[Winpcap-users] Windows 10 support for WinPcap

Sven Kerschbaum svkers at gmail.com
Thu Feb 4 18:40:48 UTC 2016


@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
On 04.02.2016 16:31, "Sven Kerschbaum" <svkers at gmail.com> wrote:

> Hi Yang,
>
> thanks for providing me the detailed information about Npcap. I will
> definitely have a look at it and try it.
>
> Cheers,
> SK
>
>
> 2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <hsluoyz at gmail.com>:
>
>> Hi Sven,
>>
>> Npcap (https://github.com/nmap/npcap) has better performance because of
>> NDIS 6. It also has several new features:
>>
>>
>>    1. *NDIS 6 Support*: Npcap makes use of new LWF driver in Windows
>>    Vista and later (the legacy driver is used on XP). It's faster than the
>>    legacy *NDIS 5 Intermediate*
>>    <https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx> technique.
>>    One reason is that packet data structure has changed (from NDIS_PACKET
>>    to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra
>>    packet structure conversion.
>>    2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
>>    Administrators for safety purposes. If Npcap is installed with the option *Restrict
>>    Npcap driver's access to Administrators only* checked, when a
>>    non-Admin user tries to start a user software (Nmap, Wireshark, etc), the *User
>>    Account Control (UAC)*
>>    <http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7> dialog
>>    will prompt asking for Administrator privilege. Only when the end user
>>    chooses Yes, the driver can be accessed. This is similar to UNIX
>>    where you need root access to capture packets.
>>    3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is
>>    used to decide whether Npcap should coexist with WinPcap or be compatible
>>    with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist
>>    with WinPcap and share the DLL binary interface with WinPcap. So the
>>    applications unaware of Npcap *SHOULD* be able to use Npcap
>>    automatically if WinPcap is unavailable. The applications that know of Npcap's
>>    existence can choose to use Npcap or WinPcap first. The key about which is
>>    loaded first is *DLL Search Path*
>>    <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
>>    With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
>>    C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\.
>>    So applications that want to load Npcap first must make
>>    C:\Windows\System32\Npcap\ precede other paths in ways such as
>>    calling *SetDllDirectory*
>>    <https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc.
>>    Another point is Npcap uses service name npcap instead of WinPcap's
>>    npf with "WinPcap Compatible Mode" OFF. So applications using net
>>    start npf for starting service must use net start npcap instead. If
>>    you want 100% compatibility with WinPcap, you should install Npcap choosing
>>    "WinPcap Compatible Mode" (Install Npcap in WinPcap API-compatible Mode).
>>    In this mode, Npcap will install its DLLs in WinPcap's
>>    C:\Windows\System32\ and use the npf service name. It's notable that
>>    before installing in this mode, you must uninstall WinPcap first (the
>>    installer wizard will prompt you that).
>>    4. *Loopback Packets Capture Support*: Now Npcap is able to see
>>    Windows loopback packets using *Windows Filtering Platform (WFP)*
>>    <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx> technique.
>>    After installation, Npcap will create an adapter named Npcap Loopback
>>    Adapter for you. If you are a Wireshark user, choose this adapter to
>>    capture, you will see all loopback traffic the same way as other
>>    non-loopback adapters. Try it by typing in commands like ping
>>    127.0.0.1 (IPv4) or ping ::1 (IPv6).
>>    5. *Loopback Packets Send Support*: Besides loopback packets
>>    capturing, Npcap can also send out loopback packets based on *Winsock
>>    Kernel (WSK)*
>>    <https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx> technique.
>>    A user software (e.g. Nmap) can just send packets out using Npcap
>>    Loopback Adapter like other adapters. Npcap Loopback Adapter will
>>    automatically remove the packet's Ethernet header and inject the payload
>>    into Windows TCP/IP stack, so this kind of loopback packet never goes out of
>>    the machine.
>>
>>
>> I actually didn't add a function about making user software getting
>> notified about media state changes. From my knowledge I don't know there's
>> any support of such a function in libpcap. libpcap is an interface standard
>> followed by WinPcap/Npcap. However, I think you can do it using native
>> Windows APIs (like Receiving Notification of Network Events in
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
>> ). And if you have any improvement advice about Npcap, I will consider
>> it:)
>>
>>
>> Cheers,
>> Yang
>>
>>
>> On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <svkers at gmail.com> wrote:
>>
>>> Oh, I have to admit that I did not try it on an up-to-date Windows
>>> 10 system... Thanks for the hint that this was only an issue in early
>>> Windows 10 versions.
>>>
>>> I was also not aware of the Npcap. Thanks for pointing me to this fork!
>>> How does Npcap differ from WinPcap with respect to performance, feature? At
>>> least I am missing the possibility to get notified about media state
>>> changes (connected, disconnected) in WinPcap. Does Npcap offer such a
>>> functionality?
>>>
>>> Furthermore: Is WinPcap still under active development? Its last release
>>> was in 2013. Or am I better advised to rely on Npcap?
>>>
>>> Thank you!
>>> Best regards,
>>> SK
>>>
>>>
>>>
>>>
>>> 2016-02-04 11:08 GMT+01:00 Gisle Vanem <gvanem at yahoo.no>:
>>>
>>>> Sven Kerschbaum wrote:
>>>>
>>>> > is there already effort for getting WinPcap ready for Windows 10? As Pascal Quantin already pointed out WinPcap does not
>>>> > run on Windows 10 due to the fact that the WinPcap driver is not an NDIS 6 driver. Please find more information here:
>>>> > http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
>>>>
>>>> Really? All my WinPcap-based programs work fine here.
>>>> From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':
>>>>
>>>>         Verified:       Signed
>>>>         Signing date:   02.49 01.03.2013
>>>>         Publisher:      Riverbed Technology
>>>>         Company:        Riverbed Technology, Inc.
>>>>         Description:    npf.sys (NT5/6 AMD64) Kernel Driver
>>>>         Product:        WinPcap
>>>>         Prod version:   4.1.0.2980
>>>>         File version:   4.1.0.2980
>>>>         MachineType:    64-bit
>>>>
>>>>
>>>> The version and 'Signing date' is in accordance with what's on
>>>> winpcap.org.
>>>> And also:
>>>>
>>>> F:\> windump -Dv
>>>> 1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
>>>>     Addr 0: 10.0.0.11 (mask 255.255.255.0)
>>>>     MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)
>>>>
>>>> 2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
>>>>     Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
>>>>     Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
>>>>     MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)
>>>>
>>>> 3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
>>>>     Addr 0: 10.0.0.10 (mask 255.255.255.0)
>>>>     MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)
>>>>
>>>> --------------
>>>>
>>>> I'm on Win 10. Version 1511 (OS-Build 10586.71).
>>>> Windows 10 build 10041 (as mentioned in that mail) is pretty old.
>>>>
>>>>
>>>>
>>>> --
>>>> --gv
>>>> _______________________________________________
>>>> Winpcap-users mailing list
>>>> Winpcap-users at winpcap.org
>>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
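
Item 3 of the quoted reply says an application that wants Npcap first must put C:\Windows\System32\Npcap\ ahead of the other DLL search paths, for example with SetDllDirectory. The C code below is an added example, not part of this thread and not Npcap's own code; the helper names `npcap_dll_dir` and `load_npcap_first` are hypothetical, and the Windows calls are guarded so the path logic also builds on other systems.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<system dir>\Npcap" into out. Returns 0 on success, -1 when sysdir
 * is missing, not an absolute drive path, or the result would not fit. */
int npcap_dll_dir(const char *sysdir, char *out, size_t outlen)
{
    static const char suffix[] = "\\Npcap";
    size_t n;
    if (!sysdir || !out) return -1;
    n = strlen(sysdir);
    /* Only accept "X:\..." so a relative path never enters the search order. */
    if (n < 3 || sysdir[1] != ':' || sysdir[2] != '\\') return -1;
    while (n > 2 && sysdir[n - 1] == '\\') n--;      /* drop trailing '\' */
    if (n + sizeof(suffix) > outlen) return -1;      /* refuse to truncate */
    memcpy(out, sysdir, n);
    memcpy(out + n, suffix, sizeof(suffix));         /* copies the NUL too */
    return 0;
}

#ifdef _WIN32
/* SetDllDirectory places the given directory after the application directory
 * and before System32, so Npcap's wpcap.dll wins over WinPcap's copy; if the
 * Npcap directory is absent the loader falls through to System32. */
HMODULE load_npcap_first(void)
{
    char sysdir[MAX_PATH], dir[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, MAX_PATH);
    if (len == 0 || len >= MAX_PATH) return NULL;
    if (npcap_dll_dir(sysdir, dir, sizeof(dir)) != 0) return NULL;
    if (!SetDllDirectoryA(dir)) return NULL;
    return LoadLibraryA("wpcap.dll");
}
#endif

int main(void)
{
    char dir[260];
    /* Constructed sample input: the default system directory. */
    if (npcap_dll_dir("C:\\Windows\\System32", dir, sizeof(dir)) == 0)
        printf("Npcap DLL directory: %s\n", dir);
#ifdef _WIN32
    printf("wpcap.dll %s\n", load_npcap_first() ? "loaded" : "not found");
#endif
    return 0;
}
```

The application's own directory is still searched before the SetDllDirectory path, so a wpcap.dll placed next to the executable takes precedence over both Npcap and WinPcap.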