[Winpcap-users] Windows 10 support for WinPcap

Sven Kerschbaum svkers at gmail.com
Thu Feb 4 15:31:34 UTC 2016


Hi Yang,

thanks for providing me the detailed information about Npcap. I will
definitely have a look at it and try it.

Cheers,
SK


2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <hsluoyz at gmail.com>:

> Hi Sven,
>
> Npcap (https://github.com/nmap/npcap) has better performance because of
> NDIS 6. It also has several new features:
>
>
>    1. *NDIS 6 Support*: Npcap makes use of the new LWF driver in Windows
>    Vista and later (the legacy driver is used on XP). It's faster than the
>    legacy *NDIS 5 Intermediate*
>    <https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx> technique.
>    One reason is that the packet data structure has changed (from NDIS_PACKET
>    to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra
>    packet structure conversion.
>    2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
>    Administrators for safety purposes. If Npcap is installed with the option *Restrict
>    Npcap driver's access to Administrators only* checked, when a
>    non-Admin user tries to start user software (Nmap, Wireshark, etc.), the *User
>    Account Control (UAC)*
>    <http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7> dialog
>    will prompt asking for Administrator privilege. Only when the end user
>    chooses Yes can the driver be accessed. This is similar to UNIX where
>    you need root access to capture packets.
>    3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is
>    used to decide whether Npcap should coexist with WinPcap or be compatible
>    with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist
>    with WinPcap and share the DLL binary interface with WinPcap. So
>    applications unaware of Npcap *SHOULD* be able to use Npcap
>    automatically if WinPcap is unavailable. Applications that know of Npcap's
>    existence can choose to use Npcap or WinPcap first. The key to which is
>    loaded first is the *DLL Search Path*
>    <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
>    With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
>    C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\.
>    So applications that want to load Npcap first must make
>    C:\Windows\System32\Npcap\ precede other paths in ways such as
>    calling *SetDllDirectory*
>    <https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc. Another
>    point is that Npcap uses the service name npcap instead of WinPcap's npf with
>    "WinPcap Compatible Mode" OFF. So applications using net start npf for
>    starting the service must use net start npcap instead. If you want 100%
>    compatibility with WinPcap, you should install Npcap choosing "WinPcap
>    Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this
>    mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and
>    use the npf service name. It's notable that before installing in this
>    mode, you must uninstall WinPcap first (the installer wizard will prompt
>    you about that).
>    4. *Loopback Packets Capture Support*: Now Npcap is able to see
>    Windows loopback packets using the *Windows Filtering Platform (WFP)*
>    <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx> technique.
>    After installation, Npcap will create an adapter named Npcap Loopback
>    Adapter for you. If you are a Wireshark user, choose this adapter to
>    capture and you will see all loopback traffic the same way as on other
>    non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4)
>    or ping ::1 (IPv6).
>    5. *Loopback Packets Send Support*: Besides loopback packet
>    capturing, Npcap can also send out loopback packets based on the *Winsock
>    Kernel (WSK)*
>    <https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx> technique.
>    User software (e.g. Nmap) can just send packets out using the Npcap
>    Loopback Adapter like other adapters. The Npcap Loopback Adapter will
>    automatically remove the packet's Ethernet header and inject the payload
>    into the Windows TCP/IP stack, so this kind of loopback packet never goes out of
>    the machine.
>
>
> I actually didn't add a function for getting user software
> notified about media state changes. To my knowledge, there isn't
> any support for such a function in libpcap. libpcap is an interface standard
> followed by WinPcap/Npcap. However, I think you can do it using native
> Windows APIs (like Receiving Notification of Network Events in
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
> ). And if you have any improvement advice about Npcap, I will consider
> it :)
>
>
> Cheers,
> Yang
>
>
> On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
>
>> Oh, I have to admit that I did not try it on an up-to-date Windows 10
>> system... Thanks for the hint that this was only an issue in early Windows
>> 10 versions.
>>
>> I was also not aware of Npcap. Thanks for pointing me to this fork!
>> How does Npcap differ from WinPcap with respect to performance and features? At
>> least I am missing the possibility to get notified about media state
>> changes (connected, disconnected) in WinPcap. Does Npcap offer such
>> functionality?
>>
>> Furthermore: Is WinPcap still under active development? Its last release
>> was in 2013. Or am I better advised to rely on Npcap?
>>
>> Thank you!
>> Best regards,
>> SK
>>
>>
>>
>>
>> 2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:
>>
>>> Sven Kerschbaum wrote:
>>>
>>> > is there already an effort for getting WinPcap ready for Windows 10? As
>>> > Pascal Quantin already pointed out, WinPcap does not
>>> > run on Windows 10 due to the fact that the WinPcap driver is not an
>>> > NDIS 6 driver. Please find more information here:
>>> > http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
>>>
>>> Really? All my WinPcap-based programs work fine here.
>>> From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':
>>>
>>>         Verified:       Signed
>>>         Signing date:   02.49 01.03.2013
>>>         Publisher:      Riverbed Technology
>>>         Company:        Riverbed Technology, Inc.
>>>         Description:    npf.sys (NT5/6 AMD64) Kernel Driver
>>>         Product:        WinPcap
>>>         Prod version:   4.1.0.2980
>>>         File version:   4.1.0.2980
>>>         MachineType:    64-bit
>>>
>>>
>>> The version and 'Signing date' are in accordance with what's on
>>> winpcap.org.
>>> And also:
>>>
>>> F:\> windump -Dv
>>> 1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
>>>     Addr 0: 10.0.0.11 (mask 255.255.255.0)
>>>     MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)
>>>
>>> 2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
>>>     Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
>>>     Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
>>>     MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)
>>>
>>> 3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
>>>     Addr 0: 10.0.0.10 (mask 255.255.255.0)
>>>     MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)
>>>
>>> --------------
>>>
>>> I'm on Win 10, Version 1511 (OS Build 10586.71).
>>> Windows 10 build 10041 (as mentioned in that mail) is pretty old.
>>>
>>>
>>>
>>> --
>>> --gv
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>
>>
>>
>>
>
>
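The checks a practitioner would want after reading the thread, pulled together as an added PowerShell example: which capture runtime is installed (System32 plus service npf, or System32\Npcap plus service npcap), the driver signature check Gisle did with sigcheck, which wpcap.dll a process actually maps with and without SetDllDirectory, and the install-time Npcap options. This is not code from the WinPcap or Npcap projects or from anyone in this thread. The driver file name npcap.sys and the HKLM\SOFTWARE\Npcap registry values are assumptions; the paths, service names and SetDllDirectory behaviour are what the messages above describe.

```powershell
# Added example (not WinPcap/Npcap project code): inspect a Windows host for the
# capture runtime described in the thread. Run from an elevated PowerShell whose
# bitness matches the application you care about (32-bit PowerShell on a 64-bit
# OS is redirected from System32 to SysWOW64 and sees the 32-bit copies).

$Sys32 = Join-Path $env:SystemRoot 'System32'

function Get-PcapInstall {
    # WinPcap, and Npcap in "WinPcap Compatible Mode", put wpcap.dll in System32
    # and use service 'npf'; Npcap otherwise uses System32\Npcap and service 'npcap'.
    $candidates = @(
        @{ Flavor = 'Npcap (own directory)';                       Dir = (Join-Path $Sys32 'Npcap'); Service = 'npcap' }
        @{ Flavor = 'WinPcap, or Npcap in WinPcap Compatible Mode'; Dir = $Sys32;                    Service = 'npf' }
    )
    foreach ($c in $candidates) {
        $dll = Join-Path $c.Dir 'wpcap.dll'
        if (-not (Test-Path $dll)) { continue }
        $svc   = Get-Service -Name $c.Service -ErrorAction SilentlyContinue
        $state = if ($svc) { [string]$svc.Status } else { 'service not installed' }
        [pscustomobject]@{ Flavor = $c.Flavor; WpcapDll = $dll; Service = $c.Service; State = $state }
    }
}

function Get-CaptureDriverSignature {
    # Counterpart of 'sigcheck ...\drivers\npf.sys' from the thread. npf.sys is the
    # WinPcap driver (also used by Npcap in compatible mode); npcap.sys is an
    # assumption for Npcap's own driver file name.
    foreach ($name in 'npf.sys', 'npcap.sys') {
        $path = Join-Path $Sys32 "drivers\$name"
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = (Get-Item $path).VersionInfo
        [pscustomobject]@{
            Driver  = $path
            Status  = $sig.Status            # anything other than 'Valid' deserves a look
            Signer  = $sig.SignerCertificate.Subject
            Product = $ver.ProductName
            Version = $ver.FileVersion
        }
    }
}

function Get-NpcapInstallOptions {
    # Assumption: the Npcap installer records its checkbox choices as DWORDs under
    # HKLM\SOFTWARE\Npcap (AdminOnly = 1 for "Restrict Npcap driver's access to
    # Administrators only", WinPcapCompatible = 1 for the compatible-mode install).
    # Returns nothing when the key is absent, e.g. when only WinPcap is installed.
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Npcap' -ErrorAction SilentlyContinue |
        Select-Object AdminOnly, WinPcapCompatible, LoopbackSupport
}

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool SetDllDirectory(string lpPathName);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Test-WpcapLoadOrder {
    param([switch]$PreferNpcap)
    # What an Npcap-aware program does: put System32\Npcap at the head of the DLL
    # search path before the first LoadLibrary('wpcap.dll'), then ask Windows which
    # file it actually mapped. Without the switch the default search order applies.
    if ($PreferNpcap) { [void][Win32.Kernel32]::SetDllDirectory((Join-Path $Sys32 'Npcap')) }
    try {
        $h = [Win32.Kernel32]::LoadLibrary('wpcap.dll')
        if ($h -eq [IntPtr]::Zero) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            return "wpcap.dll not found on the search path (Win32 error $err)"
        }
        $mod = (Get-Process -Id $PID).Modules |
            Where-Object { $_.ModuleName -ieq 'wpcap.dll' } | Select-Object -First 1
        [void][Win32.Kernel32]::FreeLibrary($h)
        return $mod.FileName
    } finally {
        # SetDllDirectory(NULL) restores the default search order for this process.
        if ($PreferNpcap) { [void][Win32.Kernel32]::SetDllDirectory($null) }
    }
}

Get-PcapInstall            | Format-Table -AutoSize
Get-CaptureDriverSignature | Format-List
Get-NpcapInstallOptions
Test-WpcapLoadOrder                  # default order: the System32 copy wins if WinPcap is present
Test-WpcapLoadOrder -PreferNpcap     # System32\Npcap copy wins when both runtimes are installed
```

Run the two Test-WpcapLoadOrder variants in separate powershell.exe processes: once wpcap.dll is mapped and held by anything else in the process, a later LoadLibrary returns that copy regardless of the search path. The same search-order rule is why a program that loads wpcap.dll by bare name from its own (user-writable) directory is exposed to DLL planting; SetDllDirectory with an empty string removes the current directory from the search order, and the explicit Npcap directory above pins the choice instead of leaving it to whatever wpcap.dll is found first.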

