[Winpcap-users] Winpcap in Intanium machine
Renato Araújo Ferreira
marina.peixe at terra.com.br
Thu Oct 8 12:56:17 PDT 2009
The small dump combined with the npf.pdb generated a stack trace like the following:
GetTimeKQPC
NPF_tap
NDIS
with a memory exhaust error... I don't remember the correct spelling because it did not make sense in the source code, so I didn't care to copy the information...
I think that is because the pdb file was not from the same build as the sys file, as I compiled too many times before combining them. Afterwards I recompiled again to be sure to use the sys/pdb generated in the same build and analyse the right information, but it is not generating the symbols anymore and I don't know why.
Now I'm trying the kernel dump option, which takes a long time to be generated. The small dump is fast and takes a few kilobytes. There are only these two options.
On Qui 08/10/09 11:28 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> ----- Original Message -----
> From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> To: users at winpcap.org
> Sent: Wednesday, October 07, 2009 9:21 PM
> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
>
> > After sending that last message I tried to run windump again without any
> > parameter (that makes it dump the first interface of the list) and this machine
> > crashed again, but with another error from another SYS file (I didn't save
> > the information). At this second try the crash dump was disabled by me due
> > to the 36GB of RAM size (a long time to dump), but I still have the first one
> > that generated the message that was in the last message.
>
> If you enable just kernel memory dump, the memory dump is much smaller than
> 36GB. On a normal x86/x64 machine freshly booted, it's usually below 100MB.
>
> > I used the gdb tool before to debug core files under Solaris, but I never
> > did something like it under Windows. I will try to start with the debugging
> > tools tomorrow. Do you have any tip?
>
> Well, the first thing you do is load the memory dump and issue
> "!analyze -v" on the windbg command line.
>
> > But I'm still afraid about DLLs. Why could a wrong/problematic DLL not
> > crash a driver that it needs to access?
>
> Because a driver should protect itself against bogus input from user level
> DLLs. A driver should never ever trust any data coming from user mode and
> should always validate it.
> So in the case of some problematic DLL, if the driver receives some bogus
> data from the DLL, it must just fail the I/O request.
>
> GV
>
> > Thanks,
> >
> > Renato A. Ferreira
> >
> > On Qua 07/10/09 17:43 , "Gianluca Varenni" gianluca.varenni at cacetech.com
> > sent:
> >> The crash is due to the driver, not to mismatching DLLs. Now you will need
> >> windbg and probably a second machine to debug the issue.
> >>
> >> I would start loading the crash dump in windbg and understanding what went
> >> wrong.
> >>
> >> GV
> >>
> >> ----- Original Message -----
> >> From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> >> To: users at winpcap.org
> >> Sent: Wednesday, October 07, 2009 1:07 PM
> >> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
> >>
> >> > I added the reference to IA64 in NPF.RC VERSIONINFO with:
> >> >
> >> > #elif defined(_IA64_)
> >> > VALUE "FileDescription", "npf.sys (NT5/6 IA64) Kernel Driver"
> >> >
> >> > After that I changed the references to AMD64 (they appear only two times and
> >> > refer to hUserEvent32Bit) from:
> >> >
> >> > #ifdef _AMD64_
> >> >
> >> > To:
> >> >
> >> > #if defined(_AMD64_) || defined(_IA64_)
> >> >
> >> > The compilation was successful, the "net start npf" works fine and the
> >> > interfaces are now appearing in the return of "windump -D". But when I tried to
> >> > open wireshark, the interface list was OK showing all of them, but before
> >> > I clicked the button to start capture (I think that was when it started to
> >> > count packets) the server went down with this message:
> >> >
> >> > *** STOP: 0x0000008E
> >> > (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
> >> >
> >> > *** NPF.sys - Address E00001626B738834 base at E00001626B730000,
> >> > DateStamp 4acce5bf
> >> >
> >> > I'm still trying with the DLLs (wpcap.dll and packet.dll) that I got
> >> > unpacking the installer, but they have the same name and I don't know if I
> >> > chose the right one between vista, 2000 or amd64.
> >> >
> >> > I will now try to compile these DLLs before trying again.
> >> >
> >> > Thanks,
> >> >
> >> > Renato A. Ferreira
> >> >
> >> > _______________________________________________
> >> > Winpcap-users mailing list
> >> > Winpcap-users at winpcap.org
> >> > https://www.winpcap.org/mailman/listinfo/winpcap-users
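
Added example (not part of the original thread or of WinPcap): Python that decodes the STOP message quoted above into the facts worth having before running "!analyze -v", namely the exception code, the faulting offset inside NPF.sys, and the driver's build time for picking the npf.pdb from the same build. The function name `triage` is hypothetical and the lookup tables cover only the values that occur in this thread.

```python
import re
from datetime import datetime, timezone

# STOP text as quoted in the thread above (mail line wraps rejoined).
STOP_TEXT = """\
*** STOP: 0x0000008E (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
*** NPF.sys - Address E00001626B738834 base at E00001626B730000, DateStamp 4acce5bf
"""

# Lookups limited to the values that occur in this thread.
BUGCHECKS = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS = {0x80000002: "STATUS_DATATYPE_MISALIGNMENT"}

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
MODULE_RE = re.compile(
    r"\*\*\*\s+(\S+)\s+-\s+Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+),"
    r"\s*DateStamp\s+([0-9A-Fa-f]+)")


def triage(text):
    """Extract the facts needed before opening the dump in WinDbg."""
    stop = STOP_RE.search(text)
    mod = MODULE_RE.search(text)
    if not stop or not mod:
        raise ValueError("not a STOP screen with a module line")
    code = int(stop.group(1), 16)
    params = [int(p, 16) for p in stop.group(2).split(",")]
    name, addr, base, stamp = mod.groups()
    addr, base, stamp = int(addr, 16), int(base, 16), int(stamp, 16)
    if addr < base:
        raise ValueError("faulting address is below the module base")
    # For 0x8E, parameter 1 is the exception code (an NTSTATUS, shown
    # sign-extended to 64 bits) and parameter 2 is the faulting address.
    exc = params[0] & 0xFFFFFFFF
    return {
        "bugcheck": BUGCHECKS.get(code, hex(code)),
        "exception": NTSTATUS.get(exc, hex(exc)),
        "module": name,
        "offset": addr - base,  # module-relative address of the fault
        "param2_is_fault_addr": params[1] == addr,
        # PE header TimeDateStamp: identifies which npf.sys build crashed.
        "built_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for key, value in triage(STOP_TEXT).items():
        print(f"{key}: {value}")
```

With symbols from the matching build loaded, the offset can be resolved to a function in WinDbg with `ln npf+0x8834`.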