the Windows kernel as well as 
the use of a debugger that is not exactly straightforward to use...

Have a nice day
GV
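
As an added illustration (not WinPcap code, and not part of this thread), the kind of alignment-safe read that avoids the STATUS_DATATYPE_MISALIGNMENT bugcheck discussed above: a 64-bit QuadPart stored at a misaligned offset is copied out with memcpy instead of being dereferenced in place, and the tv_usec arithmetic from the quoted time_calls.h line is then redone on the result. The function names, the sample buffer and its values are my own constructions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Itanium requires natural alignment: a 64-bit load needs an 8-byte-aligned address. */
int is_aligned8(const void *p) { return ((uintptr_t)p & 7u) == 0; }

/* The pattern that faults on IA64 when buf+off is not 8-byte aligned. Kept for
   contrast only: the cast is undefined behaviour in C, so nothing below calls it. */
int64_t read_quad_direct(const unsigned char *buf, size_t off)
{
    return *(const int64_t *)(buf + off);
}

/* Alignment-safe replacement: copy the 8 bytes into a properly aligned local, so
   the compiler only emits loads that are legal for the source address. */
int64_t read_quad_safe(const unsigned char *buf, size_t off)
{
    int64_t v;
    memcpy(&v, buf + off, sizeof v);
    return v;
}

/* Same arithmetic as the time_calls.h line quoted in the thread:
   usec = base + (PTime % Freq) * 1000000 / Freq, with PTime already read safely. */
long usec_from_counter(int64_t ptime, int64_t freq, long base_usec)
{
    return base_usec + (long)((ptime % freq) * 1000000 / freq);
}

/* Constructed sample (not from the driver): an 8-byte-aligned buffer whose counter
   value is stored at byte offset 1, i.e. deliberately misaligned. */
#define PTIME_OFF 1
static union { int64_t align; unsigned char bytes[16]; } sample;

void build_sample(int64_t ptime)
{
    memset(sample.bytes, 0, sizeof sample.bytes);
    memcpy(sample.bytes + PTIME_OFF, &ptime, sizeof ptime);
}

int sample_is_misaligned(void) { return !is_aligned8(sample.bytes + PTIME_OFF); }

int main(void)
{
    build_sample(31234567);   /* 3 s + 123456.7 us on a 10 MHz counter (constructed) */
    printf("misaligned=%d usec=%ld\n", sample_is_misaligned(),
           usec_from_counter(read_quad_safe(sample.bytes, PTIME_OFF), 10000000, 500));
    return 0;
}
```

A debug build of a driver can assert on is_aligned8() before any 64-bit access to a packed or byte-addressed buffer, which turns an IA64-only bugcheck into a reproducible check on any architecture.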


----- Original Message ----- 
From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
To: "Gianluca Varenni" <gianluca.varenni at cacetech.com>
Cc: <winpcap-users at winpcap.org>
Sent: Thursday, October 08, 2009 7:40 PM
Subject: Re: Re: [Winpcap-users] Winpcap in Intanium machine


What do I need to do the *second machine debug*? Only windbg?


 On Qui 08/10/09 21:29 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> You cannot debug with Visual Studio. You need to use Windbg.
>
> In windbg you can use the watch window to watch the contents of a variable.
>
> What is the bugcheck code?
>
> If you have used "analyze -v" after the crash, please post the entire output
> of !analyze -v
>
> GV
>
> ----- Original Message -----
> From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
> To: <winpcap-users at winpcap.org>
> Sent: Thursday, October 08, 2009 1:54 PM
> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
>
> > the right stack:
> >
> > NPF!GetTimeKQPC [time_calls.h @ 373]
> > NPF!NPF_tap [read.c @ 607]
> > NDIS
> >
> > this line of time_calls.h:
> >
> > dst->tv_usec = data->start[0].tv_usec +
> > (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);
> >
> > I will look for a way to read the content of the variable. Is there any known
> > way to run this dump in visual studio and see the content of these
> > variables?
> >
> > Thanks,
> >
> > Renato A. Ferreira
> >
> > On Qui 08/10/09 16:56 ,  Renato Araújo Ferreira marina.peixe at terra.com.br sent:
> >> The smalldump combined with the npf.pdb generated a stack trace like
> >> follows
> >> GetTimeKQPC
> >> NPF_tap
> >> NDIS
> >>
> >> with a memory exhaust error.... I don't remember the correct spelling
> >> because it did not make sense in source code so I didn't care to copy the
> >> information...
> >> I think that because the pdb file was not the same from the sys file build,
> >> as I compiled too many times before combining them. After I recompiled again
> >> to be sure to use the sys/pdb generated at the same build and analyse the right
> >> information, but it is not generating the symbols anymore and I don't know
> >> why.
> >> Now I'm trying a kernel dump option, which takes a long time to be
> >> generated. The small dump is fast and takes a few kilobytes. There are only
> >> these two options.
> >>
> >> On Qui 08/10/09 11:28 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> >> >
> >> > ----- Original Message -----
> >> > From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
> >> > To: <winpcap-users at winpcap.org>
> >> > Sent: Wednesday, October 07, 2009 9:21 PM
> >> > Subject: Re: [Winpcap-users] Winpcap in Intanium machine
> >> >
> >> > > After sending that last message I tried to run windump again without any
> >> > > parameter (that makes it dump the first interface of the list) and this machine
> >> > > crashed again, but with another error from another SYS file (I didn't save
> >> > > the information). At this second try the crash dump was disabled by me due
> >> > > to 36GB of ram size (a long time to dump), but I still have the first one
> >> > > that generated the message in the last message.
> >> >
> >> > If you enable just kernel memory dump, the memory dump is much smaller than
> >> > 36GB. On a normal x86/x64 machine freshly booted, it's usually below 100MB.
> >> >
> >> > > I used before the gdb tool to debug core files under solaris, but I never
> >> > > did something like it under windows. I will try to start with debugging
> >> > > tools tomorrow. Do you have any tip?
> >> >
> >> > Well, the first thing you do is loading the memory dump and issue
> >> > "!analyze -v" on the windbg command line.
> >> >
> >> > > But I'm still afraid about DLL's. Why could a wrong/problematic DLL not
> >> > > crash a driver that it needs to access?
> >> >
> >> > Because a driver should protect itself against bogus input from user level
> >> > DLLs. A driver should never ever trust any data coming from user mode and
> >> > should always validate it.
> >> >
> >> > So in the case of some problematic DLL, if the driver receives some bogus
> >> > data from the DLL, it must just fail the I/O request.
> >> >
> >> > GV
> >> >
> >> > > Thanks,
> >> > >
> >> > > Renato A. Ferreira
> >> > >
> >> > > On Qua 07/10/09 17:43 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> >> > >> The crash is due to the driver, not to mismatching DLLs. Now you will need
> >> > >> windbg and probably a second machine to debug the issue.
> >> > >>
> >> > >> I would start loading the crash dump in windbg and understanding what went
> >> > >> wrong.
> >> > >>
> >> > >> GV
> >> > >>
> >> > >> ----- Original Message -----
> >> > >> From: " Renato Araújo Ferreira" <marina.peixe at terra.com.br>
> >> > >> To: <winpcap-users at winpcap.org>
> >> > >> Sent: Wednesday, October 07, 2009 1:07 PM
> >> > >> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
> >> > >>
> >> > >> > I added the reference to IA64 in NPF.RC VERSIONINFO with:
> >> > >> >
> >> > >> > #elif defined(_IA64_)
> >> > >> >   VALUE "FileDescription",   "npf.sys (NT5/6 IA64) Kernel Driver"
> >> > >> >
> >> > >> > After I changed the references to AMD64 (appear only two times and refer
> >> > >> > to hUserEvent32Bit) from:
> >> > >> >
> >> > >> > #ifdef _AMD64_
> >> > >> >
> >> > >> > To:
> >> > >> >
> >> > >> > #if defined(_AMD64_) || defined(_IA64_)
> >> > >> >
> >> > >> > The compilation was successful, the "net start npf" works fine and the
> >> > >> > interfaces are now appearing in the return of "windump -D". But when I tried to
> >> > >> > open wireshark, the interface list was OK showing all of them, but before
> >> > >> > I click at the button to start capture (i think that was when it started to
> >> > >> > count packets) the server went down with this message:
> >> > >> >
> >> > >> > *** STOP: 0x0000008E
> >> > >> > (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
> >> > >> > ***       NPF.sys - Address E00001626B738834 base at E00001626B730000,
> >> > >> > DateStamp 4acce5bf
> >> > >> >
> >> > >> > I'm still trying with the DLL's (wpcap.dll and packet.dll) that I got
> >> > >> > unpacking the installer, but they have the same name and I don't know if I
> >> > >> > chose the right one between vista, 2000 or amd64.
> >> > >> >
> >> > >> > I will now try to compile these DLL's before trying again.
> >> > >> >
> >> > >> > Thanks,
> >> > >> >
> >> > >> > Renato A. Ferreira
> >> > >> >
> >> > >> > _______________________________________________
> >> > >> > Winpcap-users mailing list
> >> > >> > Winpcap-users at winpcap.org
> >> > >> > https://www.winpcap.org/mailman/listinfo/winpcap-users



More information about the Winpcap-users mailing list