Nmap Project's Windows packet capture and transmission library
OTHER License
Published by hsluoyz over 8 years ago
This version of Npcap already supports setting monitor mode from the Wireshark GUI or the command line.
- If you check the "Capture packets in monitor mode" option in Edit Interface Settings, your wireless adapter will turn into monitor mode immediately.
- If you run the dumpcap command with the -I option, your wireless adapter will turn into monitor mode right before capturing.
Published by hsluoyz over 8 years ago
The WlanHelper.exe tool is automatically installed to your system path after installing Npcap.
Published by hsluoyz over 8 years ago
The default options for the Npcap installer GUI can be changed. An example is:
npcap-nmap-0.06-r16.exe /admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=no /winpcap_mode=no
or even simpler:
npcap-nmap-0.06-r16.exe /winpcap_mode=no
The default value of /winpcap_mode is yes, so running the installer directly without options shows "Install Npcap in WinPcap API-compatible Mode" CHECKED by default on the Installation Options page.
However, the above two commands will launch the installer GUI with the "Install Npcap in WinPcap API-compatible Mode" option UNCHECKED by default on the Installation Options page.
The current default installation options (for both GUI and silent mode) are:
/admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=no /winpcap_mode=yes
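The two example commands above differ only in how many options they spell out. As an added example (not part of the Npcap project's code), the Python sketch below resolves an installer command line against the defaults listed on this page and reports which options it actually changes, which is useful when reviewing deployment scripts. The function name effective_options is hypothetical, and the sketch assumes options are written exactly as /name=yes or /name=no.

```python
import shlex

# Installer defaults as listed on this page (GUI and silent mode).
DEFAULTS = {
    "admin_only": "no",
    "loopback_support": "yes",
    "dlt_null": "no",
    "vlan_support": "no",
    "winpcap_mode": "yes",
}


def effective_options(command_line):
    """Resolve one installer command line against DEFAULTS.

    Returns (options, overrides, unrecognized): the full effective option
    set, the subset that differs from the defaults, and any argument that
    is not a /name=yes|no option named on this page.
    """
    tokens = shlex.split(command_line, posix=False)
    if not tokens:
        raise ValueError("empty command line")
    options = dict(DEFAULTS)
    unrecognized = []
    for arg in tokens[1:]:  # tokens[0] is the installer executable
        name, sep, value = arg[1:].partition("=")
        if (arg.startswith("/") and sep and name in DEFAULTS
                and value in ("yes", "no")):
            options[name] = value  # a later duplicate wins in this sketch
        else:
            unrecognized.append(arg)
    overrides = {k: v for k, v in options.items() if v != DEFAULTS[k]}
    return options, overrides, unrecognized


if __name__ == "__main__":
    # The two command lines shown on this page.
    samples = [
        "npcap-nmap-0.06-r16.exe /admin_only=no /loopback_support=yes "
        "/dlt_null=no /vlan_support=no /winpcap_mode=no",
        "npcap-nmap-0.06-r16.exe /winpcap_mode=no",
    ]
    for line in samples:
        options, overrides, unrecognized = effective_options(line)
        print(overrides, unrecognized)
```

Both commands resolve to the same effective option set, with /winpcap_mode as the only override.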
Published by hsluoyz over 8 years ago
This -wifi version of Npcap is intended for people who want to capture packets with 802.11 headers instead of Ethernet headers on their wireless adapters. Other users who do NOT care about this feature should use a normal version of Npcap. The latest normal version of Npcap is 0.06 r14 at:
https://github.com/nmap/npcap/releases/download/v0.06-r14/npcap-nmap-0.06-r14.exe
1. Install npcap-nmap-0.06-r15-wifi2.exe.
2. Run WlanHelper.exe with Administrator privilege. Type in the index of your wireless adapter (usually 0) and press Enter. Then type in 1 and press Enter to switch on the Monitor Mode.
3. Launch Wireshark and capture on the wireless adapter; you will see all 802.11 packets (data + control + management).
4. Run WlanHelper.exe again and input the index of the adapter, then type in 0 and press Enter to switch off the Monitor Mode.
You need to use the WlanHelper.exe tool to switch on the Monitor Mode in order to see 802.11 control and management packets in Wireshark (and also encrypted 802.11 data packets; you need to specify the decipher key in Wireshark in order to decrypt those packets). Otherwise you will only see 802.11 data packets.
Switching on the Monitor Mode will disconnect your wireless network from the AP. You can switch back to Managed Mode using the same WlanHelper.exe tool.
The source code of the WlanHelper.exe tool is published at:
https://github.com/hsluoyz/WlanHelper
Managed Mode (for Linux) = Extensible Station Mode (aka ExtSTA, for Windows)
Monitor Mode (for Linux) = Network Monitor Mode (aka NetMon, for Windows)
Published by hsluoyz over 8 years ago
npcap-nmap-0.06-r14.exe: Fixed the bug of an incorrect captured packet length (usually 2048) on VirtualBox VMs. Thanks Komosa for reporting this bug!
npcap-nmap-0.06-r14-wifi3.exe: This special -wifi version of Npcap will supply Native 802.11 headers with radiotap information instead of fake Ethernet headers for wireless adapters.
WlanHelper.exe: Run this tool to switch your wireless adapter into Monitor Mode. The -wifi version of Npcap will do better with Monitor Mode (it can see more types of packets, like QoS Null function, CF-Poll, etc.). You can only see QoS Data and Data types of packets in Extensible Station Mode.
NOTICE:
If you have installed a -wifi version of Npcap before, installing a normal version again will still give you 802.11 packets instead of fake Ethernet packets. The cause is that Windows cached some driver configurations from the old version of Npcap (like the -wifi version).
The solution is:
1. Download the DriverStore Explorer [RAPR] tool from Microsoft: http://driverstoreexplorer.codeplex.com/ and run Rapr.exe (you may need to install the correct .Net framework to run this program).
2. Click Enumerate, select all the drivers whose Pkg Provider is Nmap Project, and click on Delete Package. (Nmap doesn't have any Windows driver other than Npcap, so you can safely clear all of the Nmap driver cache.)
3. Install the normal version of Npcap; this time Npcap will behave correctly for wireless adapters by providing fake Ethernet headers.