Nmap Project's Windows packet capture and transmission library
OTHER License
Published by hsluoyz over 8 years ago
Thanks Luff Vince for reporting this bug!
npcap-nmap-0.06-r13.exe: Compared with the 0.06-r12 version, this version fixed the bug that the driver won't install on Win7 x86.
npcap-nmap-0.06-r13-wifi.exe: This -wifi special version of Npcap will capture Native 802.11 data packets instead of Fake Ethernet II packets. See this:
Published by hsluoyz over 8 years ago
Thanks Pascal for reporting this bug!
Published by hsluoyz over 8 years ago
Thanks Pascal for reporting this bug!
Published by hsluoyz over 8 years ago
Published by hsluoyz over 8 years ago
Thanks Pascal and Komosa for reporting this bug!
I totally rewrote the ring buffer code that copies received packets to memory. So if there are any bugs about received packets, please let me know!
Published by hsluoyz over 8 years ago
Published by hsluoyz over 8 years ago
R7.2: Now VMware VMnet adapters can be seen in Npcap.
R7.1: Attention: This release has been updated to R7.1, please download again! The original R7 version has a severe bug that causes malformed packets to be captured. Please use the latest R7.1 version.
R7: An example of changing option feature for silent installation is:
npcap-nmap-0.06-r7.1.exe /S /admin_only=no /loopback_support=yes /dlt_null=no /vlan_support=yes /winpcap_mode=yes
/admin_only, it will take the default value no. This is the same with the GUI.
yes or no.
Published by hsluoyz over 8 years ago
DON'T DOWNLOAD THIS!
This release has a bug that causes malformed packets to be captured. Please use the latest version.
Published by hsluoyz over 8 years ago
DON'T DOWNLOAD THIS!
This release has a bug that causes malformed packets to be captured. Please use the latest version.
Published by hsluoyz over 8 years ago
Improvements:
Task Manager.
The debug symbols of 0.06 r4 are shared with 0.06.
Published by hsluoyz over 8 years ago
Now the Npcap installer will create a Windows system restore point named "Before Npcap %VERSION% installs" before the actual installation process and create a point named "Before Npcap %VERSION% uninstalls" before uninstallation.
NOTE: this behavior is mandatory.
The debug symbols of 0.06 r3 are shared with 0.06.
Published by hsluoyz over 8 years ago
Improvements:
SysRestore plug-in is used: https://github.com/hsluoyz/SysRestore
The debug symbols of 0.06 r2 are shared with 0.06.
Published by hsluoyz over 8 years ago
Fixed the bug reported by yyjdelete that Npcap causes BSoD if the user tries to disable the adapter while sending packets.
Published by hsluoyz over 8 years ago
Now the installer has added an option called "Create a system restore point before installing Npcap". If this option is checked, the Npcap installer will create a Windows system restore point named "Before installing Npcap" before the actual installation process. Returning to this point will roll back all changes made by Npcap.
Note: this option is NOT checked by default.
The debug symbols of 0.05 r16 are shared with 0.05 r15.
Published by hsluoyz over 8 years ago
Now Npcap will release new versions shipping with the corresponding debug symbols. These PDB files will help in debugging BSoDs and user-mode crashes of Npcap binaries. The file structure inside the zip is the same as the structure of the binaries, which is shown below:
npcap.sys for Vista, Win7
npf.sys for Vista, Win7 (at WinPcap Compatible Mode)
npcap.sys for Win8, Win10, Packet.dll, NPFInstall.exe, NPcapHelper.exe
npf.sys for Win8, Win10, Packet.dll, NPFInstall.exe, NPcapHelper.exe (at WinPcap Compatible Mode)
wpcap.dll
Published by hsluoyz over 8 years ago
We used the legacy SHA1 code signing cert to sign the Npcap driver in Win7, so no need for Win7 users to install the KB3033929 patch any more.
PS: This version Npcap is supposed to have fixed all signing errors, so it will successfully install on all the platforms: Vista, Win7, Win8, Win8.1 and Win10 without any prerequisites.
Published by hsluoyz over 8 years ago
Vista users should be able to install Npcap driver normally now.
For Win7 x64 users:
If you still get the pop-up window that said "Windows requires a digitally signed driver" (or get error 577 when executing net start npf), please try these steps:
KB3033929 for Win7: https://technet.microsoft.com/en-us/library/security/3033929.aspx
Published by hsluoyz over 8 years ago
Published by hsluoyz over 8 years ago
Now Npcap can BLOCK the traffic instead of just inspecting packets. The Block-Rx adapters will reject all incoming packets except the ones injected by Npcap itself.
Block-Rx and send-to-Rx adapter. Npcap driver needs to be restarted.
pcap_next_ex to retrieve and parse all traffic on an adapter, make a decision (Pass or Drop) based on your own way.
Pass, call pcap_sendpacket to reinject the packet to the same adapter.
Drop, do nothing. This packet will be dropped.
A firewall example is provided here:
https://github.com/hsluoyz/UserBridge
Block-Rx adapter:
Npcap driver service's registry key is usually in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf
In this key, you need to manually create a REG_SZ value named BlockRx; the value is the name of the adapter you want to be the Block-Rx adapter. The name usually has a format like \Device\{F5A00000-E19A-4D17-B6D9-A23FE1852573}. You can query this value using Nmap's nmap --iflist command, which gives a similar value like \Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}, but they are NOT THE SAME. You need to remove the NPF_ from this string and copy it to the registry's BlockRx value. Then restart the driver with net stop npf and net start npf.
There can be multiple Block-Rx adapters. The string specified in the registry's BlockRx value should be semicolon-separated.
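The BlockRx steps above, written as a PowerShell sketch. This is an added example, not code from the Npcap project: the function names are hypothetical, the registry key is the "usual" location given in the release note, and the sample device name reuses the GUID from the note.

```powershell
# Added example; ConvertTo-BlockRxValue and Set-NpcapBlockRx are hypothetical helper names.
$NpfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\npf'   # usual location, per the release note

function ConvertTo-BlockRxValue {
    param([Parameter(Mandatory)][string[]]$IflistName)
    # Accept \Device\NPF_{GUID} (as printed by nmap --iflist) or \Device\{GUID}.
    $pattern = '^\\Device\\(?:NPF_)?(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$'
    $names = foreach ($n in $IflistName) {
        $m = [regex]::Match($n.Trim(), $pattern)
        if (-not $m.Success) { throw "Not an adapter device name: $n" }
        '\Device\' + $m.Groups[1].Value            # NPF_ prefix removed
    }
    ($names | Select-Object -Unique) -join ';'     # multiple adapters are semicolon-separated
}

function Set-NpcapBlockRx {
    param([Parameter(Mandatory)][string[]]$IflistName)
    $value = ConvertTo-BlockRxValue -IflistName $IflistName
    if (-not (Test-Path $NpfKey)) { throw "Npcap service key not found: $NpfKey" }
    # REG_SZ value named BlockRx, as the release note describes.
    New-ItemProperty -Path $NpfKey -Name 'BlockRx' -PropertyType String -Value $value -Force | Out-Null
    # Restart the driver so the new value is read.
    net stop npf
    net start npf
    (Get-ItemProperty -Path $NpfKey -Name 'BlockRx').BlockRx
}

# Constructed sample input: shows the conversion only and changes nothing on the system.
ConvertTo-BlockRxValue -IflistName '\Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}'

# To apply, run from an elevated prompt:
# Set-NpcapBlockRx -IflistName '\Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}'
```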
Send-To-Rx adapter:
Published by hsluoyz over 8 years ago
Npcap driver service's registry key is usually in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf. In this key, you need to manually create a REG_DWORD value named TimestampMode. The value can be (in decimal):
0, DEFAULT_TIMESTAMPMODE
1, TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP
2, TIMESTAMPMODE_QUERYSYSTEMTIME
3, TIMESTAMPMODE_RDTSC (only supported on x86 systems)
99, TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP
If this value doesn't exist, Npcap will regard TimestampMode as 0.
Don't forget to restart the driver with net stop npf and net start npf to make this option change take effect.
You can also refer to https://www.wireshark.org/lists/wireshark-users/201008/msg00171.html and https://www.wireshark.org/lists/wireshark-users/201001/msg00125.html for the details about Timestamp Mode.
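A PowerShell sketch for reading and setting TimestampMode as described above. This is an added example, not code from the Npcap project: the function names are hypothetical, and treating "x86 systems" as 32-bit Windows is an assumption, so mode 3 only produces a warning on 64-bit Windows.

```powershell
# Added example; function names are hypothetical, mode values are those listed in the release note.
$NpfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\npf'   # usual location, per the release note
$TimestampModes = @{
    0  = 'DEFAULT_TIMESTAMPMODE'
    1  = 'TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP'
    2  = 'TIMESTAMPMODE_QUERYSYSTEMTIME'
    3  = 'TIMESTAMPMODE_RDTSC'
    99 = 'TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP'
}

function Get-NpcapTimestampMode {
    if (-not (Test-Path $NpfKey)) { throw "Npcap service key not found: $NpfKey" }
    $prop = Get-ItemProperty -Path $NpfKey -Name 'TimestampMode' -ErrorAction SilentlyContinue
    $present = $null -ne $prop
    $mode = if ($present) { [int]$prop.TimestampMode } else { 0 }   # absent value is regarded as 0
    [pscustomobject]@{
        Mode    = $mode
        Name    = if ($TimestampModes.ContainsKey($mode)) { $TimestampModes[$mode] } else { 'UNLISTED' }
        Present = $present
    }
}

function Set-NpcapTimestampMode {
    param([Parameter(Mandatory)][int]$Mode)
    if (-not $TimestampModes.ContainsKey($Mode)) {
        throw "Mode $Mode is not one of the listed values: 0, 1, 2, 3, 99"
    }
    # Assumption: "x86 systems" in the release note means 32-bit Windows.
    if ($Mode -eq 3 -and [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'TIMESTAMPMODE_RDTSC is documented as supported on x86 systems only.'
    }
    New-ItemProperty -Path $NpfKey -Name 'TimestampMode' -PropertyType DWord -Value $Mode -Force | Out-Null
    # Restart the driver so the change takes effect.
    net stop npf
    net start npf
    Get-NpcapTimestampMode
}

# Read-only check of the current setting; Set-NpcapTimestampMode needs an elevated prompt.
Get-NpcapTimestampMode
```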