Nmap Project's Windows packet capture and transmission library
Installer and debug symbols available from https://npcap.org/#download
Fix a runaway memory leak triggered by low-resources condition leading to system hangs. Fixes #213.
Fix a BSoD crash in NPF_Read in some high-traffic cases. Fixes #206.
Fix a handle leak in Packet.dll when enumerating interfaces. Fixes #26.
Fix an inconsistency between return value and IRP completion status in
NPF_Read when an adapter is removed. Driver Verifier would cause a bugcheck
(BSoD) in this case, and pcap API functions would not detect an error.
Fixes #217
Improved performance by reusing allocated packet data buffers and
implementing DISPATCH_LEVEL tracking throughout the driver to speed up lock
acquisition.
When upgrading from compatible recent versions (currently Npcap 0.9985 and
newer), the installer will unpack a new Uninstall.exe and NPFInstall.exe
prior to removing the existing installation. This resolves issues with the
uninstallation process such as were common in Npcap 0.9991 through 0.9994.
Upgraded build system to VisualStudio 2019 and WDK 10.0.18362.0
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_Read when NDIS filter module is detached from the
adapter. Fixes #194
On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10 WFP compatibility, supporting network stack improvements like RSC. Fixes #196.
Correctly obey maximum frame size for an adapter by querying
OID_GEN_MAXIMUM_TOTAL_SIZE instead of using MTU, which does not include
space for the link layer header. Fixes #186.
Fix detection of processes using Npcap resources during uninstall or upgrade. The fix for #2015 had broken this so such processes were not terminated, leading to failed installations.
Obey snaplen (pcap_set_snaplen()) even if a packet filter is not set. This
is a backported change from upstream libpcap that corrects a deficiency that
has been present in all previous versions of WinPcap and Npcap.
Fixes #201.
Improvements to object pool/slab allocator to allow nonpaged memory to be freed when not in use.
When installing Npcap OEM in silent mode, avoid running C:\Uninstall.exe if no existing Npcap installation is present.
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_ReleaseOpenInstanceResources due to miscounting of
number of open Loopback capture instances. Fixes #185.
Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing a data structure that already contained packet data.
Fix a crash in NPFInstall.exe that happened when trying to rebind Npcap to
the network stack as part of some installations. Reported by Microsoft App
Assure ISV Outreach Team.
When multiple packets are indicated in a single FilterReceiveNetBufferLists
callback, only get a single timestamp for all of them. Avoids extra calls to
KeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended up
measuring Npcap processing delay, not actual packet arrival time.
Fix a potential NULL pointer deref issue in Objpool.h macros if an
allocation were to fail and return a NULL pointer.
Fix parsing of pnputil.exe output that resulted in Npcap drivers not being
cleared from the DriverStore before installing or upgrading. This led to
older drivers being preferred in some cases, such as installing an unsigned
driver in test mode.
Move all capture- and injection-related initialization code out of
NPF_OpenAdapter, improving efficiency of operations like listing adapters
or performing OID requests without starting a full capture.
Added SAL annotations to most driver functions to improve static analysis. Found one issue related to using a NULL NDIS handle in an allocation function, which is not supported on Windows 7.
Allow driver to load even if there is a problem initializing loopback capture or injection functions. The loopback capture device will simply be unavailable in that case.
Installer and debug symbols available from https://npcap.org/#download
Fix a BSoD crash in NPF_DoInternalRequest triggered by suspending the
system while a capture is running. Added source annotations to allow static
analysis to catch bugs like this in the future. Fixes #181.
Fix a bug introduced in Npcap 0.9992 which caused loopback capture to fail if any loopback capture had been previously started and finished.
Fix packet length calculation for loopback capture. The packet length was being counted twice, leading to junk data being appended to captured packets.
If installation fails for any reason other than a failure to uninstall the
previous version of Npcap, the current version's uninstaller will be used to
clean up any partial installation. The only remaining files will be the
install.log and NPFInstall.log in the Npcap installation directory.
Fixes #170
Replaced ReadWriteLock mechanisms with improved NDIS_RW_LOCK_EX new in NDIS
6.20 for improved performance.
