[Winpcap-users] Windows 10 support for WinPcap

Jiyang Hu jiyang_hu at yahoo.com
Thu Feb 4 19:17:48 UTC 2016


@Sven: you need something called the Inverted Call Model:
The Inverted Call Model in KMDF - OSR (www.osr.com)


 

    On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
 

 @Yang: It is not possible to get notifications of media state changes by the API which you proposed in your previous post. It provides only notifications about IP table changes.

On 04.02.2016 16:31, "Sven Kerschbaum" <svkers at gmail.com> wrote:

Hi Yang,
thanks for providing me the detailed information about Npcap. I will definitively have a look at it and try it.
Cheers,
SK

2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <hsluoyz at gmail.com>:

Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. It also has several new features:
   
   - NDIS 6 Support: Npcap makes use of the new LWF driver in Windows Vista and later (the legacy driver is used on XP). It's faster than the legacy NDIS 5 Intermediate technique. One reason is that the packet data structure has changed (from NDIS_PACKET to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra packet structure conversion.
   - "Admin-only Mode" Support: Npcap supports restricting its use to Administrators for safety purposes. If Npcap is installed with the option "Restrict Npcap driver's access to Administrators only" checked, when a non-Admin user tries to start user software (Nmap, Wireshark, etc.), the User Account Control (UAC) dialog will prompt asking for Administrator privilege. Only when the end user chooses Yes can the driver be accessed. This is similar to UNIX where you need root access to capture packets.
   - "WinPcap Compatible Mode" Support: "WinPcap Compatible Mode" is used to decide whether Npcap should coexist with WinPcap or be compatible with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist with WinPcap and share the DLL binary interface with WinPcap. So applications unaware of Npcap SHOULD be able to use Npcap automatically if WinPcap is unavailable. Applications that know of Npcap's existence can choose to use Npcap or WinPcap first. The key to which is loaded first is the DLL Search Path. With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So applications that want to load Npcap first must make C:\Windows\System32\Npcap\ precede other paths, in ways such as calling SetDllDirectory, etc. Another point is that Npcap uses the service name npcap instead of WinPcap's npf with "WinPcap Compatible Mode" OFF. So applications using net start npf for starting the service must use net start npcap instead. If you want 100% compatibility with WinPcap, you should install Npcap choosing "WinPcap Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and use the npf service name. It's notable that before installing in this mode, you must uninstall WinPcap first (the installer wizard will prompt you about that).
   - Loopback Packets Capture Support: Now Npcap is able to see Windows loopback packets using the Windows Filtering Platform (WFP) technique. After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture and you will see all loopback traffic the same way as on other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
   - Loopback Packets Send Support: Besides loopback packet capturing, Npcap can also send out loopback packets based on the Winsock Kernel (WSK) technique. User software (e.g. Nmap) can just send packets out using Npcap Loopback Adapter like other adapters. Npcap Loopback Adapter will automatically remove the packet's Ethernet header and inject the payload into the Windows TCP/IP stack, so this kind of loopback packet never goes out of the machine.

I actually didn't add a function for notifying user software about media state changes. From my knowledge, I don't know of any support for such a function in libpcap. libpcap is an interface standard followed by WinPcap/Npcap. However, I think you can do it using native Windows APIs (like Receiving Notification of Network Events in https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx). And if you have any improvement advice about Npcap, I will consider it :)

Cheers,
Yang

On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:

Oh, I have to admit that I did not try it on an up-to-date Windows 10 system... Thanks for the hint that this was only an issue in early Windows 10 versions.
I was also not aware of Npcap. Thanks for pointing me to this fork! How does Npcap differ from WinPcap with respect to performance and features? At least I am missing the possibility to get notified about media state changes (connected, disconnected) in WinPcap. Does Npcap offer such functionality?
Furthermore: Is WinPcap still under active development? Its last release was in 2013. Or am I better advised to rely on Npcap?
Thank you!
Best regards,
SK



2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:

Sven Kerschbaum wrote:

> is there already effort for getting WinPcap ready for Windows 10? As Pascal Quantin already pointed out WinPcap does not
> run on Windows 10 due to the fact that the WinPcap driver is not an NDIS 6 driver. Please find more information here:
> http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html

Really? All my WinPcap-based programs work fine here.
From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':

        Verified:       Signed
        Signing date:   02.49 01.03.2013
        Publisher:      Riverbed Technology
        Company:        Riverbed Technology, Inc.
        Description:    npf.sys (NT5/6 AMD64) Kernel Driver
        Product:        WinPcap
        Prod version:   4.1.0.2980
        File version:   4.1.0.2980
        MachineType:    64-bit


The version and 'Signing date' are in accordance with what's on winpcap.org.
And also:

F:\> windump -Dv
1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
    Addr 0: 10.0.0.11 (mask 255.255.255.0)
    MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)

2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
    Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
    Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
    MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)

3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
    Addr 0: 10.0.0.10 (mask 255.255.255.0)
    MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)

--------------

I'm on Win 10. Version 1511 (OS-Build 10586.71).
Windows 10 build 10041 (as mentioned in that mail) is pretty old.



--
--gv
_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users












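The thread above compares three installation states (WinPcap, Npcap with "WinPcap Compatible Mode" OFF, and Npcap in WinPcap API-compatible mode) and shows a sigcheck run on npf.sys. The following PowerShell script is an added example, not code from the thread, Npcap or WinPcap, that reports which of those states a host is in. It assumes only what the messages state: the service names npf and npcap, wpcap.dll under System32 versus System32\Npcap, and the adapter name Npcap Loopback Adapter; driver file locations are read from Win32_SystemDriver rather than assumed.

```powershell
# Added example: read-only inventory of the packet-capture driver on a Windows host,
# based on facts from the thread above:
#   WinPcap, and Npcap in WinPcap API-compatible mode, use the service name "npf"
#   and place wpcap.dll in %SystemRoot%\System32; Npcap with "WinPcap Compatible
#   Mode" OFF uses the service name "npcap" and %SystemRoot%\System32\Npcap.
# Driver file paths come from Win32_SystemDriver, not from a hard-coded name.
# Run from a 64-bit, elevated PowerShell (the sigcheck run above used sysnative for
# the same reason: to avoid 32-bit SysWOW64 redirection).

function Resolve-DriverPath {
    param([string]$PathName)
    # PathName may be '\??\C:\...\npf.sys', 'C:\...\npf.sys' or 'system32\drivers\npf.sys'
    $p = $PathName -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignedFileInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path        = $Path
        Product     = $ver.ProductName      # "WinPcap" in the sigcheck output above
        FileVersion = $ver.FileVersion
        Signature   = $sig.Status           # Valid / NotSigned / HashMismatch ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

function Get-CaptureDriverReport {
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $report = [ordered]@{}

    foreach ($svc in 'npf', 'npcap') {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$svc'"
        if ($null -eq $drv) {
            $report["service $svc"] = 'not installed'
            continue
        }
        $report["service $svc"] = "$($drv.State) (start mode: $($drv.StartMode))"
        $report["driver $svc"]  = Get-SignedFileInfo (Resolve-DriverPath $drv.PathName)
    }

    # The System32 copy is what an Npcap-unaware program gets from the default DLL
    # search path; the System32\Npcap copy is reached only by programs that put that
    # directory first (e.g. via SetDllDirectory), as the thread explains.
    $report['wpcap.dll System32']       = Get-SignedFileInfo (Join-Path $sys32 'wpcap.dll')
    $report['wpcap.dll System32\Npcap'] = Get-SignedFileInfo (Join-Path $sys32 'Npcap\wpcap.dll')

    # Loopback adapter created by Npcap (name from the thread); absent on plain WinPcap.
    $lo = $null
    if (Get-Command Get-NetAdapter -ErrorAction SilentlyContinue) {
        $lo = Get-NetAdapter | Where-Object {
            $_.Name -like 'Npcap Loopback*' -or $_.InterfaceDescription -like 'Npcap Loopback*'
        }
    }
    $report['Npcap Loopback Adapter'] = if ($lo) { $lo.Status } else { 'not present' }

    $hasNpf   = $report['service npf']   -ne 'not installed'
    $hasNpcap = $report['service npcap'] -ne 'not installed'
    $report['interpretation'] = if ($hasNpf -and $hasNpcap) {
        'Npcap (WinPcap Compatible Mode OFF) coexisting with WinPcap'
    } elseif ($hasNpcap) {
        'Npcap only, WinPcap Compatible Mode OFF'
    } elseif ($hasNpf) {
        'service npf: WinPcap, or Npcap in WinPcap API-compatible mode; see driver Product/Signer'
    } else {
        'no capture driver installed'
    }

    return [pscustomobject]$report
}

Get-CaptureDriverReport | Format-List
```

Format-List prints the nested driver and DLL records on one line each; to inspect one in full, use for example `(Get-CaptureDriverReport).'driver npf'`. The script reports the Authenticode status, signer and file version, which correspond to the Verified, Publisher and File version lines of the sigcheck output above; sigcheck's signing date is not available from VersionInfo and is not reproduced.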


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20160204/54482750/attachment-0001.html>

