Forum Discussion
ATP sensor on Server 2016 DC crashing.
Tony escamilla I am not aware of any code in the product that is installing npcap automatically.
For now the only option I know is deploying it manually.
As for why it fails, it depends on the output in the logs.
If you have a support ticket open already then they should be able to tell why the failure is happening.
But I don't think you will find that AATP automatically installed npcap...
One thing to note: I did a complete new install of the sensor. There was no Npcap, WinPcap or Wireshark installed on the system. It worked fine initially. About an hour later it looks like the updater service kicks in, and right around the same time Npcap 0.9982 gets installed and these errors begin to happen. I have also experimented with manually installing Npcap, but the same exact issues happened. The sensor doesn't like it.
Here is some info from the logs
Microsoft.tri.sensor.updater.log:
2020-01-22 22:48:48.2754 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:48:48.2754 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.2710422]
2020-01-22 22:50:48.7122 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:50:48.7122 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.4341168]
2020-01-22 22:52:49.0582 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:52:49.0582 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.3380506]
Microsoft.tri.sensor-errors.log
2020-01-22 22:47:26.5764 Error FrameReader`1 CaptureFrames exception, exiting
Microsoft.Tri.Sensor.FrameReaderException: Failed reading frame [resultCode=-1 message=read error: PacketReceivePacket failed]
at bool Microsoft.Tri.Sensor.FrameReader<TCaptureDevice>.TryReadFrame(out DateTime time, out BufferSlice bufferSlice)
at bool Microsoft.Tri.Sensor.NetworkListener.ParseFrame(FrameReader frameReader)
at void Microsoft.Tri.Sensor.NetworkListener.CaptureFrames(LiveFrameReader[] liveFrameReaders)
2020-01-22 22:47:47.3509 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
at List<WinPcapDevice> SharpPcap.WinPcap.WinPcapDeviceList.Devices(string rpcapString, RemoteAuthentication remoteAuthentication)
at void SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at WinPcapDeviceList SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()
at new Microsoft.Tri.Sensor.NetworkListener(IBufferPool bufferPool, IConfigurationManager configurationManager, IMetricManager metricManager, INetworkAdaptersManager networkAdaptersManager, IParsingOrchestrator parsingOrchestrator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2020-01-22 22:48:02.9984 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
Any ideas?
- EliOfek, Jan 22, 2020, Microsoft
Can you share in a private message:
What is the workspace ID?
What is the machine name?
What version of the sensor package are you using? Is it the latest?
I want to focus on it and see what telemetries it is sending.
Does it also happen on a fresh machine or only on this one?
The updater service kicks in every 30 sec or so, and only does something if it finds a new version at the back end, which happens mostly once a week unless we need to patch something quickly, so unless you are using an old package, the updater should not really do anything post running for the first time until we really release a new version. (newest today is 2.106)
- Tony escamilla, Jan 28, 2020, Copper Contributor
Thanks for the assist. I guess to help others. In my case a 3rd party app was pushing out Nmap, and along with it came Npcap. I hadn't noticed because it wasn't by the typical methods of installs we utilize. There was also no trace of Nmap itself. Once I ran ProcMon once again with some slight modifications to the filter, as suggested by EliOfek, I was able to find the culprit and fix my issue. The problem is now gone and I have documentation for historical sake.
Thanks again.
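The logs posted earlier in this thread come from two files, and merging them onto one timeline shows which failure appeared first. The following is an added triage example, not part of any post and not Microsoft tooling; the signature labels and function names are this example's own, and the sample lines are abbreviated from the logs above.

```python
import re
from datetime import datetime

# Entry header as seen in the thread: "<date> <time> <Level> <Component> <message>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+) (\S+) (.*)$")
# Message substrings from the posted logs; the labels are this example's own.
SIGNATURES = [
    ("PacketReceivePacket failed", "capture-read-failure"),
    ("No interfaces found", "capture-driver-unusable"),
    ("ChangeServiceStatus failed", "service-start-timeout"),
]
# Lines abbreviated from the two logs posted above, in the order they were posted.
SAMPLE = """\
2020-01-22 22:48:48.2754 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running ...]
2020-01-22 22:48:48.2754 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.2710422]
2020-01-22 22:47:26.5764 Error FrameReader`1 CaptureFrames exception, exiting
Microsoft.Tri.Sensor.FrameReaderException: Failed reading frame [resultCode=-1 message=read error: PacketReceivePacket failed]
2020-01-22 22:47:47.3509 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed
"""

def parse_entries(text):
    """Return entries sorted by time; exception and stack lines are folded into their entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            entries.append({"time": when, "level": m.group(2), "component": m.group(3), "text": m.group(4)})
        elif entries and line.strip():
            entries[-1]["text"] += "\n" + line.strip()
    return sorted(entries, key=lambda e: e["time"])

def first_seen(entries):
    """Map each signature label to the time of its first Error entry."""
    seen = {}
    for e in entries:
        if e["level"] != "Error":
            continue
        for needle, label in SIGNATURES:
            if needle in e["text"]:
                seen.setdefault(label, e["time"])
    return seen

def earliest_failure(text):
    """Label of the failure that appears first on the merged timeline, or None."""
    seen = first_seen(parse_entries(text))
    return min(seen, key=seen.get) if seen else None

if __name__ == "__main__":
    print(earliest_failure(SAMPLE))
```

On the posted lines the packet-capture read failure at 22:47:26 precedes the updater's service-start timeout at 22:48:48, so the capture driver is the place to look first.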