New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Npcap: Monitor mode capture dies after malformed packet delivered #404
Comments
It looks like it might be an alignment problem. The bad packet starts with 7 bytes: |
Thanks for the reply. I'm not seeing a whole lot of similarity between those two sets of 7 bytes, and I wasn't able to find them in a similar beacon frame from the same AP. I've attached another capture, which contains three packets:
|
In an effort to get better diagnostics, I have left detailed directions on #90 to run Windows Driver Verifier, which may produce a crash dump that we can debug. Please follow the directions and let us know how it works: https://github.com/nmap/nmap/issues/1036#issuecomment-337450644 |
Followed the instructions, didn't get a BSOD when the malformed packet came through. Tried it a couple times just to make sure. |
Only the BPF header must be contiguous. By treating Radiotap header specially, we ended up with uninitialized bytes at the beginning of 802.11 frames, and an equivalent amount truncated from the end. Also, we were not considering the length of the Radiotap header in checking if there was enough free space in the circular buffer. This could lead to overlapping/overwriting frames that should be dropped instead. Possibly related issues: * nmap/nmap#1001 * nmap/nmap#1028 * nmap/nmap#1036
Unfortunately, I didn't find the (possible/untested) fix for this until after Npcap 0.95 was released, so you'll have to wait a bit until I can get it tested and packaged. Npcap 0.95 still has this bug. |
Npcap 0.96 has been released, which ought to solve this issue. Please let us know so we can close this issue. https://nmap.org/npcap/ |
I'm afraid this has not fixed the issue. The behavior is the same as initially reported. I can attach fresh copies of the diag/install logs if you like, but I didn't see anything too interesting in them (and they do report that the version is 0.96). |
Good news: I'm no longer able to reproduce this problem. I'm not sure what's changed in the last 10 days - maybe somehow my system was holding onto Npcap 0.95. Thanks for the fix! |
@SapientGuardian Thanks for confirming this. Since WiFi capture works without crashing, could you do us a huge favor and report your network card, OS, and level of support on the WiFi Adapters page at SecWiki.org? If you'd rather reply here or via email, that's fine, too, and we can handle the formatting:
Thanks so much! |
Certainly. Just waiting for my account to get approved. |
@dmiller-nmap I never got account approval, so here's the data requested: Adapter: Alfa AWUS036H |
@SapientGuardian I'd like to check if the adapter you used is this one? Thanks! |
@natiya I don't see a version number on mine, but it looks like the picture. |
@SapientGuardian ok, thanks! Anyway, when you plug it in, doesn't have a GUI? Maybe there it says something |
No GUI, sorry. |
@SapientGuardian so how do you configure it in order to receive WiFi? |
Just the built-in Windows wifi interface that isn't specific to any adapter. |
@SapientGuardian I've tried the adapter you've got and there is Monitor Mode in Wireshark but all the packets are malformed. Are yours correctly captured? Is there anything that you installed/uninstalled such as WinPcap or something else? |
Hello,
I am experiencing an issue capturing 802.11 traffic in monitor mode using Npcap: After a seemingly arbitrary number of packets have been captured successfully (I've observed anywhere from 200 to 20000), a malformed packet will be delivered, and then no more packets will be seen until the capture is restarted.
The malformed packet appears to contain a valid radiotap header with legitimate data, but it is prefixed with other data (possibly suggesting some sort of buffer overflow). You can see in "bad.png" that there's a broadcast frame very similar to the one in "good.png", but it's 8 bytes in.
I have reproduced this problem with an Alfa AWUS036H and a Linksys WUSB600N USB adapter, on a custom built desktop and on a Surface Pro 4. On both systems, I have observed the problem using Wireshark and using a custom application that utilizes SharpPcap. Both systems are running Windows 10 with all mainline (not insider) updates applied. Both systems are running Npcap 0.94 in non-winpcap-compatible mode.
I have attached the DiagReport, install.log, and NPFInstall.log files from the desktop.
NpcapIssue.zip
The text was updated successfully, but these errors were encountered: