WinPcap Frequently Asked Questions
  1. How can I see if WinPcap is installed on my system? How can I remove it?
  2. After the installation, I cannot see WinPcap under the properties of my network adapter in control panel. Did anything go wrong?
  3. How can I see if WinPcap is currently running on my Win2K/XP machine?
  4. The XXX WinPcap-based application doesn't run properly on my system. Is it a WinPcap problem?
  5. Can I use WinPcap on a PPP connection?
  6. Can I use WinPcap on a VPN connection?
  7. Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?
  8. Can I use WinPcap with Borland development tools?
  9. Can I use WinPcap with Visual Basic?
  10. Does WinPcap work in connection with personal firewalls?
  11. When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine.  What should I do to arrange that I see those packets in their entirety?
  12. Does WinPcap work with Java?
  13. Does WinPcap support the loopback device?
  14. On which OS can I run WinPcap?
  15. Does WinPcap work on my multiprocessor (SMP) machine?
  16. Which network adapters are supported by WinPcap?
  17. Can I use WinPcap to drop the incoming packets? Is it possible to use WinPcap to build a firewall?
  18. Is it possible to start WinPcap automatically when the system boots?
  19. I recompiled the sources of WinPcap and the result doesn't seem to work as expected.
  20. I installed Zx Sniffer on my PC, and after that, WinPcap based applications fail to work. What's wrong?
  21. My application doesn't see any traffic being sent by the machine running WinPcap.
  22. When I use one of the WinPcap-based applications, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?
  23. If I try to compile my application using the new pcap APIs provided in WinPcap 3.1beta, the compiler fails with "warning C4013: 'pcap_???' undefined" or "error C2065: 'PCAP_OPENFLAG_????' : undeclared identifier". What's the problem?
  24. If I try compile wpcap.dll with the project configuration "wpcap - Win32 Debug" or "wpcap - Win32 Release" some pcap APIs (like pcap_open()) are not exported. Is it normal?
  25. I'm trying to capture from my dialup(PPP) connection with WinPcap 3.1beta, but I cannot see any PPP adapter. What's the problem (this information applies to 2000/XP/2003 only)?
  26. How does WinPcap interface with Windows Networking? Does it slow down the TCP/IP stack and applications?
  27. My antivirus / antispyware detector program reports WinPcap as a virus / trojan/ spyware! Are you hackers trying to infect my computer?
  28. Does WinPcap work on Windows Vista?
  29. Whenever I try to create a WinPcap-based application with Visual Studio.NET 2002 or later, I get the error "TypeLoadException, Could not load type pcap".
  30. The WinPcap installation fails with the error message "An error occurred while installing the NPF driver ( -1 ). Please contact the WinPcap team"

Q-1:

How can I see if WinPcap is installed on my system? How can I remove it?

A: WinPcap 2.1 or newer: go to the Control Panel, then open the "Add or Remove Programs" applet.  If WinPcap is present in your system, an entry called "WinPcap" will be present.  Double-click on it to uninstall WinPcap.
WinPcap 2.02 or older: go to the Control Panel, then open the "Network" applet. If WinPcap is present in your system, an entry called "Packet Capture Driver" will be listed (in Windows NT you have to choose the "Services" tab). Select it and press "Remove" to uninstall WinPcap.

To be absolutely sure that WinPcap has been installed, please look at your system folder: you should find files called packet.* and wpcap.dll. Please check the file dates: these should be compatible with the WinPcap release dates. We've had reports of trojans or other malware that silently install the WinPcap driver, NPF.sys. If you've been infected by them, you'll probably see the driver file in Windows\System32\Drivers, but no entries in the "Add or Remove Programs" applet and no DLLs.

IMPORTANT NOTE: sometimes, when uninstalling WinPcap version 2.02 or older from the control panel's network applet in Windows 9x, the file Windows\Packet.dll is not deleted. You must delete this file manually, otherwise version 2.1 will not work properly and could cause system crashes. 
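
The driver-only case described above (NPF.sys present, no DLLs, no "Add or Remove Programs" entry) can be checked with the following added PowerShell example, which is not WinPcap project code. The function name and verdict labels are hypothetical, and the uninstall entry is matched by its "WinPcap" display name because this page does not give the registry key name.

```powershell
# Added example, not WinPcap project code. Run from an elevated 64-bit prompt:
# a 32-bit shell on 64-bit Windows is redirected away from the real System32.
function Get-WinPcapInstallState {
    [CmdletBinding()]
    param()

    $sys32 = Join-Path $env:SystemRoot 'System32'

    # Kernel driver named in the answer above (Windows\System32\Drivers\NPF.sys).
    # -Force so that a file with the hidden attribute is still found.
    $driverPath = Join-Path $sys32 'drivers\npf.sys'
    $driver = Get-Item -LiteralPath $driverPath -Force -ErrorAction SilentlyContinue

    # User-mode files named in the answer above: wpcap.dll and packet.*.
    $dllPaths = @((Join-Path $sys32 'wpcap.dll'), (Join-Path $sys32 'packet.*'))
    $dlls = @(Get-Item -Path $dllPaths -Force -ErrorAction SilentlyContinue)

    # "Add or Remove Programs" is populated from these keys (native and 32-bit view).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinPcap*' })

    # Hypothetical verdict labels; 'DriverOnly' is the pattern the FAQ warns about.
    $verdict = if (-not $driver -and $dlls.Count -eq 0 -and $entries.Count -eq 0) {
        'NotInstalled'
    } elseif ($driver -and $dlls.Count -gt 0 -and $entries.Count -gt 0) {
        'Installed'
    } elseif ($driver -and $dlls.Count -eq 0 -and $entries.Count -eq 0) {
        'DriverOnly'
    } else {
        'Partial'
    }

    # Evidence worth keeping with the verdict: the FAQ asks you to compare the
    # file date with WinPcap release dates; the hash identifies the exact binary.
    $modified = $null; $version = $null; $sha256 = $null
    if ($driver) {
        $modified = $driver.LastWriteTime
        $version  = $driver.VersionInfo.FileVersion
        $sha256   = (Get-FileHash -LiteralPath $driver.FullName -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Verdict          = $verdict
        DriverPath       = if ($driver) { $driver.FullName } else { $null }
        DriverModified   = $modified
        DriverVersion    = $version
        DriverSHA256     = $sha256
        DllsFound        = @($dlls | ForEach-Object { $_.Name })
        UninstallEntries = @($entries | ForEach-Object { $_.DisplayName })
    }
}

Get-WinPcapInstallState | Format-List
```

A `DriverOnly` verdict is a reason to look at what installed the driver, not proof of infection; `Partial` often means a failed or old uninstall, such as the leftover Packet.dll mentioned in the note above.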

 

Q-2: After the installation, I cannot see WinPcap under the properties of my network adapter in control panel. Did anything go wrong?

A: No, if you have a recent version of WinPcap. As Q-1 says, recent versions appear under "add/remove programs" and not under network properties.

 

Q-3: How can I see if WinPcap is currently running on my Win2K/XP/2k3 machine?

A: Click on the Start button and then on Run. Type msinfo32. The System Information panel will show up. Choose Software Environment, then System Drivers. The entry NPF should appear there. If you launched a WinPcap application previously, the state should be running. Remember that WinPcap must have been run at least once in order to appear in this list.

 

Q-4: The XXX WinPcap-based application doesn't run properly on my system. Is it a WinPcap problem?

A: Try WinDump. In particular, "windump -D" reports the list of valid adapters and shows whether WinPcap is able to correctly detect your hardware. If WinDump works, the problem is in the XXX program and not in WinPcap, so contact the authors of XXX for help.

 

Q-5: Can I use WinPcap on a PPP connection?

A: Windows NT4. It's not possible to capture on PPP/VPN connections on this operating system.

Windows 2000/XP (x86)/2003 (x86). These systems have limitations in the NDIS binding process that prevent a protocol driver from working properly on WAN adapters. WinPcap 3.1 and newer offer limited support for capturing on dial-up adapters using a wrapper over the Microsoft NetMon driver.
NOTES:

  • it is possible to capture control packets (LCP and NCP) using the "Generic Dialup" or "Generic NdisWan" adapter (which is always listed even if no dialup connections are available). Control frames are captured as Ethernet encapsulated PPP frames.
  • the PPP protocol is translated by the OS into a fake Ethernet. You'll see Ethernet frames and not PPP frames.
  • transmission is not supported.
  • filtering and statistics gathering are done at user level.

Windows XP (x64)/2003 (x64). It's not possible to capture on PPP/VPN connections on these operating systems.

Windows Vista and more recent. It's not possible to capture on PPP/VPN connections on these operating systems.

 

Q-6: Can I use WinPcap on a VPN connection?

A: If you use standard Windows VPNs, yes, with the restrictions explained in Q5. A Windows VPN is treated by the OS as a dial-up connection, so everything explained in Q5 applies here too. Third-party VPN implementations: some of them are not detected because of their unclean NDIS intermediate driver structure.

 

Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?

A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use WinPcap to sniff the packets.

 

Q-8: Can I use WinPcap with Borland development tools?

A: Note first of all that we support only Microsoft Visual C++, so we are not able to provide help about other compilers.

If you want to use WinPcap under C++ Builder (version 5.0), you have to use the program COFF2OMF.EXE, which can be found in the BORLAND directory. This program converts Packet.lib and wpcap.lib from the COFF format used by Visual C++ to the OMF format used by C++ Builder. For more information, look up COFF2OMF in the C++ Builder Help.
Syntax (in a DOS console):

COFF2OMF input.lib output.lib

In this case input.lib is wpcap.lib or packet.lib.
 

Q-9: Can I use WinPcap with Visual Basic?

A: We don't support Visual Basic and we are not able to provide help on this subject because we don't know enough about it. BeeSync has developed an ActiveX control that integrates the WinPcap packet capture functionality with Visual Basic or any other programming environment supporting Microsoft ActiveX technology. You can find it at http://www.beesync.com/products.html.

 

Q-10: Does WinPcap work in connection with personal firewalls?

A: We got several reports saying that WinPcap does not work well if a personal firewall is installed on the same machine as WinPcap. The typical problem is the impossibility to capture all or part of the traffic from an adapter, but some users reported strange behaviors (like some packets disappearing) on the transmit side too.
Most of the time, the problem is caused by non-standard interactions between the firewall and the network stack of the OS, so there is not a lot to do on our side; the suggested remedy consists in uninstalling the firewall.
Note: uninstalling, and not disabling, because some firewalls (like ZoneAlarm) keep having strange behaviors even when they are disabled.

 

Q-11: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine.  What should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running on the network interface on which you're capturing; turn it off on that interface.

 

Q-12: Does WinPcap work with Java?

A: We do not directly support Java. However, you can find Java wrappers at http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html and http://jnetpcap.com/.

 

Q-13: Does WinPcap support the loopback device?

A: No. Only physical interfaces are supported. This is a limitation of Windows and not of WinPcap.

 

Q-14: On which OS can I run WinPcap?

A: WinPcap can run on all the main Win32 operating systems: Windows 95, 98, ME, NT4, 2000, XP, 2003, Vista, 2008, Windows 7, 2008R2.

The overall situation is the following one:

  • Windows 95,98, ME: Support for Windows 95/98/ME has been dropped starting from WinPcap 4.0 beta3. The source packages still include the code base for those operating systems, but the setup executable will refuse to install. The last versions supporting such operating systems are WinPcap 3.1 (stable) and WinPcap 4.0 beta2 (unstable), however they are no longer supported by the WinPcap team, so if you encounter any problem you are on your own.
  • Windows XP/2003: WinPcap 2.3 or newer is required.
  • Windows XP/2003 (x64): WinPcap 3.2 alpha1 or newer is required. Capture from dialup/VPN adapters is not supported on 64 bit platforms.
  • Vista/2008 (x86): WinPcap 3.1 should work, but with limited functionality. PPP is not supported, and IPv6 addresses are not listed. We strongly suggest upgrading to WinPcap 4.0 or newer for better support on Windows Vista. Please refer to FAQ Q-28 for more details on Vista support.
  • Vista/2008 (x64): WinPcap 4.0 or newer is required.
  • Windows 7/2008R2: WinPcap 4.1 or newer is required.

 

Q-15: Why doesn't WinPcap work on my multiprocessor (SMP) machine?

A: Support for SMP machines has been included starting from version 3.0. Please update your installation of WinPcap.

 

Q-16: Which network adapters are supported by WinPcap?

A: The WinPcap device driver was developed to work primarily with Ethernet (10/100/1000) adapters. Support for other MACs was added during the development, but Ethernet remains the most tested one.
The overall situation is:

  • Windows 95/98/ME: the packet driver works ok on Ethernet networks. It works also on PPP WAN links, but with some limitations (for example it is not able to capture the LCP and NCP packets). FDDI, ARCNET, ATM and Token Ring should be supported, however we did not test them because we do not have the hardware.
  • Windows NT4/2000/XP/2003/Vista/2008/Win7/2008R2: the packet driver works ok on Ethernet networks. As for dial-up adapters and VPN connections, read Q5 and Q6.  As in Win9x,  FDDI, ARCNET, ATM and Token Ring are supported, but not tested by us.
  • Wireless adapters: these adapters may present problems, because they are not properly supported by the Windows Kernel. Some of them are not detected, others don't support promiscuous mode. In the best case, WinPcap is able to see an Ethernet emulation and not the real transiting packets: this means that the 802.11 frames are transformed into fake Ethernet frames before being captured, and that control frames are not received.

    For real wireless capture, CACE Technologies offers the AirPcap adapter, specifically designed to sniff 802.11 traffic, including control frames, management frames and power information. AirPcap at this time is the only solution for capturing raw 802.11 traffic with WinPcap. More details can be found on the AirPcap product page.

 

Q-17: Can I use WinPcap to drop the incoming packets? Is it possible to use WinPcap to build a firewall?

A: No. WinPcap is implemented as a protocol, therefore it is able to capture the packets, but it can't be used to drop them before they reach the applications. The filtering capabilities of WinPcap work only on the sniffed packets. In order to intercept the packets before the TCP/IP stack, you must create an intermediate driver.

 

Q-18: Is it possible to start WinPcap automatically when the system boots?

A: You can change the start settings of the NPF service to "automatic" or "system". A way to do this is changing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START). This works only in Windows NTx.

NOTE: starting with WinPcap 4.1, by default WinPcap starts when the system boots.
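
To audit the Start value discussed above and, where wanted, return it to demand start, the following added PowerShell example (not WinPcap project code; the function names are hypothetical) reads the key named in this answer. It assumes, from Q-7, that a driver loaded at boot makes capture available to every user without an administrator having started it first.

```powershell
# Added example, not WinPcap project code. Registry key and the values
# 0x1/0x2/0x3 are the ones given in the answer above; 0 and 4 are the other
# standard Windows service start types.
$NpfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'

function Get-NpfStartState {
    [CmdletBinding()]
    param()

    $startNames = @{
        0 = 'SERVICE_BOOT_START'
        1 = 'SERVICE_SYSTEM_START'
        2 = 'SERVICE_AUTO_START'
        3 = 'SERVICE_DEMAND_START'
        4 = 'SERVICE_DISABLED'
    }

    $svc = Get-ItemProperty -Path $NpfKey -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Verbose 'No NPF service key: the driver is not registered.'
        return $null
    }

    # Win32_SystemDriver is the list that msinfo32 shows under System Drivers (Q-3).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" `
        -ErrorAction SilentlyContinue

    $start = [int]$svc.Start
    [pscustomobject]@{
        Start           = $start
        StartName       = $startNames[$start]
        ImagePath       = $svc.ImagePath
        State           = if ($drv) { $drv.State } else { 'Unknown' }
        # Boot, system or auto start means the driver is loaded before any
        # administrator runs a capture tool (assumption drawn from Q-7).
        LoadedAtBoot    = ($start -in 0, 1, 2)
        CurrentlyLoaded = ($drv -and $drv.State -eq 'Running')
    }
}

function Set-NpfDemandStart {
    # Puts Start back to 0x3 (SERVICE_DEMAND_START). Needs an elevated prompt.
    # Use -WhatIf to preview the change without writing it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($NpfKey, 'Set Start to 3 (SERVICE_DEMAND_START)')) {
        Set-ItemProperty -Path $NpfKey -Name 'Start' -Value 3 -Type DWord
    }
}

Get-NpfStartState
# Set-NpfDemandStart -WhatIf
```

Changing the Start value does not unload a driver that is already running; that takes the `net stop npf` command given in Q-26 or a reboot.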

 

Q-19: I recompiled the sources of WinPcap and the result doesn't seem to work as expected.

A: If you used Microsoft Visual Studio 6, try to install the service pack 5 and compile again.

 

Q-20: I installed Zx Sniffer on my PC, and after that, WinPcap based applications fail to work. What's wrong?

A: Zx Sniffer uses a custom packet capture driver that is very similar to WinPcap, which conflicts with WinPcap. You have to uninstall Zx Sniffer to make WinPcap work.

 

Q-21: My application doesn't see any traffic being sent by the machine running WinPcap.

A: If you are running some form of VPN client software, it might be causing this problem; people have seen this problem when they have Check Point's VPN software installed on their machine. If that's the cause of the problem, you will have to remove the VPN software in order to make the application see outgoing packets.

 

Q-22: When I use one of the WinPcap-based applications, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

A: This might be because the interface on which you're capturing is plugged into a switch; on a switched network, unicast traffic between two ports will not necessarily appear on other ports - only broadcast and multicast traffic will be sent to all ports.

Note that even if your machine is plugged into a hub, the "hub" may be a switched hub, in which case you're still on a switched network.

Note also that on the Linksys Web site, they say that their auto-sensing hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only", which would indicate that if you sniff on a 10Mb port, you will not see traffic sent to a 100Mb port, and vice versa. This problem has also been reported for Netgear dual-speed hubs, and may exist for other "auto-sensing" or "dual-speed" hubs.

Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single port to sniff all traffic. You would have to check the documentation for the switch to see if this is possible and, if so, to see how to do this. See, for example:

Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box of that sort, that has a switch with some number of Ethernet ports into which you plug machines on your network, and another Ethernet port used to connect to a cable or DSL modem, you can, at least, sniff traffic between the machines on your network and the Internet by plugging the Ethernet port on the router going to the modem, the Ethernet port on the modem, and the machine on which you're running tcpdump into a hub (make sure it's not a switching hub, and that, if it's a dual-speed hub, all three of those ports are running at the same speed).

If your machine is not plugged into a switched network or a dual-speed hub, or it is plugged into a switched network but the port is set up to have all traffic replicated to it, the problem might be that the network interface on which you're capturing doesn't support "promiscuous" mode, or because your OS can't put the interface into promiscuous mode. Normally, network interfaces supply to the host only:

  • packets sent to one of that host's link-layer addresses;
  • broadcast packets;
  • multicast packets sent to a multicast address that the host has configured the interface to accept.

Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see. Tcpdump will try to put the interface on which it's capturing into promiscuous mode unless the -p option was specified. However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.

You should ask the vendor of your network interface whether it supports promiscuous mode. If it does, you should ask whoever supplied the driver for the interface (the vendor, or the supplier of the OS you're running on your machine) whether it supports promiscuous mode with that network interface.

In the case of token ring interfaces, the drivers for some of them, on Windows, may require you to enable promiscuous mode in order to capture in promiscuous mode. Ask the vendor of the card how to do this, or see, for example, this information on promiscuous mode on some Madge token ring adapters (note that those cards can have promiscuous mode disabled permanently, in which case you can't enable it).

In the case of wireless LAN interfaces, it appears that, when those interfaces are promiscuously sniffing, they're running in a significantly different mode from the mode that they run in when they're just acting as network interfaces (to the extent that it would be a significant effort for those drivers to support promiscuously sniffing and acting as regular network interfaces at the same time), so it may be that Windows drivers for those interfaces don't support promiscuous mode.
For real wireless capture, Riverbed offers the AirPcap adapter, specifically designed to sniff 802.11 traffic, including control frames, management frames and power information. AirPcap at this time is the only solution for capturing raw 802.11 traffic with WinPcap. More details can be found on the AirPcap product page.

 

Q-23: If I try to compile my application using the new pcap APIs provided in WinPcap 3.1beta, the compiler fails with "warning C4013: 'pcap_???' undefined" or "error C2065: 'PCAP_OPENFLAG_????' : undeclared identifier". What's the problem?

A: The following new pcap APIs provided in WinPcap 3.1beta work only if "HAVE_REMOTE" is defined:

  • pcap_open()
  • pcap_findalldevs_ex()
  • pcap_createsrcstr()
  • pcap_parsesrcstr()
  • pcap_setsampling()
  • pcap_remoteact_accept()
  • pcap_remoteact_list()
  • pcap_remoteact_close()
  • pcap_remoteact_cleanup()

You can define HAVE_REMOTE

  • in your source/header files, with #define HAVE_REMOTE, before including pcap.h
  • through a compiler/project option

 

Q-24: If I try compile wpcap.dll with the project configuration "wpcap - Win32 Debug" or "wpcap - Win32 Release" some pcap APIs (like pcap_open()) are not exported. Is it normal?

A: Yes, this is normal. Some pcap APIs (the ones listed in FAQ Q-23) are compiled and exported only in the "wpcap - Win32 ??? REMOTE ???" configurations, because they depend on the remote capture stuff.

 

Q-25: I'm trying to capture from my dialup(PPP) connection with WinPcap 3.1beta, but I cannot (capture from)/see any PPP adapter. What's the problem (this information applies to 2000/XP/2003 only)?

A: First of all, WinPcap 3.1 uses the Microsoft NetMon driver to capture from dialup and VPN connections. This driver is installed automatically with the WinPcap setup. You can see this driver by looking at the properties of each network card or dialup connection (tab "General" or "Networking", depending on the adapter; it's listed as "Network Monitor Driver"). If you have accidentally removed this driver from your machine, you can reinstall it by issuing the following command (with administrator privileges) from the WinPcap installation folder, which is \Program Files\WinPcap:

NetMonInstaller.exe i

Secondly, in order to capture, you must have "Power Users" or "Administrators" privileges on Windows 2000 and XP, and "Power Users + Network Configuration Operations" or "Administrators" privileges on Windows Server 2003. If you do not have such privileges, WinPcap 3.1beta will list such adapters, but you won't be able to open them (with pcap_openXXX or PacketOpenAdapter).

 

Q-26: How does WinPcap interface with Windows Networking? Does it slow down the TCP/IP stack and applications?

A: Inside the Windows kernel, WinPcap runs as a protocol driver. It's at the same level as tcpip.sys, and like the TCP/IP stack it receives the packets from the underlying NIC driver, but only when at least one WinPcap-based tool is capturing. This means that when WinPcap is installed but not capturing, the impact on the system is nonexistent.
Note in particular that the WinPcap driver is loaded inside the kernel only when the first capture application opens an adapter after a machine boot.

When WinPcap runs, it doesn't directly interact with TCP/IP. However, especially under high network loads, the WinPcap activity (in particular the one at software interrupt level) will impact TCP/IP responsiveness.

Note: To unload the WinPcap driver (under Windows NT4, 2000, XP and 2003), the following command can be used:

net stop npf

 

Q-27: My antivirus / antispyware program reports WinPcap as a virus / trojan/ spyware! Are you hackers trying to infect my computer?

A: WinPcap is not a virus. WinPcap is an industry-standard library used by many tools, several of which are commercial, and developed by a respected team of people. However, since it's free and since it's an easy and powerful way to receive and transmit low-level network traffic, it seems that some virus writers used it too. As a result, at least once a month we have somebody complaining that their antivirus program tells them that WinPcap is a virus. Your antivirus program should detect the virus itself, not the libraries used by it. It's like saying that MS Winsock is a virus because some trojans use sockets to send or receive data on the network.
So, please contact your antivirus company and tell them to fix the problem.

 

Q-28: Does WinPcap work on Windows Vista?

A: WinPcap 3.1: The installer is able to correctly detect and install the product on Microsoft Windows Vista Beta1 (x86). However WinPcap has not been fully tested on this newly released operating system, since Windows Vista Beta1 was released less than two weeks before WinPcap 3.1. No other builds of Vista have been tested.
Additionally, the support for this operating system is limited. In particular, these are the known limitations:

  • Capturing from dialup/VPN adapters is disabled.
  • No support for IPv6 (update: WinPcap 4.0 beta3).
  • WinPcap can fail listing the adapters if the TCP/IP protocol stack is not enabled.

WinPcap 4.0 beta2: The installer is able to correctly detect and install the product on Microsoft Windows Vista Beta2 (x86). No other builds of Vista (RC1, RC2) have been tested.
Additionally, the support for this operating system is limited. In particular, these are the known limitations:

  • Capturing from dialup/VPN adapters is disabled.
  • No support for IPv6 (update: WinPcap 4.0 beta3).
  • WinPcap can fail listing the adapters if the TCP/IP protocol stack is not enabled.

WinPcap 4.0 beta3: The installer is able to correctly detect and install the product on Microsoft Windows Vista RTM (x86). No other builds of Vista (BETA1, BETA2, RC1, RC2) have been tested. Moreover, capturing from dialup/VPN adapters is not supported.

WinPcap 4.0 or newer: The installer is able to correctly detect and install the product on Microsoft Windows Vista RTM (x86 and x64). No other builds of Vista (BETA1, BETA2, RC1, RC2) have been tested. Moreover, capturing from dialup/VPN adapters is not supported.

Previous WinPcap versions: No support for Vista.

Windows Vista (x64): WinPcap 4.0 or newer is required.

 

Q-29: Whenever I try to create a WinPcap-based application with Visual Studio.NET 2002 or later, I get the error "TypeLoadException, Could not load type pcap".

A: You are using Managed C++ (i.e. your executable is targeted to the .NET CLR, Common Language Runtime).

The problem is due to the fact that the standard WinPcap include file "pcap.h" contains only a forward declaration of "struct pcap", but not the actual definition of it. As a consequence, the Managed C++ compiler does not emit any metadata for that type, since there's no definition for it.

There are two solutions to the problem:

  1. Include "pcap-int.h" instead of "pcap.h". This includes the actual definition for the type "struct pcap"
  2. Add a fake definition of "struct pcap". The simplest one is "struct pcap{};".

 

Q-30: The WinPcap installation fails with the error message "An error occurred while installing the NPF driver ( -1 ). Please contact the WinPcap team".

A: This error is usually caused by an antivirus or antimalware software that incorrectly detects the WinPcap kernel driver (NPF) as malware. This is because in the past some malware tools have been developed over the WinPcap library.

The workaround is to disable such antivirus/antimalware programs while installing WinPcap.

Last modified: Monday, October 19, 2009 13.15