Re: Nmap crash under Vista
From: "Gianluca Varenni" <gianluca.varenni () gmail com>
Date: Thu, 1 Nov 2007 09:48:24 -0700


Can you please try running nmap with the tracing version of packet.dll 
available here


and send me the generated winpcap_debug.txt file? (Make sure to download the 
right version of packet.dll matching your WinPcap version and the OS 

I'd like to understand what's going on on the WinPcap side. Also, can you 
try to run Wireshark on the same adapter on Vista and see if you can capture 


----- Original Message ----- 
From: "Rob Nicholls" <robert () everythingeverything co uk>
To: <nmap-dev () insecure org>
Sent: Wednesday, October 31, 2007 5:32 PM
Subject: RE: Nmap crash under Vista


I've done a little bit of research in my spare time after Bob's original
email about using nmap on Vista with a wireless network card, and it 
that nmap's failing because pcap can't open the wireless adapter (connect
scans work okay).

I've tried WinPcap 4.0.1 with SOC7 and the latest WinPcap beta (4.1) with
SOC8, and I get the same error. I get an error in 4.11 too, but it 
immediately about getinterfaces, rather than failing to open the adapter:

nmap -vv

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2007-10-24 23:57 
ight Time
getinterfaces: intf_loop() failed

nmap -vv

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-24 23:57 GMT
Initiating Ping Scan at 23:57
Scanning [2 ports]
pcap_open_live(net0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20).  Will wait 5 seconds 
nmap -vv -P0

If I avoid using WinPcap, it's able to perform the scan:

nmap -vv -P0 -sT

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:01 GMT
Initiating Parallel DNS resolution of 1 host. at 00:01
Completed Parallel DNS resolution of 1 host. at 00:01, 0.07s elapsed
Initiating Connect Scan at 00:01
Scanning [1705 ports]
Discovered open port 3389/tcp on
Discovered open port 139/tcp on
Connect Scan Timing: About 12.04% done; ETC: 00:05 (0:03:39 remaining)
Increasing send delay for from 0 to 5 due to 11 out of 13 dropped probes since last increase.
Discovered open port 135/tcp on
Discovered open port 445/tcp on
Completed Connect Scan at 00:04, 156.59s elapsed (1705 total ports)
Host appears to be up ... good.
Interesting ports on
Not shown: 1701 filtered ports
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

So it looks like anything that relies upon WinPcap is failing on Vista, 
not sure why, but it looks like it's having trouble with the interface. I
initially got weird behaviour using --iflist (this may just be a
coincidence?), but after disabling all of the other network adapters (LAN, 
couple of VMware ones), SOC7 then presented the wireless interface. NB: I
still get the intf_loop() error in 4.11.

nmap --iflist

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:24 GMT
DEV  (SHORT) IP/MASK         TYPE     UP   MAC
net0 (net0)  (null)/0        other    down
eth0 (eth0)  (null)/0        ethernet up   D0:84:20:52:41:53
eth1 (eth1)  (null)/0        ethernet up   D0:84:20:52:41:53
eth2 (eth2)  (null)/0        ethernet up   D0:84:20:52:41:53
eth3 (eth3)  (null)/0        ethernet up   D0:84:20:52:41:53
eth4 (eth4)  (null)/0        ethernet down 00:19:B9:7F:5E:39
eth5 (eth5)  (null)/0        ethernet down 00:1A:6B:3E:59:93
eth6 (eth6)  (null)/0        ethernet down 00:50:56:C0:00:01
eth7 (eth7)  (null)/0        ethernet down 00:50:56:C0:00:08
eth8 (eth8)  (null)/0        ethernet down 00:1A:6B:3E:59:93
ppp0 (ppp0)  (null)/0        other    up
ppp1 (ppp1)  (null)/0        other    up
lo0  (lo0)     loopback up
net0 (net0) other    up
net1 (net1)  (null)/0        other    up
net2 (net2)  (null)/0        other    up
net0 (net0)  (null)/0        other    up
net1 (net1)  (null)/0        other    up
net2 (net2)  (null)/0        other    up
net3 (net3)  (null)/0        other    up

net2 \Device\NPF_{D744CB9D-F791-4C60-AA04-851443B57BD4}
net3 \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}

DST/MASK           DEV  GATEWAY    net0 lo0       lo0 lo0   net0 net0      net0        lo0        net0        lo0          net0

You might have spotted that net0 seems to be listed as both down (on the
first line, no IP) and up (with an IP address) further down the list. 
re-enabling all the network adapters, I still got all of the interfaces
listed correctly in SOC7.

I can see a device labelled "Microsoft" (Microsoft:
\Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}) in Wireshark, which 
the right IP address and is showing packets being captured and suggests
WinPcap/Wireshark is coping with Vista's presentation of the wireless card
(which, IIRC, is different to how it's presented under XP/2003). The odd
thing is the device's ID appears to be that of "net3" in nmap's --iflist
output, which doesn't have an IP address assigned to it. Trying to force 
to use net0 (or net1-3), in a last ditch attempt to fool it into using the
one that's up, doesn't appear to work either.

Does anyone have any other ideas/suggestions I can try? If any fixes are
committed to SVN, I'm quite happy to compile and test it whenever I've got 
few spare minutes.
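
A diagnostic check for the symptom described in the quoted message (an interface name listed more than once with conflicting state, and a WinPcap device that maps to an nmap name with no IP address), as an added example that is not part of the original thread or of Nmap's code. The sample output is constructed, and the function names `parse_iflist` and `find_problems` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `nmap --iflist` on Windows; the
# addresses, MACs and GUIDs are made up for this example.
SAMPLE = r"""
DEV  (SHORT) IP/MASK         TYPE     UP   MAC
net0 (net0)  (null)/0        other    down
eth0 (eth0)  (null)/0        ethernet up   00:00:5E:00:53:01
lo0  (lo0)   127.0.0.1/8     loopback up
net0 (net0)  192.0.2.10/24   other    up
net3 (net3)  (null)/0        other    up

net0 \Device\NPF_{11111111-2222-3333-4444-555555555555}
net3 \Device\NPF_{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
"""

# The address column is optional so rows with a blank IP/MASK still parse.
ROW = re.compile(r"^(\S+)\s+\((\S+)\)\s+(?:(\S+)\s+)?(\w+)\s+(up|down)(?:\s+(\S+))?$")
DEVMAP = re.compile(r"^(\S+)\s+(\\Device\\NPF_\{[0-9A-Fa-f-]+\})$")

def parse_iflist(text):
    """Return (interface rows, {nmap name: WinPcap device}) from --iflist text."""
    rows, devmap = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := ROW.match(line):
            name, _short, addr, kind, state, mac = m.groups()
            has_ip = addr is not None and not addr.startswith("(null)")
            rows.append({"dev": name, "type": kind, "up": state == "up",
                         "has_ip": has_ip, "mac": mac})
        elif m := DEVMAP.match(line):
            devmap[m.group(1)] = m.group(2)
    return rows, devmap

def find_problems(rows, devmap):
    """Flag duplicated names and WinPcap devices whose nmap name has no IP."""
    by_dev = defaultdict(list)
    for r in rows:
        by_dev[r["dev"]].append(r)
    problems = []
    for dev, entries in by_dev.items():
        if len(entries) > 1:
            states = sorted({"up" if e["up"] else "down" for e in entries})
            problems.append(f"{dev}: listed {len(entries)} times, states {states}")
    for dev, windev in devmap.items():
        if not any(e["has_ip"] for e in by_dev.get(dev, [])):
            problems.append(f"{dev}: maps to {windev} but has no IP address")
    return problems
```

Comparing the flagged device string with the one Wireshark shows for the working adapter tells you whether nmap's name-to-device mapping points at the interface that actually carries the address.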


