[Winpcap-users] [ANNOUNCE] WinPcap 4.1 has been released

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Oct 20 09:35:54 PDT 2009

As of today, WinPcap 4.1 is available in the download section of the
WinPcap website.

This release contains a large series of improvements that were gradually
added to WinPcap during the various beta's.

First of all, this version includes full support for x64 platforms, both
in the driver and in the user level libraries.
Also, the long awaited support for Windows 7 (and Windows Server 2008 R2)
has been added to the long list of supported flavors of Windows.
The installer has been greatly improved and partially rewritten to better
handle error conditions and non-standard Windows configurations.
Finally, it included the latest version of libpcap (from
http://www.tcpdump.org/) in the 1.0 branch.
Full details of the changes can be found in the change log below.

As always, we profoundly thank all the users that tested the development
versions of WinPcap 4.1. Thanks!

Gianluca Varenni
WinPcap Team

Changelog from WinPcap 4.1 beta5

- Several fixes and updates to the installer:
  + Added installation support for Windows 7 and Server 2008 R2
  + Added a new wizard page to choose if the driver should be started
    automatically on boot.
  + Fixed some issues when upgrading WinPcap on Windows Vista and Server
    2008 x64.
  + Better handle errors when Microsoft NetMon 2.x is not available.
  + Better detection of the target operating system, especially when the
    installer is run in compatibility mode.

- wpcap.dll has been updated to the 1.0 branch of libpcap from

- Updated the tools used for the compilation (WDK 6001.18002).

- Bug fixing:
  + Exported pcap_setdirection()
  + Fixed a bug in the compilation of rpcapd. This bug was causing the
    daemon not to capture any packets.

Changelog between WinPcap 4.1 beta4 and  WinPcap 4.1 beta5

- Starting from this build, WinPcap is completely compiled with Visual
  Studio 2005 SP1 (in order to have a single build environment for x86
  and x64) and WDK6000. While the projects for Visual Studio 6 are still
  available in the source package, they are no longer maintained.

- wpcap.dll has been updated to libpcap 1.0.0 from http://www.tcpdump.org.

- The new VS2005 project files for wpcap.dll and packet.dll have been
  simplified a lot (i.e. less configurations!).

- Big parts of the installer have been rewritten and cleaned up to account
  for the x64 binaries installation.

- The old WanPacket DLL has been removed. The code has been merged into

- The developer's pack includes LIB files for both x86 and x64 (for Visual
  Studio). At the moment we don't have the LIB files for Cygwin under x64.

- The samples have been ported to Visual Studio 2005, and they compile for
  both x86 and x64 architectures. The old Visual Studio 6 projects are
  still available but not actively maintained.

- Bug fixing:
  + Fixed the remote code to make it compile properly on Linux.
  + Fixed a problem with the icon in the windows control panel.
  + Fixed an installation bug under x64 for rpcapd.exe. When installing
    rpcapd on an x64 machine, the executable is located in c:\program files
    (x86), not in c:\program files.
  + Support an indefinite number of IP (v4 and v6) addresses associated with
    an adapter.
  + Check that IPv4 is bound to an adapter before getting the IPv4 addresses
    from the registry.
  + Fixed several compilation warnings in the samples.
  + Exported pcap_hopen_offline.
  + Added a missing definition of HAVE_UINT64 in the bittypes.h.
  + Fixed a bug in the filtering code for TurboCap adapters. The snaplen was
    completely ignored.

Changelog between WinPcap 4.1 beta3 and  WinPcap 4.1 beta4

- Added support for the CACE TurboCap boards within wpcap.dll.

- (from libpcap) Added the new functions pcap_create(),
  pcap_activate(), pcap_set_XXX() (still not completely documented on

- (from libpcap) Added support for various MAC addresses' syntaxes.
  Now the following syntaxes are supported:
  + 00:11:22:33:44:55
  + 00-11-22-33-44-55
  + 001122334455.

- Bug fixing:
  + Use FILE_DEVICE_SECURE_OPEN as a parameter to IoCreateDevice()
    when creating the I/O device from within the driver on the OSes
    that support it.
  + Fixed a bug in pcap_open_live() and pcap_activate(). They were
    failing if called on a local adapter with the syntax
  + Added a missing input buffer check in the read handler of the
    driver when working in statistics mode.
  + Optimized the code in the driver that handles the BIOCGSTATS
    control code (map only the needed portion of the user buffer into
    an MDL).
  + Fixed a possible memory leak in one of the error paths of the
    driver when enumerating the available adapters.
  + Cleaned up some global variable names in the driver.

