Failure to Capture Virtual Adapter - winpcap can capture but npcap does not
Describe the bug
Older versions of Wireshark and WinPcap can capture traffic for a VPN adapter Citrix provides with their Citrix Gateway product. The newer versions show the adapter as being selectable, but it captures no traffic using Npcap.
To Reproduce
Steps to reproduce the behavior:
- Use Wireshark Version 4.2.5 (v4.2.5-0-g4aa814ac25a1) and Npcap version 1.78
- Run as administrator
- Select the Citrix Virtual Adapter to capture traffic
- Observe a lack of packets being captured
- Use Wireshark Version 4.0.8 and winpcap 4.1.3
- run as administrator
- Select the citrix virtual adapter to capture traffic
- observe traffic captured
Expected behavior
Traffic should be displayed and captured in the newer versions of Wireshark and Npcap.
Screenshots
No traffic
traffic with older version and winpcap 4.1.3
Diagnostic information
- Windows version from winver (e.g. Windows 11 Version 21H2, OS Build 22000.795): Version 22H2 (OS Build 19045.4412)
- Output of DiagReport: DiagReport-20240530-095347.txt
- Any special hardware or software that may be relevant: VPN, firewall, antivirus, virtualization (SR-IOV passthrough, etc): Citrix Gateway Plug-in version 20.11.3.1
Additional context
Updated wireshark info Version 4.2.5 (v4.2.5-0-g4aa814ac25a1).
Copyright 1998-2024 Gerald Combs [email protected] and contributors. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822), with GLib 2.78.0, with Qt 6.5.3, with libpcap, with zlib 1.3.0, with PCRE2, with Lua 5.2.4 (with UfW patches), with GnuTLS 3.8.4 and PKCS #11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.61.0, with nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.11.5, with libsmi 0.5.0, with QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with Minizip, with binary plugins.
Running on 64-bit Windows 10 (22H2), build 19045, with 11th Gen Intel(R) Core(TM) i9-11950H @ 2.60GHz (with SSE4.2), with 31953 MB of physical memory, with GLib 2.78.0, with Qt 6.5.3, with Npcap version 1.78, based on libpcap version 1.10.4, with PCRE2 10.42 2022-12-11, with c-ares 1.27.0, with GnuTLS 3.8.4, with Gcrypt 1.10.2-unknown, with nghttp2 1.61.0, with nghttp3 1.0.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with dark display mode, without HiDPI, with QPA plugin "windows", with LC_TYPE=English_United States.utf8, binary plugins supported.
Wireshark 4.0.8 info Version 4.0.8 (v4.0.8-0-g81696bb74857).
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.36, build 32537), with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with SpeexDSP (using bundled resampler), with Minizip, with binary plugins.
Running on 64-bit Windows 10 (22H2), build 19045, with 11th Gen Intel(R) Core(TM) i9-11950H @ 2.60GHz (with SSE4.2), with 31953 MB of physical memory, with GLib 2.72.3, with PCRE2 10.40 2022-04-14, with Qt 5.15.2, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with c-ares 1.18.1, with GnuTLS 3.6.3, with Gcrypt 1.10.1, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode, without HiDPI, with LC_TYPE=English_United States.utf8, binary plugins supported.
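A headless version of the repro steps above, as an added example that is not part of the original report or of the Npcap project: it checks whether the installed capture driver lists the adapter, captures on it for a fixed time, and reports the packet count, so the same run can be compared under Npcap and WinPcap. The default Wireshark install path, the 15-second duration and the output file name are assumptions; the adapter name is the one from the report.

```powershell
# Added example. Run from an elevated PowerShell prompt while the VPN is connected.
# Assumptions: Wireshark is installed in the default directory; the adapter
# name is the one given in the report; 15 seconds is an arbitrary duration.
param(
    [string]$AdapterName  = 'Citrix Virtual Adapter',
    [int]   $Seconds      = 15,
    [string]$WiresharkDir = "$env:ProgramFiles\Wireshark"
)

$dumpcap = Join-Path $WiresharkDir 'dumpcap.exe'
$tshark  = Join-Path $WiresharkDir 'tshark.exe'

# Which capture driver is dumpcap actually using (Npcap or WinPcap)?
$versionText = (& $dumpcap --version 2>$null) -join ' '
$driver = if ($versionText -match '(Npcap|WinPcap) version [\d.]+') { $Matches[0] } else { 'unknown' }

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
# Npcap and WinPcap both expose an adapter as \Device\NPF_{InterfaceGuid}.
$device  = "\Device\NPF_$($adapter.InterfaceGuid)"

# Step 1: does the capture driver offer the adapter at all?
$listed = [bool](& $dumpcap -D 2>$null | Select-String -SimpleMatch $adapter.InterfaceGuid)

# Step 2: capture for a fixed time; generate traffic over the VPN meanwhile.
$pcap    = Join-Path $env:TEMP ("repro-{0:yyyyMMdd-HHmmss}.pcapng" -f (Get-Date))
$packets = 0
if ($listed) {
    & $dumpcap -i $device -a "duration:$Seconds" -w $pcap 2>$null | Out-Null
    if (Test-Path $pcap) {
        # tshark prints one line per captured frame.
        $packets = (& $tshark -r $pcap -T fields -e frame.number 2>$null |
                    Measure-Object -Line).Lines
    }
}

# Summary to paste into a report: "listed but zero packets" is the symptom described.
[pscustomobject]@{
    CaptureDriver = $driver
    Adapter       = $adapter.InterfaceDescription
    NdisVersion   = $adapter.NdisVersion
    DriverFile    = $adapter.DriverFileName
    ListedByPcap  = $listed
    Seconds       = $Seconds
    Packets       = $packets
    CaptureFile   = $pcap
}
```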
What happens if you use Wireshark 4.2.5 and WinPcap 4.1.3?
looks like that also works to capture traffic with 4.2.5 and winpcap 4.1.3
> looks like that also works to capture traffic with 4.2.5 and winpcap 4.1.3
So an Npcap issue, not a Wireshark issue.
looks to be the case, yes - but am I not in the right place for that - it's the GitHub repo for Npcap, right?
changed the title of the issue to reflect
> it's the GitHub repo for Npcap, right?
Right, so this is, indeed, the right place to report Npcap issues.
awesome, thanks, and sorry for any misleading information, just wanted to stay true to my test scenario for working vs non-working, please let me know if you need any other additional details
This issue is continuing to occur for npcap version 1.79.
is it possible to provide more debug information to help solve this bug?
> is it possible to provide more debug information to help solve this bug?
What debug information would be helpful?
> > is it possible to provide more debug information to help solve this bug?
>
> What debug information would be helpful?
I don't know, I am asking - hoping a quick writeup would follow. I am also interested in getting this to work. (WinPcap does work with ICMP only)
same for me, any news here?
> same for me, any news here?

Hi, I think I used pktmon (native Windows tool) - and I think it did show more traffic.
Thanks folks. Will anyone still experiencing this please let us know your Npcap version number and what sort of (virtual) adapter software you are using? We did include support for SR-IOV virtual adapters in Npcap Version 1.80. If it is Citrix, please send us the results of "powershell: get-netadapter -name "Citrix Virtual Adapter" | select *". Thank you.
I am still seeing this issue with the following information.
Also, here is your requested information, which I have scrubbed for sensitive information I doubt you need:
Version 4.4.6 (v4.4.6-0-gaebb20483889).
Copyright 1998-2025 Gerald Combs <[email protected]> and contributors. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123), with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng 2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS #11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.13.5, with libsmi 0.5.0, with Minizip-ng , with QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with binary plugins.
Running on 64-bit Windows 11 (23H2), build 22631, with 11th Gen Intel(R) Core(TM) i9-11950H @ 2.60GHz (with SSE4.2), with 31953 MB of physical memory, with GLib 2.80.0, with Qt 6.5.3, with Npcap version 1.79, based on libpcap version 1.10.4, with PCRE2 10.43 2024-02-16, with c-ares 1.27.0, with GnuTLS 3.8.4, with Gcrypt 1.10.2-unknown, with nghttp2 1.62.1, with nghttp3 0.14.0, with brotli 1.0.9, with LZ4 1.9.4, with Zstandard 1.5.6, without AirPcap, with dark display mode, without HiDPI, with QPA plugin "windows", with LC_TYPE=English_United States.utf8, binary plugins supported.
Check the man page and [www.wireshark.org](https://www.wireshark.org/) for more information.
```
MacAddress : SCRUBBED
Status : Up
LinkSpeed : 100 Mbps
MediaType : 802.3
PhysicalMediaType : 802.3
AdminStatus : Up
MediaConnectionState : Connected
DriverInformation : Driver Date 2018-10-29 Version 16.12.18.616 NDIS 6.20
DriverFileName : ctxva620.sys
NdisVersion : 6.20
ifOperStatus : Up
ifAlias : Citrix Virtual Adapter
InterfaceAlias : Citrix Virtual Adapter
ifIndex : 5
ifDesc : Citrix Virtual Adapter
ifName : other_32768
DriverVersion : 16.12.18.616
LinkLayerAddress : SCRUBBED
Caption :
Description :
ElementName :
InstanceID : {6581C1F0-393B-475B-8F98-DCE363DDADAF}
CommunicationStatus :
DetailedStatus :
HealthState :
InstallDate :
Name : Citrix Virtual Adapter
OperatingStatus :
OperationalStatus :
PrimaryStatus :
StatusDescriptions :
AvailableRequestedStates :
EnabledDefault : 2
EnabledState : 5
OtherEnabledState :
RequestedState : 12
TimeOfLastStateChange :
TransitioningToState : 12
AdditionalAvailability :
Availability :
CreationClassName : MSFT_NetAdapter
DeviceID : {6581C1F0-393B-475B-8F98-DCE363DDADAF}
ErrorCleared :
ErrorDescription :
IdentifyingDescriptions :
LastErrorCode :
MaxQuiesceTime :
OtherIdentifyingInfo :
PowerManagementCapabilities :
PowerManagementSupported :
PowerOnHours :
StatusInfo :
SystemCreationClassName : CIM_NetworkPort
SystemName : SCRUBBED
TotalPowerOnHours :
MaxSpeed :
OtherPortType :
PortType :
RequestedSpeed :
Speed : 100000000
UsageRestriction :
ActiveMaximumTransmissionUnit : 1500
AutoSense :
FullDuplex : True
LinkTechnology :
NetworkAddresses : {SCRUBBED}
OtherLinkTechnology :
OtherNetworkPortType :
PermanentAddress : SCRUBBED
PortNumber : 0
SupportedMaximumTransmissionUnit :
AdminLocked : False
ComponentID : ctxva620_a
ConnectorPresent : False
DeviceName : \Device{6581C1F0-393B-475B-8F98-DCE363DDADAF}
DeviceWakeUpEnable : False
DriverDate : 2018-10-29
DriverDateData : 131852448000000000
DriverDescription : Citrix Virtual Adapter
DriverMajorNdisVersion : 6
DriverMinorNdisVersion : 20
DriverName : \SystemRoot\System32\drivers\ctxva620.sys
DriverProvider : Citrix
DriverVersionString : 16.12.18.616
EndPointInterface : False
HardwareInterface : False
Hidden : False
HigherLayerInterfaceIndices : {37}
IMFilter : False
InterfaceAdminStatus : 1
InterfaceDescription : Citrix Virtual Adapter
InterfaceGuid : {6581C1F0-393B-475B-8F98-DCE363DDADAF}
InterfaceIndex : 5
InterfaceName : other_32768
InterfaceOperationalStatus : 1
InterfaceType : 1
iSCSIInterface : False
LowerLayerInterfaceIndices :
MajorDriverVersion : 4
MediaConnectState : 1
MediaDuplexState : 2
MinorDriverVersion : 2
MtuSize : 1500
NdisMedium : 0
NdisPhysicalMedium : 14
NetLuid : 282024732524544
NetLuidIndex : 32768
NotUserRemovable : False
OperationalStatusDownDefaultPortNotAuthenticated : False
OperationalStatusDownInterfacePaused : False
OperationalStatusDownLowPowerState : False
OperationalStatusDownMediaDisconnected : False
PnPDeviceID : ROOT\CTXVA620_A\0000
PromiscuousMode : True
ReceiveLinkSpeed : 100000000
State : 2
TransmitLinkSpeed : 100000000
Virtual : True
VlanID :
WdmInterface : True
PSComputerName :
CimClass : ROOT/StandardCimv2:MSFT_NetAdapter
CimInstanceProperties : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
```