Forum Discussion
ATP sensor on Server 2016 DC crashing.
I have had this issue pop up recently. Lots of 1008 errors and the ATP sensor wouldn't start and would error in the ATP portal for no communication. Server 2012R2
1008, Perflib
The Open Procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
The Open Procedure for service "Lsa" in DLL "C:\Windows\System32\Secur32.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
The Open Procedure for service ".NETFramework" in DLL "C:\Windows\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
Looking in the log located at "C:\Program Files\Azure Advanced Threat Protection Sensor\2.105.7563.11519\Logs\Microsoft.Tri.Sensor.log" I see this error
2020-01-22 12:31:49.1675 Warn PcapLibraryHelper Verify [Packet.dll-ProductName=WinPcap Packet.dll-ProductVersion=4.1.0.2980 wpcap.dll-ProductName=WinPcap wpcap.dll-ProductVersion=4.1.0.2980]
2020-01-22 12:31:49.4018 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
at List<WinPcapDevice> SharpPcap.WinPcap.WinPcapDeviceList.Devices(string rpcapString, RemoteAuthentication remoteAuthentication)
at void SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at WinPcapDeviceList SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()
at new Microsoft.Tri.Sensor.NetworkListener(IBufferPool bufferPool, IConfigurationManager configurationManager, IMetricManager metricManager, INetworkAdaptersManager networkAdaptersManager, IParsingOrchestrator parsingOrchestrator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
I downloaded and installed npcap, restarted the sensor and everything cleared up.
Is there an issue with the ATP sensor's install of WinPcap?
jomalin, the sensor should work fine with both most of the time.
Currently the default is winpcap, and if you require nic teaming support then we need npcap,
but you can work with npcap just fine even without teaming.
We are also considering at some point to make npcap the default and not winpcap.
As to why winpcap did not work for your case, it's hard to tell; usually it means there is another product installed that is also using winpcap but with a configuration we do not support.
If you would like to research it, a support call might be in order, but if npcap just works for you, I guess that would be a waste of your time...
Eli
- Tony escamilla, Jan 22, 2020, Copper Contributor
I actually get the same errors as jomalin but with one exception on these servers, and it is a mixture, as some are 2012 R2 and others are 2016. I also never have installed WinPcap. I wasn't planning on installing npcap either, as it doesn't look like it requires it unless I have a physical server and require NIC teaming. In my case all the servers (4) are running on VMware, so the only requirement is the change on the NIC adapter being used. As for npcap, it seems that my installs work fine until the update process goes out and looks for updates, and that is where all hell breaks loose. The ATP sensor process stops and then never comes back on. Npcap then gets installed, which it seems is coming from the sensor, but I have not been able to trace where that install is coming from. What makes it even more weird is that it is only affecting 4 out of the more than 10 DCs we have in our environment. Should I install WinPcap to see if all works fine then? I do have a support ticket opened with support, but we are just stumped as to why npcap is just being installed on these and not the rest.
- EliOfek, Jan 22, 2020, Microsoft
Tony escamilla I am not aware of any code in the product that is installing npcap automatically.
For now the only option I know is deploying it manually.
As for why it fails, it depends on the output in the logs.
If you have a support ticket open already then they should be able to tell why the failure is happening.
But I don't think you will find that AATP automatically installed npcap...
- Tony escamilla, Jan 22, 2020, Copper Contributor
One thing to note: I did a complete new install of the sensor. There was no Npcap or WinPcap or Wireshark installed on the system. It worked fine initially. About an hour later it looks like the updater service kicks in, and right around the same time npcap 0.9982 gets installed and these errors begin to happen. Now I have also experimented with manually installing npcap, but the same exact issues happened. The sensor doesn't like it.
Here is some info from the logs
Microsoft.tri.sensor.updater.log:
2020-01-22 22:48:48.2754 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:48:48.2754 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.2710422]
2020-01-22 22:50:48.7122 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:50:48.7122 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.4341168]
2020-01-22 22:52:49.0582 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
at Microsoft.Tri.Infrastructure.ServiceControllerExtension.ChangeServiceStatus(String name, ServiceControllerStatus status, TimeSpan timeout, Nullable`1 awaitedStatus)]
2020-01-22 22:52:49.0582 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.3380506]
Microsoft.tri.sensor-errors.log:
2020-01-22 22:47:26.5764 Error FrameReader`1 CaptureFrames exception, exiting
Microsoft.Tri.Sensor.FrameReaderException: Failed reading frame [resultCode=-1 message=read error: PacketReceivePacket failed]
at bool Microsoft.Tri.Sensor.FrameReader<TCaptureDevice>.TryReadFrame(out DateTime time, out BufferSlice bufferSlice)
at bool Microsoft.Tri.Sensor.NetworkListener.ParseFrame(FrameReader frameReader)
at void Microsoft.Tri.Sensor.NetworkListener.CaptureFrames(LiveFrameReader[] liveFrameReaders)
2020-01-22 22:47:47.3509 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
at List<WinPcapDevice> SharpPcap.WinPcap.WinPcapDeviceList.Devices(string rpcapString, RemoteAuthentication remoteAuthentication)
at void SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
at WinPcapDeviceList SharpPcap.WinPcap.WinPcapDeviceList.get_Instance()
at new Microsoft.Tri.Sensor.NetworkListener(IBufferPool bufferPool, IConfigurationManager configurationManager, IMetricManager metricManager, INetworkAdaptersManager networkAdaptersManager, IParsingOrchestrator parsingOrchestrator, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy)
at object lambda_method(Closure, object[])
at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate()
at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes)
at new Microsoft.Tri.Sensor.SensorModuleManager()
at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager()
at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync()
at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task)
at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
2020-01-22 22:48:02.9984 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
Any ideas?
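A triage pass over the sensor logs quoted in this thread, as an added example that is not part of any post or of the sensor itself: it groups stack-trace lines under their timestamped entry, reads the capture library the sensor reported at startup, and records when each of the three failure signatures first appears. The sample lines are constructed from the excerpts above; the signature names and function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines copied or shortened from the excerpts quoted in this thread.
SAMPLE = """\
2020-01-22 12:31:49.1675 Warn PcapLibraryHelper Verify [Packet.dll-ProductName=WinPcap Packet.dll-ProductVersion=4.1.0.2980 wpcap.dll-ProductName=WinPcap wpcap.dll-ProductVersion=4.1.0.2980]
2020-01-22 12:31:49.4018 Error WinPcapDeviceList SharpPcap.PcapException: No interfaces found! Make sure libpcap/WinPcap is properly installed on the local machine.
at void SharpPcap.WinPcap.WinPcapDeviceList.Refresh()
2020-01-22 22:47:26.5764 Error FrameReader`1 CaptureFrames exception, exiting
Microsoft.Tri.Sensor.FrameReaderException: Failed reading frame [resultCode=-1 message=read error: PacketReceivePacket failed]
2020-01-22 22:48:48.2754 Error ServiceControllerExtension ChangeServiceStatus failed to change service status [name=AATPSensor status=Running Exception=System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)]
2020-01-22 22:48:48.2754 Debug SoftwareUpdater RunTaskAsync Task completed [name=CheckSoftwareUpdatesAsync Elapsed=00:01:00.2710422]
"""

# Timestamp, level, component, message: the layout of the quoted sensor log lines.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\w+) (\S+) (.*)$")

# Hypothetical signature names mapped to substrings taken from the thread's logs.
SIGNATURES = {
    "no_capture_interfaces": "No interfaces found!",
    "frame_read_failed": "PacketReceivePacket failed",
    "service_start_timeout": "System.ServiceProcess.TimeoutException",
}

def parse_entries(text):
    """Attach continuation lines (stack frames, exception text) to the entry above them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, level, component, msg = m.groups()
            entries.append({"ts": ts, "level": level, "component": component, "text": msg})
        elif entries and line.strip():
            entries[-1]["text"] += "\n" + line.strip()
    return entries

def triage(text):
    """Return the capture library reported at startup plus counts and first-seen times per signature."""
    hits, first_seen, libs = Counter(), {}, set()
    for e in parse_entries(text):
        libs.update(re.findall(r"wpcap\.dll-ProductName=(\S+)", e["text"]))
        for name, needle in SIGNATURES.items():
            if needle in e["text"]:
                hits[name] += 1
                first_seen.setdefault(name, e["ts"])
    return {"pcap_libraries": sorted(libs), "hits": dict(hits), "first_seen": first_seen}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sensor, sensor-errors and updater logs concatenated in time order, the first-seen times show whether capture failures precede the updater's service timeouts.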