[Winpcap-users] Windows 10 support for WinPcap
食肉大灰兔V5
hsluoyz at gmail.com
Thu Feb 4 12:04:53 UTC 2016
Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of
NDIS 6. It also has several new features:

1. *NDIS 6 Support*: Npcap makes use of the new LWF driver in Windows Vista
and later (the legacy driver is used on XP). It's faster than the legacy
*NDIS 5 Intermediate*
<https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx>
technique. One reason is that the packet data structure has changed (from
NDIS_PACKET to NET_BUFFER_LIST) since Vista, and NDIS 5 needs to handle the
extra packet structure conversion.

2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
Administrators for safety purposes. If Npcap is installed with the option
*Restrict Npcap driver's access to Administrators only* checked, when a
non-Admin user tries to start user software (Nmap, Wireshark, etc.), the
*User Account Control (UAC)*
<http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7>
dialog will prompt asking for Administrator privilege. Only when the end
user chooses Yes can the driver be accessed. This is similar to UNIX, where
you need root access to capture packets.

3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is used
to decide whether Npcap should coexist with WinPcap or be compatible with
WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist with WinPcap
and share the DLL binary interface with WinPcap. So applications unaware of
Npcap *SHOULD* be able to use Npcap automatically if WinPcap is
unavailable. Applications that know of Npcap's existence can choose to use
Npcap or WinPcap first. The key to which is loaded first is the *DLL Search
Path*
<https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So
applications that want to load Npcap first must make
C:\Windows\System32\Npcap\ take precedence over other paths, in ways such
as calling *SetDllDirectory*
<https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc. Another
point is that Npcap uses the service name npcap instead of WinPcap's npf
with "WinPcap Compatible Mode" OFF. So applications using net start npf
for starting the service must use net start npcap instead. If you want
100% compatibility with WinPcap, you should install Npcap choosing "WinPcap
Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this
mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and
use the npf service name. It's notable that before installing in this
mode, you must uninstall WinPcap first (the installer wizard will prompt
you about that).

4. *Loopback Packets Capture Support*: Now Npcap is able to see Windows
loopback packets using the *Windows Filtering Platform (WFP)*
<https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx>
technique. After installation, Npcap will create an adapter named Npcap
Loopback Adapter for you. If you are a Wireshark user, choose this adapter
to capture and you will see all loopback traffic the same way as on other
non-loopback adapters. Try it by typing in commands like ping 127.0.0.1
(IPv4) or ping ::1 (IPv6).

5. *Loopback Packets Send Support*: Besides loopback packet capturing,
Npcap can also send out loopback packets based on the *Winsock Kernel
(WSK)*
<https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx>
technique. User software (e.g. Nmap) can just send packets out using the
Npcap Loopback Adapter like other adapters. The Npcap Loopback Adapter will
automatically remove the packet's Ethernet header and inject the payload
into the Windows TCP/IP stack, so this kind of loopback packet never goes
out of the machine.

I actually didn't add a function for making user software get notified
about media state changes. From my knowledge, I don't know of any support
for such a function in libpcap. libpcap is an interface standard followed
by WinPcap/Npcap. However, I think you can do it using native Windows APIs
(like Receiving Notification of Network Events in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
). And if you have any improvement advice about Npcap, I will consider it :)
Cheers,
Yang
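An added example, mine rather than code from the post or the Npcap project: a PowerShell check for which of the two install layouts described in point 3 a host actually has, which wpcap.dll a plain load would resolve to, and which service name applies. It assumes only the paths and service names given in the post, plus npcap.sys as the driver filename when compatible mode is OFF.

```powershell
# Added example (not from the post or the Npcap project): report which of the two
# install layouts from point 3 a host has, which wpcap.dll a plain load resolves
# to, and whether 'net start npf' or 'net start npcap' is the right command.
$sys32    = Join-Path $env:SystemRoot 'System32'
$npcapDir = Join-Path $sys32 'Npcap'

function Get-CaptureStackInfo {
    # WinPcap, or Npcap in "WinPcap Compatible Mode", puts wpcap.dll in System32;
    # Npcap with that mode OFF puts it in System32\Npcap.
    $dllInSys32 = Test-Path (Join-Path $sys32    'wpcap.dll')
    $dllInNpcap = Test-Path (Join-Path $npcapDir 'wpcap.dll')
    # Registered driver services: npf (WinPcap / compatible mode) or npcap.
    $services = foreach ($name in 'npf', 'npcap') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { [pscustomobject]@{ Service = $name; Status = $svc.Status } }
    }
    # Driver metadata, the fields sigcheck printed earlier in the thread; this is
    # what tells Npcap in compatible mode apart from a real WinPcap npf.sys.
    # npcap.sys as the non-compatible-mode driver filename is an assumption.
    $drivers = foreach ($file in 'npf.sys', 'npcap.sys') {
        $path = Join-Path $sys32 "drivers\$file"
        if (Test-Path $path) {
            $vi = (Get-Item $path).VersionInfo
            [pscustomobject]@{ Driver = $file; Company = $vi.CompanyName; Version = $vi.FileVersion }
        }
    }
    # Default DLL search order (after the application's own directory) checks
    # System32 before PATH and never looks in System32\Npcap unless PATH lists it
    # or the application called SetDllDirectory. Later assignments take precedence.
    $npcapOnPath = (($env:Path -split ';') | ForEach-Object { $_.TrimEnd('\') }) -contains $npcapDir
    $defaultLoad = 'none'
    if ($dllInNpcap)                   { $defaultLoad = 'none without SetDllDirectory' }
    if ($dllInNpcap -and $npcapOnPath) { $defaultLoad = 'System32\Npcap\wpcap.dll (via PATH)' }
    if ($dllInSys32)                   { $defaultLoad = 'System32\wpcap.dll' }
    # The loopback adapter only exists with Npcap (point 4 above).
    $loopback = if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
        [bool](Get-NetAdapter -Name 'Npcap Loopback Adapter' -ErrorAction SilentlyContinue)
    } else { $false }

    [pscustomobject]@{
        WpcapDllInSystem32      = $dllInSys32
        WpcapDllInSystem32Npcap = $dllInNpcap
        Services                = $services
        Drivers                 = $drivers
        LoopbackAdapterPresent  = $loopback
        DefaultWpcapLoad        = $defaultLoad
    }
}

Get-CaptureStackInfo | Format-List
```

Run it in an elevated PowerShell on the capture host; a result of 'none without SetDllDirectory' means WinPcap-unaware applications will not find Npcap until compatible mode is used or the application promotes the Npcap directory itself.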
On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
> Oh, I have to admit that I did not try it on an up-to-date Windows 10
> system... Thanks for the hint that this was only an issue in early Windows
> 10 versions.
>
> I was also not aware of Npcap. Thanks for pointing me to this fork!
> How does Npcap differ from WinPcap with respect to performance and features?
> At least I am missing the possibility to get notified about media state
> changes (connected, disconnected) in WinPcap. Does Npcap offer such
> functionality?
>
> Furthermore: Is WinPcap still under active development? Its last release
> was in 2013. Or am I better advised to rely on Npcap?
>
> Thank you!
> Best regards,
> SK
>
> 2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:
>
>> Sven Kerschbaum wrote:
>>
>> > is there already effort for getting WinPcap ready for Windows 10? As
>> Pascal Quantin already pointed out WinPcap does not
>> > run on Windows 10 due to the fact that the WinPcap driver is not an
>> NDIS 6 driver. Please find more information here:
>> > http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
>>
>> Really? All my WinPcap-based programs work fine here.
>> From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':
>>
>> Verified: Signed
>> Signing date: 02.49 01.03.2013
>> Publisher: Riverbed Technology
>> Company: Riverbed Technology, Inc.
>> Description: npf.sys (NT5/6 AMD64) Kernel Driver
>> Product: WinPcap
>> Prod version: 4.1.0.2980
>> File version: 4.1.0.2980
>> MachineType: 64-bit
>>
>>
>> The version and 'Signing date' is in accordance with what's on
>> winpcap.org.
>> And also:
>>
>> F:\> windump -Dv
>> 1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF} Descr: Microsoft
>> Addr 0: 10.0.0.11 (mask 255.255.255.0)
>> MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over
>> Native802_11, DOWN, 54Mb/s (NDIS)
>>
>> 2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC} Descr: Microsoft
>> Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
>> Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
>> MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over
>> Bluetooth, DOWN, 3Mb/s (NDIS)
>>
>> 3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607} Descr: Realtek
>> Ethernet Controller
>> Addr 0: 10.0.0.10 (mask 255.255.255.0)
>> MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s
>> (NDIS)
>>
>> --------------
>>
>> I'm on Win 10. Version 1511 (OS-Build 10586.71).
>> Windows 10 build 10041 (as mentioned in that mail) is pretty old.
>>
>> --
>> --gv
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users