[Winpcap-users] Windows 10 support for WinPcap
Sven Kerschbaum
svkers at gmail.com
Thu Feb 4 18:40:48 UTC 2016
@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
On 04.02.2016 16:31, "Sven Kerschbaum" <svkers at gmail.com> wrote:
> Hi Yang,
>
> thanks for providing me the detailed information about Npcap. I will
> definitely have a look at it and try it.
>
> Cheers,
> SK
>
>
> 2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <hsluoyz at gmail.com>:
>
>> Hi Sven,
>>
>> Npcap (https://github.com/nmap/npcap) has better performance because of
>> NDIS 6. It also has several new features:
>>
>>
>> 1. *NDIS 6 Support*: Npcap makes use of new LWF driver in Windows
>> Vista and later (the legacy driver is used on XP). It's faster than the
>> legacy *NDIS 5 Intermediate*
>> <https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx> technique.
>> One reason is that packet data structure has changed (from NDIS_PACKET
>> to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra
>> packet structure conversion.
>> 2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
>> Administrators for safety purposes. If Npcap is installed with the option *Restrict
>> Npcap driver's access to Administrators only* checked, when a
>> non-Admin user tries to start a user software (Nmap, Wireshark, etc), the *User
>> Account Control (UAC)*
>> <http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7> dialog
>> will prompt asking for Administrator privilege. Only when the end user
>> chooses Yes, the driver can be accessed. This is similar to UNIX
>> where you need root access to capture packets.
>> 3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is
>> used to decide whether Npcap should coexist with WinPcap or be compatible
>> with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist
>> with WinPcap and share the DLL binary interface with WinPcap. So the
>> applications unaware of Npcap *SHOULD* be able to use Npcap
>> automatically if WinPcap is unavailable. Applications that know of Npcap's
>> existence can choose to use Npcap or WinPcap first. The key about which is
>> loaded first is *DLL Search Path*
>> <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
>> With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
>> C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\.
>> So applications that want to load Npcap first must make
>> C:\Windows\System32\Npcap\ precede other paths in ways such as
>> calling *SetDllDirectory*
>> <https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc.
>> Another point is Npcap uses service name npcap instead of WinPcap's
>> npf with "WinPcap Compatible Mode" OFF. So applications using net
>> start npf for starting service must use net start npcap instead. If
>> you want 100% compatibility with WinPcap, you should install Npcap choosing
>> "WinPcap Compatible Mode" (Install Npcap in WinPcap API-compatible Mode).
>> In this mode, Npcap will install its DLLs in WinPcap's
>> C:\Windows\System32\ and use the npf service name. It's notable that
>> before installing in this mode, you must uninstall WinPcap first (the
>> installer wizard will prompt you that).
>> 4. *Loopback Packets Capture Support*: Now Npcap is able to see
>> Windows loopback packets using *Windows Filtering Platform (WFP)*
>> <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx> technique.
>> After installation, Npcap will create an adapter named Npcap Loopback
>> Adapter for you. If you are a Wireshark user, choose this adapter to
>> capture, you will see all loopback traffic the same way as other
>> non-loopback adapters. Try it by typing in commands like ping
>> 127.0.0.1 (IPv4) or ping ::1 (IPv6).
>> 5. *Loopback Packets Send Support*: Besides loopback packets
>> capturing, Npcap can also send out loopback packets based on *Winsock
>> Kernel (WSK)*
>> <https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx> technique.
>> A user software (e.g. Nmap) can just send packets out using Npcap
>> Loopback Adapter like other adapters. Npcap Loopback Adapter will
>> automatically remove the packet's Ethernet header and inject the payload
>> into Windows TCP/IP stack, so this kind of loopback packet never goes out of
>> the machine.
>>
>>
>> I actually didn't add a function about making user software getting
>> notified about media state changes. From my knowledge I don't know there's
>> any support of such a function in libpcap. libpcap is an interface standard
>> followed by WinPcap/Npcap. However, I think you can do it using native
>> Windows APIs (like Receiving Notification of Network Events in
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
>> ). And if you have any improvement advice about Npcap, I will consider
>> it:)
>>
>>
>> Cheers,
>> Yang
>>
>>
>> On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
>>
>>> Oh, I have to admit that I did not try it on an up-to-date Windows
>>> 10 system... Thanks for the hint that this was only an issue in early
>>> Windows 10 versions.
>>>
>>> I was also not aware of the Npcap. Thanks for pointing me to this fork!
>>> How does Npcap differ from WinPcap with respect to performance, feature? At
>>> least I am missing the possibility to get notified about media state
>>> changes (connected, disconnected) in WinPcap. Does Npcap offer such a
>>> functionality?
>>>
>>> Furthermore: Is WinPcap still under active development? Its last release
>>> was in 2013. Or am I better advised to rely on Npcap?
>>>
>>> Thank you!
>>> Best regards,
>>> SK
>>>
>>>
>>>
>>>
>>> 2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:
>>>
>>>> Sven Kerschbaum wrote:
>>>>
>>>> > is there already effort for getting WinPcap ready for Windows 10? As
>>>> > Pascal Quantin already pointed out WinPcap does not
>>>> > run on Windows 10 due to the fact that the WinPcap driver is not an
>>>> > NDIS 6 driver. Please find more information here:
>>>> > http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
>>>>
>>>> Really? All my WinPcap-based programs work fine here.
>>>> From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':
>>>>
>>>> Verified: Signed
>>>> Signing date: 02.49 01.03.2013
>>>> Publisher: Riverbed Technology
>>>> Company: Riverbed Technology, Inc.
>>>> Description: npf.sys (NT5/6 AMD64) Kernel Driver
>>>> Product: WinPcap
>>>> Prod version: 4.1.0.2980
>>>> File version: 4.1.0.2980
>>>> MachineType: 64-bit
>>>>
>>>>
>>>> The version and 'Signing date' is in accordance with what's on
>>>> winpcap.org.
>>>> And also:
>>>>
>>>> F:\> windump -Dv
>>>> 1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF} Descr:
>>>> Microsoft
>>>> Addr 0: 10.0.0.11 (mask 255.255.255.0)
>>>> MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over
>>>> Native802_11, DOWN, 54Mb/s (NDIS)
>>>>
>>>> 2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC} Descr:
>>>> Microsoft
>>>> Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
>>>> Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
>>>> MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over
>>>> Bluetooth, DOWN, 3Mb/s (NDIS)
>>>>
>>>> 3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607} Descr: Realtek
>>>> Ethernet Controller
>>>> Addr 0: 10.0.0.10 (mask 255.255.255.0)
>>>> MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s
>>>> (NDIS)
>>>>
>>>> --------------
>>>>
>>>> I'm on Win 10. Version 1511 (OS-Build 10586.71).
>>>> Windows 10 build 10041 (as mentioned in that mail) is pretty old.
>>>>
>>>>
>>>>
>>>> --
>>>> --gv
>>>> _______________________________________________
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>>>
>
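The DLL search path step from Yang's quoted reply (Npcap installed with "WinPcap Compatible Mode" OFF), as an added example that is not part of the original thread or of Npcap's own code. The names npcap_dll_dir and load_npcap_first are hypothetical, and the Windows part assumes wpcap.dll exports pcap_lib_version as libpcap does.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: writes "<sysdir>\Npcap" into out.
   Returns 0 on success, -1 if sysdir is empty or out is too small. */
int npcap_dll_dir(const char *sysdir, char *out, size_t outlen)
{
    size_t n = strlen(sysdir);
    if (n > 0 && sysdir[n - 1] == '\\')   /* tolerate a trailing backslash */
        n--;
    if (n == 0 || n + sizeof("\\Npcap") > outlen)
        return -1;
    memcpy(out, sysdir, n);
    memcpy(out + n, "\\Npcap", sizeof("\\Npcap"));  /* includes the NUL */
    return 0;
}

#ifdef _WIN32
#include <windows.h>
typedef const char *(*pcap_lib_version_fn)(void);

/* Hypothetical wrapper: returns the loaded module, or NULL on failure. */
HMODULE load_npcap_first(void)
{
    char sysdir[MAX_PATH], dir[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof(sysdir));
    if (len == 0 || len >= sizeof(sysdir))
        return NULL;
    if (npcap_dll_dir(sysdir, dir, sizeof(dir)) != 0)
        return NULL;
    /* Search ...\System32\Npcap before System32 itself. */
    if (!SetDllDirectoryA(dir))
        return NULL;
    return LoadLibraryA("wpcap.dll");
}

int main(void)
{
    HMODULE h = load_npcap_first();
    if (h == NULL) {
        fprintf(stderr, "wpcap.dll not loaded (error %lu)\n", GetLastError());
        return 1;
    }
    pcap_lib_version_fn ver = (pcap_lib_version_fn)GetProcAddress(h, "pcap_lib_version");
    if (ver != NULL)
        printf("%s\n", ver());  /* names the library actually loaded */
    FreeLibrary(h);
    return 0;
}
#endif
```

When C:\Windows\System32\Npcap\ holds no wpcap.dll, the search continues through the remaining directories, so a WinPcap copy in C:\Windows\System32\ can still be the one that loads.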