This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

WinPcap not receiving data

0

I have an odd situation and will try to explain with detail what I am seeing and would really appreciate some help fixing this.

On 2 pc's my setup is Windows 7 Ultimate, Service Pack 1 and have WinPcap 4.1.2 and Windows 7 Professional, SP1 and WinPcap 4.1.2 on a third pc. The PC's with Windows 7 Ultimate, Service Pack have Symantec EndPoint Protection version 11.0.6005.562 and the Windows 7 Professional, SP1 pc has Symantec EndPoint Protection version 11.0.7000.975

Prior to several months ago all was working fine.
But then on 2 of my 3 PC's (win7 Ultimate & symantec 11.0.6005.562) I started having problems receiving data via the WinPcap API. In my applications (either written in C or SharpPcap) I can open a connection/handle to an interface and I can successfully transmit data over this interface but all attempts to read/receive data result in the application being blocked. However (this is the weird part) I can open Wireshark and successfully receive data on these same pc's and interfaces.

As I mentioned before these applications were working on all my pc's up until some months ago.
I suspect our corporate IT department pushed (via the evil Altiris application) some security patch on my pc and then after rebooting these applications no longer worked in the aforementioned receive mode. So I upgraded one of the non-working pc's to the version of Symantec EndPoint Protection version 11.0.7000.975 on the pc that is working, but this had no affect so I presume the root cause is not due to the presence or version of Symantec. Symantec EndPoint Protection has the runtime option of disabling protection and I have tried this but there is no change in behavior.

Again I need to state that Wireshark can work fine.

I have tried all reasonable combinations of pcap_open, pcap_open_live and using the classis pcap_loop vs pcap_next_ex and nothing seems to open up the reception of data. I looked at the source code to wireshark (e.g. dumpcap.c) and I am using the same api calls.

I should note that this errant behavior seems to be independent of the network interface I use. I have 4 different NIC's in my setup (yes a lot) and all behave the same.

I am at a loss to explain or fix what is happening.

asked 19 Dec '12, 07:40

eckorsberg's gravatar image

eckorsberg
1111
accept rate: 0%


2 Answers:

0

. So I upgraded one of the non-working pc's to the version of Symantec EndPoint Protection version 11.0.7000.975

I suggest to uninstall Symantec EndPoint Protection and then see what happens. SEP has a bad history of interfering with network traffic.

Regards
Kurt

answered 19 Dec '12, 08:24

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Unfortunately our corporate IT setup prevents uninstalling Symantec EndPoint Protection. But again I have a pc running Symantec EndPoint Protection in which my application works fine so I know that in some configuration my application works alongside Symantec EndPoint Protection.

(19 Dec '12, 09:40) eckorsberg

But again I have a pc running Symantec EndPoint Protection in which my application works fine so I know that in some configuration

It might work in some configuration. But do you know it is the same configuration? I still recommend to uninstall SEP, as I'm pretty convinced that is SEP causing the problems.

(19 Dec '12, 11:52) Kurt Knochner ♦

BTW: Are you sure that the WinPcap service is started while your own application is running? If it is not started, you will have problems getting any data.

Please run this command before you start your own application:

sc query npf

You should see:

STATE : 4 RUNNING

If it is not running, start it from an elevated DOS box.

sc start npf

(19 Dec '12, 12:31) Kurt Knochner ♦

Yes this is what I see SERVICE_NAME: npf TYPE : 1 KERNEL_DRIVER STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0

(20 Dec '12, 20:02) eckorsberg

O.K. then back to SEP. Did you talk to your IT department about uninstalling SEP, just for a test?

(20 Dec '12, 22:47) Kurt Knochner ♦

0

As Wireshark is also using WinPcap and does indeed see packets, might your user rights have changed in a way that your own application does not have enough rights anymore to do the capturing?

answered 19 Dec '12, 08:29

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I have my UAC set to minimal setting and this has not changed. When running Wireshark, does that process execute with different rights than my own application? Is there a way to manually 'upgrade' or alter the explicit rights to my .exe application file?

(19 Dec '12, 09:38) eckorsberg