npcap

Nmap Project's Windows packet capture and transmission library

npcap - Npcap 0.9997

Published by dmiller-nmap about 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix an integer underflow in the amount of free buffer space available leading
    to excessive memory consumption. Fixes #223.

  • Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.

  • Replaced object pool/slab allocator with Windows lookaside lists, improving
    performance by avoiding spinlocks and allowing the system to adjust memory
    consumption.
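
The integer underflow in free-space accounting described in the first item above, shown as an added C example (not Npcap's code; the struct, function names, sizes and the 32-byte per-packet overhead are assumptions made for illustration). The flawed path admits a packet based on its payload length but charges payload plus overhead, so the unsigned counter wraps and the buffer limit stops being enforced:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical accounting for a bounded capture buffer (not Npcap's structures). */
#define PKT_OVERHEAD 32u            /* assumed per-packet bookkeeping cost */

typedef struct {
    uint32_t size;                  /* configured buffer limit in bytes */
    uint32_t free_bytes;            /* bytes the accounting believes are free */
    uint64_t queued;                /* bytes actually held for the reader */
} capbuf;

/* Flawed: admits on payload length alone but charges payload + overhead,
 * so the unsigned subtraction can wrap to a value near UINT32_MAX. */
static bool enqueue_flawed(capbuf *b, uint32_t caplen)
{
    if (caplen > b->free_bytes)
        return false;               /* drop: buffer looks full */
    b->free_bytes -= caplen + PKT_OVERHEAD;
    b->queued += (uint64_t)caplen + PKT_OVERHEAD;
    return true;
}

/* Hardened: compute the full charge in a wider type and compare it against
 * the free counter before subtracting, so the counter cannot wrap. */
static bool enqueue_checked(capbuf *b, uint32_t caplen)
{
    uint64_t need = (uint64_t)caplen + PKT_OVERHEAD;
    if (need > b->free_bytes)
        return false;
    b->free_bytes -= (uint32_t)need;
    b->queued += need;
    return true;
}

/* Offer npackets of caplen bytes with no reader draining the buffer and
 * return how many bytes end up queued. */
uint64_t simulate(bool checked, uint32_t size, uint32_t caplen, unsigned npackets)
{
    capbuf b = { size, size, 0 };
    for (unsigned i = 0; i < npackets; i++) {
        if (checked)
            enqueue_checked(&b, caplen);
        else
            enqueue_flawed(&b, caplen);
    }
    return b.queued;
}

int main(void)
{
    /* Constructed input: 1000-byte limit, 1000 packets of 80 bytes each. */
    printf("flawed : %llu bytes queued\n",
           (unsigned long long)simulate(false, 1000, 80, 1000));
    printf("checked: %llu bytes queued\n",
           (unsigned long long)simulate(true, 1000, 80, 1000));
    return 0;
}
```

With these constructed numbers the ninth packet finds 104 bytes free, passes the payload-only check, and is charged 112 bytes; from then on every packet is accepted regardless of the configured limit.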

npcap - Npcap 0.9996

Published by dmiller-nmap about 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix a runaway memory leak triggered by low-resources condition leading to
    system hangs. Fixes #213.

  • Fix a BSoD crash in NPF_Read in some high-traffic cases. Fixes #206.

  • Fix a handle leak in Packet.dll when enumerating interfaces. Fixes #26.

  • Fix an inconsistency between return value and IRP completion status in
    NPF_Read when an adapter is removed. Driver Verifier would cause a bugcheck
    (BSoD) in this case, and pcap API functions would not detect an error.
    Fixes #217

  • Improved performance by reusing allocated packet data buffers and
    implementing DISPATCH_LEVEL tracking throughout the driver to speed up lock
    acquisition.

  • When upgrading from compatible recent versions (currently Npcap 0.9985 and
    newer), the installer will unpack a new Uninstall.exe and NPFInstall.exe
    prior to removing the existing installation. This resolves issues with the
    uninstallation process such as were common in Npcap 0.9991 through 0.9994.

  • Upgraded build system to Visual Studio 2019 and WDK 10.0.18362.0.

npcap - Npcap 0.9995

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix a BSoD crash in NPF_Read when NDIS filter module is detached from the
    adapter. Fixes #194

  • On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10
    WFP compatibility, supporting network stack improvements like RSC.
    Fixes #196.

  • Correctly obey maximum frame size for an adapter by querying
    OID_GEN_MAXIMUM_TOTAL_SIZE instead of using MTU, which does not include
    space for the link layer header. Fixes #186.

  • Fix detection of processes using Npcap resources during uninstall or upgrade.
    The fix for #2015 had broken this so such processes were not terminated,
    leading to failed installations.

  • Obey snaplen (pcap_set_snaplen()) even if a packet filter is not set. This
    is a backported change from upstream libpcap that corrects a deficiency that
    has been present in all previous versions of WinPcap and Npcap.
    Fixes #201.

  • Improvements to object pool/slab allocator to allow nonpaged memory to be
    freed when not in use.

  • When installing Npcap OEM in silent mode, avoid running C:\Uninstall.exe if no existing Npcap installation is present.

npcap - Npcap 0.9994

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix a BSoD crash in NPF_ReleaseOpenInstanceResources due to miscounting of
    number of open Loopback capture instances. Fixes #185.

  • Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing a
    data structure that already contained packet data.

  • Fix a crash in NPFInstall.exe that happened when trying to rebind Npcap to
    the network stack as part of some installations. Reported by Microsoft App
    Assure ISV Outreach Team.

  • When multiple packets are indicated in a single FilterReceiveNetBufferLists
    callback, only get a single timestamp for all of them. Avoids extra calls to
    KeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended up
    measuring Npcap processing delay, not actual packet arrival time.

  • Fix a potential NULL pointer deref issue in Objpool.h macros if an
    allocation were to fail and return a NULL pointer.

  • Fix parsing of pnputil.exe output that resulted in Npcap drivers not being
    cleared from the DriverStore before installing or upgrading. This led to
    older drivers being preferred in some cases, such as installing an unsigned
    driver in test mode.

  • Move all capture- and injection-related initialization code out of
    NPF_OpenAdapter, improving efficiency of operations like listing adapters
    or performing OID requests without starting a full capture.

  • Added SAL annotations to most driver functions to improve static analysis.
    Found one issue related to using a NULL NDIS handle in an allocation
    function, which is not supported on Windows 7.

  • Allow driver to load even if there is a problem initializing loopback capture
    or injection functions. The loopback capture device will simply be
    unavailable in that case.

npcap - Npcap 0.9993

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix a BSoD crash in NPF_DoInternalRequest triggered by suspending the
    system while a capture is running. Added source annotations to allow static
    analysis to catch bugs like this in the future. Fixes #181.

  • Fix a bug introduced in Npcap 0.9992 which caused loopback capture to fail if
    any loopback capture had been previously started and finished.

  • Fix packet length calculation for loopback capture. The packet length was
    being counted twice, leading to junk data being appended to captured packets.

  • If installation fails for any reason other than a failure to uninstall the
    previous version of Npcap, the current version's uninstaller will be used to
    clean up any partial installation. The only remaining files will be the
    install.log and NPFInstall.log in the Npcap installation directory.
    Fixes #170

  • Replaced ReadWriteLock mechanisms with improved NDIS_RW_LOCK_EX new in NDIS
    6.20 for improved performance.

  • Moved object pool for captured packets from the filter module (adapter)
    object to the open instance (pcap handle) to allow memory to be recovered
    after a capture is closed.

npcap - Npcap 0.9992

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Npcap issues are now tracked on their own GitHub Issues page, separate from
    Nmap issues. Many existing issues have been migrated, and issue numbers may
    have changed.

  • Rewrote the kernel packet capture buffer code again to avoid requiring a
    separate worker thread. Instead, captured packets are held directly in a
    synchronized queue. The worker thread introduced in Npcap 0.9991 was unable
    to keep up with the volume of packet requests, leading to buffer bloat and
    reduced performance.

  • Avoid initializing loopback capture-related functions and processing packets
    as soon as an adapter is opened. This will improve performance since adapters
    are opened as part of listing adapters.

  • Fix a crash in NPFInstall.exe when terminating processes which are using
    Npcap resources. This could lead to failed installations and message windows
    about "A LWF & WFP driver installation tool has stopped working."

  • Update Npcap from NDIS 6.10 to NDIS 6.20, which limits its compatibility to
    Windows 7 and higher. Closes #167.

  • Fix a bug in Npcap 0.9991 which prevented packets from being captured until a
    BPF filter had been set. Fixes #168 (migrated
    from nmap/nmap#2037).

  • Allow capture statistics and captured packets remaining in the buffer to be
    retrieved when an adapter is removed. Fixes nmap/nmap#2036.

  • Use WMI instead of the Windows 10-only Get-NetAdapter PowerShell cmdlet in
    the DiagReport tool. Fixes nmap/nmap#611.

npcap - Npcap 0.9991

Published by dmiller-nmap over 4 years ago

Installer, SDK, and debug symbols available from https://npcap.org/#download

  • Switched our code signing certificate back to DigiCert after some users found
    older Windows versions could not validate the signature on our driver for
    versions 0.9985 through 0.9990. The driver is again dual-signed with SHA-1
    and SHA-2 certificates. See #2012

  • Major changes to management of Npcap driver's circular packet buffer,
    switching from per-CPU unshared segments to a single worker thread managing a
    queue of work items. This improves buffer utilization, reduces the amount of
    time spent processing in the network stack, and should reduce packet loss.
    See #1967.

  • Several performance-related improvements to the NDIS filter driver: Switched
    from SpinLocks to ReadWriteLocks for several crucial shared data structures,
    which will improve performance by reducing resource contention on
    multiprocessor systems, and introduced an object-pool allocation pattern for
    several frequently-used short-lifetime objects, improving performance by
    reducing memory allocations.

  • Again restore "unused" NDIS filter callbacks which cause Windows 7 to lose
    connectivity when they are removed. See #1998.

  • Include debug symbols for wpcap.dll in our debug symbols zip file at
    https://npcap.org/#download . Fixes #1844.

  • Fixed #1996: heap corruption in
    NPFInstall.exe since Npcap 0.9989 leading to hung installs when the "raw
    802.11 traffic" option was checked.

  • Fixed #2014: Npcap OEM silent install
    produced a dialog when installing over an existing installation of the same
    version.

  • Uninstaller improvements related to removing the installation directory,
    properly killing processes using Npcap DLLs, not leaving a partial
    installation if a step fails. Fixes #2013
    and #2015.

npcap - Npcap 0.9990

Published by dmiller-nmap over 4 years ago

Installer, SDK, and debug symbols available from https://npcap.org/#download

  • Improve compatibility with WinPcap's behavior regarding injected traffic.
    WinPcap uses inefficient loopback to capture all outbound traffic, but allows
    PacketSetLoopbackBehavior() to avoid this for injected traffic. Because of
    Npcap's more efficient design, injected traffic was never looped back up to
    protocol drivers, causing problems for some users who relied on this behavior.
    Now, injected traffic follows the same path as with WinPcap, though ordinary
    traffic is unaffected. For highest efficiency without loopback, use
    PacketSetLoopbackBehavior(PACKET_DISABLE_LOOPBACK). Fixes #1343,
    #1929, and GNS3/gns3-gui#2936

  • No longer honor NDIS_PACKET_TYPE_ALL_LOCAL set via PacketSetHwFilter().
    This packet filter causes all local traffic to be routed through an unoptimized
    loopback path within NDIS, which was necessary to capture outgoing traffic in
    WinPcap but is no longer needed in Npcap. Instead, this value will be treated as
    NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST.

  • Fix a bug that caused TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE to fall back to
    TIMESTAMPMODE_QUERYSYSTEMTIME even when KeQuerySystemTimePrecise() was
    available. Fix by Mauro Levra in PR#23.

  • Installer will now install an intermediate CA cert that was missing from some
    systems, which is needed to verify the driver's digital signature. Only
    affects Windows versions prior to Windows 10.

  • Backport a fix from libpcap needed to properly support
    NdisMediumWirelessWan. See #1573.

  • Include experimental support for AirPcap cards if airpcap.dll (not
    included) is installed.

npcap - Npcap 0.9989

Published by dmiller-nmap over 4 years ago

Installer, debug symbols, and SDK available from https://npcap.org/#download

  • Fix a BSOD crash in NPF_OpenAdapter due to reading past the end of a
    string. Fixes #1924

  • Fix a BSOD crash (NULL pointer dereference) in NPF_Restart.
    Fixes #1964.

  • Fix a memory leak in the Loopback WFP filter. Additionally, WFP callbacks
    will be unregistered when all loopback captures are closed, reducing impact
    of related code when not in use. Fixes #1966.

  • New Packet.DLL function PacketSetTimestampMode() allows a user program to
    set the method used to timestamp packets as they arrive. See #1775.
    Supported modes are:

    • TIMESTAMPMODE_SINGLE_SYNCHRONIZATION - default monotonic timestamps based
      on KeQueryPerformanceCounter()
    • TIMESTAMPMODE_QUERYSYSTEMTIME - low-precision wall clock time based on
      KeQuerySystemTime()
    • TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE - high-precision wall clock time
      based on KeQuerySystemTimePrecise(), new in this release and only
      available on Windows 8 and newer. See #1407.

  • Remove some problematic timestamp modes:
    TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP and
    TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP were undocumented;
    TIMESTAMPMODE_RDTSC was x86-only and not suitable for multi-processor
    systems. See #1829.

  • The Npcap SDK 1.05 will be released to include the new
    PacketSetTimestampMode() function.

npcap - Npcap 0.9988

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • If a capture is in progress when the system is suspended, it will continue
    without interruption after the system is woken. This also prevents capture
    interruptions when the OS makes certain network stack changes.
    Fixes #1903.

  • If the npcap driver is stopped, Packet.dll will attempt to start it
    automatically. This feature requires Administrator privilege and had been
    removed in Npcap 0.9983. Fixes #1911.

  • Fix the check for fragmented packets in loopback capture.
    Closes PR #22.

  • Eliminate clone/block/inject pattern from loopback capture except for packets
    already injected by Npcap. Should fix #1529
    and #1789.

  • Fix an issue in the Npcap OEM installer where silent mode would not detect a
    failure to install the npcap driver. Fixes #1910.

  • Improve the installer to avoid broken installations and allow the installer
    to continue if a broken installation is detected. Fixes #1935.

  • Formally removed support for Windows Vista and Server 2008 r1, which are no longer supported by Microsoft either. This allows us to support newer Windows WFP and NDIS features for better performance and compatibility. Folks who must still run these ancient Windows releases should use Npcap version 0.9984 from https://nmap.org/npcap/dist/?C=M;O=D. That was the last Npcap release to support the old (and less secure) SHA-128 driver signatures required by Windows Vista/2008. Please note that Windows Server 2008 r2 and Windows 7 are still supported in this release even though they have also passed their Microsoft end-of-life dates.

npcap - Npcap 0.9987

Published by dmiller-nmap over 4 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Fix an issue where Npcap begins dropping large packets, then smaller ones
    until finally all packets are dropped. Our fix changes the way remaining free
    space in the kernel buffer is calculated, which ought to prevent the free
    space accounting from drifting from reality. Fixes
    #1891.

  • Fix a potential race condition when opening the loopback capture adapter. If
    two threads simultaneously determine that the WFP filters need to be
    registered, each may open a handle to the WFP engine using the same global
    pointer, leading to a double-free when the second one tries to close the
    handle.

  • Allow Packet.dll and the npcap driver to skip loopback-related operations,
    including WFP and WSK setup, if the LoopbackSupport Registry key is set
    to 0. This configuration will not be supported by the installer, but may
    serve as a workaround for problems that may be related to Npcap's loopback
    traffic capture and injection capability.

  • Ensure open handles to the Service Control Manager are closed on error in
    PacketGetFileVersion. Fixes #1882.

npcap - Npcap 0.9986

Published by dmiller-nmap almost 5 years ago

Installer and debug symbols available at https://npcap.org/#download

  • Fix a driver signing issue that made Npcap 0.9985 uninstallable on Windows
    versions other than Windows 10. Fixes #1856.

npcap - Npcap 0.9985

Published by dmiller-nmap almost 5 years ago

NOTE: An issue was found with the Npcap 0.9985 installer that prevents it from installing on Windows 8.1 or earlier. Npcap 0.9986 resolves this issue.

Installer and debug symbols available from https://npcap.org/#download

  • The Nmap Project's (Insecure.Com LLC) code signing certificate has been
    renewed, and no longer exists as a SHA-1 certificate. Windows Vista and
    Server 2008 may therefore not recognize the digital signatures on the
    filter driver so a warning may be presented upon install. Please note
    that Microsoft is ending support for these operating systems in January 2020.

  • WinPcap API-compatible mode no longer installs a separate filter driver.
    Packet.DLL will translate NPF device names so that they are all serviced by
    the npcap.sys driver. The npf.sys driver has been removed. See
    #1812.

  • Improve the speed of pcap_findalldevs by reducing the number of calls to
    GetAdaptersAddresses, removing a redundant function call, and improving
    buffer reallocation. Patch by Tomasz Moń
    (#20).

  • Temporary DLLs unpacked during installation are now signed with our code
    signing certificate.

  • Fixed a bug in the uninstaller preventing downgrades to prior versions of
    Npcap. On 64-bit Windows, the driver file npcap.sys was not properly
    removed, and Windows would not replace it with any older version. Fixes
    #1686.

npcap - Npcap 0.9984

Published by dmiller-nmap almost 5 years ago

Installer and debug symbols available at https://npcap.org/#download

  • Update libpcap to 1.9.1. See the libpcap CHANGES file for this release. This update addresses several CVE-identified vulnerabilities.

  • Address several code quality issues identified by Charles E. Smith of Tangible Security using Coverity source code analysis.

  • Fixed processing of the "enforced" value for several command-line installer options. Fixes #1719.

  • The DisplayName value in the Uninstall registry key for Npcap no longer includes the version number, which has always been available in the DisplayVersion value. Instead, it will include the product name and edition, e.g. "Npcap" or "Npcap OEM". This value will also be recorded in the Edition value under the npcap service's Parameters registry key.

  • Fixed a couple of issues with the DiagReport tool used for bug report diagnostics: remove extraneous partial output lines (#1760), and avoid relying on the Server service to determine privilege level (#1757).

npcap - Npcap 0.9983

Published by dmiller-nmap about 5 years ago

Installer and debug symbols available from https://npcap.org/#download

  • Npcap can now detect newly-added network adapters without restarting the
    driver. Fixes #664.

  • Loopback capture and injection no longer requires the Npcap Loopback Adapter
    to be installed. This is a minor API change, so Nmap 7.80 and earlier will
    still require the adapter to do localhost scans, but Wireshark and most other
    software will not require changes. Loopback capture uses the device name
    NPF_Loopback instead of NPF_{GUID}, where GUID has to be looked up in
    the Registry. The Npcap Loopback Adapter can still be installed by selecting
    "Legacy loopback support" in the installer or using the
    /loopback_support=yes command-line option. The LoopbackSupport Registry
    value will always be 0x00000001.

  • The DltNull Registry setting and the /dlt_null installer option are no
    longer supported. Loopback capture will use the DLT_NULL link type as
    described in the tcpdump documentation. Loopback packet injection will also
    use this link type instead of requiring a dummy Ethernet header to be
    constructed. The DltNull Registry value will still be present and set to 1
    for software that consults this value.

  • Some operations like pcap_stats() can now be completed even after the
    adapter that was in use is removed. See #1650.

  • Fixed a crash that could happen when stopping the driver during a loopback
    traffic capture. Fixes #1678.

npcap - Npcap 0.9982

Published by dmiller-nmap about 5 years ago

Installer, SDK, and debug symbols available at https://npcap.org/#download

  • Fix the packet statistics functionality used by pcap_stats(), which was
    broken in 0.9981. Fixes #1668.

  • Rework the flow of packets through the WFP callout driver that implements
    loopback traffic capture. This should prevent clobbering of redirect context
    data reported in #1529.

  • Restore the /dlt_null installer option to default to "yes" since it has
    been defaulting to "no" since Npcap 0.992. Using DLT_NULL for loopback
    capture is slightly more efficient than creating a dummy Ethernet header,
    which was the default before.

npcap - Npcap 0.9981

Published by dmiller-nmap about 5 years ago

Installer and debug symbols available from https://npcap.org/#download . Npcap 0.997 was never publicly released; these are the changes since Npcap 0.996:

  • When upgrading Npcap, do not uninstall the existing Npcap until the user
    clicks the Install button. Previously, the existing Npcap was uninstalled
    prior to the first options screen, so that canceling the upgrade left no
    working Npcap on the system.

  • Redefine the I/O control codes used by Npcap using the CTL_CODE macro to
    ensure proper access control and consistent parameter passing. This is not a
    published API, but the change will require that Packet.DLL and the npcap
    driver are the same version.

  • Fix a 1-byte overrun in NPFInstall.exe when killing processes with Npcap DLLs
    in use.

  • In cases where PacketOpenAdapter is given an adapter name in UTF-16LE,
    translate it to ASCII before doing string operations on it. See
    #1575.

  • Significant reorganization of internal data structures to reduce memory use
    and initialization overhead.
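
What defining I/O control codes with CTL_CODE buys, as an added C example (not Npcap's code): the macro packs device type, required access, function number and transfer method into fixed bit fields, so a reviewer can decode any code and see which access the I/O manager will demand of the caller's handle. The macro and constant values mirror the Windows SDK headers; the raw constant 7003, the function number 0x801 and the choice of FILE_DEVICE_TRANSPORT are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Same layout and values as the Windows SDK/WDK headers, repeated here so
 * the example builds on any platform. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))
#define FILE_DEVICE_TRANSPORT 0x00000021
#define METHOD_BUFFERED   0
#define METHOD_NEITHER    3
#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  0x0001
#define FILE_WRITE_ACCESS 0x0002

typedef struct {
    uint16_t device_type;   /* bits 31..16 */
    uint8_t  access;        /* bits 15..14: access required on the handle */
    uint16_t function;      /* bits 13..2: 0x800 and up are for vendors */
    uint8_t  method;        /* bits 1..0: how buffers reach the driver */
} ioctl_fields;

ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Review findings, returned as a bitmask. */
#define AUDIT_ANY_ACCESS        0x1  /* no read/write access needed on handle */
#define AUDIT_METHOD_NEITHER    0x2  /* driver receives raw user pointers */
#define AUDIT_RESERVED_FUNCTION 0x4  /* function number in Microsoft's range */

unsigned ioctl_audit(uint32_t code)
{
    ioctl_fields f = ioctl_decode(code);
    unsigned findings = 0;
    if (f.access == FILE_ANY_ACCESS)  findings |= AUDIT_ANY_ACCESS;
    if (f.method == METHOD_NEITHER)   findings |= AUDIT_METHOD_NEITHER;
    if (f.function < 0x800)           findings |= AUDIT_RESERVED_FUNCTION;
    return findings;
}

/* Hypothetical "set" request: buffered transfer, handle must allow writes. */
uint32_t example_ioctl(void)
{
    return CTL_CODE(FILE_DEVICE_TRANSPORT, 0x801, METHOD_BUFFERED,
                    FILE_WRITE_ACCESS);
}

int main(void)
{
    uint32_t legacy = 7003u;   /* constructed hand-picked constant */
    printf("raw 0x%08X      -> findings 0x%X\n",
           (unsigned)legacy, ioctl_audit(legacy));
    printf("CTL_CODE 0x%08X -> findings 0x%X\n",
           (unsigned)example_ioctl(), ioctl_audit(example_ioctl()));
    return 0;
}
```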

npcap - Npcap 0.996

Published by dmiller-nmap over 5 years ago

Installer and debug symbols may be downloaded from https://npcap.org/#download

  • Fix a crash when stopping the npcap driver service, such as when upgrading
    Npcap, DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_DetachAdapter. Since Npcap
    0.994 and 0.995 may crash when upgrading, the installer will offer to disable
    the npcap driver service if it is running, allowing the user to reboot and
    attempt the install again, avoiding a crash. Fixes #1626.

  • Ensure the uninstaller for the previous version of Nmap is called when
    upgrading. Npcap 0.95 through 0.995 erroneously skipped this step in simple
    non-silent upgrades, which could cause multiple Npcap Loopback Adapters to be
    installed.

npcap - Npcap 0.995

Published by dmiller-nmap over 5 years ago

Installer and debug symbols may be downloaded from https://npcap.org/#download

  • Fix a crash reported via Microsoft crash telemetry, DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_NetworkClassify introduced in Npcap 0.994. Fixes #1591.

npcap - Npcap 0.994

Published by dmiller-nmap over 5 years ago

Executable installer and debug symbols available at https://npcap.org/#download .

  • Fix the installer options screen, which would immediately proceed to
    installation when you clicked on the "Support loopback traffic" option. Fixes
    #1577.

  • Use the /F option to SCHTASKS.EXE in the installer so that the
    npcapwatchdog task can be successfully overwritten if it is present, though
    newer uninstallers also remove the task. Fixes #1580.

  • Fix the CheckStatus.bat script run by the npcapwatchdog scheduled task to
    correctly match output of reg.exe on non-English systems. Fixes
    #1582.

  • Improve synchronization between WFP (Loopback) and NDIS (control) functions
    within the driver, which ought to improve stability during system
    sleep/suspend events, particularly an access violation in
    NPF_NetworkClassify observed via Microsoft crash telemetry.