How does Windows NCSI Passive Probing work?
Windows uses active probing to validate that internet connectivity is possible on each network interface, then updates the Network Connectivity Status Indicator (NCSI). During active probing, Windows probes several Microsoft DNS servers and uses the responses to determine an active internet connection. The computer has an active polling loop where it continually polls dns.msftncsi.com until the next packet to process becomes available.
In passive probing, live network traffic is captured and analyzed, without interfering with the network, i.e. not sending any packets out. Passive probing looks at the TTL (Time To Live) in the IP header of TCP/UDP packets which can determine how many "hops" the packet has taken to reach the computer. A packet with more than 8 hops is considered to have Internet Connectivity.
From the Windows Security Encyclopedia, passive polling is defined as:
This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
Related videos on Youtube
25 : 28
02 : 29
01 : 40
01 : 24 : 16
15 : 50
Abhishek Kumar
Updated on September 18, 2022Comments
-
Abhishek Kumar over 1 year
I am on Windows 10. When connected to a new network, Windows checks for internet connectivity using Active Probing which I know is a series of tasks. After determining internet connection Windows switches to Passive Probing until connection remains active. I can't find anything related to it anywhere. Would be helpful if someone with fair knowledge of the working sheds light. TIA.
-
Abhishek Kumar over 4 yearsAlready gone through it but it does not cover the said issue.
-
-
Abhishek Kumar over 4 yearsThanks for your response. Where does the "8 hop rule" come from? Is it a standard?
-
Paradox over 4 yearsNetwork connectivity can be defined as the probability that a given node in a network has an N-hop route. The greater the hop count, the better the network connectivity, and the more stable the network. However, the more hops there are, the less likely a packet is to be discovered. So a hop count too high will cause networks which may have network connectivity to not be discovered. But a hop count too low may cause networks with low connectivity and stability to be deemed connectable. journals.sagepub.com/doi/pdf/10.1177/1550147716683606
-
Paradox over 4 yearsThe 8 hop rule was likely influenced by this, though I am unaware of how Microsoft arrived at 8 specifically or if it is a standard.
-
Abhishek Kumar over 4 yearsI have upvoted already.
-
Jirka Hanika about 4 yearsTo configure the 8 hop rule, you can add DWORD
MinimumInternetHopCountunderHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internetin the registry, and set it to a lower hop count such as 1 or 2 if you feel you have connectivity and your network connectivity indicator doesn't think so. However, 8 should be low enough for most people freely accessing various servers on the Internet, and also high enough so that if your connectivity is cut somewhere within the same building or at your only uplink, there will be less than 8 devices between you and the silence.
