Npcap is the Nmap Project's packet sniffing library for Windows. It is based
on the wonderful WinPcap / Libpcap libraries, but with improved
speed, portability, security, and efficiency. In particular, Npcap
- WinPcap for Windows 10: Npcap works on Windows 7 and later by making use of the new
NDIS 6 Light-Weight Filter (LWF) API. It's faster than the deprecated
NDIS 5 API, which Microsoft could remove at any time. Also, the
driver is signed with our EV certificate and countersigned by Microsoft,
so it works even with the stricter driver signing requirements in Windows
- Extra Security: Npcap can be restricted so that only
Administrators can sniff packets. If a non-Admin user tries to utilize
Npcap through software such as Nmap or
Wireshark, the user will have to pass a
User Account Control (UAC) dialog to utilize the driver. This is
conceptually similar to UNIX, where root access is generally required to
capture packets. We've also enabled the Windows ASLR and DEP security
features and signed the driver, DLLs, and executables to prevent tampering.
- Loopback Packet Capture: Npcap is able to sniff loopback packets
(transmissions between services on the same machine) by using the
Windows Filtering Platform (WFP). After installation, Npcap will create
an adapter named Npcap Loopback Adapter for you. If you are a Wireshark
user, choose this adapter to capture and you will see all loopback traffic the
same way as on other non-loopback adapters. Try it by typing in commands like
“ping 127.0.0.1” (IPv4) or “ping ::1” (IPv6).
- Loopback Packet Injection: Npcap is also able to send loopback packets using the
Winsock Kernel (WSK) technique. User-level software such as
Nping can just send the packets out
using Npcap Loopback Adapter just like any other adapter. Npcap then does
the magic of removing the packet's Ethernet header and injecting the
payload into the Windows TCP/IP stack.
- WinPcap compatibility: For applications that don't yet make use
of Npcap's advanced features, Npcap can be installed in “WinPcap
Compatible Mode.” This will replace any existing WinPcap installation. If
compatibility mode is not selected, Npcap can coexist alongside WinPcap;
applications which only know about WinPcap will continue using that, while
other applications can choose to use the newer and faster Npcap driver instead.
Npcap is free for anyone to download and use (but not redistribute).
Simply run the executable installer. The full source code for each release is
available, and developers can build their apps against the SDK.
The latest development source is in our
GitHub source repository.
Windows XP and earlier are not supported; you can use
WinPcap for these versions.
The Npcap License allows end users to download, install, and use Npcap from our site for free. Software providers (open source or otherwise) which want to use Npcap functionality are welcome to point their users to npcap.org for those users to download and install.
We fund the Npcap project by selling licenses to companies who wish to redistribute Npcap within their products. The Npcap OEM edition allows companies to silently and seamlessly install Npcap during their product's installation rather than asking users to download and install Npcap themselves. The Npcap OEM commercial license also includes support, updates and indemnification. This is similar to the commercial licenses we offer for embedding Nmap in commercial software. More details are available from the Npcap OEM page.
The primary documentation for Npcap is the Npcap User's Guide. You can also refer to the README file on GitHub.
Questions, comments and bug reports are always welcome. Please use the Nmap
development mailing list (nmap-dev). To subscribe, please visit:
Code patches to fix bugs are even better than bug reports. Instructions for
creating patch files and sending them are available here.
Bug reports for Npcap can also be filed on the Nmap bug tracker.