Npcap packet driver

As it's still in development it's not considered stable at this time. Win10Pcap is a new WinPcap-based Ethernet packet capture library. It may also be used on unlimited systems where it is only used with Nmap and/or Wireshark. WinPcap is the packet tool for link-layer network access in Windows environments. WinDump can be used to watch, diagnose and save to disk network traffic according to various complex rules. Npcap is installed as a driver with a service.

Npcap is the Nmap Project's packet sniffing library for Windows. Npcap is the Windows version of the libpcap library; it includes a driver to support capturing packets. Npcap is fully compliant, with its drivers tested and co-signed by Microsoft. Unlike the original WinPcap, Win10Pcap is compatible with the NDIS 6.x driver model and works stably with Windows 10.

Wireshark will not use Npcap if WinPcap is installed, so raw 802.11 WiFi capture will not be available.

The dump to disk capability can be used to save the network data to disk directly from kernel mode. The capture process relies on two main components. Windows XP and earlier are not supported; you can use WinPcap for these versions. When the kernel-level traffic logging feature of NPF is enabled, the capture driver addresses the file system directly: only two buffers and a single copy are necessary and the number of system calls is drastically reduced, so the performance is considerably better.

A packet filter that decides if an incoming packet has to be accepted and copied to the listening application. We fund the Npcap project by selling licenses to companies who wish to redistribute Npcap within their products. The data that pass the filter go to the counter, which keeps some variables, like the number of packets and the amount of bytes accepted by the filter, and updates them with the data of the incoming packets.

Nmap Packet Capture (Npcap). The free version of Npcap may be used (but not externally redistributed) on up to 5 systems. The data is sent to the network as is, without encapsulating it in any protocol; therefore the application will have to build the various headers for each packet. Most applications using NPF reject far more packets than they accept; therefore a versatile and efficient packet filter is critical for good overall performance.

In this case Wireshark will not be able to capture traffic, only load capture files obtained from elsewhere. If the loopback adapter is missing, update to the latest version of Wireshark or use RawCap. The NPF packet filter is a bit more complex, because it determines not only if the packet should be kept, but also the amount of bytes to keep. Win10Pcap: WinPcap for Windows 10 (NDIS 6.x).

Windows CurrentVersion: 10.0. Signer name: Microsoft Windows Hardware Compatibility Publisher.

The service is named npcap, and we can display its status from the command line with the sc command. Wireshark can use this library to capture live network data on Windows.

The source code of Packet.dll is freely available and completely documented.

Some of the filters in Win10 (Service Name / Description / FilterClass / Inf File): MsBridge / Microsoft MAC Bridge / ms_implatform / netbrdg. There is also a sequence for all filter drivers in the NDIS 6 stack.

When the Npcap installation is completed successfully we will see the following screen. Please use the Nmap development mailing list (nmap-dev).

This special version of Npcap includes enterprise features such as the silent installer and commercial support as well as special license rights allowing customers to redistribute Npcap with their products or to install it on more systems within their organization with easy enterprise deployment. The improvements for each release are documented in the Npcap Changelog.

NetMon has its own equivalent of the Npcap driver; it might use the same mechanism to get 802.11 data.

The idea behind this module is shown in Figure 2: the statistics can be gathered without the need to copy the packets to the application, that simply receives and displays the results obtained from the monitoring engine. Bug reports for Npcap can also be filed on the Nmap bug tracker.

Newer Windows versions of Wireshark ship with the Npcap capture driver which supports the loopback driver. Npcap OEM Internal Use License allows companies to use Npcap OEM internally in excess of the free/demo version's normal 5-system limitation. No buffers are allocated at kernel and user level. The libpcap file format description can be found at: Development/LibpcapFileFormat. WinPcap Has Ceased Development.

The changes in each new release are documented in the Npcap Changelog. On some OSes (like xBSD and Win32), the packet driver can be configured to capture only the initial part of any packet: this decreases the amount of data to copy to the application and therefore improves the efficiency of the capture. WinPcap compatibility: For applications that don't yet make use of Npcap's advanced features, Npcap can be installed in "WinPcap Compatible Mode."

WinPcap packet mode is the default for most capture applications.

Npcap does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack. Npcap is the NDIS 6 fork of WinPcap.

General information about the Npcap project can be found at the Npcap web site. To subscribe, please send code patches to fix bugs. Redistribution license details Npcap OEM Internal-Use License. It is based on the WinPcap / libpcap libraries, but with improved speed, portability, security, and efficiency. The user-level application can set, with an IOCTL call (code BIOCWRITEREP), the number of times a single packet will be repeated. Both of these licenses include updates and support as well as a warranty. If you do insist upon using WinPcap, be aware that its installer was built with an old version of NSIS and as a result is vulnerable to DLL hijacking.

The latest development source is in our GitHub source repository. This Users' Guide covers the basics of installing, configuring, and removing Npcap, as well as how to report bugs.

If the Npcap Packet Driver is enabled under my NIC card configuration, the workstation will not connect to the network.

Npcap Users' Guide: Because Npcap is a packet capture architecture, not merely a software library, some aspects of installation and configuration may fall to the end user. The Npcap free license only allows five installs (with a few exceptions) and does not allow for any redistribution. The current implementation dumps to disk in the widely used libpcap format. The Wireshark installer will install Npcap unless the user opts not to do so.