This manual describes the programming interface and the source code of
Npcap. It provides detailed descriptions of the functions and structures
exported to programmers, along with complete documentation of the Npcap
internals. Several tutorials and examples are provided as well.
Npcap is an architecture for packet capture and network analysis for
Windows operating systems, consisting of a software library and a network
Most networking applications access the network through widely-used
operating system primitives such as sockets. It is easy to access data on
the network with this approach since the operating system copes with the
low level details (protocol handling, packet reassembly, etc.) and
provides a familiar interface that is similar to the one used to read and
Sometimes, however, the “easy way” is not up to the task,
since some applications require direct access to packets on the network.
That is, they need access to the “raw” data on the network
without the interposition of protocol processing by the operating
The purpose of Npcap is to give this kind of access to Windows
applications. It provides facilities to:
- capture raw packets, both the ones destined to the machine where
it's running and the ones exchanged by other hosts (on shared media)
- filter the packets according to user-specified rules before
dispatching them to the application
- transmit raw packets to the network
- gather statistical information on the network traffic
This set of capabilities is obtained by means of a device driver,
which is installed inside the networking portion of the Windows kernel,
plus a couple of DLLs.
All of these features are exported through a powerful programming
interface, easily usable by applications. The main goal of this manual is
to document this interface, with the help of several examples.
What kind of programs use Npcap?
The Npcap programming interface can be used by many types of
network tools for analysis, troubleshooting, security and monitoring.
In particular, classical tools that rely on Npcap are:
- network and protocol analyzers
- network monitors
- traffic loggers
- traffic generators
- user-level bridges and routers
- network intrusion detection systems (NIDS)
- network scanners
- security tools
Npcap receives and sends the packets independently from the host
protocols, like TCP/IP. This means that it isn't able to block, filter or
manipulate the traffic generated by other programs on the same machine: it
simply “sniffs” the packets that transit on the wire. Therefore, it does not
provide the appropriate support for applications like traffic shapers, QoS
schedulers and personal firewalls.
Npcap has many exciting features that set it above other packet capture solutions:
- Built for modern Windows: Npcap is written for Windows 10, Windows 8.1,
Windows 8, and Windows 7. Using up-to-date NDIS versions, it allows you to
capture traffic without slowing down the network stack. Npcap is
implemented as an NDIS 6 Lightweight Filter driver, faster and with less
overhead than the legacy NDIS 5 Protocol Driver used by WinPcap.
- WinPcap compatibility: Npcap is a drop-in replacement for WinPcap in most
applications.
- Updated cross-platform libpcap API: The libpcap API allows cross-platform
packet capture applications to target Linux, Windows, macOS, BSD, Solaris
and others. Npcap includes the latest version of libpcap, providing the
best solution for compatibility, performance, functionality, and security.
- Loopback packet capture and injection: Npcap is able to see Windows
loopback packets using the Windows Filtering Platform (WFP). Npcap supplies
an interface named “NPF_Loopback”, with the description “Adapter for
loopback capture.” Wireshark users can choose this adapter to capture all
loopback traffic the same way as other
Packet injection works as well with
- Raw 802.11 Packet Capture Support: Npcap is able to see 802.11 frames
instead of emulated Ethernet frames on ordinary wireless adapters. You need
to select the “Support raw 802.11 traffic (and monitor mode) for wireless
adapters” option in the installation wizard to enable this feature. When
your adapter is in “Monitor Mode”, Npcap will supply all 802.11 data +
control + management packets with Radiotap headers. When your adapter is in
“Managed Mode”, Npcap will only supply Ethernet packets. Npcap directly
supports using Wireshark to capture in “Monitor Mode”.
Npcap also provides the
tool to manually configure WiFi PHY parameters. See more details
about this feature in the section called “For software that uses Npcap raw 802.11 feature”.
- “Admin-only Mode” Support: Npcap supports restricting its use to
Administrators for safety purposes. If Npcap is installed with the option
“Restrict Npcap driver's access to Administrators only” checked, only
Built-in Administrators may access its features via user software (Nmap,
Wireshark, etc).
This provides a level of restriction similar to requiring root access for packet capture on Linux/UNIX.
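
The following is an added example, not part of the Npcap manual or Npcap's own code. It shows what an application must do with a buffer captured under the raw 802.11 feature described above: skip the Radiotap header and classify the frame as management, control or data. The function, struct and sample bytes are constructed for illustration; the Radiotap length field comes from the capture itself, so it is bounds-checked before use.

```c
#include <stddef.h>
#include <stdint.h>

/* 802.11 frame types, taken from bits 2-3 of the Frame Control field. */
enum dot11_type { DOT11_MGMT = 0, DOT11_CTRL = 1, DOT11_DATA = 2, DOT11_EXT = 3 };

struct dot11_info {
    uint16_t radiotap_len;  /* bytes to skip before the 802.11 header */
    uint8_t  type;          /* one of enum dot11_type */
    uint8_t  subtype;       /* 4-bit subtype, e.g. 8 = beacon for DOT11_MGMT */
};

/* Parse one captured buffer of caplen bytes. Returns 0 on success, -1 if the
 * buffer is truncated or malformed. Never reads past caplen. */
int parse_radiotap_frame(const uint8_t *pkt, size_t caplen, struct dot11_info *out)
{
    if (pkt == NULL || out == NULL || caplen < 8)
        return -1;                        /* fixed Radiotap header is 8 bytes */
    if (pkt[0] != 0)
        return -1;                        /* only Radiotap version 0 is defined */
    uint16_t rt_len = (uint16_t)(pkt[2] | (pkt[3] << 8));  /* little-endian */
    if (rt_len < 8 || (size_t)rt_len + 2 > caplen)
        return -1;                        /* untrusted length: validate first */
    const uint8_t *fc = pkt + rt_len;     /* 2-byte Frame Control field */
    if ((fc[0] & 0x03) != 0)
        return -1;                        /* 802.11 protocol version must be 0 */
    out->radiotap_len = rt_len;
    out->type    = (fc[0] >> 2) & 0x03;
    out->subtype = (fc[0] >> 4) & 0x0f;
    return 0;
}

/* Constructed sample: minimal Radiotap header (no optional fields) + beacon. */
static const uint8_t sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,  /* ver, pad, len=8, present=0 */
    0x80, 0x00                                       /* FC: type 0, subtype 8 */
};
/* Constructed sample: header claims 64 bytes but only 10 were captured. */
static const uint8_t sample_bad_len[] = {
    0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00
};

int main(void)
{
    struct dot11_info info;
    int ok = parse_radiotap_frame(sample_beacon, sizeof sample_beacon, &info) == 0
          && info.type == DOT11_MGMT
          && parse_radiotap_frame(sample_bad_len, sizeof sample_bad_len, &info) == -1;
    return ok ? 0 : 1;
}
```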
The purpose of this manual is to provide a comprehensive and easy way
to browse the documentation of the Npcap architecture. You will find
three main sections:
- the section called “Npcap Users' Guide” is for end users of Npcap, and
primarily concerns installation options, hardware compatibility, and bug
- the section called “Developing software with Npcap” is for programmers who
need to use Npcap from an application: it contains information about
functions and data structures exported by the Npcap API, a manual for
writing packet filters, and information on how to include it in an
application. A tutorial with several code samples is provided as well; it
can be used to learn the basics of the Npcap API using a step-by-step
approach, but it also offers code snippets that demonstrate advanced
features.
- the section called “Npcap internals” is intended for Npcap developers
and maintainers, or for people who are curious about how this system
works: it provides a general description of the Npcap architecture and
explains how it works. Additionally, it documents the complete device
driver structure, the source code, the Packet.dll interface and the
low-level Npcap API. If you want to understand what happens inside Npcap
or if you need to extend it, this is the section you will want to
We call Npcap an architecture rather than a library because packet capture
is a low level mechanism that requires a strict interaction with the
network adapter and with the operating system, in particular with its
networking implementation, so a simple library is not sufficient.
For consistency with the literature, we will use the term packet even
though frame is more accurate since the capture process is done at the
data-link layer and the data-link header is included in the captured data.
Even though Npcap source code is publicly available for review, it is
not open source software and may not be redistributed without special
permission from the Nmap Project. The
allows end users to download, install, and use up to 5 copies of
Npcap from our site for
free. Copies which are only used with Nmap, Wireshark, and/or
Defender for Identity don't count toward this 5-install
We fund the Npcap project by selling the Npcap OEM
Edition. This special version of Npcap includes enterprise
features such as the silent installer and commercial support as
well as special license rights allowing customers to redistribute
Npcap with their products or to install it on more systems within
their organization with easy enterprise deployment. We offer two
commercial license types:
- The Npcap OEM Redistribution License is for companies that wish to
distribute Npcap OEM within their products (the free Npcap
edition does not allow this). Licensees generally use the
Npcap OEM silent installer, ensuring a seamless experience for
end users. Licensees may choose between a perpetual unlimited
license or an annual term license, along with options for
commercial support and updates.
- The Npcap OEM Internal-Use License is for organizations that wish to
use Npcap OEM internally without redistribution outside their
organization. This allows them to bypass the 5-system usage
cap of the Npcap free edition. It includes commercial support
and update options, and provides the extra Npcap OEM features
such as the silent installer for enterprise-wide
The latest Npcap release can always be found
on the Npcap
website as an executable installer and as a source code
Acknowledgements and copyright
Npcap is an update of WinPcap.
It is developed
by the Nmap Project
as a continuation of the project started by Yang Luo
under Google Summer of Code 2013 and
It also received many helpful tests from Wireshark
Portions of this guide were adapted from the WinPcap documentation.
Copyright © 2002-2005 Politecnico di Torino. Copyright ©
2005-2010 CACE Technologies. Copyright © 2010-2013 Riverbed
Technology. Copyright © 2021 Insecure.Com, LLC. All rights