Nmap Project's Windows packet capture and transmission library
Installer and debug symbols available from https://npcap.org/#download
Npcap can now tolerate network disconnections or NDIS stack modifications that previously resulted in programs like Wireshark stopping with the error "PacketReceivePacket error: The device has been removed. (1617)". This error may still be returned, but user programs can consider it a transient error. If the network is reconnected, capture can resume on the same handle. Fixes #506.
Improved validation for IRP parameters, resolving potential BSoD crashes that could be triggered by software interacting directly with the driver's device interface. These bugs still affect the last releases of WinPcap. Thanks to Ilja Van Sprundel from IOActive for reporting them.
Fix an issue with NX pool compatibility that caused Npcap 1.50 and 1.55 to fail to run on some Windows 7 systems. Fixes #536.
Fix how the installer handles /option=enforced, which was broken
in Npcap 1.55. Fixes #556.
Concurrently released the Npcap SDK Version 1.12, which fixes native ARM compilation by including the ARM64 wpcap.lib, among other changes. The SDK now has its own change log at https://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md.
Further driver source code hardening to catch more bugs before they manifest in worse ways. This includes adding more SAL annotations for code analysis, extra assertions, etc.
The /prior_driver installer option now selects the Npcap 1.30
driver, since Microsoft's cross-certificate expired 30 minutes
before we signed Version 1.31. See
#536.
Simplified the code base by removing a bunch of unused or
unneccessary code. This includes "kernel dump mode" (MODE_DUMP)
which was inherited from WinPcap 3.1 even though it had already been
deactivated there in 2005. Also removed legacy WinPcap code which allowed
their (long discontinued) "Pro" version DLL to install the driver
itself. This is not allowed by modern operating systems. We were
able to remove a bunch of code from NPFInstall.exe too. Updated the
INF file to prevent npf_wifi service from being configured, since it
was never actually used.
Fix an issue causing pcap_setmode()/PacketSetMode() with a value
of MODE_CAPT to fail. MODE_CAPT is the default for new handles,
so this only affects software that uses MODE_STAT and then
switches to MODE_CAPT, or software that expects a call to
pcap_setmode(MODE_CAPT) on a handle already in MODE_CAPT to
succeed. Fixes #558.
When installing Npcap in WinPcap API-Compatible mode (the default), the Npcap installer will perform the uninstallation of WinPcap directly instead of running the WinPcap uninstaller. This prevents the WinPcap uninstaller from rebooting the system and allows us to clean up partial or broken installations.
Further deprecate the "Legacy loopback support" option: The npcapwatchdog scheduled task will not check for the existence of the Npcap Loopback Adapter.
Added the PnpLockDown directive to the npcap.sys INF file for
additional Windows file protection of the driver binary.
Replaced a feature of NPFInstall.exe and the SimpleSC.dll NSIS plugin with Powershell commands to improve installer size and compatibility. May fix #226.
While you won't see it in the code itself, we dramatically improved our automated build and testing proceses. We now run automated native-arch builds and testing of multiple programs (particularly the SDK Examples) on all 3 architectures (x86, x64, and ARM). All tests are run with the debug build of the driver (assertions on) and Driver Verifier with at least standard settings, and only when that passes is the release build run through the same tests, also with Driver Verifier. The tests are also run in x86 emulation on x64 and ARM.
Installer and debug symbols available from https://npcap.org/#download . Npcap SDK 1.11 was released concurrently, with only minor changes to const-ness of some function parameters in Packet32.h and additional documentation on installer options.
Npcap installer can now recognize NetCfg status codes indicating that a
reboot is required (0x0004a020, NETCFG_S_REBOOT), and will prompt the user
to reboot. In silent mode, the installer will return code 3010 (0x0bc2,
ERROR_SUCCESS_REBOOT_REQUIRED) to indicate this result. Fixes #224.
Npcap installer's silent mode now offers better control over when to remove
and reinstall an existing Npcap installation. Documentation has been updated
for the new installation options /require_version, /require_features, and
/force and will be published with the new Npcap SDK 1.11. Fixes #523.