Moved object pool for captured packets from the filter module (adapter) object to the open instance (pcap handle) to allow memory to be recovered after a capture is closed.
Installer and debug symbols available from https://npcap.org/#download
Npcap issues are now tracked on their own Github Issues page, separate from Nmap issues. Many existing issues have been migrated, and issue numbers may have changed.
Rewrote the kernel packet capture buffer code again to avoid requiring a separate worker thread. Instead, captured packets are held directly in a synchronized queue. The worker thread introduced in Npcap 0.9991 was unable to keep up with the volume of packet requests, leading to buffer bloat and reduced performance.
Avoid initializing loopback capture-related functions and processing packets as soon as an adapter is opened. This will improve performance since adapters are opened as part of listing adapters.
Fix a crash in NPFInstall.exe when terminating processes which are using Npcap resources. This could lead to failed installations and message windows about "A LWF & WFP driver installation tool has stopped working."
Update Npcap from NDIS 6.10 to NDIS 6.20, which limits its compatibility to Windows 7 and higher. Closes #167.
Fix a bug in Npcap 0.9991 which prevented packets from being captured until a BPF filter had been set. Fixes #168 (migrated from nmap/nmap#2037).
Allow capture statistics and captured packets remaining in the buffer to be retrieved when an adapter is removed. Fixes nmap/nmap#2036.
Use WMI instead of the Windows 10-only Get-NetAdapter Powershell cmdlet in
the DiagReport tool. Fixes nmap/nmap#611.
Installer, SDK, and debug symbols available from https://npcap.org/#download
Switched our code signing certificate back to DigiCert after some users found older Windows versions could not validate the signature on our driver for versions 0.9985 through 0.9990. The driver is again dual-signed with SHA-1 and SHA-2 certificates. See #2012
Major changes to management of Npcap driver's circular packet buffer, switching from per-CPU unshared segments to a single worker thread managing a queue of work items. This improves buffer utilization, reduces the amount of time spent processing in the network stack, and should reduce packet loss. See #1967.
Several performance-related improvements to the NDIS filter driver: Switched from SpinLocks to ReadWriteLocks for several crucial shared data structures, which will improve performance by reducing resource contention on multiprocessor systems, and introduced an object-pool allocation pattern for several frequently-used short-lifetime objects, improving performance by reducing memory allocations.
Again restore "unused" NDIS filter callbacks which cause Windows 7 to lose connectivity when they are removed. See #1998.
Include debug symbols for wpcap.dll in our debug symbols zip file at
https://npcap.org/#download . Fixes #1844.
Fixed #1996: heap corruption in
NPFInstall.exe since Npcap 0.9989 leading to hung installs when the "raw
802.11 traffic" option was checked.
Fixed #2014: Npcap OEM silent install produced a dialog when installing over an existing installation of the same version.
Uninstaller improvements related to removing the installation directory, properly killing processes using Npcap DLLs, not leaving a partial installation if a step fails. Fixes #2013 and #2015.
Installer, SDK, and debug symbols available from https://npcap.org/#download
Improve compatibility with WinPcap's behavior regarding injected traffic.
WinPcap uses inefficient loopback to capture all outbound traffic, but allows
PacketSetLoopbackBehavior() to avoid this for injected traffic. Because of
Npcap's more efficient design, injected traffic was never looped back up to
protocol drivers, causing problems for some users who relied on this behavior.
Now, injected traffic follows the same path as with WinPcap, though ordinary
traffic is unaffected. For highest efficiency without loopback, use
PacketSetLoopbackBehavior(PACKET_DISABLE_LOOPBACK). Fixes #1343,
#1929, and GNS3/gns3-gui#2936
No longer honor NDIS_PACKET_TYPE_ALL_LOCAL set via PacketSetHwFilter().
This packet filter causes all local traffic to be routed through an unoptimized
loopback path within NDIS, which was necessary to capture outgoing traffic in
WinPcap but is no longer needed in Npcap. Instead, this value will be treated as
NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST.
