WinPcap internals


 NPF driver internals manual
 How to compile WinPcap
 Packet.dll -- Packet Driver API

Detailed Description

This portion of the manual describes the internal structure and interfaces of WinPcap, starting from the lowest-level module. It is targeted at people that must extend or modify this software, or to the ones interested in how it works. Therefore, developers who just want to use WinPcap in their software don't need to read it.

WinPcap structure

Quoted from the home page of winpcap:

WinPcap is an architecture for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll).

Why we use the term "architecture" rather than "library"? Because packet capture is a low level mechanism that requires a strict interaction with the network adapter and with the operating system, in particular with its networking implementation, so a simple library is not sufficient.

The following figure shows the various components of WinPcap:

Main components of WinPcap.

First, a capture system needs to bypass the operating systems's protocol stack in order to access the raw data transiting on the network. This requires a portion running inside the kernel of OS, interacting directly with the network interface drivers. This portion is very system dependent, and in our solution it is realized as a device driver, called Netgroup Packet Filter (NPF); we provide different versions of the driver for Windows 95, Windows 98, Windows ME, Windows NT 4, Windows 2000 and Windows XP. These drivers offer both basic features like packet capture and injection, as well as more advanced ones like a programmable filtering system and a monitoring engine. The first one can be used to restrict a capture session to a subset of the network traffic (e.g. it is possible to capture only the ftp traffic generated by a particular host), the second one provides a powerful but simple to use mechanism to obtain statistics on the traffic (e.g. it is possible to obtain the network load or the amount of data exchanged between two hosts).

Second, the capture system must export an interface that user-level applications will use to take advantage of the features provided by the kernel driver. WinPcap provides two different libraries: packet.dll and wpcap.dll

The first one offers a low-level API that can be used to directly access the functions of the driver, with a programming interface independent from the Microsoft OS. 

The second one exports a more powerful set of high level capture primitives that are compatible with libpcap, the well known Unix capture library. These functions enable packet capture in a manner that is independent of the underlying network hardware and operating system.

Throughout this documentation we will refer to the Packet Driver API or packet.dll as the first set of functions, whereas wpcap, wpcap.dll or libpcap will refer to the to the second one.

documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2008 CACE Technologies. All rights reserved.