It looks like it might be an alignment problem. The bad packet starts with 7 bytes: 43 5f 55 55 10 3c 00. The good packet ends with a similar 7 bytes: 43 5e 00 62 32 2f 00. Do you know if those ending bytes are expected? In other words, are they valid data for the good packet, or did they leak from memory somewhere, ending up at the end of the packet instead of the beginning as in the bad case?

Thanks for the reply. I'm not seeing a whole lot of similarity between those two sets of 7 bytes, and I wasn't able to find them in a similar beacon frame from the same AP. I've attached another capture, which contains three packets:

1. A good beacon frame from the Zoom5019 AP (doesn't look like there's overlap with the bad packet for those "misplaced" bytes)
2. A good beacon frame from another AP, which was the packet immediately preceeding the malformed packet (thought this might be useful, as proof that the last 7 bytes of this one aren't the first 7 bytes of the malformed one)
3. The malformed packet containing a beacon from Zoom5019, which killed this capture.

Samples.zip

In an effort to get better diagnostics, I have left detailed directions on #90 to run Windows Driver Verifier, which may produce a crash dump that we can debug. Please follow the directions and let us know how it works: https://github.com/nmap/nmap/issues/1036#issuecomment-337450644

Followed the instructions, didn't get a BSOD when the malformed packet came through. Tried it a couple times just to make sure.

Unfortunately, I didn't find the (possible/untested) fix for this until after Npcap 0.95 was released, so you'll have to wait a bit until I can get it tested and packaged. Npcap 0.95 still has this bug.

Npcap 0.96 has been released, which ought to solve this issue. Please let us know so we can close this issue. https://nmap.org/npcap/

I'm afraid this has not fixed the issue. The behavior is the same as initially reported. I can attach fresh copies of the diag/install logs if you like, but I didn't see anything too interesting in them (and they do report that the version is 0.96).

Good news: I'm no longer able to reproduce this problem. I'm not sure what's changed in the last 10 days - maybe somehow my system was holding onto Npcap 0.95. Thanks for the fix!

@SapientGuardian Thanks for confirming this. Since WiFi capture works without crashing, could you do us a huge favor and report your network card, OS, and level of support on the WiFi Adapters page at SecWiki.org? If you'd rather reply here or via email, that's fine, too, and we can handle the formatting:

• Adapter name/model number
• Firmware or Driver version
• Windows version
• Monitor mode box available in Wireshark?
• Capture works in monitor mode?
• No Frame Check (FCS) errors reported by Wireshark?
• Channel/frequency reported for each frame in Wireshark?
• RSSI reported for each frame in Wireshark?
• Npcap version tested
• Any extra notes or observations you have.

Thanks so much!
 

Certainly. Just waiting for my account to get approved.

@dmiller-nmap I never got account approval, so here's the data requested:

Adapter: Alfa AWUS036H
Driver: Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter, version 6.1316.1209.2009
Windows version: Windows 10 Pro 1709 build 16299.64
Monitor mode in Wireshark: Yes
Capture works in monitor mode: Yes
No FCS errors reported: Yes (no errors)
Channel/frequency reported: No (always 0)
RSSI reported: Yes (e.g. -69dBm)
Npcap version tested: 0.96

@SapientGuardian I'd like to check if the adapter you used is this one? Thanks!

@natiya I don't see a version number on mine, but it looks like the picture.

@SapientGuardian ok, thanks! Anyway, when you plug it in, doesn't have a GUI? Maybe there it says something

No GUI, sorry.

@SapientGuardian so how do you configure it in order to receive WiFi?

Just the built-in Windows wifi interface that isn't specific to any adapter.

@SapientGuardian I've tried the adapter you've got and there is Monitor Mode in Wireshark but all the packets are malformed. Are yours correctly captured? Is there anything that you installed/uninstalled such as WinPcap or something else?