I have an odd situation and will try to explain in detail what I am seeing, and would really appreciate some help fixing this.

On 2 PCs my setup is Windows 7 Ultimate, Service Pack 1 and have WinPcap 4.1.2 and Windows 7 Professional, SP1 and WinPcap 4.1.2 on a third PC. The PCs with Windows 7 Ultimate, Service Pack have Symantec EndPoint Protection version 11.0.6005.562 and the Windows 7 Professional, SP1 PC has Symantec EndPoint Protection version 11.0.7000.975.

Prior to several months ago all was working fine. As I mentioned before, these applications were working on all my PCs up until some months ago. Again I need to state that Wireshark can work fine.

I have tried all reasonable combinations of pcap_open, pcap_open_live and using the classic pcap_loop vs pcap_next_ex, and nothing seems to open up the reception of data. I looked at the source code of Wireshark (e.g. dumpcap.c) and I am using the same API calls.

I should note that this errant behavior seems to be independent of the network interface I use. I have 4 different NICs in my setup (yes, a lot) and all behave the same. I am at a loss to explain or fix what is happening.

asked 19 Dec '12, 07:40 eckorsberg
2 Answers:
I suggest uninstalling Symantec EndPoint Protection and then seeing what happens. SEP has a bad history of interfering with network traffic.

Regards

answered 19 Dec '12, 08:24 Kurt Knochner ♦
As Wireshark is also using WinPcap and does indeed see packets, might your user rights have changed in a way that your own application does not have enough rights anymore to do the capturing?

answered 19 Dec '12, 08:29 SYN-bit ♦♦

I have my UAC set to minimal setting and this has not changed. When running Wireshark, does that process execute with different rights than my own application? Is there a way to manually 'upgrade' or alter the explicit rights to my .exe application file?

(19 Dec '12, 09:38) eckorsberg
Unfortunately our corporate IT setup prevents uninstalling Symantec EndPoint Protection. But again, I have a PC running Symantec EndPoint Protection on which my application works fine, so I know that in some configuration my application works alongside Symantec EndPoint Protection.
It might work in some configuration. But do you know it is the same configuration? I still recommend uninstalling SEP, as I'm pretty convinced that it is SEP causing the problems.
BTW: Are you sure that the WinPcap service is started while your own application is running? If it is not started, you will have problems getting any data.
Please run this command before you start your own application:
You should see:
If it is not running, start it from an elevated DOS box.
Yes, this is what I see:

    SERVICE_NAME: npf
        TYPE               : 1 KERNEL_DRIVER
        STATE              : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
O.K. then back to SEP. Did you talk to your IT department about uninstalling SEP, just for a test?