Fixed an installation failure (0xe0000247) on Windows 8.1/Server 2012 R2 and earlier systems which have not updated root certificates. The root certificates are now installed to the Roots trust store. Fixes #233.
Fixed an issue since Npcap 1.30 where broadcast and subnet masks for adapters
returned by pcap_findalldevs() were in host byte order, displaying values
like "0.240.255.255". Fixes #525.
Libpcap 1.10.1 has been updated to include some recent changes to the libpcap-1.10 release branch which extend support to adapters with the NdisMediumIP media type, including Wireguard Wintun virtual adapters. Fixes #173.
Added specific bad-value checks for issues originating in other drivers which
may be incorrectly attributed to Npcap. These checks, in combination with
additional const qualifiers, should serve as assurance that Npcap is not
modifying traffic during capture and cannot be responsible for such crashes.
Powershell commands launched by the installer are now run with the
-NoProfile option. Fixes #529.
Npcap SDK minor change to add const qualifiers to parameters to several Packet.dll functions.
Npcap installer now uses Unicode internally. This may result in mixed-encoding install.log files.
Installer and debug symbols available from https://npcap.org/#download
Fixed #513 which prevented Npcap 1.40 from installing.
All PowerShell scripts installed or used during installation are now digitally signed.
Npcap can now be installed on Windows 10 for ARM64 devices. Both ARM64 and x86 DLLs will be installed, allowing existing x86 applications such as Nmap or Wireshark to run without modification.
Npcap SDK 1.10 release coincides with this release, providing updated documentation and libs for ARM64.
Npcap code now passes Microsoft's Static Driver Verifier for NDIS drivers and Visual Studio's Code Analysis "AllRules" ruleset. A couple of minor and extremely-improbable bugs were fixed in addition to general code cleanup and annotation.
On Windows 8 and 8.1, the Npcap driver has been updated to NDIS 6.30, supporting network stack improvements like RSC and QoS. Windows 10 still uses NDIS 6.50 and Windows 7 uses NDIS 6.20.
Npcap is no longer distributed with SHA-1 digital signatures. Windows 7 and Server 2008 R2 will require KB4474419 in order to install Npcap. All other platforms support SHA-2 digital signatures by default.
Streamlined loopback packet injection to avoid using Winsock Kernel (WSK) sockets. This removes a significant amount of complexity and overhead.
Due to Microsoft's deprecation of cross-signed root certificates for kernel-mode code signing,
Npcap 1.40 may not install correctly on Windows versions prior to Windows 10.
Our testing did not show any issues, but users who experience installation
failures may use the /prior_driver=yes installation option to install the
Npcap 1.31 driver instead, which has no such issues.
The "npcapwatchdog" scheduled task, which ensures the Npcap driver service is configured to start at boot, is now installed with a description when possible (Windows 7 does not support creating scheduled tasks via PowerShell). Fixes #498.
Fix an issue where installation under Citrix Remote Access or other situations would fail with the message "Installer runtime error 255 at 76539962, Could not load SimpleSC.dll". Fixes #226.
Ensure driver signature can be validated on systems without Internet access by installing the entire certificate chain, including the chain for the timestamp counter-signature. This should address #233.
Fix an issue with comparing adapter names retrieved from the Registry. This prevented Npcap 1.31 from being used for SendToRx and other less-used features. Fixes #311.
Npcap driver no longer excludes adapters based on media type, which may allow capture on some devices that were previously unavailable.
RELEASE RETRACTED Due to #513, we have retracted Npcap 1.40 and have released Npcap 1.50 to address this issue.
Installer and debug symbols available from https://npcap.org/#download
Fix a bug with the non-default legacy loopback capture support that caused all requests to open a capture handle to open the loopback capture instead. It is recommended to not select "Legacy loopback support" at installation unless you know your application relies on it. Fixes #302.
