Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: nmap -P0 reboots Windows XP
From: Loris Degioanni <loris.degioanni () gmail com>
Date: Wed, 08 Mar 2006 12:54:52 -0800

Let's try to clarify a bit.

IRQL_NOT_LESS_OR_EQUAL is one of the most common Windows kernel 
bugchecks, and  doesn't normally have anything to do with corrupted 
memory. It just tells you "one of the component of the OS kernel, most 
probably a driver, did something wrong, and therefore the OS will stop".

The most probable cause of the error, if this happens while you use 
nmap, is the kernel driver that nmap uses to send and receive raw 
network frames, i.e. WinPcap's NPF.sys. In most cases, in fact, you can 
see if the fault is in winpcap by checking if around the bottom of the 
blue screen you see somewhere "npf.sys".

If the fault is in winpcap, first of all you should make sure you are 
using the latest version of the driver, which can be found at 
http://www.winpcap.org/install/default.htm. If the problem persists with 
the latest version, you can report the bug to the developers as 
explained at http://www.winpcap.org/contact.htm, under "Need to report a 


Casey Williams wrote:
I haven't experienced this with Nmap, however I *have* experienced this with the port scanner I'm 
writing, (which also uses WinPCap).  I don't know for certain what causes it, but I have a hunch 
that is has to do with the WinPCap driver being unloaded from memory at program termination.  The 
only time I've got this BSOD with my scanner is when I close the program, which seems consistent 
with your results also.  I've looked into debugging the crash dump that Windows leaves behind 
with the Windows debugging tools, but debugging the kernel is a bit over my head.  (I have all 
the tools, any help would be much appreciated! :)

If you take this discussion off list, please keep me in the loop!


I didn't know you could do that. I googled it, turned it off and got a BSOD:


So I googled that and saw that it sometimes comes up because of hardware
failure. I installed some more RAM in that box last week, but haven't had any
problems with it. It's a lesser used box that dual-boots Windows and Linux,
but both have been used for normal things and have worked fine.

I took the RAM out, tried nmap about 20 times and Windows didn't reboot at
all. So the RAM was apparently the root of the problem, but winpcap/nmap was
the thing that caused it.

Now I'm off to see what I can do about this.....

Sent through the nmap-dev mailing list

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]