Npcap (Winpcap) is a useful application designed to help users access the data link layer of the network in a Windows environment.
It allows applications to capture and transmit network packets, and provides other useful features such as network statistics tools, kernel-level packet filtering, and support for remote packet capture.
What is Npcap (Winpcap)?
Npcap includes a driver that extends the operating system to provide low-level network access, together with a library that makes the low-level network layers easy to access. This library also contains the Windows version of the libpcap Unix API.
Thanks to a host of useful features, Npcap is a highly effective packet filtering and capture utility used by many open source tools, such as protocol analyzers, intrusion detection systems, traffic generators, network monitoring tools, and network scanning tools. Networking tools such as Wireshark, Nmap, and Snort are known and used throughout the online community.
Npcap (Winpcap) is released under the BSD open source license. This means that you are completely free to change it and use it in conjunction with your application. The binary and source code are available here.
Main features of Npcap
- Npcap (Winpcap) for Windows 10: Npcap runs on Windows 7 and above using the new NDIS 6 Light-Weight Filter (LWF) API. It runs faster than the old NDIS 5 API, which Microsoft can remove at any time. Also, the driver has an EV certificate signed by Microsoft, so it works under the more stringent driver signing requirements in Windows 10 1607.
- Increased security: Npcap can be restricted so that only an administrator can sniff packets. If a non-administrator user uses Npcap through software such as Nmap or Wireshark, he or she will have to pass a User Account Control (UAC) dialog box to use the driver. This is similar to UNIX, where root access is usually required to capture packets. Npcap also enables ASLR and DEP security and driver signing to prevent tampering.
- Loopback packet capture: Npcap supports capturing loopback packets using the Windows Filtering Platform (WFP). Once installed, Npcap creates an adapter called Npcap Loopback for you. If you are a Wireshark user, select this adapter to capture packets and you will see loopback traffic just as you would see traffic on a non-loopback adapter. Try it by typing commands like “ping 127.0.0.1” (IPv4) or “ping ::1” (IPv6).
- Loopback packet injection: Npcap can also send loopback packets using Winsock Kernel (WSK) technology. User-level software such as Nping can simply send packets out through the Npcap Loopback adapter like any other adapter. Npcap then does the “magic” of removing the packet’s Ethernet header and placing the payload on the Windows TCP/IP stack.
- Libpcap API: Npcap uses the excellent libpcap library, which lets Windows applications use a portable packet capture API that is also supported on Linux and Mac OS X. While Winpcap is based on libpcap 1.0.0 from 2009, Npcap includes the latest libpcap release along with other improvements.
- Npcap compatibility: For applications that do not yet use Npcap’s premium features, Npcap can be installed in “Npcap (Winpcap) Compatible Mode.” This mode replaces any existing Npcap (Winpcap) installation. If compatibility mode is not selected, Npcap exists in parallel with Winpcap. Applications that only know Winpcap will continue to use it, while others may choose to use the new and faster Npcap driver.
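The loopback injection step described in the feature list (remove the Ethernet header, hand the payload to the TCP/IP stack) can be sketched as follows. This is an added example, not Npcap's code: `strip_eth_header` and `sample_frame` are hypothetical names, the frame is constructed, and the sketch assumes a 14-byte Ethernet header with no VLAN tag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN 14

/* Constructed sample: Ethernet header + IPv4/ICMP echo request to 127.0.0.1
 * (IP checksum left at zero, not validated here) + 4 bytes of padding. */
static const uint8_t sample_frame[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,              /* dst, src, EtherType */
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00,         /* IPv4, total len 28 */
    0x80,0x01,0x00,0x00, 127,0,0,1, 127,0,0,1,        /* TTL, ICMP, src, dst */
    0x08,0x00,0xf7,0xff, 0x00,0x00,0x00,0x00,         /* ICMP echo request */
    0,0,0,0                                           /* link-layer padding */
};

/* Hypothetical helper, not an Npcap function: returns the IP packet length
 * and sets *payload, or returns -1 if the frame must be rejected. */
static int strip_eth_header(const uint8_t *frame, size_t len,
                            const uint8_t **payload)
{
    if (!frame || !payload || len <= ETH_HDR_LEN)
        return -1;
    unsigned ethertype = ((unsigned)frame[12] << 8) | frame[13];
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t avail = len - ETH_HDR_LEN, total;

    if (ethertype == 0x0800) {                 /* IPv4 */
        if (avail < 20 || (ip[0] >> 4) != 4) return -1;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
        total = ((size_t)ip[2] << 8) | ip[3];  /* header + data */
        if (ihl < 20 || total < ihl) return -1;
    } else if (ethertype == 0x86DD) {          /* IPv6 */
        if (avail < 40 || (ip[0] >> 4) != 6) return -1;
        total = 40 + (((size_t)ip[4] << 8) | ip[5]);
    } else {
        return -1;                             /* not IP: nothing to inject */
    }
    if (total > avail) return -1;              /* length field exceeds frame */
    *payload = ip;
    return (int)total;                         /* trailing padding is trimmed */
}

int main(void)
{
    const uint8_t *ip = NULL;
    int n = strip_eth_header(sample_frame, sizeof sample_frame, &ip);
    printf("IP packet length: %d\n", n);
    return n == 28 ? 0 : 1;
}
```

The length checks matter because the frame comes from user-level software: the EtherType, the IP version nibble and the IP length field must all agree with the bytes actually supplied before anything is passed on.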
Latest Npcap updates
- Fixed a BSoD in NPF_Read that occurred when the NDIS filter module was removed from the adapter.
- On Windows 10, the Npcap driver has been updated to NDIS 6.50 and is compatible with Windows 10 WFP, improving support for networking features like RSC.
- Obtain the maximum frame size for the adapter by querying OID_GEN_MAXIMUM_TOTAL_SIZE instead of using the MTU, which excludes space for the link layer header.
- Fixed a bug when using Npcap resources to uninstall or upgrade.
- Honor the snaplen (pcap_set_snaplen()) even when no packet filter is set up.
- Upgraded the pool/slab allocator, allowing memory to be freed when not in use.
- When installing Npcap OEM in silent mode, avoid running C: Uninstall.exe without exiting the current Npcap installation process.
- When upgrading Npcap, do not uninstall existing Npcap until the user clicks the Install button.
- Redefined the I/O control codes used by Npcap using the CTL_CODE macro to ensure proper control and parameter matching. This is not part of the exported API, but the change requires Packet.DLL and the Npcap driver to be of the same version.
- Fixed 1-byte overflow in NPFInstall.exe when closing processes using Npcap DLLs.
- If the name passed to PacketOpenAdapter is in UTF-16LE, convert it to ASCII before performing string operations.
- Significantly rearranged the internal data structures to reduce memory usage and initialization costs.