Changelog between WinPcap 4.1 beta2 and  WinPcap 4.1 beta3

- (from libpcap) Make some arguments of some pcap functions const
  pointers if that makes sense.

- (from libpcap) Add some additional checks to bpf_validate(), from

- (from libpcap) Use bpf_validate() in install_bpf_program(), so we
  validate programs even when they're being processed by userland

- (from libpcap) Get rid of BPF_MAXINSNS - we don't have a limit on
  program size in libpcap/WinPcap.

- (from libpcap) Support for the "addr1", "addr2", "addr3", and
  "addr4" link-layer address filtering keywords for 802.11.

- (from libpcap) Support for filtering over 802.11 frame types with
  the keywords "type" and "subtype".

- Bug fixing:
  + Fixed a bug when generating wireless filters in the form "link src
    host ...". The source address was not retrieved properly.
  + Added some more logic in the installer to account for errors while
    installing the Network Monitor component (NetMon). If NetMon is
    not available, we install a version of packet.dll that doesn't
    depend on it.
  + Fixed two bugs in the original OpenBSD filter validation code, one
    that caused it to reject all filters that used multiply
    instructions, and another that caused it to reject all filters
    that used divide instructions.
  + Fixed a bug in the filter engine in the driver. When the packet to
    filter is split into two buffers, under some circumstances the
    engine was not checking the right bytes in the packet.

Changelog between WinPcap 4.1 beta and  WinPcap 4.1 beta2

- Disabled support for monitor mode (also called TME, Table Management
  Extensions) in the driver. This module suffers from several security
  vulnerabilities that could result in BSODs or privilege escalation
  attacks. This fix addresses a security vulnerability reported by the
  iDefense Labs at

- Added a small script to integrate the libpcap sources into the
  WinPcap tree automatically.

- Moved the definition of all the I/O control codes to ioctls.h.

- Cleaned up and removed some build scripts for the developer's pack.

- Migrated the driver compilation environment to WDK 6000.

- Enabled PreFAST driver compilation for the x64 build.

- Added some doxygen directives to group the IOCTL codes and JIT
  definitions in proper groups.

- Integrated the IOCTL codes into one single set shared by packet.dll
  and driver.

- Modified the installer to return the win32 error code instead of -1
  in case of failure in the error messages.

- Added some #define directives to selectively disable the TME
  functionality for WAN (i.e. Netmon-assisted) devices.

- Added a VS2005 project to easily edit the files of the driver.

- Removed some useless #include directives in the driver and

- Migrated several conditional directives (#ifdef/#endif) to the
  defines of the DDK/WDK e.g. _X86_ and _AMD64_.

- Added a check to warn users that remote-ext.h should not be included

- Removed ntddndis.h from the WinPcap sources. It's included into the
  Microsoft Platform SDK.

- Removed devioctl.h from the WinPcap sources. It's included into the
  Microsoft DDK/WDK.

- Removed ntddpack.h from the WinPcap sources. It's an old header file
  from the original DDK Packet sample, and it's not used by WinPcap.

- Removed several useless files from the WinPcap developer's pack:
  + all the TME extension header files
  + devioctl.h
  + gnuc.h
  + ntddndis.h
  + ntddpack.h
  + pcap-int.h.

- Bug fixing:
  + Fixed a possible buffer overrun on x64 machines with more that 32
  + Fixed an implicit cast problem compiling the driver on x64.
  + Fixed a bug in the installer causing a mis-detection of a previous
    WinPcap installation.
  + Fixed two bugs related to memory deallocation in packet.dll. We
    were using free() instead of GlobalFreePtr(), and there was a
    missing check as to when to deallocate a chunk of memory.
  + Added a missing NULL pointer check in pcap_open().
  + Moved a misplaced #ifdef WIN32 in pcap_open().
  + Fixed a bug in the send routine of the driver that could cause a
    crash under low resources conditions.

Changelog between WinPcap 4.0.1 and  WinPcap 4.1 beta

- Added support for the Per Packet Info (PPI) link type.

- wpcap.dll has been updated to the libpcap 0.9.6 branch from

- Bug fixing:
  + Fixed a bug in pcap_open_live() by which we were silently ignoring
    a failure when switching into promiscuous mode. This fix solves
    the outstanding issue of wireless cards that fail to go into
    promiscuous mode and do not capture any packet.
  + Experimental fixes to the BPF compiler (pcap_compile()) to better
    support filters over 802.11.
  + Minor fixes to remove several PFD (PreFAST for Drivers) warnings.
  + (from libpcap 0.9.6) added additional filter operations for 802.11
    frame types
  + (from libpcap 0.9.6) fixes to discard unread packets when changing

More information about the Winpcap-users mailing list