[Winpcap-users] FW: Service crash after update to WinPcap networking (II)

J. M. carpe7 at hotmail.com
Thu Apr 3 09:34:11 UTC 2014

Sent again, as I don't receive the copy from the list.
From: carpe7 at hotmail.com
To: winpcap-users at winpcap.org
Subject: FW: Service crash after update to WinPcap networking
Date: Fri, 28 Mar 2014 12:14:08 +0000

The other server has just crashed. So the problem is not restricted to a single machine.
We are thinking about updating HP NIC drivers and firmware (dated January 2011), hoping that an outdated driver/firmware could make WinPcap more prone to participate in these crashes.
There is another strange behaviour: we have applied a safety mechanism to detect malformed packets; it compares the len property of the pktHeader returned by WinPcap to the datagramSize derived from the IP datagram header. If they don't match, a log message is written, and the packet is discarded.
                    Public Const EthernetHeaderSize = 14
                    Public Const BasicIPHeaderSize = 20
                    Private _MaxDatagramSize As Integer = 65535
                    Private _MaxEthernetPacketSize As Integer = EthernetHeaderSize + Me._MaxDatagramSize
                    Dim errBuf As New StringBuilder(WinPcap.Constants.PCAP_ERRBUF_SIZE)
                    Dim session = WinPcap.Driver.pcap_open(Me._DeviceName, Me._MaxEthernetPacketSize, WinPcap.Constants.PCAP_OPENFLAG_MAX_RESPONSIVENESS + WinPcap.Constants.PCAP_OPENFLAG_NOCAPTURE_LOCAL, 1, IntPtr.Zero, errBuf)
                    While Not cancellationTokenSource.IsCancellationRequested
                        Dim pktHeader As IntPtr = IntPtr.Zero
                        Dim pktData As IntPtr = IntPtr.Zero
                        Select Case WinPcap.Driver.pcap_next_ex(session, pktHeader, pktData)
                            Case 0
                                Continue While
                            Case Is < 0
                                Throw New Exception(WinPcap.Driver.pcap_geterr(session))
                        End Select
                        Dim header = DirectCast(Marshal.PtrToStructure(pktHeader, GetType(WinPcap.pcap_pkthdr)), WinPcap.pcap_pkthdr)
                        If header.len > EthernetHeaderSize + BasicIPHeaderSize Then 'Ethernet header + IPv4 header (without options)
                            Dim datagramSize As UShort = Marshal.ReadByte(pktData, EthernetHeaderSize + 2)
                            datagramSize <<= 8
                            datagramSize = datagramSize Or Marshal.ReadByte(pktData, EthernetHeaderSize + 3)
                            If header.len >= EthernetHeaderSize + datagramSize AndAlso datagramSize <= Me._MaxDatagramSize Then
    'Process the packet
                                Logging.Write(TraceEventType.Verbose, "Discarded packet with datagramSize {0} and header.len {1}", datagramSize, header.len)
                            End If
                        End If
                    End While
Well, it is happening, very significantly I would say.
My questions are:
-- Is it common that packets are this malformed?
-- Is my understanding right that in PCAP_OPENFLAG_MAX_RESPONSIVENESS mode WinPcap delivers complete datagrams to the application (if the internal buffer is big enough)? I'm not precluding IP fragmentation, rather I wonder whether individual datagrams (be they fragments or not) are delivered as indisivible units to the application. Otherwise, the behaviour we are experiencing could be the result of WinPcap delivering a portion of a datagram, not the whole datagram; but it would be a burden for the application to aggregate the portions.
Thank you very much.
From: carpe7 at hotmail.com
To: winpcap-users at winpcap.org
Subject: Service crash after update to WinPcap networking
Date: Fri, 28 Mar 2014 10:07:37 +0000

We have updated the raw socket networking subsystem of a Windows service to WinPcap, with the following architecture:
-- One thread continuously captures on its own pcap_t calling pcap_next_ex.
-- Several threads send packets concurrently over the same interface, but each one with it own private pcap_t obtained from pcap_open. These threads call pcap_sendpacket.
Since the update, the service crashes intermittently, although only one of the two servers in a redundant cluster exhibit the problem.
We are logging the errors produced by WinPcap. For that, after pcap_sendpacket returning a negative result we call pcap_geterr.
Just before the crash, the service logs (pcap_geterr result):
send error: PacketSendPacket failed
In EventViewer, this is the detail of the crash:
Faulting application name: ...
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec4aa8e
Exception code: 0xc0000374
Fault offset: 0x00000000000c40f2
Faulting process id: 0x1d64
Faulting application start time: 0x01cf4a53bf7cfe86
Faulting application path: ...
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 0e886882-b656-11e3-b6bb-e4115be757a8
The OS is Windows Server 2008 R2 64 bits.
The WinPcap version is 4.1.3.
The question is: has someone observed this problem?
Thank you very much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20140403/1c99be13/attachment.html>

More information about the Winpcap-users mailing list