Fix a bug that caused TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE to fall back to
TIMESTAMPMODE_QUERYSYSTEMTIME even when KeQuerySystemTimePrecise() was
available. Fix by Mauro Levra in PR#23.
Installer will now install an intermediate CA cert that was missing from some systems, which is needed to verify the driver's digital signature. Only affects Windows versions prior to Windows 10.
Backport a fix from libpcap needed to properly support
NdisMediumWirelessWan. See #1573.
Include experimental support for AirPcap cards if airpcap.dll (not
included) is installed.
Installer, debug symbols, and SDK available from https://npcap.org/#download
Fix a BSOD crash in NPF_OpenAdapter due to reading past the end of a
string. Fixes #1924
Fix a BSOD crash (NULL pointer dereference) in NPF_Restart.
Fixes #1964.
Fix a memory leak in the Loopback WFP filter. Additionally, WFP callbacks will be unregistered when all loopback captures are closed, reducing impact of related code when not in use. Fixes #1966.
New Packet.DLL function PacketSetTimestampMode() allows a user program to
set the method used to timestamp packets as they arrive. See #1775.
Supported modes are:
TIMESTAMPMODE_SINGLE_SYNCHRONIZATION - default monotonic timestamps based
on KeQueryPerformanceCounter()
TIMESTAMPMODE_QUERYSYSTEMTIME - low-precision wall clock time based on
KeQuerySystemTime()
TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE - high-precision wall clock time
based on KeQuerySystemTimePrecise(), new in this release and only
available on Windows 8 and newer. See #1407.Remove some problematic timestamp modes:
TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP and
TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP were undocumented;
TIMESTAMPMODE_RDTSC was x86-only and not suitable for multi-processor
systems. See #1829.
The Npcap SDK 1.05 will be released to include the new
PacketSetTimestampMode() function.
Installer and debug symbols available from https://npcap.org/#download
If a capture is in progress when the system is suspended, it will continue without interruption after the system is woken. This also prevents capture interruptions when the OS makes certain network stack changes. Fixes #1903.
If the npcap driver is stopped, Packet.dll will attempt to start it automatically. This feature requires Administrator privilege and had been removed in Npcap 0.9983. Fixes #1911.
Fix the check for fragmented packets in loopback capture. Closes PR #22.
Eliminate clone/block/inject pattern from loopback capture except for packets already injected by Npcap. Should fix #1529 and #1789.
Fix an issue in the Npcap OEM installer where silent mode would not detect a failure to install the npcap driver. Fixes #1910.
Improve the installer to avoid broken installations and allow the installer to continue if a broken installation is detected. Fixes #1935.
Formally removed support for Windows Vista and Server 2008 r1, which are no longer supported by Microsoft either. This allows us to support newer Windows WFP and NDIS features for better performance and compatibility. Folks who must still run these ancient Windows releases should use Npcap version 0.9984 from https://nmap.org/npcap/dist/?C=M;O=D. That was the last Npcap release to support the old (and less secure) SHA-128 driver signatures required by these Windows Vista/2008. Please note that Windows Server 2008 r2 and Windows 7 are still supported in this release even though they have also passed their Microsoft end-of-life dates.
Installer and debug symbols available from https://npcap.org/#download
Fix an issue where Npcap begins dropping large packets, then smaller ones until finally all packets are dropped. Our fix changes the way remaining free space in the kernel buffer is calculated, which ought to prevent the free space accounting from drifting from reality. Fixes #1891.
Fix a potential race condition when opening the loopback capture adapter. If two threads simultaneously determine that the WFP filters need to be registered, each may open a handle to the WFP engine using the same global pointer, leading to a double-free when the second one tries to close the handle.
Allow Packet.dll and the npcap driver to skip loopback-related operations,
including WFP and WSK setup, if the LoopbackSupport Registry key is set
to 0. This configuration will not be supported by the installer, but may
serve as a workaround for problems that may be related to Npcap's loopback
traffic capture and injection capability.
Ensure open handles to the Service Control Manager are closed on error in PacketGetFileVersion. Fixes #1882.