[Winpcap-users] Windows 10 support for WinPcap
Sven Kerschbaum
svkers at gmail.com
Thu Feb 4 15:31:34 UTC 2016
Hi Yang,
thanks for providing me the detailed information about Npcap. I will
definitely have a look at it and try it.
Cheers,
SK
2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <hsluoyz at gmail.com>:
> Hi Sven,
>
> Npcap (https://github.com/nmap/npcap) has better performance because of
> NDIS 6. It also has several new features:
>
>
> 1. *NDIS 6 Support*: Npcap makes use of the new LWF driver in Windows
> Vista and later (the legacy driver is used on XP). It's faster than the
> legacy *NDIS 5 Intermediate*
> <https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx> technique.
> One reason is that the packet data structure has changed (from NDIS_PACKET
> to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra
> packet structure conversion.
> 2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
> Administrators for safety purposes. If Npcap is installed with the option *Restrict
> Npcap driver's access to Administrators only* checked, when a
> non-Admin user tries to start user software (Nmap, Wireshark, etc.), the *User
> Account Control (UAC)*
> <http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7> dialog
> will prompt asking for Administrator privilege. Only when the end user
> chooses Yes can the driver be accessed. This is similar to UNIX where
> you need root access to capture packets.
> 3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is
> used to decide whether Npcap should coexist with WinPcap or be compatible
> with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist
> with WinPcap and share the DLL binary interface with WinPcap. So
> applications unaware of Npcap *SHOULD* be able to use Npcap
> automatically if WinPcap is unavailable. Applications that know of Npcap's
> existence can choose to use Npcap or WinPcap first. The key to which is
> loaded first is the *DLL Search Path*
> <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
> With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
> C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\.
> So applications that want to load Npcap first must make
> C:\Windows\System32\Npcap\ precede other paths in ways such as
> calling *SetDllDirectory*
> <https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc. Another
> point is that Npcap uses the service name npcap instead of WinPcap's npf with
> "WinPcap Compatible Mode" OFF. So applications using net start npf for
> starting the service must use net start npcap instead. If you want 100%
> compatibility with WinPcap, you should install Npcap choosing "WinPcap
> Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this
> mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and
> use the npf service name. It's notable that before installing in this
> mode, you must uninstall WinPcap first (the installer wizard will prompt
> you about that).
> 4. *Loopback Packets Capture Support*: Now Npcap is able to see
> Windows loopback packets using the *Windows Filtering Platform (WFP)*
> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx> technique.
> After installation, Npcap will create an adapter named Npcap Loopback
> Adapter for you. If you are a Wireshark user, choose this adapter to
> capture and you will see all loopback traffic the same way as on other
> non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4)
> or ping ::1 (IPv6).
> 5. *Loopback Packets Send Support*: Besides loopback packet
> capturing, Npcap can also send out loopback packets based on the *Winsock
> Kernel (WSK)*
> <https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx> technique.
> User software (e.g. Nmap) can just send packets out using the Npcap
> Loopback Adapter like other adapters. The Npcap Loopback Adapter will
> automatically remove the packet's Ethernet header and inject the payload
> into the Windows TCP/IP stack, so this kind of loopback packet never goes out of
> the machine.
>
>
> I actually didn't add a function for notifying user software about
> media state changes. To my knowledge there isn't
> any support for such a function in libpcap. libpcap is an interface standard
> followed by WinPcap/Npcap. However, I think you can do it using native
> Windows APIs (like Receiving Notification of Network Events in
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
> ). And if you have any improvement advice about Npcap, I will consider
> it :)
>
>
> Cheers,
> Yang
>
>
> On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
>
>> Oh, I have to admit that I did not try it on an up-to-date Windows 10
>> system... Thanks for the hint that this was only an issue in early Windows
>> 10 versions.
>>
>> I was also not aware of Npcap. Thanks for pointing me to this fork!
>> How does Npcap differ from WinPcap with respect to performance and features? At
>> least I am missing the possibility to get notified about media state
>> changes (connected, disconnected) in WinPcap. Does Npcap offer such
>> functionality?
>>
>> Furthermore: Is WinPcap still under active development? Its last release
>> was in 2013. Or am I better advised to rely on Npcap?
>>
>> Thank you!
>> Best regards,
>> SK
>>
>>
>>
>>
>> 2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:
>>
>>> Sven Kerschbaum wrote:
>>>
>>> > is there already effort for getting WinPcap ready for Windows 10? As
>>> > Pascal Quantin already pointed out WinPcap does not
>>> > run on Windows 10 due to the fact that the WinPcap driver is not an
>>> > NDIS 6 driver. Please find more information here:
>>> > http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
>>>
>>> Really? All my WinPcap-based programs work fine here.
>>> From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':
>>>
>>> Verified: Signed
>>> Signing date: 02.49 01.03.2013
>>> Publisher: Riverbed Technology
>>> Company: Riverbed Technology, Inc.
>>> Description: npf.sys (NT5/6 AMD64) Kernel Driver
>>> Product: WinPcap
>>> Prod version: 4.1.0.2980
>>> File version: 4.1.0.2980
>>> MachineType: 64-bit
>>>
>>>
>>> The version and 'Signing date' is in accordance with what's on
>>> winpcap.org.
>>> And also:
>>>
>>> F:\> windump -Dv
>>> 1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF} Descr: Microsoft
>>> Addr 0: 10.0.0.11 (mask 255.255.255.0)
>>> MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over
>>> Native802_11, DOWN, 54Mb/s (NDIS)
>>>
>>> 2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC} Descr: Microsoft
>>> Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
>>> Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
>>> MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over
>>> Bluetooth, DOWN, 3Mb/s (NDIS)
>>>
>>> 3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607} Descr: Realtek
>>> Ethernet Controller
>>> Addr 0: 10.0.0.10 (mask 255.255.255.0)
>>> MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s
>>> (NDIS)
>>>
>>> --------------
>>>
>>> I'm on Win 10. Version 1511 (OS-Build 10586.71).
>>> Windows 10 build 10041 (as mentioned in that mail) is pretty old.
>>>
>>>
>>>
>>> --
>>> --gv
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>
>>
>>
>
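As an added example, and not code from this thread or from the Npcap/WinPcap projects, the following PowerShell script performs on a Windows 10 host the checks that come up above: it tells you whether the installed capture driver registers as the npf or the npcap service (and so whether "net start npf" or "net start npcap" applies), what product, version and signer the driver binary carries (what Gisle read off with sigcheck), which wpcap.dll an application will find in each install layout, whether the Npcap Loopback Adapter is present, and, by calling SetDllDirectory before loading wpcap.dll into the running process, which copy of the DLL actually wins the search. The service names, the System32\Npcap\ path and the adapter name are taken from Yang's message; the AdminOnly registry value under the npcap service's Parameters key is my assumption about how the "Restrict Npcap driver's access to Administrators only" option is recorded and should be verified against the Npcap version you install. Run it from 64-bit PowerShell as an Administrator.

```powershell
# Added example: inventory the WinPcap/Npcap installation on a Windows 10 host.
# Not from the thread or the Npcap/WinPcap projects. Run from 64-bit PowerShell
# as Administrator so SystemDirectory is the native System32 and drivers are readable.
# ASSUMPTION (not stated on the page): the AdminOnly DWORD under the npcap
# service's Parameters key records the "Administrators only" install option.

$sys32 = [Environment]::SystemDirectory     # e.g. C:\Windows\System32

# Kernel drivers are not returned by Get-Service, so use Win32_SystemDriver.
# npcap  = Npcap with "WinPcap Compatible Mode" OFF
# npf    = WinPcap, or Npcap installed in WinPcap API-compatible mode
function Get-CaptureDriver {
    foreach ($name in 'npcap', 'npf') {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if ($null -eq $drv) { continue }
        # Normalise the image path forms the registry may use.
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Service     = $name
            State       = $drv.State
            StartWith   = "net start $name"
            Driver      = $path
            Product     = $vi.ProductName        # "WinPcap" or "Npcap"
            FileVersion = $vi.FileVersion
            Signer      = $sig.SignerCertificate.Subject
            Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Where wpcap.dll sits. System32\Npcap is only reached if an application puts it
# ahead of System32 in the DLL search path; System32 is WinPcap's location and
# Npcap's in WinPcap API-compatible mode.
function Get-WpcapDll {
    foreach ($p in (Join-Path $sys32 'Npcap\wpcap.dll'), (Join-Path $sys32 'wpcap.dll')) {
        if (Test-Path -LiteralPath $p) {
            $vi = (Get-Item -LiteralPath $p).VersionInfo
            [pscustomobject]@{ Path = $p; Product = $vi.ProductName; FileVersion = $vi.FileVersion }
        }
    }
}

# ASSUMED registry location of the Admin-only setting; verify for your version.
function Get-NpcapAdminOnly {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap\Parameters'
    $v = Get-ItemProperty -Path $key -Name AdminOnly -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'unknown (key or value not present)' }
    return [bool]$v.AdminOnly
}

function Get-NpcapLoopbackAdapter {
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*Npcap Loopback*' -or $_.InterfaceDescription -like '*Npcap Loopback*' } |
        Select-Object Name, InterfaceDescription, Status
}

# The DLL search path point from the thread, made observable: prepend
# System32\Npcap with SetDllDirectory, load wpcap.dll into this process,
# then read back which file was actually mapped.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SetDllDirectory(string lpPathName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
'@

function Test-NpcapLoadsFirst {
    $npcapDir = Join-Path $sys32 'Npcap'
    if (-not $k32::SetDllDirectory($npcapDir)) { throw 'SetDllDirectory failed' }
    $h = $k32::LoadLibrary('wpcap.dll')
    if ($h -eq [IntPtr]::Zero) { return 'wpcap.dll not found on the search path' }
    (Get-Process -Id $PID).Modules |
        Where-Object { $_.ModuleName -ieq 'wpcap.dll' } |
        Select-Object -ExpandProperty FileName
}

Get-CaptureDriver | Format-List
Get-WpcapDll | Format-Table -AutoSize
"Admin-only mode: $(Get-NpcapAdminOnly)"
Get-NpcapLoopbackAdapter | Format-Table -AutoSize
"wpcap.dll loaded from: $(Test-NpcapLoadsFirst)"
```

If the last line reports a path under System32\Npcap\ even though a WinPcap wpcap.dll also exists in System32, the SetDllDirectory ordering Yang describes is working; if it reports System32\wpcap.dll, the process picked up WinPcap (or Npcap in compatible mode) instead. A Signature value other than Valid on the driver is worth investigating before loading it.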