[Winpcap-users] PDB file for npf.sys version 4.1.3

食肉大灰兔V5 hsluoyz at gmail.com
Wed Sep 16 15:39:24 UTC 2015 

Hi Mike,

On Wed, Sep 16, 2015 at 11:10 PM, Michael Acosta <mike.acosta at gmail.com>
wrote:

> Hi Yang,
>
> Thank you for the reply.
>
> I suppose we could try to jump through hoops to disassemble and
> otherwise hack around and try to figure out what is happening here,
> but it would be a lot more helpful if the PDB were available from the
> build that we and some of our customers actually have installed. It's
> an open-source package, so I'm not understanding the reluctance of the
> build maintainers to package or make available the actual debug
> symbols - we're not going to find any secrets that the code doesn't
> already tell us.
>

Except various Windows releases, I never see another software could keep
its symbols public as well as its package, especially for a open-source
software, it just assumes that you are capable to build it from source and
do anything you want. Maybe you could still resort to WinPcap's original
author, if lucky, maybe he still keeps the original PDB files. BTW, as what
you used is WinPcap's release version, I think you want to be provided with
release symbols instead of debug symbols, in order to make the PDB match
the binary.


>
> Since this is a rare bug, it's taken a long time to get a memory dump
> from a system in-situ; most of the time it is not feasible to have a
> customer take an extended outage to gather the information. Luckily,
> we caught this one in-house. This is something I would hope Riverbed
> would like to solve, as I've seen in the past similar issues reported
>

AFAIK, Wireshark (sponsored by Riverbed) has taken control of the WinPcap
dev work. I'm not sure if Riverbed would directly dedicate to WinPcap's
troubleshooting.


> with Wireshark due to NPF.sys. The workaround seems to be to set the
> driver to start on demand rather than on boot, but nobody seems to
> have a handle on the cause.
>
> By the way, I'm excited about your npcap project. I plan on testing
> with this to see if it's a replacement for WinPCAP 4.1.3 that is more
> stable in the ways we use it. In the future, do you plan on making the
> full build available, including symbols, on release?
>

Npcap is supported on Win7 (2008 R2) and later systems, so I think it
adapts to your scenario. You can try it on your environment and I would
like to fix any bugs if possible if you encountered any. The latest version
Npcap is 0.05:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.05.exe
And, it's not hard to include the symbols, they are just lying on my hard
disk right now, if you like, I can provide them together with the binaries
on my SVN repo:)

Cheers,
Yang



>
> Thank you again,
>
> -- Mike
>
>
> On Wed, Sep 16, 2015 at 4:14 AM, 食肉大灰兔V5 <hsluoyz at gmail.com> wrote:
> > Hi Michael,
> >
> > A seemingly viable way would be that you decompile your driver (npf.sys)
> > into C code using IDA pro, cross-searched the failing address in IDA and
> > WinPcap souce code, you will probably find the wrong line of code.
> >
> > Cheers,
> > Yang
> >
> > On Wed, Sep 16, 2015 at 11:56 AM, Michael Acosta <mike.acosta at gmail.com>
> > wrote:
> >>
> >> Hi,
> >>
> >> We've been using WinPCAP optionally to send GARP frames on Windows
> >> server (2008r2 and up), but it sometimes seems to hang in a call. It's
> >> not easily reproducible, but I managed to get a kernel memory dump
> >> today of the issue - the problem is that we do not have the symbols
> >> for 4.1.3 to see what it's doing in WINDBG.
> >>
> >> Can someone provide the symbols to me so we can see what's hanging up
> >> here? If we compile on our own, the PDB isn't going to match our
> >> running environment, and since it's not easily reproducable we're kind
> >> of light on collected kernel data, so just building our own is not an
> >> option at this point. We need to see the symbols from the version
> >> built and accessible on winpcap.org in order to make progress here.
> >>
> >> Please let me know if you need more information.
> >>
> >> Thank you,
> >>
> >> --
> >> Michael Acosta
> >> _______________________________________________
> >> Winpcap-users mailing list
> >> Winpcap-users at winpcap.org
> >> https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
> >
> >
> > _______________________________________________
> > Winpcap-users mailing list
> > Winpcap-users at winpcap.org
> > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
>
>
>
> --
> Michael Acosta
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20150916/90cf27a3/attachment.html>

More information about the Winpcap-users mailing list