Tuesday, March 24, 2015

Updated: WinPcap and Wireshark problems on Windows 10 Tech Preview 10041

Update June 5, 2015: WinPcap 4.1.3 works on build 10130.

Update May 13, 2015: WinPcap 4.1.3 began to work again in Windows 10 preview 10061 and continues to operate in 10074. Hopefully this trend continues, but I wouldn't count on it. Either way, we still need to encourage Riverbed to update WinPcap from NDIS5 to NDIS6. Work has been done on this at NMAP and has been shared, so it would be great if WinPcap.org could expand on that work and release a WinPcap fully compatible with NDIS6. Another issue is driver signing: in Windows 10 x64 that really will be changing, so it will be important for WinPcap to be updated before the RTM release - more about this here.

Update 3-27-15: Do you want to use Wireshark on Windows 10? Tweet about this problem, write a post about it, and bring it up at Sharkfest in June.

Update 3-26-15: This has been confirmed by others and a thread has been started here:
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004935.html
I will be posting about it on twitter: https://twitter.com/NetScanTools

Up until release 10041 all Windows 10 Tech Preview versions have appeared to run WinPcap 4.1.3 without a problem. Even the last version 9926 worked OK, but now we have a problem - a big problem.

About the test machine: Shuttle XPC, quad-core CPU, 8GB RAM. Host OS is Windows 7 x64. Windows 10 x64 Enterprise 10041 is a guest OS running inside VirtualBox 4.3.26 r98988. The network adapter in the VM is in Bridged mode. The physical network adapter in the Shuttle is a Generic Marvell Yukon 88E8056 based Ethernet controller.

Here's what I did...and what happened...
On March 23 I upgraded 9926 to 10041 and then installed Wireshark x64 v1.12.4 from wireshark.org. Everything installed fine and WinPcap installed normally. I fired up Wireshark and got the message "No interface can be used for capturing in this system with the current configuration." Pressing the Refresh Interfaces button did not fix it.

I know that Wireshark checks the status of the NPF driver before getting that far, so I thought I should verify it manually in a Command Prompt. You can see that the Service Control Manager says it is RUNNING.

Next, NetScanTools Pro. Since I wrote it, I know what checks are done where: it loads wpcap.dll and packet.dll and checks the status of the NPF driver. So far so good. I went to the ARP Scanner (it uses WinPcap to send and receive packets) and pressed Do ARP Scan, and got this message. The arrow points to a message that comes directly from WinPcap itself: "No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine."

I know exactly which function call returned that message: pcap_findalldevs_ex.

pcap_findalldevs_ex is what you call to find all the WinPcap compatible interfaces on the system. If it fails, you're done. I poked through the Wireshark code and they are most likely calling it too, on startup.
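The two checks described above (what the Service Control Manager says about the NPF driver versus what WinPcap's own enumeration call returns) can be scripted so the comparison is repeatable on each new build. The script below is an added example for this post, not code from NetScanTools or WinPcap. It assumes WinPcap 4.1.x is installed (so wpcap.dll is on the DLL search path and the NPF service is registered) and that the PowerShell bitness matches the wpcap.dll it loads; it uses the plain pcap_findalldevs export rather than pcap_findalldevs_ex, because that one needs no source or auth arguments. The pcap_if structure offsets (next, name, description) are the documented layout and are computed from the pointer size so the same script works in 32- and 64-bit sessions.

```powershell
# Added diagnostic (not from the original post): compare the SCM's view of the
# NPF driver with what WinPcap's pcap_findalldevs() reports.
# Assumption: WinPcap 4.1.x installed, wpcap.dll reachable from this process.

# 1. What the Service Control Manager says (same as "sc query npf" in a Command Prompt).
$svc = Get-Service -Name npf -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "NPF service is not registered: WinPcap does not appear to be installed."
} else {
    Write-Output ("NPF service state according to the SCM: {0}" -f $svc.Status)
}

# 2. What WinPcap itself says: P/Invoke the real wpcap.dll exports (cdecl).
$sig = @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WpcapNative {
    [DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int pcap_findalldevs(out IntPtr alldevs, StringBuilder errbuf);
    [DllImport("wpcap.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern void pcap_freealldevs(IntPtr alldevs);
}
"@
Add-Type -TypeDefinition $sig

$errbuf = New-Object System.Text.StringBuilder 256   # PCAP_ERRBUF_SIZE
$list   = [IntPtr]::Zero
$rc     = [WpcapNative]::pcap_findalldevs([ref]$list, $errbuf)

if ($rc -ne 0) {
    # Hard failure: wpcap.dll could not talk to the driver at all.
    Write-Output ("pcap_findalldevs failed: {0}" -f $errbuf.ToString())
} elseif ($list -eq [IntPtr]::Zero) {
    # The failure mode in the post: the driver service is RUNNING, the call
    # succeeds, but NPF is bound to no adapter, so the interface list is empty.
    # pcap_findalldevs_ex turns this empty list into the "No interfaces found!" error.
    Write-Output "pcap_findalldevs succeeded but returned no interfaces."
} else {
    # Walk the pcap_if linked list: {next, name, description, addresses, flags}.
    $ptr = [IntPtr]::Size
    $p   = $list
    while ($p -ne [IntPtr]::Zero) {
        $namePtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($p, $ptr)
        $descPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($p, 2 * $ptr)
        $name = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($namePtr)
        $desc = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($descPtr)
        Write-Output ("{0}`n    {1}" -f $name, $desc)
        $p = [Runtime.InteropServices.Marshal]::ReadIntPtr($p, 0)
    }
    [WpcapNative]::pcap_freealldevs($list)
}
```

On a working build the script prints the NPF service as Running followed by one line per \Device\NPF_{GUID} interface; on a build with the problem described here it prints Running and then the "succeeded but returned no interfaces" line, which is the combination that tells you the driver loads but is no longer bound to any adapter, rather than WinPcap being missing.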

Where do we go from here?
Obviously Microsoft changed something. Did they change NDIS? Or something else?

I've tried all the obvious things - changing compatibility mode, running the programs as administrator - nothing works. A driver expert (which I am not) needs to dive into the WinPcap code and figure this out - and soon!

If nothing is done, and the changes Microsoft made are permanent, Wireshark, nmap, NetScanTools Pro and any other apps depending on WinPcap for capturing and sending packets will not operate on Windows 10.

What is your experience? Has anyone else tried Wireshark on Windows 10 Enterprise 10041? Win10 has always worked on VirtualBox - has anyone tried Wireshark on Win10 in VMware or on a native boot?

10 comments:

Unknown said...

I can confirm Wireshark has stopped working since new build 10041. The previous build worked just fine.

Stan Slonkosky said...

I notice that Microsoft released build 10049 yesterday. Does it still have the problem?

http://blogs.windows.com/bloggingwindows/2015/03/30/windows-10-technical-preview-build-10049-now-available/

Kirk Thomas said...

I'm not on the 'fastest' release track, so I don't have 10049 yet. Hopefully today, but my past experience is that once an internal networking change is made during beta, it does not reverse without lots of complaints (raw sockets for example). Bring this up at Sharkfest if you are going!

Unknown said...

Just tried this on 10049. Does not work. It does find my internal bluetooth interface, can't remember if this was the case on previous not working builds. Anyway, still doesn't work.

Anonymous said...

I also tried 10049 and it does not work. Hope there is a fix soon.

Anonymous said...

The same situation with build 10051.

Anonymous said...

Same problem with build 10049.
By the way, for the last guy who commented, build 10051 is just for phones, so I don't know what you are talking about.

Tom said...

I just tried build 10061 and in this build it seems to work again.

DAHMANI said...

Try the WinPcap driver for NDIS 6 by Nmap; I tried it on build 10041 and it's working.

https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/installer/winpcap-nmap-4.1.3-NDIS6-1.2.0.exe

Unknown said...

See: https://wiki.wireshark.org/CaptureSetup/Loopback and https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-1.00.exe