Nmap Project's Windows packet capture and transmission library
OTHER License
Published by dmiller-nmap about 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix an integer underflow in the amount of free buffer space available leading
to excessive memory consumption. Fixes #223.
Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.
Replaced object pool/slab allocator with Windows lookaside lists, improving
performance by avoiding spinlocks and allowing the system to adjust memory
consumption.
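The integer underflow fixed in this release belongs to a common bug class in capture-buffer accounting. The following is an added illustration, not Npcap's code: the structure, function names and the 32-byte per-packet overhead are assumptions, and the flawed check is a constructed instance of the class.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical capture-buffer accounting; names are illustrative, not Npcap's. */
typedef struct {
    uint32_t capacity;   /* configured kernel buffer size in bytes */
    uint32_t free_bytes; /* bytes the driver believes are still available */
    uint64_t queued;     /* bytes actually held for queued packets */
} capbuf;

#define PER_PACKET_OVERHEAD 32u /* assumed bookkeeping cost per packet */

/* Flawed: tests only the payload, then charges payload plus overhead. */
static int enqueue_flawed(capbuf *b, uint32_t caplen)
{
    if (caplen > b->free_bytes)
        return 0;                                  /* packet dropped */
    b->free_bytes -= caplen + PER_PACKET_OVERHEAD; /* can wrap past zero */
    b->queued += (uint64_t)caplen + PER_PACKET_OVERHEAD;
    return 1;
}

/* Hardened: compute the full charge in a wider type, compare, then subtract. */
static int enqueue_checked(capbuf *b, uint32_t caplen)
{
    uint64_t need = (uint64_t)caplen + PER_PACKET_OVERHEAD;
    if (need > b->free_bytes)
        return 0;
    b->free_bytes -= (uint32_t)need;
    b->queued += need;
    return 1;
}

/* Offer n packets of caplen bytes and return the memory actually consumed. */
static uint64_t flood(int checked, uint32_t capacity, uint32_t caplen, int n)
{
    capbuf b = { capacity, capacity, 0 };
    for (int i = 0; i < n; i++) {
        if (checked)
            enqueue_checked(&b, caplen);
        else
            enqueue_flawed(&b, caplen);
    }
    return b.queued;
}

int main(void)
{
    /* Constructed input: 4096-byte buffer, 1000 packets of 1000 bytes each. */
    printf("flawed  queued=%llu bytes\n",
           (unsigned long long)flood(0, 4096, 1000, 1000));
    printf("checked queued=%llu bytes\n",
           (unsigned long long)flood(1, 4096, 1000, 1000));
    return 0;
}
```

With the flawed check, the fourth packet drives the unsigned counter below zero, so it wraps to nearly 4 GiB of apparent free space and every later packet is accepted regardless of the configured buffer size.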
Published by dmiller-nmap about 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix a runaway memory leak triggered by low-resources condition leading to
system hangs. Fixes #213.
Fix a BSoD crash in NPF_Read in some high-traffic cases. Fixes #206.
Fix a handle leak in Packet.dll when enumerating interfaces. Fixes #26.
Fix an inconsistency between return value and IRP completion status in
NPF_Read when an adapter is removed. Driver Verifier would cause a bugcheck
(BSoD) in this case, and pcap API functions would not detect an error.
Fixes #217
Improved performance by reusing allocated packet data buffers and
implementing DISPATCH_LEVEL tracking throughout the driver to speed up lock
acquisition.
When upgrading from compatible recent versions (currently Npcap 0.9985 and
newer), the installer will unpack a new Uninstall.exe and NPFInstall.exe
prior to removing the existing installation. This resolves issues with the
uninstallation process such as were common in Npcap 0.9991 through 0.9994.
Upgraded build system to VisualStudio 2019 and WDK 10.0.18362.0
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_Read when NDIS filter module is detached from the
adapter. Fixes #194
On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10
WFP compatibility, supporting network stack improvements like RSC.
Fixes #196.
Correctly obey maximum frame size for an adapter by querying
OID_GEN_MAXIMUM_TOTAL_SIZE instead of using MTU, which does not include
space for the link layer header. Fixes #186.
Fix detection of processes using Npcap resources during uninstall or upgrade.
The fix for #2015 had broken this so such
processes were not terminated, leading to failed installations.
Obey snaplen (pcap_set_snaplen()) even if a packet filter is not set. This
is a backported change from upstream libpcap that corrects a deficiency that
has been present in all previous versions of WinPcap and Npcap.
Fixes #201.
Improvements to object pool/slab allocator to allow nonpaged memory to be
freed when not in use.
When installing Npcap OEM in silent mode, avoid running C:\Uninstall.exe
if no existing Npcap installation is present.
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_ReleaseOpenInstanceResources due to miscounting of
number of open Loopback capture instances. Fixes #185.
Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing a
data structure that already contained packet data.
Fix a crash in NPFInstall.exe that happened when trying to rebind Npcap to
the network stack as part of some installations. Reported by Microsoft App
Assure ISV Outreach Team.
When multiple packets are indicated in a single FilterReceiveNetBufferLists
callback, only get a single timestamp for all of them. Avoids extra calls to
KeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended up
measuring Npcap processing delay, not actual packet arrival time.
Fix a potential NULL pointer deref issue in Objpool.h macros if an
allocation were to fail and return a NULL pointer.
Fix parsing of pnputil.exe output that resulted in Npcap drivers not being
cleared from the DriverStore before installing or upgrading. This led to
older drivers being preferred in some cases, such as installing an unsigned
driver in test mode.
Move all capture- and injection-related initialization code out of
NPF_OpenAdapter, improving efficiency of operations like listing adapters
or performing OID requests without starting a full capture.
Added SAL annotations to most driver functions to improve static analysis.
Found one issue related to using a NULL NDIS handle in an allocation
function, which is not supported on Windows 7.
Allow driver to load even if there is a problem initializing loopback capture
or injection functions. The loopback capture device will simply be
unavailable in that case.
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_DoInternalRequest triggered by suspending the
system while a capture is running. Added source annotations to allow static
analysis to catch bugs like this in the future. Fixes #181.
Fix a bug introduced in Npcap 0.9992 which caused loopback capture to fail if
any loopback capture had been previously started and finished.
Fix packet length calculation for loopback capture. The packet length was
being counted twice, leading to junk data being appended to captured packets.
If installation fails for any reason other than a failure to uninstall the
previous version of Npcap, the current version's uninstaller will be used to
clean up any partial installation. The only remaining files will be the
install.log and NPFInstall.log in the Npcap installation directory.
Fixes #170
Replaced ReadWriteLock mechanisms with improved NDIS_RW_LOCK_EX new in NDIS
6.20 for improved performance.
Moved object pool for captured packets from the filter module (adapter)
object to the open instance (pcap handle) to allow memory to be recovered
after a capture is closed.
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Npcap issues are now tracked on their own Github Issues
page, separate from Nmap issues. Many existing
issues have been migrated, and issue numbers may have changed.
Rewrote the kernel packet capture buffer code again to avoid requiring a
separate worker thread. Instead, captured packets are held directly in a
synchronized queue. The worker thread introduced in Npcap 0.9991 was unable
to keep up with the volume of packet requests, leading to buffer bloat and
reduced performance.
Avoid initializing loopback capture-related functions and processing packets
as soon as an adapter is opened. This will improve performance since adapters
are opened as part of listing adapters.
Fix a crash in NPFInstall.exe when terminating processes which are using
Npcap resources. This could lead to failed installations and message windows
about "A LWF & WFP driver installation tool has stopped working."
Update Npcap from NDIS 6.10 to NDIS 6.20, which limits its compatibility to
Windows 7 and higher. Closes #167.
Fix a bug in Npcap 0.9991 which prevented packets from being captured until a
BPF filter had been set. Fixes #168 (migrated
from nmap/nmap#2037).
Allow capture statistics and captured packets remaining in the buffer to be
retrieved when an adapter is removed. Fixes nmap/nmap#2036.
Use WMI instead of the Windows 10-only Get-NetAdapter Powershell cmdlet in
the DiagReport tool. Fixes nmap/nmap#611.
Published by dmiller-nmap over 4 years ago
Installer, SDK, and debug symbols available from https://npcap.org/#download
Switched our code signing certificate back to DigiCert after some users found
older Windows versions could not validate the signature on our driver for
versions 0.9985 through 0.9990. The driver is again dual-signed with SHA-1
and SHA-2 certificates. See #2012
Major changes to management of Npcap driver's circular packet buffer,
switching from per-CPU unshared segments to a single worker thread managing a
queue of work items. This improves buffer utilization, reduces the amount of
time spent processing in the network stack, and should reduce packet loss.
See #1967.
Several performance-related improvements to the NDIS filter driver: Switched
from SpinLocks to ReadWriteLocks for several crucial shared data structures,
which will improve performance by reducing resource contention on
multiprocessor systems, and introduced an object-pool allocation pattern for
several frequently-used short-lifetime objects, improving performance by
reducing memory allocations.
Again restore "unused" NDIS filter callbacks which cause Windows 7 to lose
connectivity when they are removed. See #1998.
Include debug symbols for wpcap.dll in our debug symbols zip file at
https://npcap.org/#download . Fixes #1844.
Fixed #1996: heap corruption in NPFInstall.exe since Npcap 0.9989 leading to
hung installs when the "raw 802.11 traffic" option was checked.
Fixed #2014: Npcap OEM silent install
produced a dialog when installing over an existing installation of the same
version.
Uninstaller improvements related to removing the installation directory,
properly killing processes using Npcap DLLs, not leaving a partial
installation if a step fails. Fixes #2013
and #2015.
Published by dmiller-nmap over 4 years ago
Installer, SDK, and debug symbols available from https://npcap.org/#download
Improve compatibility with WinPcap's behavior regarding injected traffic.
WinPcap uses inefficient loopback to capture all outbound traffic, but allows
PacketSetLoopbackBehavior() to avoid this for injected traffic. Because of
Npcap's more efficient design, injected traffic was never looped back up to
protocol drivers, causing problems for some users who relied on this behavior.
Now, injected traffic follows the same path as with WinPcap, though ordinary
traffic is unaffected. For highest efficiency without loopback, use
PacketSetLoopbackBehavior(PACKET_DISABLE_LOOPBACK). Fixes #1343,
#1929, and GNS3/gns3-gui#2936
No longer honor NDIS_PACKET_TYPE_ALL_LOCAL set via PacketSetHwFilter().
This packet filter causes all local traffic to be routed through an unoptimized
loopback path within NDIS, which was necessary to capture outgoing traffic in
WinPcap but is no longer needed in Npcap. Instead, this value will be treated as
NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST.
Fix a bug that caused TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE to fall back to
TIMESTAMPMODE_QUERYSYSTEMTIME even when KeQuerySystemTimePrecise() was
available. Fix by Mauro Levra in PR#23.
Installer will now install an intermediate CA cert that was missing from some
systems, which is needed to verify the driver's digital signature. Only
affects Windows versions prior to Windows 10.
Backport a fix from libpcap needed to properly support
NdisMediumWirelessWan. See #1573.
Include experimental support for AirPcap cards if airpcap.dll (not
included) is installed.
Published by dmiller-nmap over 4 years ago
Installer, debug symbols, and SDK available from https://npcap.org/#download
Fix a BSOD crash in NPF_OpenAdapter due to reading past the end of a
string. Fixes #1924
Fix a BSOD crash (NULL pointer dereference) in NPF_Restart.
Fixes #1964.
Fix a memory leak in the Loopback WFP filter. Additionally, WFP callbacks
will be unregistered when all loopback captures are closed, reducing impact
of related code when not in use. Fixes #1966.
New Packet.DLL function PacketSetTimestampMode() allows a user program to
set the method used to timestamp packets as they arrive. See #1775.
Supported modes are:
TIMESTAMPMODE_SINGLE_SYNCHRONIZATION - default monotonic timestamps based on KeQueryPerformanceCounter()
TIMESTAMPMODE_QUERYSYSTEMTIME - low-precision wall clock time based on KeQuerySystemTime()
TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE - high-precision wall clock time KeQuerySystemTimePrecise(), new in this release and only
Remove some problematic timestamp modes:
TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP and
TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP were undocumented;
TIMESTAMPMODE_RDTSC was x86-only and not suitable for multi-processor
systems. See #1829.
The Npcap SDK 1.05 will be released to include the new
PacketSetTimestampMode() function.
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
If a capture is in progress when the system is suspended, it will continue
without interruption after the system is woken. This also prevents capture
interruptions when the OS makes certain network stack changes.
Fixes #1903.
If the npcap driver is stopped, Packet.dll will attempt to start it
automatically. This feature requires Administrator privilege and had been
removed in Npcap 0.9983. Fixes #1911.
Fix the check for fragmented packets in loopback capture.
Closes PR #22.
Eliminate clone/block/inject pattern from loopback capture except for packets
already injected by Npcap. Should fix #1529
and #1789.
Fix an issue in the Npcap OEM installer where silent mode would not detect a
failure to install the npcap driver. Fixes #1910.
Improve the installer to avoid broken installations and allow the installer
to continue if a broken installation is detected. Fixes #1935.
Formally removed support for Windows Vista and Server 2008 r1, which are no longer supported by Microsoft either. This allows us to support newer Windows WFP and NDIS features for better performance and compatibility. Folks who must still run these ancient Windows releases should use Npcap version 0.9984 from https://nmap.org/npcap/dist/?C=M;O=D. That was the last Npcap release to support the old (and less secure) SHA-1 driver signatures required by Windows Vista/2008. Please note that Windows Server 2008 r2 and Windows 7 are still supported in this release even though they have also passed their Microsoft end-of-life dates.
Published by dmiller-nmap over 4 years ago
Installer and debug symbols available from https://npcap.org/#download
Fix an issue where Npcap begins dropping large packets, then smaller ones
until finally all packets are dropped. Our fix changes the way remaining free
space in the kernel buffer is calculated, which ought to prevent the free
space accounting from drifting from reality. Fixes
#1891.
Fix a potential race condition when opening the loopback capture adapter. If
two threads simultaneously determine that the WFP filters need to be
registered, each may open a handle to the WFP engine using the same global
pointer, leading to a double-free when the second one tries to close the
handle.
Allow Packet.dll and the npcap driver to skip loopback-related operations,
including WFP and WSK setup, if the LoopbackSupport Registry key is set
to 0. This configuration will not be supported by the installer, but may
serve as a workaround for problems that may be related to Npcap's loopback
traffic capture and injection capability.
Ensure open handles to the Service Control Manager are closed on error in
PacketGetFileVersion. Fixes #1882.
Published by dmiller-nmap almost 5 years ago
Installer and debug symbols available at https://npcap.org/#download
Published by dmiller-nmap almost 5 years ago
NOTE: An issue was found with the Npcap 0.9985 installer that prevents it from installing on Windows 8.1 or earlier. Npcap 0.9986 resolves this issue.
Installer and debug symbols available from https://npcap.org/#download
The Nmap Project's (Insecure.Com LLC) code signing certificate has been
renewed, and no longer exists as a SHA-1 certificate. Windows Vista and
Server 2008 may therefore not recognize the digital signatures on the
filter driver so a warning may be presented upon install. Please note
that Microsoft is ending support for these operating systems in January 2020.
WinPcap API-compatible mode no longer installs a separate filter driver.
Packet.DLL will translate NPF device names so that they are all serviced by
the npcap.sys driver. The npf.sys driver has been removed. See
#1812.
Improve the speed of pcap_findalldevs by reducing the number of calls to
GetAdaptersAddresses, removing a redundant function call, and improving
buffer reallocation. Patch by Tomasz Moń (#20).
Temporary DLLs unpacked during installation are now signed with our code
signing certificate.
Fixed a bug in the uninstaller preventing downgrades to prior versions of
Npcap. On 64-bit Windows, the driver file npcap.sys was not properly
removed, and Windows would not replace it with any older version. Fixes
#1686.
Published by dmiller-nmap almost 5 years ago
Installer and debug symbols available at https://npcap.org/#download
Update libpcap to 1.9.1. See the libpcap CHANGES file for this release. This update addresses several CVE-identified vulnerabilities.
Address several code quality issues identified by Charles E. Smith of Tangible Security using Coverity source code analysis.
Fixed processing of the "enforced" value for several command-line installer options. Fixes #1719.
The DisplayName value in the Uninstall registry key for Npcap no longer includes the version number, which has always been available in the DisplayVersion value. Instead, it will include the product name and edition, e.g. "Npcap" or "Npcap OEM". This value will also be recorded in the Edition value under the npcap service's Parameters registry key.
Fixed a couple of issues with the DiagReport tool used for bug report diagnostics: remove extraneous partial output lines (#1760), and avoid relying on the Server service to determine privilege level (#1757).
Published by dmiller-nmap about 5 years ago
Installer and debug symbols available from https://npcap.org/#download
Npcap can now detect newly-added network adapters without restarting the
driver. Fixes #664.
Loopback capture and injection no longer requires the Npcap Loopback Adapter
to be installed. This is a minor API change, so Nmap 7.80 and earlier will
still require the adapter to do localhost scans, but Wireshark and most other
software will not require changes. Loopback capture uses the device name
NPF_Loopback instead of NPF_{GUID}, where GUID has to be looked up in
the Registry. The Npcap Loopback Adapter can still be installed by selecting
"Legacy loopback support" in the installer or using the
/loopback_support=yes command-line option. The LoopbackSupport Registry
value will always be 0x00000001.
The DltNull Registry setting and the /dlt_null installer option are no
longer supported. Loopback capture will use the DLT_NULL link type as
described in the tcpdump documentation. Loopback packet
injection will also use this link type instead of requiring a dummy Ethernet
header to be constructed. The DltNull Registry value will still be present
and set to 1 for software that consults this value.
Some operations like pcap_stats() can now be completed even after the
adapter that was in use is removed. See #1650.
Fixed a crash that could happen when stopping the driver during a loopback
traffic capture. Fixes #1678.
Published by dmiller-nmap about 5 years ago
Installer, SDK, and debug symbols available at https://npcap.org/#download
Fix the packet statistics functionality used by pcap_stats(), which was
broken in 0.9981. Fixes #1668.
Rework the flow of packets through the WFP callout driver that implements
loopback traffic capture. This should prevent clobbering of redirect context
data reported in #1529.
Restore the /dlt_null installer option to default to "yes" since it has
been defaulting to "no" since Npcap 0.992. Using DLT_NULL for loopback
capture is slightly more efficient than creating a dummy Ethernet header,
which was the default before.
Published by dmiller-nmap about 5 years ago
Installer and debug symbols available from https://npcap.org/#download . Npcap 0.997 was never publicly released; these are the changes since Npcap 0.996:
When upgrading Npcap, do not uninstall the existing Npcap until the user
clicks the Install button. Previously, the existing Npcap was uninstalled
prior to the first options screen, so that canceling the upgrade left no
working Npcap on the system.
Redefine the I/O control codes used by Npcap using the CTL_CODE macro to
ensure proper access control and consistent parameter passing. This is not a
published API, but the change will require that Packet.DLL and the npcap
driver are the same version.
Fix a 1-byte overrun in NPFInstall.exe when killing processes with Npcap DLLs
in use.
In cases where PacketOpenAdapter is given an adapter name in UTF-16LE,
translate it to ASCII before doing string operations on it. See
#1575.
Significant reorganization of internal data structures to reduce memory use
and initialization overhead.
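Why building I/O control codes with CTL_CODE matters for access control and parameter passing, as an added example that is not Npcap's code. The bit layout and the METHOD_*/FILE_* values are those of the Windows SDK; MAKE_IOCTL, HYP_IOCTL_SET_FILTER, the device type 0x8000, the function number 0x801 and the raw values 9030 and 9031 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Field values as defined in the Windows SDK (winioctl.h). */
#define METHOD_BUFFERED   0u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u

/* Same bit layout as CTL_CODE: device<<16 | access<<14 | function<<2 | method. */
#define MAKE_IOCTL(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))

/* Hypothetical "set filter" request: buffered transfer, write access required. */
#define HYP_IOCTL_SET_FILTER \
    MAKE_IOCTL(0x8000u, 0x801u, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef struct {
    uint32_t device, access, function, method;
} ioctl_fields;

/* Split a 32-bit control code into the four fields the I/O manager reads. */
static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device   = code >> 16;
    f.access   = (code >> 14) & 0x3u;
    f.function = (code >> 2) & 0xFFFu;
    f.method   = code & 0x3u;
    return f;
}

/* Model of the I/O manager's check: the handle must have been opened with
 * every access right encoded in the code, or the driver never sees the IRP. */
static int io_manager_allows(uint32_t code, uint32_t granted)
{
    uint32_t required = decode_ioctl(code).access;
    return (required & ~granted) == 0;
}

static void show(const char *name, uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    printf("%-22s 0x%08X dev=0x%X access=%u fn=0x%X method=%u\n", name,
           (unsigned)code, (unsigned)f.device, (unsigned)f.access,
           (unsigned)f.function, (unsigned)f.method);
}

int main(void)
{
    /* Constructed raw integers used directly as control codes. */
    show("raw 9030", 9030u);
    show("raw 9031", 9031u);
    show("HYP_IOCTL_SET_FILTER", HYP_IOCTL_SET_FILTER);
    printf("read-only handle may send set-filter: %d\n",
           io_manager_allows(HYP_IOCTL_SET_FILTER, FILE_READ_ACCESS));
    return 0;
}
```

The two raw values decode to the same function number with FILE_ANY_ACCESS and differ only in transfer method (METHOD_OUT_DIRECT versus METHOD_NEITHER), so any handle can send them and the buffers reach the driver in two different ways.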
Published by dmiller-nmap over 5 years ago
Installer and debug symbols may be downloaded from https://npcap.org/#download
Fix a crash when stopping the npcap driver service, such as when upgrading
Npcap, DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_DetachAdapter. Since Npcap
0.994 and 0.995 may crash when upgrading, the installer will offer to disable
the npcap driver service if it is running, allowing the user to reboot and
attempt the install again, avoiding a crash. Fixes #1626.
Ensure the uninstaller for the previous version of Nmap is called when
upgrading. Npcap 0.95 through 0.995 erroneously skipped this step in simple
non-silent upgrades, which could cause multiple Npcap Loopback Adapters to be
installed.
Published by dmiller-nmap over 5 years ago
Installer and debug symbols may be downloaded from https://npcap.org/#download
DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_NetworkClassify introduced in Npcap 0.994. Fixes #1591.
Published by dmiller-nmap over 5 years ago
Executable installer and debug symbols available at https://npcap.org/#download .
Fix the installer options screen, which would immediately proceed to
installation when you clicked on the "Support loopback traffic" option. Fixes
#1577.
Use the /F option to SCHTASKS.EXE in the installer so that the
npcapwatchdog task can be successfully overwritten if it is present, though
newer uninstallers also remove the task. Fixes #1580.
Fix the CheckStatus.bat script run by the npcapwatchdog scheduled task to
correctly match output of reg.exe on non-English systems. Fixes
#1582.
Improve synchronization between WFP (Loopback) and NDIS (control) functions
within the driver, which ought to improve stability during system
sleep/suspend events, particularly an access violation in
NPF_NetworkClassify observed via Microsoft crash telemetry.