[Snort-users] [ANNOUNCE] WinPcap 3.1 has been released - FAILS with SNORT - READ...

Ron iago at ...13401...
Sat Aug 6 15:59:28 EDT 2005


It doesn't appear that it's actually used anywhere:

iago at ...13415...:~/downloads/snort-2.3.3$ grep -r "PacketGetNetInfo" *
src/win32/WIN32-Includes/libnet/PACKET32.H:  This structure is used by the PacketGetNetInfoEx() function to return the IP addresses associated with
src/win32/WIN32-Includes/libnet/PACKET32.H:BOOLEAN PacketGetNetInfo(LPTSTR AdapterName, PULONG netp, PULONG maskp);
src/win32/WIN32-Includes/libnet/PACKET32.H:BOOLEAN PacketGetNetInfoEx(LPTSTR AdapterName, npf_if_addr* buffer, PLONG NEntries);
Binary file src/win32/WIN32-Libraries/Packet.lib matches
Binary file src/win32/WIN32-Prj/LibnetNT.dll matches

Shouldn't be too hard to fix?

Michael Steele wrote:
> All Windows users of WinPCap:
> 
> <Grabbed this off the net>
> 
> Using Snort under Windows XP with Winpcap 3.1 installed causes an error:
> "Entry point not found - The procedure entry point PacketGetNetInfo could not
> be located in the DLL packet.dll".
> 
> After contacting the vendors support, they told me, that "PacketGetNetInfo"
> is no more present in Winpcap 3.1 and won't be there any more. Since Snort
> calls PacketGetNetInfo, there are two solutions:
> 
> 1. Use Winpcap 3.0. But since 3.1 introduced nice features (esp. for 
> DSL-Users) it should only be a temporary workaround. 
> 
> 2. Modify Snort so that it works with that (and future) versions of winpcap.
> 
> Just a hint for those users who aren't able to start snort with winpcap 3.1
> and don't know, why ;)
> 
> Kindest regards,
> Michael...
> 
> WINSNORT.com Management Team Member
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Gianluca
> Varenni
> Sent: Friday, August 05, 2005 2:18 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] [ANNOUNCE] WinPcap 3.1 has been released
> 
> After more than two years of hard work, the final version of WinPcap 3.1 is
> available from today in the download section of the WinPcap website,
> http://www.winpcap.org/install/.
> This new release represents an important milestone for the project: major
> improvements and bug fixes have been carried out during this long period of
> time, and the result is the most stable and reliable version of WinPcap in
> its history. Thanks to all the users that contributed to this result by
> submitting bug reports and thoroughly testing the several betas that were
> made available.
> 
> Gianluca Varenni
> WinPcap Team
> 
> 
> 
> Changelog from WinPcap 3.1 beta4
> ================================
> 
> - New installation script based on the NSIS installer. The new installer
>   should be able to detect any previous version of WinPcap, remove it on
>   request and install the new version, decreasing the number of situations
>   in which a reboot is necessary. Moreover, by connecting to the WinPcap
>   website, the installer is able to tell the user if more recent versions of
>   WinPcap are available.
> 
> - wpcap.dll has been updated to libpcap 0.9.3 from http://www.tcpdump.org.
> 
> - General cleanup of the documentation (now aligned to libpcap 0.9.3).
> 
> - Modified the documentation, so that packet.dll is no longer available in
>   the standard developer's pack.
> 
> - Added to the developer's pack a set of libpcap-compatible samples,
>   suitable to be compiled against vanilla libpcap
> 
> - Exported the following new functions from wpcap.dll: pcap_list_datalinks()
>   and pcap_dump_ftell().
> 
> - Removed pcap_file() from the exports because of incompatibilities with the
>   Microsoft C runtime (CRT).
> 
> - General cleanup of the existing samples.
> 
> - Renamed the NdisWanAdapter to GenericDialupAdapter, to make the use of
>   this adapter more clear for the users.
> 
> - Removed some useless files in the source tree and in the documentation.
> 
> - Bug fixing:
>   + Fixed several bugs in the kernel BPF filter function when the packet is
>     stored into two not contiguous buffers. This bug shows up as missing
>     packets in the capture while the machine is using personal firewalls and
>     certain antivirus software.
>   + Fixed a problem related to the NetMon COM component initialization. This
>     bug caused random access violation errors while listing the adapters.
>   + Removed a duplicated initialization of an event in the driver.
>   + Added a check in packet.dll that prevents listing and opening of
>     FireWire adapters, since they have a broken interface with NDIS and can
>     cause blue screens.
>   + Fixed a memory leak in PacketGetAdaptersIPH().
>   + Fixed a check that could cause PacketSendPackets() to crash packet.dll.
>   + Minor fixes.
> 
> =========
> 
> 
> Changelog from WinPcap 3.1 beta3 to WinPcap 3.1 beta4
> =====================================================
> 
> - wpcap.dll has been updated to libpcap 0.8.3 from http://www.tcpdump.org.
> 
> - Added a note in the documentation that states that the kernel dump feature
>   is disabled due to incompatibilities with the new kernel buffer.
> 
> - Minor fixes to the documentation
> 
> - Removed some useless files.
> 
> - Bug fixing:
>   + Fixed a bug related to COM initialization in WanPacket, by which
>     WanAdapters were not working correctly if the calling thread was using
>     COM with a different threading model.
>   + Fixed a problem in AddAdapterIPH(), by which no adapter was actually
>     added with this function because of a UNICODE/ASCII mismatch. Basically,
>     AddAdapterIPH received an ASCII adapter name, and tried to open it with
>     PacketOpenAdapterNPF, which accepts UNICODE strings, only.
>   + Fixed a bug in the remote capture code due to concurrency issues when
>     spawning a new thread
>   + Fixed a problem related to the generation of grammar files with flex
>     in the CygWin makefile.
>   + Fixed a couple of memory leaks in PacketGetAdapterNames().
>     PacketGetAdapterNames() seems to be still leaky, but the source of the
>     leak seems to be a leaky API in the Microsoft IpHelperAPI, at least on
>     WinXP SP1.
>   + Added some code that frees the global list of adapters when packet.dll
>     is unloaded (i.e. when DllMain is called with DLL_PROCESS_DETACH)
>   + Fixed a bug that caused the adapters not to be listed on terminal
>     services. The bug was caused by the lack of the "\\global" prefix in
>     front of the adapter names.
>   + Fixed a bug related to adapter opening in the pcap_filter example. Fixed
>     the usage string that was wrong.
>   + Fixed a bug in the JIT code of the driver that could potentially cause a
>     BSOD if two threads try to set a filter (that will be jitted) at the
>     same time.
>   + Fixed a bug by which the driver fails to return any packet with a read
>     after an IOCTL_SETBUFFER has changed the buffer size. The bug is due to
>     some missing counter resets.
>   + Fixed some debugging messages in the NT driver that were not macroed
>     with IF_LOUD
> 
> =========
> 
> 
> Changelog from WinPcap 3.1 beta2 to WinPcap 3.1 beta3
> =====================================================
> 
> - Bug fixing:
>   + Fixed a bug related to device listing if TCP/IP is not installed: on
>     2000/XP if TCP is not installed, it reported "you must install TCP/IP",
>     and this was plain wrong.
>   + Added PacketSetSnapLen() under Win9x. Without this function, wpcap.dll
>     fails to load on Win9x.
>   + PacketGetAdapterNames() has been rewritten under Win9x, in order to
>     comply to the correct behavior specified in the documentation.
> 
> =========
> 
> 
> Changelog from WinPcap 3.1 beta to WinPcap 3.1 beta2
> =====================================================
> 
> - Added some code to show a fake NdisWan adapter, useful to capture LCP/NCP
>   packets. This adapter is always listed on 2000/XP/2003 (if you have enough
>   privileges), even if you don't have any PPP/VPN/... connection
>   established.
> 
> - Added a check in the installer, so that the installation fails if you
>   don't have administrator privileges.
> 
> - Added a check so that NdisWan adapters  (PPP, VPN, ...) are listed only if
>   you can capture from them.
> 
> - Added a new sample program, which gets the MAC address of an interface
>   using packet.dll
> 
> - Modified the access to the global list of adapters in packet.dll under
>   NT4/2000/XP/2003. Now packet.dll should be thread-safe.
> 
> - Bug fixing:
>   + fixed some resource leaks in the remote capture daemon (rpcapd).
>   + fixed a couple of resource leaks in packet.dll.
>   + fixed some meaningless last error messages set by PacketOpenAdapter
>     (e.g. "The operation completed successfully").
>   + fixed a shortcoming in pcap_findalldevs, by which the adapters were not
>     listed if they couldn't fit into a 8kB buffer.
>   + fixed a memory leak in pcap_lookupdev.
>   + fixed some bugs related to adapters listing:
>     * some adapters were not listed, especially if some registry keys are
>       messed up.
>     * in some situations the listing failed with the message "Attempt to
>       release a mutex not owned by caller"
>     * if PacketGetAdapterNames() failed, it returned the wrong number of
>       needed bytes for the input buffer.
>   + fixed a buffer overrun in npf.sys that caused crashes (BSODs) when
>     there are too many adapters in the registry.
>   + fixed a bug in npf.sys that caused blue screens (BSODs) when you try to
>     send "jumbo" packets, i.e. packets bigger than the maximum frame size
>     for the selected link type.
>   + minor bug fixes.
> 
> =========
> 
> 
> Changelog from WinPcap 3.01 alpha to WinPcap 3.1 beta
> =====================================================
> 
> - Support for capture on NdisWan, with the following features:
>   + Based on the NetMon API, does NOT use NPF.sys
>   + Works with PPP (dial-up) and VPN links
>   + Works on Windows 2000 and XP, only
>   + Packet transmission is not supported
>   + packet filtering is done at user level
> 
> - wpcap.dll has been updated to libpcap 0.8.1 from www.tcpdump.org.
> 
> - Support for DAG cards, based on the Windows version of the 2.5 Endace Dag
>   driver.
> 
> - The method used by the driver to timestamp packets can now be changed
>   without recompiling the driver, modifying a registry key:
>        HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
>   Possible values are
>    - 0 (default) -> Timestamps generated through KeQueryPerformanceCounter,
>           less reliable on SMP/HyperThreading machines,
>           precision = some microseconds
>    - 2 -> Timestamps generated through KeQuerySystemTime,
>           more reliable on SMP/HyperThreading machines,
>           precision = scheduling quantum (10/15 ms)
>    - 3 -> Timestamps generated through the i386 instruction RDTSC,
>           less reliable on SMP/HyperThreading/SpeedStep machines,
>           precision = some microseconds
> 
> - The driver is now started by the SCM with GENERIC_READ privileges rather
>   than ALL_ACCESS. This allows not-administrator users to start and run
>   WinPcap.
> 
> - Changes to the wpcap.dll API:
>   + pcap_findalldevs() and pcap_findalldevs_ex() return IPv6 addresses
>   + pcap_findalldevs_ex() is now able to list local adapters, remote
>     adapters, and the list of capture files present in a given folder.
> 
> - Changes/additions to the Packet.dll API:
>   + The code to gather interface information has been mostly rewritten, in
>     order to be more modular and source independent. IP Helper API is now
>     used in addition to registry scanning.
>   + PacketGetNetInfoEx() now returns IPv6 addresses besides IPv4 ones.
>   + modified the format of the npf_if_addr structure, that
>     PacketGetNetInfoEx() uses to return the network address of an
>     interface. In order to provide enough space for an IPv6 address,
>     npf_if_addr is now made of three struct sockaddr_storage rather than
>     three struct sockaddr.
>     Since the former is 128 bytes while the latter is 16 bytes, old
>     applications will not be compatible with the new PacketGetNetInfoEx().
>   + PacketGetAdapterNames() now returns the names of the adapter in ASCII
>     rather than in Unicode.
>     Since the main purpose of PacketGetAdapterNames() is feeding data to
>     pcap_findalldevs() and since pcap_findalldevs() needs ASCII names, the
>     new PacketGetAdapterNames() avoids a conversion in wpcap.dll and
>     uniforms the data format with the one of Windows 9x (this potentially
>     simplifies the code of the applications). As a consequence to
>     this modification, old applications won't work properly with the new
>     PacketGetAdapterNames() on NT/2k/XP/2k3.
>   + PacketOpenAdapter() now takes an ascii adapter rather than a UNICODE
>     one. This is a consequence of the fact that PacketGetAdapterNames()
>     returns ASCII strings: they can be immediately passed to
>     PacketOpenAdapter(). (note: internal conversion is provided so that a
>     UNICODE adapter name will be correctly opened, however the prototype
>     changes and this could generate warning when compiling old
>     applications)
>   + For the same reason, PacketGetNetInfoEx() takes an ASCII adapter
>     string rather than a UNICODE one. Internal conversion is provided for
>     backward compatibility in this case, too.
>   + PacketGetVersion() now retrieves the version number from the dll
>     binary.
>   + Added a PacketGetDriverVersion() function that returns the version
>     number of NPF.sys.
> 
> - Packet sampling
>   + added the capability to perform packet sampling instead of just packet
>     capture. This feature can be turned on through the new
>     pcap_setsampling() function.
>   + This feature is available on local captures, offline captures, and
>     remote captures.
>   + Please note that this feature is highly experimental.
> 
> - Remote capture
>   + Improved support on FreeBSD and Linux.
>   + Fixed a bug in UDP data transfer
>   + Support for packet sampling (only if the remote daemon runs on a Win32
>     machine; it does not work on Linux and FreeBSD).
> 
> - Updated the documentation
>   + Many examples have been rewritten in order to use the new pcap_open()
>     and pcap_findalldevs_ex() functions.
> 
> =========
> 
> 
> Changelog from WinPcap 3.0 to WinPcap 3.01 alpha
> ================================================
> 
> - Modified interface for function pcap_findalldevs_ex in order to support
>   local files listing
> 
> - pcap_findalldevs_ex supports local device, remote device, and local file
>   listing
> 
> - Updated makefiles in order to compile on UNIX
> 
> - Support for remote capture (and remote daemon) in Linux and BSD (in
>   addition to Win32)
> 
> - Simplified architecture for the remote capture; now pthreads are needed
>   only by the rpcapd daemon; standard libpcap does no longer need pthreads
> 
> - Added initial support for remote packet sampling (local packet sampling is
>   still to be done)
> 
> - pcap_fileno returns a valid description also in case of a remote capture,
>   so that the 'select()' function can be used to check if packets are
>   waiting to be read
> 
> - Improved docs
> 
> - Started modifying the Developer's Pack examples in order to use the new
>   system calls (pcap_open, pcap_findalldevs_ex, etc), although this process
>   has not been completed
> 
> - Bug fixing:
>   + Fixed a bug that prevented the remote capture (active mode) working in
>     Windows XP
>   + Fixed a bug that caused the driver not to list any adapter under
>     NT4/2k/XP/2k3.
> 
> =========
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
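The failure reported in this thread is a load-time one: Snort was linked against Packet.lib, so the Windows loader refused to start the process as soon as packet.dll stopped exporting PacketGetNetInfo, even though (as the grep above shows) Snort's own sources never call it. The second fix Michael lists, making Snort work with "that (and future) versions of winpcap", is usually done by resolving such exports at run time and falling back when one is missing. The script below is an added example of that late-binding pattern and is not code from Snort or WinPcap. It assumes ctypes' `getattr` lookup as the stand-in for GetProcAddress, uses the C runtime (via `ctypes.CDLL(None)` on POSIX, `msvcrt` on Windows) as the library to probe because packet.dll is Windows-only, and takes the Packet API names from the thread; `pick_net_info_call` only checks for them and asserts nothing about which ones a given WinPcap release exports.

```python
"""Added example: resolve a library export at run time instead of link time.

A process linked against an import library aborts at startup when the DLL
no longer exports a symbol ("The procedure entry point ... could not be
located").  Looking the export up by name after loading the library turns
that hard failure into a recoverable None.
"""
import ctypes
import platform


def load_library(name=None):
    """Load a shared library by name.  With name=None, open the C runtime:
    on POSIX, CDLL(None) is dlopen(NULL), i.e. the running process and the
    libc symbols it already carries; on Windows, msvcrt (assumption: used
    here only as a stand-in for packet.dll, which this example has no
    access to)."""
    if name is None:
        if platform.system() == "Windows":
            return ctypes.CDLL("msvcrt")
        return ctypes.CDLL(None)
    return ctypes.CDLL(name)


def resolve_optional(lib, symbol):
    """Return the exported function `symbol`, or None if `lib` lacks it.
    ctypes raises AttributeError here; the OS loader, for a link-time
    import, would instead refuse to start the process."""
    try:
        return getattr(lib, symbol)
    except AttributeError:
        return None


def probe_exports(lib, symbols):
    """Map each symbol name to whether `lib` exports it, so a startup
    self-check can report missing exports before any code depends on them."""
    return {name: resolve_optional(lib, name) is not None for name in symbols}


def pick_net_info_call(lib):
    """Choose which Packet API entry point to use for interface addresses.
    Try PacketGetNetInfoEx first, then the PacketGetNetInfo that WinPcap 3.1
    dropped; return None (feature unavailable) rather than crashing when
    neither is exported.  Names are the ones quoted in the thread."""
    for name in ("PacketGetNetInfoEx", "PacketGetNetInfo"):
        if resolve_optional(lib, name) is not None:
            return name
    return None


def strlen_via_runtime(lib, text):
    """Show that an export resolved by name is a normal callable: look up
    strlen in the C runtime and call it.  Returns None if it is absent."""
    fn = resolve_optional(lib, "strlen")
    if fn is None:
        return None
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_size_t
    return fn(text.encode())


if __name__ == "__main__":
    lib = load_library()
    # On a non-WinPcap host both Packet* names are missing and strlen is present.
    print(probe_exports(lib, ["strlen", "PacketGetNetInfo", "PacketGetNetInfoEx"]))
    print("net info call:", pick_net_info_call(lib))
    print("strlen('snort') =", strlen_via_runtime(lib, "snort"))
```

On a Windows host with WinPcap installed, `load_library("packet.dll")` in place of the default would give the same check against the real library: `probe_exports` then tells you at startup which entry points the installed version still carries, and `pick_net_info_call` degrades gracefully instead of producing the loader error quoted above.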