
Author Topic: Necessary to have WinPcap driver start at boot ???  (Read 54023 times)

gdv22

Necessary to have WinPcap driver start at boot ???
« on: November 09, 2010, 03:49 AM »
Hello all,

I just installed URL Snooper on a backup clunker machine because my mobo died, and I noticed that the WinPcap installer has an option to have the WinPcap driver start at boot time (which is checked by default).

I don't recall how I had this set up on my other machine.  Is it necessary to have the WinPcap driver start at boot time?  Or if I were to uncheck this, will URL Snooper start the driver when needed (i.e., when I launch URL Snooper)?

Thanks! :)

mouser

Re: Necessary to have WinPcap driver start at boot ???
« Reply #1 on: November 09, 2010, 08:44 AM »
I don't recall that option.  URL Snooper won't start it automatically (though that is a nice idea), but you might be able to start it yourself manually before you use URL Snooper. Try it and let me know if that works.  I can check and see if there is simple code to have URL Snooper start and stop the WinPcap driver.

gdv22

Re: Necessary to have WinPcap driver start at boot ???
« Reply #2 on: November 11, 2010, 02:32 AM »
Thanks for your reply :), but I went ahead and installed, and now I'm at a loss on how to check this out further.  :-[

FYI, I've attached an image of the WinPcap installer option I mentioned in my OP...

...But now I can't remember for sure if I left it checked or unchecked it.  I think I left it checked, thinking there would probably be an option to change it later, but now I can't find one, and I'm not sure how to tell if the driver is loaded or not.

I don't see anything in Task Manager or Sysinternals' Process Explorer except WPCAP.DLL listed under URLSnooper.exe in Process Explorer while URL Snooper is running... ...but that's not the driver, is it?

I found npf.sys by CACE Technologies (which I think is the driver ?) listed in Sysinternals' Autoruns, but according to the Autoruns Right-click context menu's Process Explorer option, npf.sys is not currently running, even though I currently have URL Snooper running.

Process Explorer also lists \Device\NPF_{1256B1B2-8BEF-440A-8869-F2649E440072} under URLSnooper.exe while URL Snooper is running, but now I'm getting in way over my head and don't know what, if anything, to do with that ???

So what is the WinPcap driver, how can I tell if it is loading at bootup, and how would I change it (i.e., other than maybe running the installer again, or uninstalling and re-installing)?

Thanks again! :)

mouser

Re: Necessary to have WinPcap driver start at boot ???
« Reply #3 on: November 11, 2010, 09:54 AM »
OK, I see the option -- didn't notice when they added that.

The wpcap.dll is going to be what interfaces with the system driver, I think.

Does URL Snooper work if you install WinPcap and tell it not to run at boot time?

gdv22

Re: Necessary to have WinPcap driver start at boot ???
« Reply #4 on: November 13, 2010, 02:51 AM »
Sorry to be so long getting back to you... ..been jammed up with other matters.

Yes, I wouldn't have seen the WinPcap installer option either, except this was a fresh URL Snooper install on a fresh Windows install on an old machine, so it didn't already have WinPcap on it [and for other readers (since you undoubtedly know :P), the URL Snooper installer only installs WinPcap if it's not already on the system].

I'm not a programmer, so I'm stretching my personal KB here, but what is the (likely) name of the system driver you referred to that wpcap.dll interfaces with?  (I'm assuming you know, as the programmer.)  I guess it's not the npf.sys by CACE Technologies I mentioned, since that apparently isn't loaded and running when URL Snooper is.  The WinPcap installation log indicates the WinPcap installer checked for and found npptools.dll, netnm.inf, and nmnt.sys, so I thought maybe nmnt.sys (a Microsoft Netmon NT Driver) might be the system driver you meant, but according to Autoruns and Process Explorer, it isn't running when URL Snooper is either.  So like I said before, I haven't been able to find anything that seems to be the driver.

I had hoped to figure this out without uninstalling and re-installing WinPcap and URLSnooper, but if you don't know any other way, I'll try to do that as soon as I get a chance and post back with the results.

Thanks! :)

mouser

Re: Necessary to have WinPcap driver start at boot ???
« Reply #5 on: November 13, 2010, 03:47 AM »
OK, from what I see searching around, WinPcap uses two services: nm and npf, which seem to be started automatically when you start sniffing if they are not already running.

So I think the answer is that you do not need them running at boot time.
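
Added example, not part of the original posts: kernel drivers such as npf are not listed as processes, so one way to see how they are set to start and whether they are loaded is to read their service entries. It assumes PowerShell 3.0 or later and the service names `npf` and `nm` mentioned in this thread; `Get-DriverStartInfo` is a hypothetical helper name.

```powershell
# Added example: report the start type and current state of the
# WinPcap-related drivers. 'npf' and 'nm' are the names from the thread.
# Start values are the standard Windows service start types.
$StartTypes = @{
    0 = 'Boot'
    1 = 'System'
    2 = 'Automatic'
    3 = 'Manual (on demand)'
    4 = 'Disabled'
}

function Get-DriverStartInfo {
    param([string[]]$Name = @('npf', 'nm'))

    foreach ($n in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"

        # A missing key means the driver is not installed on this machine.
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Name = $n; Installed = $false; StartType = $null; State = $null; ImagePath = $null }
            continue
        }

        $reg = Get-ItemProperty -Path $key
        # Win32_SystemDriver reports whether the driver is loaded right now.
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$n'" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Name      = $n
            Installed = $true
            StartType = $StartTypes[[int]$reg.Start]
            State     = if ($drv) { $drv.State } else { 'Unknown' }
            ImagePath = $reg.ImagePath
        }
    }
}

Get-DriverStartInfo | Format-Table -AutoSize

# To change npf to on-demand start (run from an elevated prompt):
#   sc.exe config npf start= demand
# To load or unload the driver by hand:
#   sc.exe start npf
#   sc.exe stop npf
```

Running it once before and once while a capture tool is open shows whether the driver is being loaded on demand.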

gdv22

Re: Necessary to have WinPcap driver start at boot ???
« Reply #6 on: November 14, 2010, 02:49 AM »
Thanks!

I'll try to look at that a little more as soon as I get a chance and get back to you later if I learn anything worth reporting or have any more questions. :)