npcap 1.82 bugcheck crush with DRIVER_IRQL_NOT_LESS_OR_EQUAL on VMXNET3 driver #824
Description
Windows server rebooted on bugcheck. Bugcheck Analysis indicates a DRIVER_IRQL_NOT_LESS_OR_EQUAL (Stop code 0xD1) error. The driver that caused this issue is "Npcap.sys" where it crashed while
handling network packet processing, specifically in a DPC or interrupt context related to the VMware network driver (vmxnet3)
To Reproduce
Steps to reproduce the behavior:
Not always reproducible. Happened just twice. Exact circumstances are unknown. Two different servers both used VMXNET3, npcap 1.82 in one case and npcacp 1.6 in another. The data is for 1.82. Both cases OS is Windows server 2016.
Redacted bugcheck output:
00 ████████████████ ███████████████ nt!KeBugCheckEx 01 ████████████████ ███████████████ nt!KiBugCheckDispatch+0x██
02 ████████████████ ffff████7███████iPageFault+0x437 - The instruction that caused the crash is at ffff█████7███, which is within the npcap module. 03 ████████████████ ███████████████ npcap+0x72ef - functions at the top of the stack, indicating that the Npcap driver was actively executing when the fault occurred.
04 ████████████████ ███████████████ npcap+0x6808 - functions at the top of the stack, indicating that the Npcap driver was actively executing when the fault occurred. 05 ████████████████ ███████████████ npcap+0x███
06 ████████████████ ███████████████ NDIS!ndisCallReceiveHandler+0x██ 07 ████████████████ ███████████████ NDIS!NdisMIndicateReceiveNetBufferLists+0x███
08 ████████████████ ███████████████ vmxnet3+0x████ 09 ████████████████ ███████████████ vmxnet3+0x████
0a ████████████████ ███████████████ NDIS!ndisInterruptDpc+0x██ 0b ████████████████ ███████████████ nt!KiExecuteAllDpcs+0x███
0c ████████████████ ███████████████ nt!KiRetireDpcList+0x███ 0d ████████████████ ███████████████ nt!KiIdleLoop+0x██
Based on the above crashing stack, we can see that instruction that caused the crash is at ffff█████7███`, which is within the npcap module. npcap+0x72ef and npcap+0x6808 are the functions at the top of the stack, indicating that the Npcap driver was actively executing when the fault occurred.
The crash stack also shows interactions with other networking components:
vmxnet3 is involved further down the stack (vmxnet3+0x███). VMXNET3 is the high-performance network adapter driver used by VMware virtual machines.
NDIS (Network Driver Interface Specification) functions are also present, which is the Windows OS layer that handles communication between network drivers (like vmxnet3 and npcap) and the operating system.
The crash appears to have happened while npcap was processing an incoming network buffer list, likely passed up
through the vmxnet3 driver and NDIS layer (NDIS!NdisMIndicateReceiveNetBufferLists).
The action being performed was processing incoming network data in below order
- NDIS!NdisMIndicateReceiveNetBufferLists
$\rightarrow$ vmxnet3$\rightarrow$ NDIS!ndisInterruptDpc.
Npcap driver (npcap.sys) crashed while handling network packet processing, specifically in a DPC or interrupt context related to the VMware network driver
(vmxnet3).
Please tell which data you need for further investigation.