Npcap is an update of WinPcap to the NDIS 6 Light-Weight Filter (LWF) technique. It supports Windows Vista, 7, 8 and 10. It is sponsored by the Nmap Project and developed by Yang Luo under Google Summer of Code 2013 and 2015. It also received many helpful tests from Wireshark and NetScanTools.
NDIS 6 Support: Npcap makes use of the new LWF driver in Windows Vista and later (the legacy driver is used on XP). It's faster than the legacy NDIS 5 Intermediate technique. One reason is that the packet data structure has changed (from NDIS_PACKET to NET_BUFFER_LIST) since Vista, so NDIS 5 needs to handle an extra packet structure conversion.
“Admin-only Mode” Support: Npcap can restrict its use to Administrators for safety. If Npcap is installed with the option “Restrict Npcap driver's access to Administrators only” checked, then when a non-Admin user tries to start user software (Nmap, Wireshark, etc.), the User Account Control (UAC) dialog will prompt for Administrator privilege. Only when the end user chooses Yes can the driver be accessed. This is similar to UNIX, where you need root access to capture packets.
“WinPcap Compatible Mode” Support: “WinPcap Compatible Mode” is used to decide whether Npcap should coexist with WinPcap or be compatible with WinPcap. With “WinPcap Compatible Mode” OFF, Npcap can coexist with WinPcap and share the DLL binary interface with WinPcap. So applications unaware of Npcap SHOULD be able to use Npcap automatically if WinPcap is unavailable. Applications that know about Npcap's existence can choose to use Npcap or WinPcap first. The key to which is loaded first is the DLL Search Path. With “WinPcap Compatible Mode” OFF, Npcap installs its DLLs into C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So applications that want to load Npcap first must make C:\Windows\System32\Npcap\ take precedence over other paths, for example by calling SetDllDirectory. Another point is that Npcap uses the service name “npcap” instead of WinPcap's “npf” with “WinPcap Compatible Mode” OFF. So applications using net start npf to start the service must use net start npcap instead. If you want 100% compatibility with WinPcap, you should install Npcap choosing “WinPcap Compatible Mode” (“Install Npcap in WinPcap API-compatible Mode”). In this mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and use the “npf” service name. Note that before installing in this mode, you must uninstall WinPcap first (the installer wizard will prompt you about that).
Loopback Packets Capture Support: Now Npcap is able to see Windows loopback packets using the Windows Filtering Platform (WFP) technique. After installation, Npcap will create an adapter named “Npcap Loopback Adapter” for you. If you are a Wireshark user, choose this adapter to capture, and you will see all loopback traffic the same way as on other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
Loopback Packets Send Support: Besides capturing loopback packets, Npcap can also send out loopback packets based on the Winsock Kernel (WSK) technique. User software (e.g. Nmap) can just send packets out using “Npcap Loopback Adapter” like other adapters. “Npcap Loopback Adapter” will automatically remove the packet's Ethernet header and inject the payload into the Windows TCP/IP stack, so this kind of loopback packet never goes out of the machine.
Raw 802.11 Packets Capture Support: Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in “Monitor Mode”, Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in “Managed Mode”, Npcap will only supply 802.11 data packets with radiotap headers. Moreover, Npcap provides the WlanHelper.exe tool to help you switch to “Monitor Mode” on Windows. See more details about this feature in section “For softwares that use Npcap raw 802.11 feature”. See more details about radiotap here: http://www.radiotap.org/
Npcap tries to keep the original WinPcap architecture as much as possible. As the table shows, you will find it very similar to WinPcap.
Table 1. Npcap Architecture
Binary | Source | Description |
---|---|---|
wpcap.dll | wpcap | the libpcap API; adds “loopback support” to the original WinPcap |
Packet.dll | packetWin7\Dll | the Packet API for Windows; adds “Admin-only Mode” to the original WinPcap |
npf.sys (or npcap.sys) | packetWin7\npf | the driver, ported from NDIS 5 to NDIS 6; two names are supported, npf or npcap, depending on whether Npcap is installed in “WinPcap Compatible Mode” |
NPFInstall.exe | packetWin7\NPFInstall | an LWF & WFP driver installation tool added to Npcap |
NPcapHelper.exe | packetWin7\Helper | the helper program for “Admin-only Mode”; runs with Administrator rights |
WlanHelper.exe | packetWin7\WlanHelper | a tool to set/get the operation mode (like “Monitor Mode”) of a wireless adapter; runs with Administrator rights |
Sometimes, your user software needs to detect the existence of Npcap/WinPcap at install-time or run-time. Although Npcap's GUI installer has the ability to handle this, you may want to handle it yourself in some conditions, like when you run the Npcap installer in silent mode. Run-time detection is even more useful. Your software probably has some functions that rely on Npcap's particular features (like the loopback interface). You need to know whether you are running on top of Npcap or the legacy WinPcap to decide whether to switch those functions on. Fortunately, Npcap provides some methods to detect Npcap/WinPcap at install-time and run-time.
You may notice that Npcap has several version strings. The installer name can be something like npcap-0.07-r5.exe. “0.07” is the version number, and “r5” is the revision number. We use a version number less than “1.00” to imply that it's still a beta release. This naming follows Nmap's convention. However, WinPcap follows a different version system: it has three dotted figures like “4.1.3”, which is more Wireshark-like. One thing you need to know here is that Npcap started its development based on the latest WinPcap, “4.1.3”, so any Npcap release is more advanced than WinPcap's latest release. Another thing to notice is that the “0.07” version number can be obtained from the pcap_lib_version function. The “r5” revision number only appears in the installer filename; it doesn't show up in any code or functions. So you'd better not determine anything based on the Npcap revision number. Just use the latest release.
The executable file version (aka e-version in this document) is another thing to notice. An e-version has four dotted figures on Windows. Npcap's e-version is something like “5.0.7.424”. The “5” here is used to make Npcap's version greater than the legacy WinPcap's e-version “4.1.0.2980”, because “5.0.7.424” is larger than “4.1.0.2980”. The legacy WinPcap installer and Wireshark use the e-version to check the version of WinPcap. Usually this legacy code doesn't even know about Npcap, so Npcap needs to make it simply think Npcap is a newer version of WinPcap. The “0” and “7” in Npcap's e-version correspond to Npcap's version “0.07”. “424” means that this release was built on date “4.24” (aka April 24th). When Npcap jumps to a new version (like from “0.06” to “0.07”), the e-version will also change (like from “0.6.0.301” to “0.7.0.424”). A revision update won't cause a change of version or e-version.
You can check the existence of C:\Program Files\Npcap\NPFInstall.exe to detect Npcap's existence. If Npcap exists, you can check the file version of C:\Program Files\Npcap\NPFInstall.exe to detect Npcap's e-version. The e-version also gives you the version. The NSIS code is shown below; $inst_ver is an e-version string like “5.0.7.424”.

```nsis
; $R0 receives the high DWORD (major.minor), $R1 the low DWORD (build.revision)
GetDllVersion "C:\Program Files\Npcap\NPFInstall.exe" $R0 $R1
IntOp $R2 $R0 / 0x00010000   ; major  = high word of $R0
IntOp $R3 $R0 & 0x0000FFFF   ; minor  = low word of $R0
IntOp $R4 $R1 / 0x00010000   ; build  = high word of $R1
IntOp $R5 $R1 & 0x0000FFFF   ; revision = low word of $R1
StrCpy $inst_ver "$R2.$R3.$R4.$R5"
```
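The same high-word/low-word split carried through in C, as an added example that is not code from the Npcap guide: it decodes the two file-version DWORDs into an e-version, compares e-versions numerically the way a legacy WinPcap-aware check must, and recovers the Npcap version from the “5.0.7.424” layout described above. The DWORD values are constructed, and the mapping of the second and third fields to “0.07” is an assumption taken from the text.

```c
/* Added example (not from the Npcap guide): decode the dwFileVersionMS /
 * dwFileVersionLS DWORDs of a Windows file version into an e-version,
 * compare e-versions numerically, and recover the Npcap version string. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    unsigned f[4];              /* e.g. 5.0.7.424 */
} eversion_t;

/* Same arithmetic as the NSIS snippet: high and low 16 bits of each DWORD. */
static eversion_t eversion_from_dwords(uint32_t ms, uint32_t ls) {
    eversion_t v;
    v.f[0] = ms >> 16;          /* IntOp $R2 $R0 / 0x00010000 */
    v.f[1] = ms & 0xFFFFu;      /* IntOp $R3 $R0 & 0x0000FFFF */
    v.f[2] = ls >> 16;          /* IntOp $R4 $R1 / 0x00010000 */
    v.f[3] = ls & 0xFFFFu;      /* IntOp $R5 $R1 & 0x0000FFFF */
    return v;
}

/* Parse "5.0.7.424". Returns 0 on success, -1 unless exactly four numbers. */
static int eversion_parse(const char *s, eversion_t *out) {
    char trail;
    if (sscanf(s, "%u.%u.%u.%u%c", &out->f[0], &out->f[1],
               &out->f[2], &out->f[3], &trail) != 4)
        return -1;
    return 0;
}

/* Field-by-field numeric compare (<0, 0, >0). A string comparison would rank
 * "0.9.0.1" above "0.10.0.1", so version checks must not use one. */
static int eversion_cmp(const eversion_t *a, const eversion_t *b) {
    for (int i = 0; i < 4; i++)
        if (a->f[i] != b->f[i])
            return a->f[i] < b->f[i] ? -1 : 1;
    return 0;
}

/* Convenience for strings; -2 signals a parse failure. */
static int eversion_cmp_str(const char *a, const char *b) {
    eversion_t va, vb;
    if (eversion_parse(a, &va) || eversion_parse(b, &vb))
        return -2;
    return eversion_cmp(&va, &vb);
}

/* Major field 5 marks Npcap (WinPcap used 4.x). Assumed from the text: the
 * second and third fields carry the Npcap version, 5.0.7.424 -> "0.07".
 * Returns 0 on success, -1 if the e-version is not Npcap's. */
static int npcap_version_from_eversion(const eversion_t *v, char *buf, size_t n) {
    if (v->f[0] != 5)
        return -1;
    snprintf(buf, n, "%u.%02u", v->f[1], v->f[2]);
    return 0;
}

int main(void) {
    /* Constructed DWORDs 0x00050000 / 0x000701A8 encode 5.0.7.424 (0x1A8 = 424). */
    eversion_t inst = eversion_from_dwords(0x00050000u, 0x000701A8u);
    char ver[16] = "n/a";
    npcap_version_from_eversion(&inst, ver, sizeof ver);
    printf("e-version %u.%u.%u.%u is Npcap %s; newer than WinPcap 4.1.0.2980: %s\n",
           inst.f[0], inst.f[1], inst.f[2], inst.f[3], ver,
           eversion_cmp_str("5.0.7.424", "4.1.0.2980") > 0 ? "yes" : "no");
    return 0;
}
```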
You can check the installation options of an already installed Npcap by reading the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf (WinPcap compatible mode) or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap (non-WinPcap compatible mode). The entries AdminOnly, Loopback, DltNull, Dot11Support, VlanSupport, WinPcapCompatible, etc. show the installation options. Loopback is of REG_SZ type; a non-NULL value indicates the option is CHECKED. All other entries are of REG_DWORD type; a value of 0x00000001 indicates the option is CHECKED.
Npcap and WinPcap can be installed together on a system. Which capture library is used by the user software depends on the DLL loading path. If Npcap's wpcap.dll is loaded first, then you are using Npcap, and vice versa. However, it's difficult and fragile to check the DLL loading path by yourself. So we provide a better way: Npcap exports a pcap_get_servicename function in its libpcap API. It returns the string of the Npcap service name, which can be used to start the service using the net start %SERVICE_NAME% command. You need to dynamically import this function to call it, because WinPcap doesn't have this function and it's obviously not in the WinPcap SDK. The C code for pcap_get_servicename usage is shown below.
```c
#include <windows.h>
#include <stdio.h>

/* Signature of the Npcap-only export; WinPcap's wpcap.dll does not have it. */
typedef char* (__cdecl *MY_PCAP_GET_SERVICENAME)(void);

int main(void)
{
    HINSTANCE hinstLib;
    MY_PCAP_GET_SERVICENAME pcap_get_servicename;
    char *servicename_buf;

    // Get a handle to the wpcap DLL module (whichever copy the DLL search path finds first).
    hinstLib = LoadLibrary(TEXT("wpcap.dll"));

    // If the handle is valid, try to get the function address.
    if (hinstLib != NULL) {
        pcap_get_servicename = (MY_PCAP_GET_SERVICENAME)GetProcAddress(hinstLib, "pcap_get_servicename");

        // If the function address is valid, call the function.
        if (pcap_get_servicename != NULL) {
            printf("Notice: You are using Npcap.\n");
            servicename_buf = pcap_get_servicename(); // servicename_buf = "NPF" or "NPCAP"
            printf("Npcap service name: %s\n", servicename_buf);
        } else {
            printf("Notice: You are using WinPcap.\n");
        }

        // Free the DLL module.
        FreeLibrary(hinstLib);
    } else {
        printf("Notice: Neither Npcap nor WinPcap is installed.\n");
    }
    return 0;
}
```
Prerequisite: Uncheck the Install Npcap in WinPcap API-compatible Mode option at install-time.
Npcap installs its DLLs into C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So applications that want to load Npcap first must make C:\Windows\System32\Npcap\ take precedence over other paths, for example by calling SetDllDirectory.
Npcap uses the service name “npcap” instead of WinPcap's “npf” with “WinPcap Compatible Mode” OFF. So applications using net start npf to start the service must use net start npcap instead.
Prerequisite: Check the Support loopback traffic ("Npcap Loopback Adapter" will be created) option at install-time.
Npcap's loopback adapter device is based on the “Microsoft KM-TEST Loopback Adapter” (Win8 and Win10) or “Microsoft Loopback Adapter” (Vista, Win7). It is an Ethernet adapter, and Npcap has changed its behavior and renamed it to “Npcap Loopback Adapter”, to make it see the real loopback traffic only. The traffic captured by the original WinPcap will not appear here.
The IP address of “Npcap Loopback Adapter” is usually like 169.254.x.x. However, this IP is totally meaningless. Software using Npcap should regard this interface's IP address as 127.0.0.1 (IPv4) and ::1 (IPv6). This can't be done by Npcap because Windows forbids configuring any adapter with 127.0.0.1 or ::1, as they're reserved.
The MAC address of “Npcap Loopback Adapter” is usually like 02:00:4C:4F:4F:50. However, this address is meaningless too. Software using Npcap should treat this interface as not owning a MAC address, as the loopback traffic never goes to the link layer. For software using Npcap to capture loopback traffic, the MAC addresses in captured data will be all zeros (aka 00:00:00:00:00:00). For software using Npcap to send loopback traffic, any MAC addresses can be specified, as they will be ignored. But notice that the ether_type in the Ethernet header must be set correctly. Only IPv4 and IPv6 are accepted. Other values like ARP will be ignored. (You don't need an ARP request for the loopback interface.)
The MTU of “Npcap Loopback Adapter” is hard-coded to 65536 by Npcap. Software using Npcap should get this value automatically, and no special handling is needed. This value was chosen by me and doesn't mean the Windows loopback stack can only support packets as large as 65536. So don't be surprised if you capture packets larger than that.
Don't try to make OID requests to “Npcap Loopback Adapter” except OID_GEN_MAXIMUM_TOTAL_SIZE (MTU). Those requests will still succeed as they do on other adapters, but they only make sense for NDIS adapters, and Npcap doesn't even use the NDIS way to handle loopback traffic. The only OID request handled by Npcap is OID_GEN_MAXIMUM_TOTAL_SIZE. If you query its value, you will always get 65550 (65536 + 14). If you try to set its value, the operation will always fail.
To conclude, a software that wants to support the Npcap loopback feature should do these steps:
1. Detect Npcap Loopback Adapter's presence by reading the registry value Loopback at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf (or npcap if you installed Npcap with “WinPcap Compatible Mode” OFF). If the Loopback value exists, “Npcap Loopback Adapter” is OK. Then perform the following steps.
2. Treat the IP address of “Npcap Loopback Adapter” as 127.0.0.1 (IPv4) and ::1 (IPv6).
3. Treat the MAC address of “Npcap Loopback Adapter” as 00:00:00:00:00:00.
4. If you use the IP Helper API to get the adapter list, you will get an interface named like “Loopback Pseudo-Interface 1”. This interface is a DUMMY interface by Microsoft and can't be seen in the NDIS layer. It also takes the 127.0.0.1/::1 IP address. A good practice for software is merging the entry of “Npcap Loopback Adapter” and the entry of “Loopback Pseudo-Interface 1” into one entry, like what I have implemented for Nmap (see the “Other code (for developers)” part).
5. Don't make use of OID requests for “Npcap Loopback Adapter” except OID_GEN_MAXIMUM_TOTAL_SIZE requests.
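Putting the loopback rules above into code, as an added example that is neither Npcap's nor Nmap's code: it builds a frame for the “Npcap Loopback Adapter” with all-zero MAC addresses, accepts only the IPv4 and IPv6 ether_types (ARP is refused, as Npcap would ignore it), enforces the 65536-byte MTU, and classifies a captured frame the way loopback captures look. The sample payload is a constructed, zero-filled buffer, not a real packet.

```c
/* Added example (not Npcap's or Nmap's code): frame handling for the
 * "Npcap Loopback Adapter" following the rules in this section. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN        14
#define ETHERTYPE_IPV4     0x0800
#define ETHERTYPE_IPV6     0x86DD
#define ETHERTYPE_ARP      0x0806
#define NPCAP_LOOPBACK_MTU 65536                                     /* hard-coded by Npcap */
#define NPCAP_LOOPBACK_MAX_TOTAL (NPCAP_LOOPBACK_MTU + ETH_HDR_LEN)   /* OID answer: 65550 */

/* Only IPv4 and IPv6 are injected into the Windows TCP/IP stack; ARP etc. are ignored. */
static int loopback_ethertype_ok(uint16_t et) {
    return et == ETHERTYPE_IPV4 || et == ETHERTYPE_IPV6;
}

/* Build a frame for pcap_sendpacket() on the loopback adapter. MACs are
 * ignored by Npcap, so send the same all-zeros it reports on capture.
 * Returns 14 + len, or -1 if Npcap would drop the frame. `out` must hold it. */
static int loopback_build_frame(const uint8_t *payload, size_t len,
                                uint16_t ethertype, uint8_t *out) {
    if (!loopback_ethertype_ok(ethertype) || len > NPCAP_LOOPBACK_MTU)
        return -1;
    memset(out, 0, 12);                        /* dst + src MAC = 00:00:00:00:00:00 */
    out[12] = (uint8_t)(ethertype >> 8);       /* ether_type, big-endian */
    out[13] = (uint8_t)(ethertype & 0xFF);
    memcpy(out + ETH_HDR_LEN, payload, len);
    return (int)(ETH_HDR_LEN + len);
}

/* Classify a captured frame: 4 = IPv4, 6 = IPv6, 0 = other or too short.
 * *macs_zero reports whether both MACs are zero, as loopback captures show. */
static int loopback_classify_frame(const uint8_t *frame, size_t len, int *macs_zero) {
    static const uint8_t zeros[12] = {0};
    uint16_t et;
    if (len < ETH_HDR_LEN) return 0;
    if (macs_zero) *macs_zero = memcmp(frame, zeros, 12) == 0;
    et = (uint16_t)((frame[12] << 8) | frame[13]);
    return et == ETHERTYPE_IPV4 ? 4 : et == ETHERTYPE_IPV6 ? 6 : 0;
}

/* Round trip with a constructed zero-filled payload of `len` bytes: build,
 * then classify as a capture would. Returns 4/6, or -1 if Npcap rejects it. */
static int build_and_classify(size_t len, uint16_t ethertype) {
    static uint8_t payload[NPCAP_LOOPBACK_MTU];        /* constructed sample, all zeros */
    static uint8_t frame[NPCAP_LOOPBACK_MAX_TOTAL];
    int n;
    if (len > sizeof payload) return -1;
    n = loopback_build_frame(payload, len, ethertype, frame);
    if (n < 0) return -1;
    return loopback_classify_frame(frame, (size_t)n, NULL);
}

int main(void) {
    printf("20-byte IPv4 payload   -> %d\n", build_and_classify(20, ETHERTYPE_IPV4));                     /* 4 */
    printf("MTU-sized IPv6 payload -> %d\n", build_and_classify(NPCAP_LOOPBACK_MTU, ETHERTYPE_IPV6));     /* 6 */
    printf("oversized payload      -> %d\n", build_and_classify(NPCAP_LOOPBACK_MTU + 1, ETHERTYPE_IPV4)); /* -1 */
    printf("ARP payload            -> %d\n", build_and_classify(28, ETHERTYPE_ARP));                      /* -1 */
    return 0;
}
```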
Prerequisite: Check the Support raw 802.11 traffic (and monitor mode) for wireless adapters option at install-time.
Install the latest version of Npcap with the Support raw 802.11 traffic (and monitor mode) for wireless adapters option checked in the installation wizard. With this option checked, Npcap will see packets with Radiotap + 802.11 headers for wireless adapters. Otherwise, Npcap will see packets with fake Ethernet headers for wireless adapters.
Run WlanHelper.exe with Administrator privilege. Type in the index of your wireless adapter (usually Enter) and press Enter. Then type in Enter and press Enter to switch on “Monitor Mode”. WlanHelper.exe also supports parameters to be used in an API manner; run WlanHelper.exe -h for details.
An example: launch Wireshark and capture on the wireless adapter, you will see all 802.11 packets (data + control + management). Here you should make your software interact with Npcap using the WinPcap API (open the adapter, read packets, send packets, etc).
If you need to return to “Managed Mode”, run WlanHelper.exe again and input the index of the adapter, then type in Enter and press Enter to switch off the “Monitor Mode”.
You need to use the WlanHelper.exe tool to switch on “Monitor Mode” in order to see 802.11 control and management packets in Wireshark (and also encrypted 802.11 data packets; you need to specify the decryption key in Wireshark in order to decrypt those packets). Otherwise you will only see 802.11 data packets.
Switching on “Monitor Mode” will disconnect your wireless network from the AP; you can switch back to “Managed Mode” using the same WlanHelper.exe tool.
The WlanHelper.exe tool is automatically installed to your system path after installing Npcap.
- “Managed Mode” (for Linux) = “Extensible Station Mode” (aka “ExtSTA”, for Windows)
- “Monitor Mode” (for Linux) = “Network Monitor Mode” (aka “NetMon”, for Windows)
- “Master Mode” (for Linux) = “Extensible Access Point” (aka “ExtAP”, for Windows)
WlanHelper is used to set/get the operation mode (like “Monitor Mode”) of a wireless adapter on Windows. WlanHelper tries to follow the grammar of iwconfig, a wireless management tool for Linux. So if you rename WlanHelper.exe to iwconfig.exe, your command lines for WlanHelper will be exactly the same as with the iwconfig tool.
Note: WlanHelper must run under Administrator privilege.
1. Run netsh wlan show interfaces and get the Name or GUID of the interface.
2. Run WlanHelper -h to see the man page.
Example 1. WlanHelper Man

```text
C:\> WlanHelper.exe
WlanHelper for Npcap 0.07 (http://npcap.org)
Usage: WlanHelper {Interface Name or GUID} [Options]
Options:
  mode: get interface operation mode
  mode <managed|monitor|master|wfd_device|wfd_owner|wfd_client>: set interface operation mode
  modes: get all operation modes supported by the interface, comma-separated
  channel: get interface channel
  channel <1-11>: set interface channel (only works at monitor mode)
  freq: get interface frequency
  freq <0-200>: set interface frequency (only works at monitor mode)
Operation Modes:
  managed - the Extensible Station (ExtSTA) operation mode
  monitor - the Network Monitor (NetMon) operation mode
  master - the Extensible Access Point (ExtAP) operation mode (supported for Windows 7 and later)
  wfd_device - the Wi-Fi Direct Device operation mode (supported for Windows 8 and later)
  wfd_owner - the Wi-Fi Direct Group Owner operation mode (supported for Windows 8 and later)
  wfd_client - the Wi-Fi Direct Client operation mode (supported for Windows 8 and later)
Examples:
  WlanHelper wi-fi mode
  WlanHelper 42dfd47a-2764-43ac-b58e-3df569c447da channel 11
  WlanHelper 42dfd47a-2764-43ac-b58e-3df569c447da freq 2
See the MAN Page (https://github.com/nmap/npcap) for more options and examples
```
An example:
Example 2. WlanHelper API Usage

```text
C:\>netsh wlan show interfaces

There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
    GUID                   : 42dfd47a-2764-43ac-b58e-3df569c447da
    Physical address       : a4:db:30:d9:3a:9a
    State                  : connected
    SSID                   : LUO-PC_Network
    BSSID                  : d8:15:0d:72:8c:18
    Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Channel                : 1
    Receive rate (Mbps)    : 150
    Transmit rate (Mbps)   : 150
    Signal                 : 100%
    Profile                : LUO-PC_Network

    Hosted network status  : Not available

C:\>WlanHelper.exe wi-fi mode
managed

C:\>WlanHelper.exe wi-fi mode monitor
Success

C:\>WlanHelper.exe wi-fi mode
monitor

C:\>WlanHelper.exe wi-fi mode managed
Success

C:\>WlanHelper.exe wi-fi mode
managed
```
1. Run installer\Build.bat: build all DLLs and the driver. The DLLs need to be built using Visual Studio 2013, and the driver needs to be built using Visual Studio 2015 with Windows SDK 10 10586 & Windows Driver Kit 10 10586.
2. Run installer\Deploy.bat: copy the files from build directories to deployment directories and sign the files. Generate an installer named npcap-nmap-%VERSION%.exe using the NSIS large strings build with the SysRestore plug-in (special build for Npcap), and sign the installer.
3. Run installer\Deploy_Symbols.bat: copy the debug symbol files (.PDB) from build directories to deployment directories and package them into a zip file named npcap-nmap-<VERSION>-DebugSymbols.zip using 7-Zip.
(You need to read our LICENSE before distributing Npcap.)
The Npcap installer is friendly for redistribution by supporting two installation ways: “GUI Mode” (direct run) and “Silent Mode” (run with the /S parameter).
The current default Npcap installation options are (for both “GUI Mode” and “Silent Mode”):

```text
/admin_only=no /loopback_support=yes /dlt_null=no /dot11_support=no /vlan_support=no /winpcap_mode=no
```
- /admin_only=yes: Restrict Npcap driver's access to Administrators only
- /loopback_support=yes: Support loopback traffic (“Npcap Loopback Adapter” will be created)
- /dlt_null=yes: Use DLT_NULL as the loopback interface's link layer protocol instead of DLT_EN10MB
- /dot11_support=yes: Support raw 802.11 traffic (and “Monitor Mode”) for wireless adapters
- /vlan_support=yes: Support 802.1Q VLAN tag when capturing and sending data
- /winpcap_mode=yes: Install Npcap in WinPcap API-compatible Mode
The default options of the Npcap installer GUI can be changed. An example is:

```text
npcap-nmap-0.07.exe /admin_only=no /loopback_support=yes /dlt_null=no /dot11_support=no /vlan_support=no /winpcap_mode=yes
```

or even simpler:

```text
npcap-nmap-0.07.exe /winpcap_mode=yes
```

As the default value of /winpcap_mode is no, running the installer directly without options will show Install Npcap in WinPcap API-compatible Mode UNCHECKED by default in the “Installation Options” page. However, the above two commands will launch the installer GUI with the Install Npcap in WinPcap API-compatible Mode option CHECKED by default in the “Installation Options” page.
An example of changing options for a silent installation is:

```text
npcap-nmap-0.07.exe /S /admin_only=no /loopback_support=yes /dlt_null=no /dot11_support=no /vlan_support=no /winpcap_mode=yes
```

If you don't specify a parameter key, it will take the default value. This is the same as with the GUI. The keys are case-insensitive. The values are case-sensitive; only two values are permitted: yes or no.
Latest Npcap installer: Npcap Release
Archived Npcap installers (prior to 0.05): Npcap Release (Archive)
Npcap doesn't have its own development kit for now. Please use WinPcap's development kit instead: WinPcap 4.1.2 Developer's Pack
The LWF technique Npcap uses is a common cause of conflicts between programs that use network drivers. The incompatibility can result in a bluescreen, no adapters, no traffic, etc. The reason can be either a bug in Npcap or a bug in the incompatible software. If the latter is the case, there's not much Npcap can do; you have to remove the incompatible software yourself.
Commonly seen sources of incompatible software are anti-virus, network firewalls, VPNs, traffic capture tools, etc. To help you identify them, we have collected the programs that have trouble with Npcap according to user reports, so what you need to do is remove them if Npcap doesn't work normally.
- Avaya Collaboration Services
- Avaya Collaboration Services x64
- Avaya UCA Type Library
Network disconnects after installing Npcap: As Microsoft states here, an optional NDIS light-weight filter (LWF) driver like Npcap could cause a 90-second delay in network availability. Some solutions you could try are: 1) wait for 90 seconds; 2) disable and re-enable the adapter in ncpa.cpl; 3) reboot. If this doesn't help, you should consider that you have installed some incompatible software. It can be a VPN, anti-virus, firewall or other network-related software. We maintain an incompatible software list in the previous section, so you can uninstall those potential candidates one by one and see which one exactly causes the issue. Don't forget to report it to me, so I can add it to this list.
Installation fails with error code 0x8004a029: The cause is that you have “reached the maximum number of network filter drivers”; see the solution here.
See: LICENSE
Please report any bugs or issues about Npcap at: GitHub Issues
dev@nmap.org (Nmap development list, this is preferred)
hsluoyz@gmail.com (Yang Luo's email, if your issue needs to be kept private, please contact me via this mail)