Start trace with size > 1MB fails (err=87) #13
Comments
|
Off the top of my head I would suggest looking at AllocateToPA and seeing
if that's what's failing. I think ipt.sys directly allocates a TOPA of the
size you specify, and depending on your CPU capabilities, there might be a
limit there.
Best regards,
Alex Ionescu
…On Mon, Dec 6, 2021 at 8:48 AM Marcel ***@***.***> wrote:
Hi Alex,
I was wondering why starting a trace with size > 1MB fails on my machine
(Windows 10 Pro, Build 10.0.19043):
PS C:\Users\ipt\Desktop\Masterthesis\ipt> ./ipttool.exe --start 11488 3200000 0x0
/------------------------------------------\
|=== Windows 10 RS5 1809+ IPT Test Tool ===|
|=== Copyright (c) 2018 Alex Ionescu ===|
|=== http://github.com/ionescu007 ===|
|=== http://www.windows-internals.com ===|
\------------------------------------------/
[*] Size will be aligned to a power of 2
[+] Using size: 2097152 bytes
[+] Tracing Options:
Match by: Any process
Trace mode: User-mode only
Timing packets: No Packets
[-] Failed to start a trace (err=87)
However, specifying a size <= 1MB works:
PS C:\Users\ipt\Desktop\Masterthesis\ipt> ./ipttool.exe --start 11488 1600000 0x0
/------------------------------------------\
|=== Windows 10 RS5 1809+ IPT Test Tool ===|
|=== Copyright (c) 2018 Alex Ionescu ===|
|=== http://github.com/ionescu007 ===|
|=== http://www.windows-internals.com ===|
\------------------------------------------/
[*] Size will be aligned to a power of 2
[+] Using size: 1048576 bytes
[+] Tracing Options:
Match by: Any process
Trace mode: User-mode only
Timing packets: No Packets
[+] Trace for PID 11488 started
Regarding your soure code ( ipttool.c
<http://../blob/master/ipttool/ipttool.c#L40> , libipt.h
<http://../blob/master/inc/libipt.h#L77> ) it should be possible to
specifiy a range between 4KB and 128MB. I also checked CheckOption in
ìpt.sys and it seems like specifying a range between 4KB - 128MB should
be valid. Unfortunately, I do not have the time to debug the kernel driver.
Are you aware of this bug or do you have any idea what could be the reason
for this?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#13>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABOEQ6B7CUZC2VSSA64B3QTUPS5MHANCNFSM5JOVMY7Q>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi Alex,
I was wondering why starting a trace with size > 1MB fails on my machine (Windows 10 Pro, Build 10.0.19043):
However, specifying a size <= 1MB works:
Regarding your soure code ( ipttool.c , libipt.h ) it should be possible to specifiy a range between 4KB and 128MB. I also checked
CheckOptioninìpt.sysand it seems like specifying a range between 4KB - 128MB should be valid. Unfortunately, I do not have the time to debug the kernel driver.Are you aware of this bug or do you have any idea what could be the reason for this?
The text was updated successfully, but these errors were encountered: