[Snort-users] [ANNOUNCE] WinPcap 3.1 has been released - FAILS with SNORT - READ...

Michael Steele michaels at ...9077...
Sat Aug 6 15:50:16 EDT 2005


All Windows users of WinPCap:

<Grabbed this off the net>

Using Snort under Windows XP with Winpcap 3.1 installed causes an error:
"Entry point not found- The procedure entry point PacketGetNetInfo could not
be located in the DDL packet.dll".

After contacting the vendor's support, they told me that "PacketGetNetInfo"
is no longer present in Winpcap 3.1 and won't be there any more. Since Snort
calls PacketGetNetInfo, there are two solutions:

1. Use Winpcap 3.0. But since 3.1 introduced nice features (esp. for 
DSL-Users) it should only be a temporary workaround. 

2. Modify Snort so that it works with that (and future) versions of winpcap.

Just a hint for those users who aren't able to start snort with winpcap 3.1
and don't know why ;)

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Gianluca
Varenni
Sent: Friday, August 05, 2005 2:18 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] [ANNOUNCE] WinPcap 3.1 has been released

After more than two years of hard work, the final version of WinPcap 3.1 is
available from today in the download section of the WinPcap website,
http://www.winpcap.org/install/.
This new release represents an important milestone for the project: major
improvements and bug fixes have been carried out during this long period of
time, and the result is the most stable and reliable version of WinPcap in
its history. Thanks to all the users that contributed to this result by
submitting bug reports and thoroughly testing the several betas that were
made available.

Gianluca Varenni
WinPcap Team



Changelog from WinPcap 3.1 beta4
================================

- New installation script based on the NSIS installer. The new installer
  should be able to detect any previous version of WinPcap, remove it on
  request and install the new version, decreasing the number of situations
  in which a reboot is necessary. Moreover, by connecting to the WinPcap
  website, the installer is able to tell the user if more recent versions of
  WinPcap are available.

- wpcap.dll has been updated to libpcap 0.9.3 from http://www.tcpdump.org.

- General cleanup of the documentation (now aligned to libpcap 0.9.3).

- Modified the documentation, so that packet.dll is no longer available in
  the standard developer's pack.

- Added to the developer's pack a set of libpcap-compatible samples,
  suitable to be compiled against vanilla libpcap

- Exported the following new functions from wpcap.dll: pcap_list_datalinks()
  and pcap_dump_ftell().

- Removed pcap_file() from the exports because of incompatibilities with the
  Microsoft C runtime (CRT).

- General cleanup of the existing samples.

- Renamed the NdisWanAdapter to GenericDialupAdapter, to make the use of
  this adapter more clear for the users.

- Removed some useless files in the source tree and in the documentation.

- Bug fixing:
  + Fixed several bugs in the kernel BPF filter function when the packet is
    stored into two non-contiguous buffers. This bug shows up as missing
    packets in the capture while the machine is using personal firewalls and
    certain antivirus software.
  + Fixed a problem related to the NetMon COM component initialization. This
    bug caused random access violation errors while listing the adapters.
  + Removed a duplicated initialization of an event in the driver.
  + Added a check in packet.dll that prevents listing and opening of
    FireWire adapters, since they have a broken interface with NDIS and can
    cause blue screens.
  + Fixed a memory leak in PacketGetAdaptersIPH().
  + Fixed a check that could cause PacketSendPackets() to crash packet.dll.
  + Minor fixes.

=========


Changelog from WinPcap 3.1 beta3 to WinPcap 3.1 beta4
=====================================================

- wpcap.dll has been updated to libpcap 0.8.3 from http://www.tcpdump.org.

- Added a note in the documentation that states that the kernel dump feature
  is disabled due to incompatibilities with the new kernel buffer.

- Minor fixes to the documentation.

- Removed some useless files.

- Bug fixing:
  + Fixed a bug related to COM initialization in WanPacket, by which
    WanAdapters were not working correctly if the calling thread was using
    COM with a different threading model.
  + Fixed a problem in AddAdapterIPH(), by which no adapter was actually
    added with this function because of a UNICODE/ASCII mismatch. Basically,
    AddAdapterIPH received an ASCII adapter name, and tried to open it with
    PacketOpenAdapterNPF, which accepts UNICODE strings, only.
  + Fixed a bug in the remote capture code due to concurrency issues when
    spawning a new thread.
  + Fixed a problem related to the generation of grammar files with flex
    in the CygWin makefile.
  + Fixed a couple of memory leaks in PacketGetAdapterNames().
    PacketGetAdapterNames() seems to be still leaky, but the source of the
    leak seems to be a leaky API in the Microsoft IpHelperAPI, at least on
    WinXP SP1.
  + Added some code that frees the global list of adapters when packet.dll
    is unloaded (i.e. when DllMain is called with DLL_PROCESS_DETACH).
  + Fixed a bug that caused the adapters not to be listed on terminal
    services. The bug was caused by the lack of the "\\global" prefix in
    front of the adapter names.
  + Fixed a bug related to adapter opening in the pcap_filter example. Fixed
    the usage string that was wrong.
  + Fixed a bug in the JIT code of the driver that could potentially cause a
    BSOD if two threads try to set a filter (that will be jitted) at the
    same time.
  + Fixed a bug by which the driver fails to return any packet with a read
    after an IOCTL_SETBUFFER has changed the buffer size. The bug is due to
    some missing counter resets.
  + Fixed some debugging messages in the NT driver that were not macroed
    with IF_LOUD.

=========


Changelog from WinPcap 3.1 beta2 to WinPcap 3.1 beta3
=====================================================

- Bug fixing:
  + Fixed a bug related to device listing if TCP/IP is not installed: on
    2000/XP if TCP is not installed, it reported "you must install TCP/IP",
    and this was plain wrong.
  + Added PacketSetSnapLen() under Win9x. Without this function, wpcap.dll
    fails to load on Win9x.
  + PacketGetAdapterNames() has been rewritten under Win9x, in order to
    comply to the correct behavior specified in the documentation.

=========


Changelog from WinPcap 3.1 beta to WinPcap 3.1 beta2
=====================================================

- Added some code to show a fake NdisWan adapter, useful to capture LCP/NCP
  packets. This adapter is always listed on 2000/XP/2003 (if you have enough
  privileges), even if you don't have any PPP/VPN/... connection
  established.

- Added a check in the installer, so that the installation fails if you
  don't have administrator privileges.

- Added a check so that NdisWan adapters (PPP, VPN, ...) are listed only if
  you can capture from them.

- Added a new sample program, which gets the MAC address of an interface
  using packet.dll.

- Modified the access to the global list of adapters in packet.dll under
  NT4/2000/XP/2003. Now packet.dll should be thread-safe.

- Bug fixing:
  + fixed some resource leaks in the remote capture daemon (rpcapd).
  + fixed a couple of resource leaks in packet.dll.
  + fixed some meaningless last error messages set by PacketOpenAdapter
    (e.g. "The operation completed successfully").
  + fixed a shortcoming in pcap_findalldevs, by which the adapters were not
    listed if they couldn't fit into an 8 kB buffer.
  + fixed a memory leak in pcap_lookupdev.
  + fixed some bugs related to adapters listing:
    * some adapters were not listed, especially if some registry keys are
      messed up.
    * in some situations the listing failed with the message "Attempt to
      release a mutex not owned by caller"
    * if PacketGetAdapterNames() failed, it returned the wrong number of
      needed bytes for the input buffer.
  + fixed a buffer overrun in npf.sys that caused crashes (BSODs) when
    there are too many adapters in the registry.
  + fixed a bug in npf.sys that caused blue screens (BSODs) when you try to
    send "jumbo" packets, i.e. packets bigger than the maximum frame size
    for the selected link type.
  + minor bug fixes.

=========


Changelog from WinPcap 3.01 alpha to WinPcap 3.1 beta
=====================================================

- Support for capture on NdisWan, with the following features:
  + Based on the NetMon API, does NOT use NPF.sys
  + Works with PPP (dial-up) and VPN links
  + Works on Windows 2000 and XP, only
  + Packet transmission is not supported
  + packet filtering is done at user level

- wpcap.dll has been updated to libpcap 0.8.1 from www.tcpdump.org.

- Support for DAG cards, based on the Windows version of the 2.5 Endace Dag
  driver.

- The method used by the driver to timestamp packets can now be changed
  without recompiling the driver, by modifying a registry key:
       HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
  Possible values are:
   - 0 (default) -> Timestamps generated through KeQueryPerformanceCounter,
          less reliable on SMP/HyperThreading machines,
          precision = some microseconds
   - 2 -> Timestamps generated through KeQuerySystemTime,
          more reliable on SMP/HyperThreading machines,
          precision = scheduling quantum (10/15 ms)
   - 3 -> Timestamps generated through the i386 instruction RDTSC,
          less reliable on SMP/HyperThreading/SpeedStep machines,
          precision = some microseconds

- The driver is now started by the SCM with GENERIC_READ privileges rather
  than ALL_ACCESS. This allows non-administrator users to start and run
  WinPcap.

- Changes to the wpcap.dll API:
  + pcap_findalldevs() and pcap_findalldevs_ex() return IPv6 addresses
  + pcap_findalldevs_ex() is now able to list local adapters, remote
    adapters, and the list of capture files present in a given folder.

- Changes/additions to the Packet.dll API:
  + The code to gather interface information has been mostly rewritten, in
    order to be more modular and source independent. IP Helper API is now
    used in addition to registry scanning.
  + PacketGetNetInfoEx() now returns IPv6 addresses besides IPv4 ones.
  + modified the format of the npf_if_addr structure, that
    PacketGetNetInfoEx() uses to return the network address of an
    interface. In order to provide enough space for an IPv6 address,
    npf_if_addr is now made of three struct sockaddr_storage rather than
    three struct sockaddr.
    Since the former is 128 bytes while the latter is 16 bytes, old
    applications will not be compatible with the new PacketGetNetInfoEx().
  + PacketGetAdapterNames() now returns the names of the adapter in ASCII
    rather than in Unicode.
    Since the main purpose of PacketGetAdapterNames() is feeding data to
    pcap_findalldevs() and since pcap_findalldevs() needs ASCII names, the
    new PacketGetAdapterNames() avoids a conversion in wpcap.dll and
    uniforms the data format with the one of Windows 9x (this potentially
    simplifies the code of the applications). As a consequence to
    this modification, old applications won't work properly with the new
    PacketGetAdapterNames() on NT/2k/XP/2k3.
  + PacketOpenAdapter() now takes an ASCII adapter name rather than a UNICODE
    one. This is a consequence of the fact that PacketGetAdapterNames()
    returns ASCII strings: they can be immediately passed to
    PacketOpenAdapter(). (note: internal conversion is provided so that a
    UNICODE adapter name will be correctly opened, however the prototype
    changes and this could generate warnings when compiling old
    applications)
  + For the same reason, PacketGetNetInfoEx() takes an ASCII adapter
    string rather than a UNICODE one. Internal conversion is provided for
    backward compatibility in this case, too.
  + PacketGetVersion() now retrieves the version number from the dll
    binary.
  + Added a PacketGetDriverVersion() function that returns the version
    number of NPF.sys.

- Packet sampling
  + added the capability to perform packet sampling instead of just packet
    capture. This feature can be turned on through the new
    pcap_setsampling() function.
  + This feature is available on local captures, offline captures, and
    remote captures.
  + Please note that this feature is highly experimental.

- Remote capture
  + Improved support on FreeBSD and Linux.
  + Fixed a bug in UDP data transfer.
  + Support for packet sampling (only if the remote daemon runs on a Win32
    machine; it does not work on Linux and FreeBSD).

- Updated the documentation
  + Many examples have been rewritten in order to use the new pcap_open()
    and pcap_findalldevs_ex() functions.

=========


Changelog from WinPcap 3.0 to WinPcap 3.01 alpha
================================================

- Modified interface for function pcap_findalldevs_ex in order to support
  local files listing

- pcap_findalldevs_ex supports local device, remote device, and local file
  listing

- Updated makefiles in order to compile on UNIX

- Support for remote capture (and remote daemon) in Linux and BSD (in
  addition to Win32)

- Simplified architecture for the remote capture; now pthreads are needed
  only by the rpcapd daemon; standard libpcap no longer needs pthreads

- Added initial support for remote packet sampling (local packet sampling is
  still to be done)

- pcap_fileno returns a valid descriptor also in case of a remote capture,
  so that the 'select()' function can be used to check if packets are
  waiting to be read

- Improved docs

- Started modifying the Developer's Pack examples in order to use the new
  system calls (pcap_open, pcap_findalldevs_ex, etc), although this process
  has not been completed

- Bug fixing:
  + Fixed a bug that prevented the remote capture (active mode) working in
    Windows XP
  + Fixed a bug that caused the driver not to list any adapter under
    NT4/2k/XP/2k3.

=========
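The npf_if_addr change listed above (three struct sockaddr replaced by three struct sockaddr_storage) is the same kind of ABI break as the removed PacketGetNetInfo entry point that stops Snort binaries built against WinPcap 3.0 from running against 3.1. As an added example, not code from the announcement or from Snort, here are the old and new layouts side by side, the per-entry overrun an old caller would suffer from the new PacketGetNetInfoEx(), and a decoder for the IPv4 and IPv6 addresses the new layout can carry; the field names follow WinPcap's Packet32.h, and the structs are declared locally so the block also builds on POSIX.

```c
/* Added example, not code from the WinPcap announcement or from Snort:
 * why WinPcap 3.1's switch of npf_if_addr from three struct sockaddr to
 * three struct sockaddr_storage breaks binaries built against 3.0, and how
 * a caller built for the new layout decodes the IPv4 and IPv6 addresses
 * PacketGetNetInfoEx() now returns. Field names follow Packet32.h. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
struct npf_if_addr_old {                 /* 3.0 layout: 3 * 16 = 48 bytes  */
    struct sockaddr IPAddress, SubnetMask, Broadcast;
};
struct npf_if_addr {                     /* 3.1 layout: 3 * 128 = 384 bytes */
    struct sockaddr_storage IPAddress, SubnetMask, Broadcast;
};

/* Bytes that would be written past each element if an old caller handed an
 * array of old-size entries to the new PacketGetNetInfoEx(): a buffer overrun. */
size_t overrun_per_entry(void) {
    return sizeof(struct npf_if_addr) - sizeof(struct npf_if_addr_old);
}

/* Store a textual address of either family into a sockaddr_storage slot. */
int set_addr(struct sockaddr_storage *ss, const char *text) {
    int fam = strchr(text, ':') ? AF_INET6 : AF_INET;
    memset(ss, 0, sizeof *ss);
    ss->ss_family = (sa_family_t)fam;
    void *dst = fam == AF_INET ? (void *)&((struct sockaddr_in *)ss)->sin_addr
                               : (void *)&((struct sockaddr_in6 *)ss)->sin6_addr;
    return inet_pton(fam, text, dst) == 1;
}

/* Render a slot back to text; handles both families 3.1 can return. */
int addr_to_string(const struct sockaddr_storage *ss, char *out, size_t len) {
    const void *src;
    if (ss->ss_family == AF_INET)       src = &((const struct sockaddr_in *)ss)->sin_addr;
    else if (ss->ss_family == AF_INET6) src = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    else return 0;                      /* unknown family: refuse, do not guess */
    return inet_ntop(ss->ss_family, src, out, (socklen_t)len) != NULL;
}

int main(void) {
    struct npf_if_addr e;                /* constructed entry, not from the driver */
    char ip[INET6_ADDRSTRLEN], mask[INET6_ADDRSTRLEN];
    set_addr(&e.IPAddress, "2001:db8::1");
    set_addr(&e.SubnetMask, "ffff:ffff:ffff:ffff::");
    addr_to_string(&e.IPAddress, ip, sizeof ip);
    addr_to_string(&e.SubnetMask, mask, sizeof mask);
    printf("%s / %s  old-ABI overrun per entry: %zu bytes\n", ip, mask, overrun_per_entry());
    return 0;
}
```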


