
I have an NDIS lightweight filter (LWF) driver to capture all network traffic. It's open-sourced here. The installer is provided here.

The issue is that I found my filter causes all Wi-Fi adapters to be unable to receive any packets. I have received many complaints here: https://github.com/nmap/nmap/issues/373

The steps to reproduce are:

  1. Install this filter using the installer (npcap-0.10-r14.exe).
  2. Launch the Wireshark GUI (latest stable version, Wireshark 2.2.1); then only Wi-Fi connections are broken. Wired connections are not affected.
  3. During the connection loss, if I try to capture packets on the disconnected Wi-Fi adapter via Wireshark, I can still see outgoing traffic but no incoming traffic (after a few seconds most of the outgoing traffic is ARP requests, because no packets are received).
  4. Wait 90-100 seconds; the Wi-Fi connections then recover, and everything is fine.
  5. Closing and restarting Wireshark now does not cause this issue again.
  6. But if I restart my filter (e.g. using net stop npcap and net start npcap) or reinstall it via the installer, and repeat from step 2, then this issue happens again.

So this issue seems to happen only when the NDIS filter loads for the first time, and only to Wi-Fi adapters.

Then I checked the debug trace of my NDIS filter in DbgView (by installing the debug version npcap-0.10-r14-debug.exe). I saw that my ReceiveNetBufferListsHandler function NPF_TapEx is never called during the connection loss. The SendNetBufferListsHandler function NPF_SendEx is still working fine.

So I believe something that happens when launching Wireshark causes NDIS not to pass on the received packets, so my NDIS filter and the Windows OS above it don't receive any incoming packets at all.

I noticed that Microsoft says here that optional NDIS Lightweight Filters (LWF) can cause a 90-second delay in network availability. But it only happens when:

If an optional NDIS Lightweight Filter (LWF) driver is installed and the driver is not started, the network will not be available for up to 90 seconds.

However, my filter driver has been started by the installer, not by launching the Wireshark GUI. And this connection loss only happens to Wi-Fi connections. So I believe this is not the cause.

I'm testing this issue on Win10 14393 x64, but it seems to happen on all platforms. Does anyone have any idea why this issue happens? Thanks!

hsluoyz
  • If you're on Windows 10, then it's definitely not kb2019184 -- I fixed that in Windows 8. Unfortunately I can't think of anything else that could be the issue. – Jeffrey Tippet Nov 08 '16 at 02:33
  • @JeffreyTippet, I found the cause is OID_GEN_CURRENT_PACKET_FILTER. When I set this OID to any value after FilterAttach for a wireless adapter, the ReceiveNetBufferListsHandler() won't be called for at least 90 seconds. So currently, I forbid setting this OID to fix it. Do you know what causes it? – hsluoyz Nov 08 '16 at 04:57
  • @JeffreyTippet uhhh any ideas? – Crescent Fresh Sep 26 '21 at 02:54
  • @hsluoyz Did you find why this is caused? – OneAndOnly Apr 22 '22 at 17:01

0 Answers
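The following is an added example, not code from the question, the Npcap project, or any of the commenters. It scripts the reproduction procedure from steps 2-6 of the question on the machine under test: it restarts the filter service (assumed to be named npcap, as in the "net stop npcap" command in the post), asks you to start a capture as in step 2, and then times how long each connected Wi-Fi adapter goes without inbound traffic, using both the adapter's received-unicast counter and an ICMP echo to the adapter's IPv4 default gateway (assumed to answer ping). It measures the outage window from the outside; the cause the asker later reports (setting OID_GEN_CURRENT_PACKET_FILTER right after FilterAttach) lives inside the driver and is not exercised here. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the question or of Npcap.
# Assumptions: the filter service is named "npcap" (from "net stop npcap" in the
# post) and each Wi-Fi adapter's IPv4 default gateway answers ICMP echo requests.
param(
    [string]$ServiceName    = 'npcap',
    [int]   $TimeoutSeconds = 180,
    [int]   $PollSeconds    = 5
)

# NDIS reports Wi-Fi adapters with PhysicalMediaType 'Native 802.11'; wired
# adapters are deliberately left out because the post says they are unaffected.
$wifi = @(Get-NetAdapter -Physical |
          Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -eq 'Up' })
if ($wifi.Count -eq 0) { throw 'No connected Wi-Fi adapter found.' }

# Resolve each adapter's IPv4 default gateway. A reply from it proves that
# inbound frames are reaching the IP stack through that adapter again.
$gateway = @{}
foreach ($a in $wifi) {
    $route = Get-NetRoute -InterfaceIndex $a.InterfaceIndex -DestinationPrefix '0.0.0.0/0' `
                          -AddressFamily IPv4 -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($null -eq $route) { throw "No IPv4 default gateway on $($a.Name)." }
    $gateway[$a.Name] = $route.NextHop
}

# Step 6 of the post: restarting the filter makes it re-attach to every adapter,
# which is the state in which launching Wireshark triggers the outage.
Restart-Service -Name $ServiceName -Force
$t0 = Get-Date
Write-Host 'Filter restarted. Start Wireshark (or any Npcap capture) now, as in step 2.'

# Baseline the receive counter; during the outage it stays flat while the
# adapter keeps sending unanswered ARP requests (step 3 of the post).
$rxBaseline = @{}
foreach ($a in $wifi) {
    $rxBaseline[$a.Name] = (Get-NetAdapterStatistics -Name $a.Name).ReceivedUnicastPackets
}

$pending = @($wifi.Name)
while ($pending.Count -gt 0 -and ((Get-Date) - $t0).TotalSeconds -lt $TimeoutSeconds) {
    Start-Sleep -Seconds $PollSeconds
    foreach ($name in @($pending)) {
        $elapsed = [int]((Get-Date) - $t0).TotalSeconds
        $rx      = (Get-NetAdapterStatistics -Name $name).ReceivedUnicastPackets
        $alive   = Test-Connection -ComputerName $gateway[$name] -Count 1 -Quiet -ErrorAction SilentlyContinue
        Write-Host ('{0,4}s {1,-20} rx unicast +{2,-6} gateway reply: {3}' -f $elapsed, $name, ($rx - $rxBaseline[$name]), $alive)
        if ($alive) {
            Write-Host "$($name): inbound traffic recovered after ~${elapsed}s"
            $pending = @($pending | Where-Object { $_ -ne $name })
        }
    }
}
foreach ($name in $pending) {
    Write-Warning "$($name): no gateway reply within ${TimeoutSeconds}s"
}
```

If the recovery time printed is consistently in the 90-100 second range the post describes, and a second run of the script that skips the Restart-Service step (comment it out) shows the gateway answering immediately, you have reproduced the "first attach only" behaviour from steps 5 and 6 without relying on the Wireshark GUI to judge connectivity. The per-poll line also shows whether the NIC's own receive counter moves during the outage, which separates "the hardware is not receiving" from "NDIS is not indicating received packets up to the filter".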