Daniel Miller
@jtippet any clues as to what NDIS is doing in that call stack? Is there any way Npcap (a modifying LWF, but also a LWF in the undocumented `ms_medium_converter_128` FilterClass)...
@jtippet Thanks so much for the insight! We definitely have run into the early FilterAttach issue before, as evidenced by this line in DriverEntry: https://github.com/nmap/npcap/blob/f63c33439a6342223b00f1a17d7da13650a4bfff/packetWin7/npf/npf/Packet.c#L458-L459
@jtippet I believe I have figured out what is going on. We made a change a while back (4bbdb85511a937e15fe8e8566889d569a749a072) to use the "null service" in our INF for the secondary...
Here's the original StackOverflow answer explaining how the AddService lines are supposed to work and why: https://stackoverflow.com/a/39170937/1183387
Thank you for reporting this. Please send the kernel dump file (`C:\Windows\Minidump\*.dmp`) to [email protected] so that we can analyze the crash and fix this issue.
Some possibilities to research: 1. Should we be sending to the Receive data path instead of the Send data path? How does WFP handle this? Probably could watch an actual...
Npcap currently assumes that every frame has a FCS, though some hardware strips it off. I think a reasonable way forward would be to follow this procedure: 1. Filter module...
At the time we added ARM64 support, Windows did not generally support x64 emulation. That apparently changed in November: https://blogs.windows.com/windows-insider/2020/12/10/introducing-x64-emulation-in-preview-for-windows-10-on-arm-pcs-to-the-windows-insider-program/
Does this issue persist in Npcap 1.70? As @guyharris noted, libpcap 1.10 (included in Npcap 1.20 and later) provides better error reporting for this function, and Npcap 1.70 is more...
For NDIS filter drivers like Npcap, direction is determined by whether the packet is in a "send indication" or a "receive indication." NDIS calls separate callback functions for each of...