[Winpcap-users] Odd behavior on failure to receive data from winPcap in some cases

UMU zhengm at chinanetcenter.com
Mon Dec 17 18:19:06 PST 2012

Wireshark is open source, you can read its code...

From: Edward C Korsberg 
Sent: Monday, December 17, 2012 11:34 PM
To: winpcap-users at winpcap.org 
Subject: [Winpcap-users] Odd behavior on failure to receive data from winPcap in some cases

I have an odd situation and will try to explain with detail what I am seeing and would really appreciate some help fixing this. 

On 2 pc's my setup is Windows 7 Ultimate, Service Pack 1 and have WinPcap 4.1.2 
and Windows 7 Professional, SP1 and WinPcap 4.1.2 on a third pc. 
The PC's with Windows 7 Ultimate, Service Pack have Symantec EndPoint Protection version 11.0.6005.562 
and the Windows 7 Professional, SP1 pc has  Symantec EndPoint Protection version 11.0.7000.975 

Prior to several months ago all was working fine.  
But then on 2 of my 3 PC's (win7 Ultimate & symantec 11.0.6005.562) I started having problems receiving data via the WinPcap API. 
In my applications I can open a connection/handle to an interface and I can successfully transmit data over this interface but all attempts to read/receive data result in the application being blocked. 
However I can open Wireshark and successfully receive data on these same pc's and interfaces. 

As I mentioned before these applications were working on all my pc's up until some months ago.  
I suspect our corporate IT department pushed (via the evil Altiris application) some security patch on my pc and then after rebooting these applications no longer worked in the aforementioned receive mode. 
Again I need to state that Wireshark can work fine and I assume that Wireshark is using the same underlying WinPcap dll/interfaces as my application but maybe Wireshark has some secret back door interface I am not aware of.

I have tried all reasonable combinations of pcap_open, pcap_open_live and using the classic pcap_loop vs pcap_next_ex and nothing seems to open up the reception of data.
Symantec EndPoint Protection has the runtime option of disabling protection and I have tried this but there is no change in behavior. 

I should note that this errant behavior seems to be independent of the network interface I use.  I have 4 different NIC's in my setup (yes a lot) and all behave the same. 

My suspicion is that this is related to Symantec EndPoint Protection but then I cannot explain why Wireshark would not also be affected by this.

Ed Korsberg
Rockwell Automation
Mayfield Heights, Ohio 44124
440-646-4456 (phone)
440-646-3076 (fax)
eckorsberg at ra.rockwell.com 
