npcap

Nmap Project's Windows packet capture and transmission library


npcap - Npcap 0.06 r13: Added native 802.11 data packets capture support

Published by hsluoyz over 8 years ago

Thanks Luff Vince for reporting this bug!

npcap-nmap-0.06-r13.exe: This version fixes the bug in 0.06-r12 that prevented the driver from installing on Win7 x86.

npcap-nmap-0.06-r13-wifi.exe: This -wifi special version Npcap will capture Native 802.11 data packets instead of Fake Ethernet II packets. See this:

[screenshot from the original release note, not reproduced here]

npcap - Npcap 0.06 r12: Fixed the bug that Win7 will see loopback traffic twice

Published by hsluoyz over 8 years ago

Thanks Pascal for reporting this bug!

npcap - Npcap 0.06 r11: Fixed the possible IRQL_NOT_LESS_OR_EQUAL BSoD (2)

Published by hsluoyz over 8 years ago

Thanks Pascal for reporting this bug!

npcap - Npcap 0.06 r10: Fixed the possible IRQL_NOT_LESS_OR_EQUAL BSoD

Published by hsluoyz over 8 years ago

Thanks Pascal and Komosa for reporting this bug!

I totally rewrote the ring buffer code that copies received packets to memory. So if there are any bugs about received packets, please let me know!

npcap - Npcap 0.06 r8: Fixed the SYSTEM_SERVICE_EXCEPTION BSoD

Published by hsluoyz over 8 years ago

npcap - Npcap 0.06 r7: Added changing option feature for silent installation

Published by hsluoyz over 8 years ago

R7.2: Now VMware VMnet adapters can be seen in Npcap.


R7.1: Attention: This release has been updated to R7.1, please download again!

The original R7 version has a severe bug that causes malformed packets to be captured. Please use the latest R7.1 version.


R7: An example of changing option feature for silent installation is:
npcap-nmap-0.06-r7.1.exe /S /admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=yes /winpcap_mode=yes

  1. The above example shows the default values. e.g., if you don't specify the key /admin_only, it will take the default value no. This is the same as the GUI.
  2. The keys are case-insensitive.
  3. The values are case-sensitive; only two values are permitted: yes or no.

npcap - Npcap 0.06 r6: Fixed the network startup delay issue

Published by hsluoyz over 8 years ago

DON'T DOWNLOAD THIS!

This release has a bug that causes malformed packets to be captured. Please use the latest version.

npcap - Npcap 0.06 r5: Fixed the adapter list reenter BSoD

Published by hsluoyz over 8 years ago

DON'T DOWNLOAD THIS!

This release has a bug that causes malformed packets to be captured. Please use the latest version.

npcap - Npcap 0.06 r4: Improved the installer logic

Published by hsluoyz over 8 years ago

Improvements:

  1. The uninstallation window won't close itself now.
  2. Fixed the problem that the uninstallation process won't end in the Task Manager.
  3. System restore point will not be created in the uninstallation phase.
  4. Improved the text display of the installer.

The debug symbols of 0.06 r4 are shared with 0.06.

npcap - Npcap 0.06 r3: Improved the creating system restore point support

Published by hsluoyz over 8 years ago

Now Npcap installer will create a Windows system restore point named Before Npcap %VERSION% installs before actual installation process and create a point named Before Npcap %VERSION% uninstalls before uninstallation.

NOTE: this behavior is mandatory.

The debug symbols of 0.06 r3 are shared with 0.06.

npcap - Npcap 0.06 r2: Made the loopback feature optional in the installer

Published by hsluoyz over 8 years ago

Improvements:

  1. Made the loopback feature optional in the installer. This option is checked by default.
  2. Improved the creating system restore point logic by removing nested creation. A modified SysRestore plug-in is used: https://github.com/hsluoyz/SysRestore

The debug symbols of 0.06 r2 are shared with 0.06.

Fixed the bug reported by yyjdelete that Npcap causes BSoD if the user tries to disable the adapter while sending packets.

npcap - Npcap 0.05 r16: Added creating system restore point support

Published by hsluoyz over 8 years ago

Now the installer has an option called Create a system restore point before installing Npcap. If this option is checked, the Npcap installer will create a Windows system restore point named Before installing Npcap before the actual installation process. Restoring to this point will roll back all changes made by Npcap.

Note: this option is NOT checked by default.

The debug symbols of 0.05 r16 are shared with 0.05 r15.

npcap - Npcap 0.05 r15: Added debug symbols support

Published by hsluoyz over 8 years ago

Now Npcap will release new versions shipping with the corresponding debug symbols. These PDB files will help debugging BSoDs and user-mode crashes of Npcap binaries. The file structure inside the zip is the same as that of the binaries, which is shown below:

  1. \vista: npcap.sys for Vista, Win7
  2. \vista_winpcap: npf.sys for Vista, Win7 (at WinPcap Compatible Mode)
  3. \win7_above: npcap.sys for Win8, Win10, Packet.dll, NPFInstall.exe, NPcapHelper.exe
  4. \win7_above_winpcap: npf.sys for Win8, Win10, Packet.dll, NPFInstall.exe, NPcapHelper.exe (at WinPcap Compatible Mode)
  5. wpcap.pdb, \x64\wpcap.pdb: wpcap.dll

npcap - Npcap 0.05 r14: Fixed the driver signing error in Win7

Published by hsluoyz over 8 years ago

We used the legacy SHA1 code signing cert to sign the Npcap driver for Win7, so Win7 users no longer need to install the KB3033929 patch.

PS: This version of Npcap is supposed to have fixed all signing errors, so it will install successfully on all the platforms: Vista, Win7, Win8, Win8.1 and Win10 without any prerequisites.

npcap - Npcap 0.05 r13: Fixed the driver signing error in Vista

Published by hsluoyz over 8 years ago

Vista users should be able to install Npcap driver normally now.

For Win7 x64 users:
If you still get the pop-up window that says Windows requires a digitally signed driver (or get error 577 when executing net start npf), please try these steps:

  1. Install the following update patch successfully. (Windows SHA-256 certificate security)
    KB3033929 for Win7: https://technet.microsoft.com/en-us/library/security/3033929.aspx
    This step requires a reboot.

npcap - Npcap 0.05 r12: Signed the installer with better signing method

Published by hsluoyz over 8 years ago

npcap - Npcap 0.05 r11: Added firewall (Block-Rx) support

Published by hsluoyz over 8 years ago

Now Npcap can BLOCK the traffic instead of just inspecting packets. The Block-Rx adapters will reject all incoming packets except the ones injected by Npcap itself.

Steps for a firewall application:

  1. Set the adapter you want to add the firewall to as both a Block-Rx and a Send-to-Rx adapter. The Npcap driver needs to be restarted afterwards.
  2. Use pcap_next_ex to retrieve and parse all traffic on the adapter, and make a decision (Pass or Drop) based on your own policy.
  3. If the decision on a packet is Pass, call pcap_sendpacket to reinject the packet to the same adapter.
  4. If the decision on a packet is Drop, do nothing. This packet will be dropped.

A firewall example is provided here:
https://github.com/hsluoyz/UserBridge

How to specify a Block-Rx adapter:

Npcap driver service's registry key is usually in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf

In this key, you need to manually create a REG_SZ value named BlockRx; the value is the name of the adapter you want to be the Block-Rx adapter. The name usually has the form \Device\{F5A00000-E19A-4D17-B6D9-A23FE1852573}. You can query this value using Nmap's nmap --iflist command; you will get a similar value like \Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}, but they are NOT THE SAME. You need to remove the NPF_ from this string and copy it to the registry's BlockRx value. Then restart the driver by net stop npf and net start npf.

Multiple Block-Rx adapters can be specified; in that case the registry's BlockRx value should be a semicolon-separated list of adapter names.
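The four-step firewall loop above, together with the NPF_ name conversion that the BlockRx registry value needs, as an added C example; this is not Npcap's or UserBridge's own code. The allow-list policy, the sample frame builder and the HAVE_PCAP build macro are constructed for this example; the pcap calls (pcap_open_live, pcap_next_ex, pcap_sendpacket) are the standard ones the text names.

```c
/* Added example (not Npcap's or UserBridge's own code): a minimal Block-Rx
 * firewall loop following the four steps above, plus a helper that turns the
 * \Device\NPF_{GUID} name printed by nmap --iflist into the \Device\{GUID}
 * form the BlockRx registry value expects.
 * Assumption: HAVE_PCAP is a macro of this example only; define it and link
 * wpcap.lib to build the live loop. Without it only the policy and name
 * helpers are compiled, and they need nothing beyond the C library. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Policy constructed for this example: a new inbound TCP connection
 * (SYN set, ACK clear) is dropped unless its port is on the allow list. */
static const uint16_t allowed_tcp_ports[] = { 22, 443 };

static int port_allowed(uint16_t port) {
    for (size_t i = 0; i < sizeof allowed_tcp_ports / sizeof allowed_tcp_ports[0]; i++)
        if (allowed_tcp_ports[i] == port) return 1;
    return 0;
}

/* Step 2: decide on one Ethernet II frame as returned by pcap_next_ex.
 * Non-IPv4 frames (ARP, IPv6) pass so the host keeps basic connectivity. A
 * frame that claims IPv4/TCP but is too short to hold its headers is dropped,
 * not passed, so a truncated header cannot slip past the policy. */
enum verdict decide(const uint8_t *frame, size_t len) {
    if (len < 14) return VERDICT_DROP;
    if (((frame[12] << 8) | frame[13]) != 0x0800) return VERDICT_PASS;
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return VERDICT_DROP;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || iplen < ihl) return VERDICT_DROP;
    if (ip[9] != 6) return VERDICT_PASS;                 /* not TCP */
    if (iplen - ihl < 20) return VERDICT_DROP;           /* truncated TCP header */
    const uint8_t *tcp = ip + ihl;
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    int syn_only = (tcp[13] & 0x02) && !(tcp[13] & 0x10);
    return (syn_only && !port_allowed(dport)) ? VERDICT_DROP : VERDICT_PASS;
}

/* Turn \Device\NPF_{GUID} (as printed by nmap --iflist) into \Device\{GUID}
 * (as the BlockRx value wants). Returns NULL if the input is not in that
 * form. For several adapters, join the results with ';'. */
const char *blockrx_name_from_npf(const char *npf_name) {
    static char out[256];
    const char *prefix = "\\Device\\NPF_";
    size_t plen = strlen(prefix);
    if (strncmp(npf_name, prefix, plen) != 0 || npf_name[plen] != '{') return NULL;
    int n = snprintf(out, sizeof out, "\\Device\\%s", npf_name + plen);
    return (n < 0 || (size_t)n >= sizeof out) ? NULL : out;
}

/* Constructed sample input for exercising the policy offline: an Ethernet II /
 * IPv4 / TCP frame to dport with the given TCP flags; cut_to (1..54) truncates
 * it to simulate a malformed capture, 0 keeps the full 54 bytes. */
enum verdict decide_sample(uint16_t dport, uint8_t flags, size_t cut_to) {
    uint8_t buf[54];
    memset(buf, 0, sizeof buf);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;     /* v4/IHL 5, len, TTL, TCP */
    uint8_t *tcp = ip + 20;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = flags;                     /* data offset 5, flags */
    return decide(buf, cut_to ? cut_to : sizeof buf);
}

#ifdef HAVE_PCAP
#include <pcap.h>

/* Steps 2-4 on a live adapter already configured as Block-Rx and Send-to-Rx
 * (registry, then net stop/start npf): reinject what passes, drop the rest. */
int run_firewall(const char *npf_name) {
    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *h = pcap_open_live(npf_name, 65536, 1, 1, errbuf);
    if (!h) { fprintf(stderr, "pcap_open_live: %s\n", errbuf); return 1; }
    for (;;) {
        struct pcap_pkthdr *hdr;
        const u_char *data;
        int rc = pcap_next_ex(h, &hdr, &data);
        if (rc == 0) continue;                           /* read timeout */
        if (rc < 0) break;                               /* error or end of capture */
        if (decide(data, hdr->caplen) == VERDICT_PASS &&
            pcap_sendpacket(h, data, (int)hdr->caplen) != 0)
            fprintf(stderr, "pcap_sendpacket: %s\n", pcap_geterr(h));
        /* VERDICT_DROP: nothing to do, the frame is never reinjected */
    }
    pcap_close(h);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s \\Device\\NPF_{GUID}\n", argv[0]); return 2; }
    const char *reg = blockrx_name_from_npf(argv[1]);
    printf("BlockRx registry value for this adapter: %s\n", reg ? reg : "(not in NPF_ form)");
    return run_firewall(argv[1]);
}
#endif
```

The program prints the BlockRx value it derives from the adapter name rather than writing the registry itself, so the change stays an explicit administrative step followed by the driver restart the text requires. Note that with the decision loop in user mode, a crash or hang in decide() stalls all inbound traffic on the Block-Rx adapter, which is why every header length is checked before a field is read.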

How to specify a Send-To-Rx adapter:

See v0.05-r6 and v0.05-r7 for the details of Send-to-Rx.

The Npcap driver service's registry key is usually in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf. In this key, you need to manually create a REG_DWORD value named TimestampMode, whose value can be (in decimal):

0,  DEFAULT_TIMESTAMPMODE
1,  TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP
2,  TIMESTAMPMODE_QUERYSYSTEMTIME
3,  TIMESTAMPMODE_RDTSC (only supported on x86 systems)
99, TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP

If this value doesn't exist, Npcap will regard TimestampMode as 0.
Don't forget to restart the driver by net stop npf and net start npf to make this option change take effect.

You can also refer to https://www.wireshark.org/lists/wireshark-users/201008/msg00171.html and https://www.wireshark.org/lists/wireshark-users/201001/msg00125.html for the details about Timestamp Mode.