I'm on a MacBook Air, and I got a book from the library about wireless network security. I've been following pretty diligently, but it seems like no matter what I do I cannot capture packets of other devices on my network. I've tried using Wireshark, with the "promiscuous" box checked, on my en0 interface (en0 is the only internet interface on a MacBook Air, the other options being loopback and peer to peer). I've added the wireless SSID and password to Wireshark and applied that change. I also tried disconnecting and reconnecting my iPhone to the network several times, hoping to pick up the traffic from there. The last try: I used the raw tcpdump command as root, with and without the -p flag (without -p means run in promiscuous mode), and then analyzed the packets from the pcap file, of which there were plenty, just not any from any other machines. Clearly there is something I am missing, maybe some kind of internal configuration deal. I would really appreciate help on this; it would make a great demo for job interviews, and would be an awesome skill to have.

The NIC card on this computer is set to promiscuous mode.

Promiscuous mode monitors all traffic on the network; if it's not on, it only monitors packets between the router and the device that is running Wireshark. Technically, there doesn't need to be a router in the equation.

More info: I do not have a Realtek adapter here; the adapter I have does not have the issue. However, when looking at the driver downloads for Realtek chipsets, it appears that for Windows 11 they switched to a NetAdapterCx driver, which is a framework for building NIC drivers on WDF, using netadaptercx.sys to handle the NDIS interoperations. As such, it's unlikely that this is the result of another driver misbehaving, but more likely something we need to adapt to.

If anyone wants to help further diagnose, you can run the Windows built-in tool Driver Verifier to see if it can identify any issues and force a bugcheck (BSoD).

1. Install Npcap 1.73 (I will post a debug build later that is preferable, but the standard version is fine, too).
2. Run the following command as Administrator: verifier.exe /bootmode oneboot /driver npcap.sys /flags 0x2209BB
3. Attempt to capture packets on the Realtek adapter.
4. If there is a crash (BSoD), send C:\Windows\MEMORY.dmp or the latest minidump from C:\Windows\Minidump\ to me at
   If no crash, reboot to clear verifier settings.

NPF_IoControl: Function code is 0021a820 Input size=0000000f Output size 0000000f
funcBIOC_OID: BIOCSETOID Request: Oid=0001010e, Length=00000004
NPF_StartUsingOpenInstance: OpenStatus = 2 MaxState = 2
NPF_SetPacketFilter: pFiltMod=FFFFC00B179CF5D0, PacketFilter=0x20
NPF_SetPacketFilter: New packet filter: 0x2b
NPF_DoInternalRequest: pFiltMod(FFFFC00B179CF5D0) OID SET 0x1010e: Status = 0
NPF_OidRequestComplete: pFiltMod(FFFFC00B179CF5D0) INTERNAL_REQUEST Oid 0x1010e, Status 0
NPF_SetPacketFilter: BytesProcessed != sizeof(PacketFilter), BytesProcessed = 0, sizeof(PacketFilter) = 0x4
funcBIOC_OID: Original NdisFOidRequest() Status = 0xc0000001
funcBIOC_OID: Custom NdisFOidRequest() Status = 0xe0000001

The same BytesProcessed != sizeof(PacketFilter) issue happens when setting any packet filter, regardless of promiscuous mode or not. Since this is a violation of the NDIS specification (a driver must set NDIS_OID_INFORMATION.BytesRead to the number of bytes read for a set operation), this can be viewed as a bug in the Realtek driver. However, Npcap should probably not be so picky when it comes to requiring this, especially since so many people are being prevented from using it because of this. So I will change NPF_SetPacketFilter() and several other similar functions to not require this in the case of NDIS_STATUS_SUCCESS.
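The Npcap debug output quoted above, decoded. This is an added example and is not part of the issue thread or of Npcap's own code: a Python script that parses the quoted log lines (copied inline as constructed sample input), names the NDIS_PACKET_TYPE_* bits in the two filter values, splits the returned NTSTATUS codes into their fields, and contrasts the strict BytesProcessed check with the relaxed rule the Npcap author describes (accept a completed set whenever the status is NDIS_STATUS_SUCCESS). The OID and packet-type constants are the public Windows SDK values from ntddndis.h; the function names and the report dictionary are assumptions of this example.

```python
"""Decode Npcap debug-log lines for an OID_GEN_CURRENT_PACKET_FILTER set request.

Added example, not Npcap code. Constants below are the public Windows SDK values;
the function names and the report layout are this example's own choices.
"""
import re

OID_GEN_CURRENT_PACKET_FILTER = 0x0001010E  # ntddndis.h

# NDIS_PACKET_TYPE_* bits that make up a packet-filter value (ntddndis.h).
NDIS_PACKET_TYPE = {
    0x01: "DIRECTED", 0x02: "MULTICAST", 0x04: "ALL_MULTICAST", 0x08: "BROADCAST",
    0x10: "SOURCE_ROUTING", 0x20: "PROMISCUOUS", 0x40: "SMT", 0x80: "ALL_LOCAL",
}

# Constructed sample input: the Npcap debug output quoted on this page, in request order.
SAMPLE_LOG = """\
NPF_IoControl: Function code is 0021a820 Input size=0000000f Output size 0000000f
funcBIOC_OID: BIOCSETOID Request: Oid=0001010e, Length=00000004
NPF_StartUsingOpenInstance: OpenStatus = 2 MaxState = 2
NPF_SetPacketFilter: pFiltMod=FFFFC00B179CF5D0, PacketFilter=0x20
NPF_SetPacketFilter: New packet filter: 0x2b
NPF_DoInternalRequest: pFiltMod(FFFFC00B179CF5D0) OID SET 0x1010e: Status = 0
NPF_OidRequestComplete: pFiltMod(FFFFC00B179CF5D0) INTERNAL_REQUEST Oid 0x1010e, Status 0
NPF_SetPacketFilter: BytesProcessed != sizeof(PacketFilter), BytesProcessed = 0, sizeof(PacketFilter) = 0x4
funcBIOC_OID: Original NdisFOidRequest() Status = 0xc0000001
funcBIOC_OID: Custom NdisFOidRequest() Status = 0xe0000001
"""


def decode_packet_filter(value):
    """Return the NDIS_PACKET_TYPE_* names whose bits are set in a filter value."""
    names = [name for bit, name in sorted(NDIS_PACKET_TYPE.items()) if value & bit]
    unknown = value & ~sum(NDIS_PACKET_TYPE)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def decode_ntstatus(status):
    """Split an NTSTATUS into severity (bits 31-30), customer bit (29), facility and code."""
    severity = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")[(status >> 30) & 0x3]
    return {
        "severity": severity,
        "customer": bool((status >> 29) & 0x1),  # set for vendor-defined codes
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
    }


def analyze_log(text):
    """Extract OID, filter values, completion status and the BytesProcessed mismatch."""
    rep = {"oid": None, "filters": [], "oid_status": None,
           "bytes_processed": None, "bytes_expected": None, "statuses": []}
    for line in text.splitlines():
        m = re.search(r"BIOCSETOID Request: Oid=([0-9a-fA-F]+)", line)
        if m:
            rep["oid"] = int(m.group(1), 16)
        m = re.search(r"(?:PacketFilter=|New packet filter: )0x([0-9a-fA-F]+)", line)
        if m:
            rep["filters"].append(int(m.group(1), 16))
        m = re.search(r"NPF_OidRequestComplete: .* Status (\w+)", line)
        if m:
            rep["oid_status"] = int(m.group(1), 0)  # status the miniport completed with
        m = re.search(r"BytesProcessed = (\w+), sizeof\(PacketFilter\) = (\w+)", line)
        if m:
            rep["bytes_processed"] = int(m.group(1), 0)
            rep["bytes_expected"] = int(m.group(2), 0)
        m = re.search(r"NdisFOidRequest\(\) Status = (0x[0-9a-fA-F]+)", line)
        if m:
            rep["statuses"].append(int(m.group(1), 16))
    return rep


def set_request_accepted(rep, strict):
    """strict=True: require BytesProcessed == sizeof(filter) even on success (the check
    that rejected the Realtek completion). strict=False: accept any NDIS_STATUS_SUCCESS
    completion, the relaxed rule described above. NDIS_STATUS_SUCCESS is 0."""
    completed_ok = rep["oid_status"] == 0
    sizes_match = rep["bytes_processed"] == rep["bytes_expected"]
    return completed_ok and sizes_match if strict else completed_ok


if __name__ == "__main__":
    r = analyze_log(SAMPLE_LOG)
    print("OID 0x%08x is OID_GEN_CURRENT_PACKET_FILTER: %s"
          % (r["oid"], r["oid"] == OID_GEN_CURRENT_PACKET_FILTER))
    for f in r["filters"]:
        print("filter 0x%02x = %s" % (f, " | ".join(decode_packet_filter(f))))
    print("miniport completed SET with status 0x%x, BytesProcessed=%d, expected=%d"
          % (r["oid_status"], r["bytes_processed"], r["bytes_expected"]))
    for s in r["statuses"]:
        print("returned status 0x%08x -> %s" % (s, decode_ntstatus(s)))
    print("strict check accepts the set:", set_request_accepted(r, strict=True))
    print("relaxed check accepts the set:", set_request_accepted(r, strict=False))
```

Read against the log: 0x20 is NDIS_PACKET_TYPE_PROMISCUOUS on its own, and the merged filter 0x2b is DIRECTED | MULTICAST | BROADCAST | PROMISCUOUS. The miniport completed the set with status 0 (success) but BytesProcessed 0 instead of 4, which is exactly the situation the strict check turns into a failure and the relaxed check lets through. Of the two statuses handed back to the caller, 0xC0000001 has severity ERROR with the customer bit clear, while 0xE0000001 has the customer bit (bit 29) set, marking it as a vendor-defined code rather than a standard NTSTATUS.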