Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test
From: Jim Young <jyoung@xxxxxxx>
Date: Tue, 4 Aug 2015 04:23:56 +0000
Hello Yang,

While testing Npcap 0.03-r3 I stumbled into one reproducible issue but I
also triggered a crash (which I am currently unable to reproduce).

The reproducible issue involves capturing on the Npcap loopback interface and
then starting a cmd shell and pinging the loopback address as follows:

ping -t -l 65500 127.0.0.1

The first several ping requests and responses are seen and captured but after
several seconds I started seeing "[Malformed Packets]" of length 14.  A pair of
Malformed packets were seen each second.  When I stopped the ping, the Malformed
Packets stopped.  I stopped and restarted Wireshark but the same thing happened. 

I then wanted to reboot the system to see if I could still replicate this Malformed
Packet issue.

After the system rebooted I double-clicked on the Wireshark icon but it did not
immediately start.  I thought that I had not double-clicked on it properly so I
double-clicked on the Wireshark icon a second time and then the system crashed
with the following Bug Check Message:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

I tried several times to reproduce this particular crash but so far with no luck
although I can easily reproduce the issue with Malformed Packets of length 14.

Here's the WinDBG log from the MEMORY.DMP file created the latest crash:

<snip>
3: kd> .symfix C:\Symbols
3: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
.....................................
Loading unloaded module list
.........
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000ffffffff, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff801fb0acb7c, address which referenced memory

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for npf.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll -

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 00000000ffffffff

CURRENT_IRQL:  2

FAULTING_IP:
ndis!ndisQueueOidRequest+ec
fffff801`fb0acb7c 803e05          cmp     byte ptr [rsi],5

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  dumpcap.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME:  ffffd000dc7b5080 -- (.trap 0xffffd000dc7b5080)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffe00167a89080
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801fb0acb7c rsp=ffffd000dc7b5210 rbp=ffffd000dc7b5310
 r8=0000000000000000  r9=0000000000000003 r10=0000000000000000
r11=fffff801fb0a954b r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
ndis!ndisQueueOidRequest+0xec:
fffff801`fb0acb7c 803e05          cmp     byte ptr [rsi],5 ds:00000000`00000000=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80111fd27e9 to fffff80111fc6ca0

STACK_TEXT: 
ffffd000`dc7b4f38 fffff801`11fd27e9 : 00000000`0000000a 00000000`ffffffff 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`dc7b4f40 fffff801`11fd103a : 00000000`00000000 ffffe001`69600000 00000000`00169600 fffffa80`035d1c00 : nt!KiBugCheckDispatch+0x69
ffffd000`dc7b5080 fffff801`fb0acb7c : ffffe001`6960a660 fffff801`11eb79b1 00000000`00000600 00000000`00000801 : nt!KiPageFault+0x23a
ffffd000`dc7b5210 fffff801`fb0ad4ce : ffffe001`67aaa760 00000000`000001fe 00000000`00000000 ffffe001`69600078 : ndis!ndisQueueOidRequest+0xec
ffffd000`dc7b53b0 fffff801`fbe1a1d1 : ffffe001`69600098 ffffe001`69600000 ffffe001`69600098 ffffe001`69600000 : ndis!NdisFOidRequest+0xc2
ffffd000`dc7b5470 fffff801`fbe1a51f : ffffe001`656efcc0 ffffe001`670d0db0 ffffe001`670d0ce0 ffffe001`69600000 : npf+0x21d1
ffffd000`dc7b54b0 fffff801`12298dd1 : 00000000`000000a5 ffffd000`dc7b57e1 00000000`00000000 00000000`00000040 : npf+0x251f
ffffd000`dc7b54e0 fffff801`1231fdc4 : 00000000`00000000 00000000`00000000 ffffe001`656efb40 ffffe001`656efb40 : nt!IopParseDevice+0x6c1
ffffd000`dc7b5700 fffff801`122ad6b3 : 00000000`00000000 ffffd000`dc7b58a8 00000000`00000040 ffffe001`61a6c080 : nt!ObpLookupObjectName+0x784
ffffd000`dc7b5830 fffff801`122c64db : 00000000`00000001 ffffe001`679c0738 00000000`00000001 00000000`00000020 : nt!ObOpenObjectByName+0x1e3
ffffd000`dc7b5960 fffff801`122c615c : 000000a5`08c0c848 00000000`c0100080 000000a5`08c0c8a0 ffffe001`67de48c0 : nt!IopCreateFile+0x36b
ffffd000`dc7b5a00 fffff801`11fd24b3 : ffffe001`67a89080 ffffd000`dc7b5b80 ffffd000`dc7b5aa8 000000a5`08c0c7f0 : nt!NtCreateFile+0x78
ffffd000`dc7b5a90 00007ffe`5e78171a : 00007ffe`5bc081aa 000000a5`08c0c980 00000000`00000000 00000000`0000006c : nt!KiSystemServiceCopyEnd+0x13
000000a5`08c0c7c8 00007ffe`5bc081aa : 000000a5`08c0c980 00000000`00000000 00000000`0000006c 00007ffe`5e72086d : ntdll!NtCreateFile+0xa
000000a5`08c0c7d0 00007ffe`5bc07e7a : 00000000`00000000 000000a5`08c0c9f0 00000000`c0000000 00000000`00000000 : KERNELBASE!CreateFileInternal+0x314
000000a5`08c0c950 00007ffe`5bc0b3d1 : 00000000`00000000 0000647f`a05090dc 000000a5`0aab0000 00000000`00ae10cc : KERNELBASE!CreateFileW+0x66
000000a5`08c0c9b0 00000000`00ae5166 : 000000a5`08d04960 ffffffff`ffffffff 00000000`00af9540 000000a5`08c0cea8 : KERNELBASE!CreateFileA+0x61
000000a5`08c0ca10 000000a5`08d04960 : ffffffff`ffffffff 00000000`00af9540 000000a5`08c0cea8 00000000`00000003 : packet+0x5166
000000a5`08c0ca18 ffffffff`ffffffff : 00000000`00af9540 000000a5`08c0cea8 00000000`00000003 00000000`00000000 : 0x000000a5`08d04960
000000a5`08c0ca20 00000000`00af9540 : 000000a5`08c0cea8 00000000`00000003 00000000`00000000 00000000`00000000 : 0xffffffff`ffffffff
000000a5`08c0ca28 000000a5`08c0cea8 : 00000000`00000003 00000000`00000000 00000000`00000000 00000000`00aea341 : packet!PacketGetNetType+0x13050
000000a5`08c0ca30 00000000`00000003 : 00000000`00000000 00000000`00000000 00000000`00aea341 000000a5`08c0cfa8 : 0x000000a5`08c0cea8
000000a5`08c0ca38 00000000`00000000 : 00000000`00000000 00000000`00aea341 000000a5`08c0cfa8 00000000`ffffffda : 0x3


STACK_COMMAND:  kb

FOLLOWUP_IP:
npf+21d1
fffff801`fbe1a1d1 8bf0            mov     esi,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  npf+21d1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npf

IMAGE_NAME:  npf.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55bf12a7

FAILURE_BUCKET_ID:  AV_npf+21d1

BUCKET_ID:  AV_npf+21d1

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_npf+21d1

FAILURE_ID_HASH:  {018c08e5-8cd5-951b-e0e0-8baf1868eb2b}

Followup: MachineOwner
---------

Please let me know if you need to see the complete MEMORY.DMP.

Best regards,

Jim Y.