[Winpcap-users] PacketOpenAdapter

Alex Foygel (TT) Alex.Foygel at tradingtechnologies.com
Wed Jun 25 17:03:20 GMT 2008

Sorry for going slightly off the topic, but after reading your
description (about WinPcap inserting its driver into the protocol
stack), I have a question:

If I have WinPcap installed on my box and am NOT running WinPcap (or
Wireshark, or anything else of this nature) on my box now, do I incur
any overhead because of the WinPcap driver being in my stack, as
described in your post?

Alex Foygel

-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Fish
Sent: Wednesday, June 25, 2008 11:19 AM
To: winpcap-users at winpcap.org
Subject: RE: [Winpcap-users] PacketOpenAdapter

Wei Gao wrote:

> I am using PacketOpenAdapter (included in Packet.dll 4.0.0) to get
> Wi-Fi adapter information (including the NPF driver handle) before
> continuing my process. However PacketOpenAdapter fails when the
> adapter is added to the system after Winpcap package is installed.
> It seems that the newly added adapter is not in Winpcap adapter
> information database, so PacketOpenAdapter fails to find it. Is
> there a way to resolve this?

Yes. Keep reading. :)

> Particularly is there an API that can update Winpcap adapter
> database so I can always call it before continuing my process?

Not that I'm aware of, no.

> I am running this on WinXP SP2. Thanks!

Hopefully GV (Gianluca Varenni) will correct me if I'm wrong about
this, but as far as I know the ONLY way to capture packets on a newly
installed adapter (i.e. on an adapter that was installed AFTER
WinPcap had already been previously installed) is to first uninstall
and then REINSTALL WinPcap afterwards.

The way I understand it is this: whenever WinPcap is installed, it
inserts its own protocol driver into each adapter's driver stack so
that it can sniff the packets flowing into and out of that particular
network adapter.

If you then install a brand new adapter, it of course installs
whatever set of device drivers it happens to need in order to use
that particular piece of hardware, but what it DOESN'T do is
automatically invoke WinPcap's device driver installation program.
That is to say, whenever you install a new network adapter, WinPcap
does NOT somehow "magically" know about it. (Neither WinPcap *nor*
the installation program for your new adapter is psychic after all!)

Thus whenever you install a new network adapter AFTER WinPcap has
already been installed, since WinPcap's device driver is thus NOT
inserted into that particular adapter's driver stack, there's NO
FRICKIN' WAY for WinPcap to *ever* sniff *any* traffic on that
particular adapter!

Until, that is, you first UNINSTALL and then REINSTALL WinPcap.

Once you re-install WinPcap again however [after installing your new
adapter], the WinPcap installation program is then able, at *that*
moment, to FINALLY "see" this new adapter of yours and to insert
itself into that adapter's driver stack, thereby allowing you to use
WinPcap to sniff traffic on that adapter.

Do you understand now?

The rule is (and Gianluca, please correct me if I'm wrong about

  Always, *always*, *ALWAYS*, re-install WinPcap after installing a
new network adapter -- if you want to be able to use WinPcap on that
adapter that is.

-- 
"Fish" (David B. Trout) - fish(at)infidels.org
Fight Spam! Join CAUCE! <http://www.cauce.org/>
(Any HTML email received will be deleted unread)
PGP key fingerprints:
RSA: 6B37 7110 7201 9917 9B0D 99E3 55DB 5D58 FADE 4A52
DH/DSS: 9F9B BAB0 BA7F C458 1A89 FE26 48F5 D7F4 C4EE 3E2A

