Ask Your Question
0

RSC getting disabled after starting wireshark in Windows server 2019.

asked 2019-12-19 05:28:08 +0000

Hari Kishan gravatar image

updated 2019-12-19 07:27:22 +0000

grahamb gravatar image

Older question

PS C:\Users\Administrator> get-netadapterrsc


Name        IPv4Enabled  IPv6Enabled  IPv4Operational IPv6Operational IPv4FailureReason IPv6Failure
                                      State           State                             Reason
----        -----------  -----------  --------------- --------------- ----------------- ------------
Ethernet 4  True         True         True            True            NoFailure         NoFailure
Ethernet 3  True         True         True            True            NoFailure         NoFailure

RSC table after starting wireshark.

PS C:\Users\Administrator> get-netadapterrsc|format-table -wrap -autosize


Name       IPv4Enabled IPv6Enabled IPv4OperationalState IPv6OperationalState IPv4FailureReason IPv6FailureReason
----       ----------- ----------- -------------------- -------------------- ----------------- -----------------
Ethernet 4 True        True        False                False                NDISCompatibility NDISCompatibility
Ethernet 3 True        True        False                False                NDISCompatibility NDISCompatibility

The above output is complaining about the NDIS for compatibility.

I want to stop RSC gettings disabled.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-12-19 07:41:35 +0000

grahamb gravatar image

Wireshark installs a capture library (currently npcap, previously WinPcap) to perform the capture and this inserts itself into the network stack as an "NDIS filter driver". This driver will also enable promiscuous mode on the NIC when requested by the user setting the flag in the Wireshark capture dialog, it's possible that this might be causing the effect you see.

You could try NOT enabling promiscuous mode to see if that helps, if not, then this is another example of why performing on-machine captures should be a last resort due to the potential of introducing unexpected effects to the machine's networking stack.

As the issue is almost certainly caused by the capture library, and presuming you are using a recent version of Wireshark (3.x onwards) you should contact the npcap maintainers, nmap, for support. There is no support for WinPcap.

edit flag offensive delete link more

Comments

According to the "RSC Support for Lightweight Filters and MUX Intermediate Drivers" section of Microsoft's "Programming Considerations for RSC Drivers" page:

NDIS will disable RSC on an interface if any lightweight filter driver or MUX intermediate driver in the host stack is NDIS 6.20 or lower.

As Graham Bloice said, "...this inserts itself into the network stack as an "NDIS filter driver"". WinPcap's driver doesn't do that (it's a different sort of NDIS driver), but Npcap's does; it might be that it's currently an NDIS 6.20 or earlier driver. If you report this to the Npcap maintainers by opening an issue on the Nmap issue tracker, mention the above information.

Guy Harris gravatar imageGuy Harris ( 2019-12-19 10:29:11 +0000 )edit

The older question (in an "answer") pointed out by the OP dates back to 2014, so pre-npcap, thus it would seem that whatever WinPcap did, it affected RSC in the same way.

grahamb gravatar imagegrahamb ( 2019-12-19 11:09:55 +0000 )edit

I can't find what version of NDIS npcap is currently claiming to support, but it is using NDIS 6.20 functions, i.e. API's introduced with Win 7. It doesn't seem unreasonable that npcap has dropped support for earlier versions.

grahamb gravatar imagegrahamb ( 2019-12-19 11:26:00 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-12-19 05:28:08 +0000

Seen: 36 times

Last updated: Dec 19 '19