[Winpcap-users] Winpcap in Intanium machine
Renato Araújo Ferreira
marina.peixe at terra.com.br
Thu Oct 8 19:40:24 PDT 2009
What do I need to do the *second machine debug*? Only windbg?
On Qui 08/10/09 21:29 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> You cannot debug with Visual Studio. You need to use Windbg.
>
> In windbg you can use the watch window to watch the contents of a variable.
>
> What is the bugcheck code?
>
> If you have used "analyze -v" after the crash, please post the entire output
> of !analyze -v
>
> GV
>
> ----- Original Message -----
> From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> To: users at winpcap.org
> Sent: Thursday, October 08, 2009 1:54 PM
> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
>
> > the right stack:
> >
> > NPF!GetTimeKQPC [time_calls.h @ 373]
> > NPF!NPF_tap [read.c @ 607]
> > NDIS
> >
> > this line of time_calls.h:
> >
> > dst->tv_usec = data->start[0].tv_usec +
> > (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);
> >
> > I will look for a way to read the content of variable. Is there any known
> > way to run this dump in visual studio and see the content of these
> > variables?
> >
> > Thanks,
> >
> > Renato A. Ferreira
> >
> > On Qui 08/10/09 16:56 , Renato Araújo Ferreira marina.peixe at terra.com.br
> > sent:
> >> The smalldump combined with the npf.pdb generated a stack trace like
> >> the following
> >>
> >> GetTimeKQPC
> >> NPF_tap
> >> NDIS
> >>
> >> with a memory exhaust error.... I don't remember the correct spelling
> >> because it did not make sense in source code so I didn't care to copy the
> >> information...
> >>
> >> I think that because the pdb file was not the same from the sys file
> >> build, as I compiled too many times before combine them. After I
> >> recompiled again to be sure to use the sys/pdb generate at same build and
> >> analyse the right information, but is not generating the symbols anymore
> >> and I don't know why.
> >>
> >> Now I'm trying a kernel dump option, that takes a long time to be
> >> generated. The small dump is fast and takes a few kilobytes. There are
> >> only these two options.
> >>
> >> On Qui 08/10/09 11:28 , "Gianluca Varenni" gianluca.varenni at cacetech.com
> >> sent:
> >> >
> >> > ----- Original Message -----
> >> > From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> >> > To: users at winpcap.org
> >> > Sent: Wednesday, October 07, 2009 9:21 PM
> >> > Subject: Re: [Winpcap-users] Winpcap in Intanium machine
> >> >
> >> > > After send that last message I tried to run windump again without any
> >> > > parameter (that make It dump first interface of list) and this machine
> >> > > crashed again, but with another error from another SYS file (I didn't
> >> > > save the information). At this second try the crash dump was disabled
> >> > > by me due to 36GB of ram size (a long time to dump), but I still have
> >> > > the first one that generated the message that in last message.
> >> >
> >> > If you enable just kernel memory dump, the memory dump is much smaller
> >> > than 36GB. On a normal x86/x64 machine freshly booted, it's usually
> >> > below 100MB.
> >> >
> >> > > I used before the gdb tool to debug core files under solaris, but I
> >> > > never did something like it under windows. I will try to start with
> >> > > debugging tools tomorrow. Do you have any tip?
> >> >
> >> > Well, the first thing you do is loading the memory dump and issue
> >> > "!analyze -v" on the windbg command line.
> >> >
> >> > > But I'm still afraid about DLL's. Why a wrong/problematic DLL could
> >> > > not crash a driver that it need to access?
> >> >
> >> > Because a driver should protect itself against bogus input from user
> >> > level DLLs. A driver should never ever trust any data coming from user
> >> > mode and should always validate it.
> >> >
> >> > So in the case of some problematic DLL, if the driver receives some
> >> > bogus data from the DLL, it must just fail the I/O request.
> >> >
> >> > GV
> >> >
> >> > > Thanks,
> >> > >
> >> > > Renato A. Ferreira
> >> > >
> >> > > On Qua 07/10/09 17:43 , "Gianluca Varenni"
> >> > > gianluca.varenni at cacetech.com sent:
> >> > >> The crash is due to the driver, not to mismatching DLLs. Now you will
> >> > >> need windbg and probably a second machine to debug the issue.
> >> > >>
> >> > >> I would start loading the crash dump in windbg and understanding what
> >> > >> went wrong.
> >> > >>
> >> > >> GV
> >> > >>
> >> > >> ----- Original Message -----
> >> > >> From: "Renato Araújo Ferreira" marina.peixe at terra.com.br
> >> > >> To: users at winpcap.org
> >> > >> Sent: Wednesday, October 07, 2009 1:07 PM
> >> > >> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
> >> > >>
> >> > >> > I added the reference to IA64 in NPF.RC VERSIONINFO with:
> >> > >> >
> >> > >> > #elif defined(_IA64_)
> >> > >> > VALUE "FileDescription", "npf.sys (NT5/6 IA64) Kernel Driver"
> >> > >> >
> >> > >> > After I changed the references to AMD64 (appear only two times and
> >> > >> > refers to hUserEvent32Bit) from:
> >> > >> >
> >> > >> > #ifdef _AMD64_
> >> > >> >
> >> > >> > To:
> >> > >> >
> >> > >> > #if defined(_AMD64_) || defined(_IA64_)
> >> > >> >
> >> > >> > The compilation was successful, the "net start npf" works fine and
> >> > >> > the interfaces are now appearing in return of "windump -D". But when
> >> > >> > I tried to open wireshark, the interface list was OK showing all of
> >> > >> > them, but before I click at button to start capture (I think that
> >> > >> > was when it started to count packets) the server went down with this
> >> > >> > message:
> >> > >> >
> >> > >> > *** STOP: 0x0000008E
> >> > >> > (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x0000000000000000)
> >> > >> >
> >> > >> > *** NPF.sys - Address E00001626B738834 base at E00001626B730000,
> >> > >> > DateStamp 4acce5bf
> >> > >> >
> >> > >> > I'm still trying with the DLL's (wpcap.dll and packet.dll) that I
> >> > >> > got unpacking the installer, but they have the same name and I don't
> >> > >> > know if I choose the right one between vista, 2000 or amd64.
> >> > >> >
> >> > >> > I will now try to compile these DLL's before try again.
> >> > >> >
> >> > >> > Thanks,
> >> > >> >
> >> > >> > Renato A. Ferreira
> >> > >> >
> >> > >> > _______________________________________________
> >> > >> > Winpcap-users mailing list
> >> > >> > Winpcap-users at winpcap.org
> >> > >> > https://www.winpcap.org/mailman/listinfo/winpcap-users
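
As an added example (not code from the thread or from WinPcap), this C helper decodes the STOP 0x8E screen quoted in the oldest message: it reads parameter 1 as the exception's NTSTATUS and subtracts the module base from the faulting address to get the offset inside NPF.sys. The struct and function names are hypothetical, and the input is the thread's two lines with the mail-wrapped pieces rejoined.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the thread's two blue-screen lines, mail wrapping undone. */
static const char STOP_LINE[] = "*** STOP: 0x0000008E (0xFFFFFFFF80000002,"
    "0xE00001626B738834,0xE000016276387410,0x0000000000000000)";
static const char MODULE_LINE[] = "*** NPF.sys - Address E00001626B738834 "
    "base at E00001626B730000, DateStamp 4acce5bf";

/* For bugcheck 0x8E, param[] = exception code, fault address, trap frame, reserved. */
struct stop_info { uint32_t code; uint64_t param[4]; uint64_t base; };

/* Returns 0 on success, -1 on a layout mismatch or inconsistent addresses. */
int parse_stop(const char *stop, const char *mod, struct stop_info *s)
{
    uint64_t addr;
    /* %x conversions accept the optional 0x prefix themselves. */
    if (sscanf(stop, "*** STOP: %" SCNx32 " (%" SCNx64 ",%" SCNx64 ",%" SCNx64
               ",%" SCNx64 ")", &s->code, &s->param[0], &s->param[1],
               &s->param[2], &s->param[3]) != 5)
        return -1;
    if (sscanf(mod, "*** %*s - Address %" SCNx64 " base at %" SCNx64,
               &addr, &s->base) != 2)
        return -1;
    /* The module line must describe the STOP line's faulting address. */
    return (addr == s->param[1] && addr >= s->base) ? 0 : -1;
}

/* Offset of the faulting instruction inside the module image. */
uint64_t fault_offset(const struct stop_info *s) { return s->param[1] - s->base; }

/* NTSTATUS name for parameter 1, which arrives sign-extended to 64 bits. */
const char *exception_name(const struct stop_info *s)
{
    switch ((uint32_t)s->param[0]) {
    case 0x80000002u: return "STATUS_DATATYPE_MISALIGNMENT";
    case 0xC0000005u: return "STATUS_ACCESS_VIOLATION";
    case 0xC0000094u: return "STATUS_INTEGER_DIVIDE_BY_ZERO";
    default:          return "unknown";
    }
}

int main(void)
{
    struct stop_info s;
    if (parse_stop(STOP_LINE, MODULE_LINE, &s) != 0) return 1;
    printf("bugcheck 0x%" PRIX32 ": %s at module+0x%" PRIx64 "\n",
           s.code, exception_name(&s), fault_offset(&s));
    return strcmp(exception_name(&s), "unknown") == 0;
}
```

For the values in the thread it reports STATUS_DATATYPE_MISALIGNMENT at offset 0x8834 from the NPF.sys base.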