For Windows 10 and Server 2016 and later, restore the ability to capture traffic on VMware VMnet interfaces such as the host-only and NAT virtual networks. This will be restored for other supported Windows versions in a later release. Fixes #304.
Installer and debug symbols available at https://npcap.org/#download
Restore raw WiFi frame capture support, which had been broken in a few ways
since Npcap 0.9983. Additional improvements enable PacketSetMonitorMode()
for non-admin-privileged processes, allowing Wireshark to correctly enable
monitor mode via checkbox without requiring WlanHelper.exe.
Fixed WlanHelper.exe to correctly set modes and channels for adapters, if run with Administrator privileges. Fixes #122.
Improved speed of pcap_findalldevs() by using fewer calls to
GetAdaptersAddresses() and avoiding direct Registry inspection. The new
method may result in more adapters being available for capture than
previously reported. See #169.
Updated Packet.dll to use modern HeapAlloc() allocation, faster than the
legacy GlobalAlloc() inherited from WinPcap.
Improve error reporting from PacketGetAdapterNames() and related functions.
Installer, SDK and debug symbols available from https://npcap.org/#download
Upgrade wpcap.dll to libpcap 1.10. This change enables software to use
pcap_set_tstamp_type() to set the packet capture time source and precision
per capture handle. The currently-supported types (see
pcap-tstamp) are:
PCAP_TSTAMP_HOST_HIPREC_UNSYNCED - default, maps to TIMESTAMPMODE_SINGLE_SYNCHRONIZATION
PCAP_TSTAMP_HOST_LOWPREC - maps to TIMESTAMPMODE_QUERYSYSTEMTIME
PCAP_TSTAMP_HOST_HIPREC - maps to TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE
Fix an issue preventing WlanHelper.exe from changing WiFi parameters for
adapters which caused the error message "makeOIDRequest::My_PacketOpenAdapter
error". Fixes #122 and several other reports
of the same issue.
Fixed an issue that prevented NDIS protocol drivers from reducing the hardware packet filter, even if the removed bits/filters were only set by that protocol driver initially. This may fix #106.
Fixed an issue with pcap_sendqueue_transmit() that caused it to busy-wait
in an attempt to synchronize packet sends with pcap timestamps, even when the
program did not request synchronization. Fixes #113.
The installer will now safely remove and replace broken installations due to #268.
Upgraded installer to NSIS 3, which improves compatibility with modern Windows versions.
Added application manifests to several installer tools and removed Windows Vista from the manifests of others, improving compatibility.
Installer and debug symbols available from https://npcap.org/#download
Fixed an issue where our upgrade uninstaller would trigger the #1924 BSoD crash when upgrading from Npcap 0.9988 or older to version 0.9996 or greater. Fixes #268.
Improved handling of large packets when a very small user buffer size is specified, which could lead to stalled captures and dropped packets.
Fix a packet corruption issue when one capture handle sets a snaplen of exactly 256 bytes and another sets a snaplen of greater than 256 bytes and the packet size exceeds 256 bytes.
Fix accounting of free space in the kernel buffer so that bugs like the previous one do not cause space to be permanently lost, leading to dropped packets. Instead, use assertions to catch this condition in testing with the debug build.
Check that the npcap driver service is configured for SYSTEM_START in the npcapwatchdog
scheduled task and correct it if necessary. Windows feature updates can modify this value.
Installer and debug symbols available from https://npcap.org/#download
After more than 7 years of development and 170 previous public releases, the Nmap Project is delighted to release Npcap version 1.00!
New Packet.dll function PacketGetTimestampModes() to retrieve supported
packet timestamping modes. These do not currently vary by adapter, but
TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE is not supported on Windows 7, for
example. Fixes #174.
Installer and debug symbols available from https://npcap.org/#download
Fix an integer underflow in the amount of free buffer space available leading to excessive memory consumption. Fixes #223.
Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.
Replaced object pool/slab allocator with Windows lookaside lists, improving performance by avoiding spinlocks and allowing the system to adjust memory consumption.