Npcap Users' Guide

Npcap: Nmap Project's packet sniffing library for Windows

Npcap is an update of WinPcap to the NDIS 6 Light-Weight Filter (LWF) API. It supports Windows Vista, 7, 8 and 10. It is sponsored by the Nmap Project and developed by Yang Luo under Google Summer of Code 2013 and 2015. It also received many helpful tests from Wireshark and NetScanTools.


  • NDIS 6 Support: Npcap makes use of the new LWF driver in Windows Vista and later. It's faster than the legacy NDIS 5 Intermediate technique. One reason is that the packet data structure changed (from NDIS_PACKET to NET_BUFFER_LIST) in Vista, so NDIS 5 needs to handle an extra packet structure conversion.

  • Latest libpcap API Support: Npcap provides support for the latest libpcap API by accepting libpcap as a Git submodule. The latest libpcap 1.8 has integrated more features and functions than the deprecated libpcap 1.0.0 shipped by WinPcap. Moreover, since Linux already has good support for the latest libpcap API, using Npcap on Windows lets your software build on the same API on both Windows and Linux.

  • Admin-only Mode Support: Npcap can restrict its use to Administrators for safety. If Npcap is installed with the option Restrict Npcap driver's access to Administrators only checked, then when a non-Admin user tries to start user software (Nmap, Wireshark, etc.), the User Account Control (UAC) dialog will prompt for Administrator privilege. The driver can be accessed only if the end user chooses Yes. This is similar to UNIX, where you need root access to capture packets.

  • Loopback Packet Capture: Npcap is able to see Windows loopback packets using the Windows Filtering Platform (WFP). After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture on and you will see all loopback traffic the same way as on other non-loopback adapters. Try it by typing in commands like ping (IPv4) or ping ::1 (IPv6).

  • Loopback Packets Injection: Besides capturing loopback packets, Npcap can also send out loopback packets using the Winsock Kernel (WSK) technique. User software (e.g. Nmap) can send packets out using Npcap Loopback Adapter just like other adapters. Npcap Loopback Adapter will automatically remove the packet's Ethernet header and inject the payload into the Windows TCP/IP stack.

  • Raw 802.11 Packets Capture Support: Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in Monitor Mode, Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in Managed Mode, Npcap will only supply Ethernet packets. Npcap directly supports using Wireshark to capture in Monitor Mode. Npcap also provides the WlanHelper.exe tool to help you switch to Monitor Mode on your own. See more details about this feature in the section For software that uses Npcap raw 802.11 feature. See more details about radiotap here: http://www.radiotap.org/

  • WinPcap Compatible Mode Support: WinPcap Compatible Mode makes Npcap a strict WinPcap replacement by using the same DLL location and service name as WinPcap. This is useful for testing or migrating from software that only uses WinPcap, but because Npcap is masquerading as WinPcap, software will not be aware of Npcap's newer features and cannot use them. Note that before installing in this mode, you must uninstall WinPcap first (the installer wizard will prompt you to do so).
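
The raw 802.11 item above says that in Monitor Mode every frame arrives with a radiotap header in front of it. The following C sketch is an added example, not code from the Npcap guide or from Npcap itself: it validates the radiotap length field against the captured length, skips the header, and reads the 802.11 frame type (management, control, or data). The function names are hypothetical and the sample packets are constructed bytes, not real traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 frame types (value 3 is reserved); -1 marks an unusable capture. */
enum { FRAME_MGMT = 0, FRAME_CTRL = 1, FRAME_DATA = 2, FRAME_MALFORMED = -1 };

/* Offset of the 802.11 frame within a radiotap-framed capture, or -1 if the
 * radiotap header is truncated or inconsistent with the captured length. */
long radiotap_payload_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 8 || pkt[0] != 0)        /* fixed part is 8 bytes; version must be 0 */
        return -1;
    size_t it_len = (size_t)pkt[2] | ((size_t)pkt[3] << 8);  /* little-endian u16 */
    if (it_len < 8 || it_len > caplen)    /* never trust a length field from the air */
        return -1;
    /* Bit 31 of each "present" word means another 32-bit word follows. */
    for (size_t off = 4; ; off += 4) {
        if (off + 4 > it_len)
            return -1;                    /* bitmap chain runs past the header */
        if (!(pkt[off + 3] & 0x80))
            break;
    }
    return (long)it_len;
}

/* Frame type, taken from bits 2-3 of the first frame-control byte. */
int classify_frame(const uint8_t *pkt, size_t caplen)
{
    long off = radiotap_payload_offset(pkt, caplen);
    if (off < 0 || (size_t)off + 2 > caplen)
        return FRAME_MALFORMED;
    return (pkt[off] >> 2) & 0x3;
}

/* Constructed sample captures (not real traffic). */
static const uint8_t beacon[]  = {0,0,8,0,    0,0,0,0,    0x80,0x00};
static const uint8_t ack[]     = {0,0,12,0,   0,0,0,0x80, 0,0,0,0, 0xd4,0x00};
static const uint8_t qosdata[] = {0,0,8,0,    0,0,0,0,    0x88,0x02};
static const uint8_t badlen[]  = {0,0,0x40,0, 0,0,0,0,    0x80,0x00};

int main(void)
{
    printf("beacon=%d ack=%d data=%d badlen=%d\n",
           classify_frame(beacon, sizeof beacon), classify_frame(ack, sizeof ack),
           classify_frame(qosdata, sizeof qosdata), classify_frame(badlen, sizeof badlen));
    return 0;
}
```

In Managed Mode the same adapter delivers Ethernet frames, so a parser like this should only be applied when the capture's link-layer type indicates radiotap.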


See: Npcap License


Npcap tries to keep the original WinPcap architecture as much as possible. As the table shows, you will find it very similar to WinPcap.

Table 1. Npcap Architecture

| File | Source directory | Description |
|---|---|---|
| wpcap.dll | wpcap | the libpcap API, added "loopback support" to original WinPcap |
| Packet.dll | packetWin7\Dll | the Packet API for Windows, added "Admin-only Mode" to original WinPcap |
| npcap.sys | packetWin7\npf | the filter driver. If Npcap is installed in WinPcap Compatible Mode, the driver name is <npf>.sys |
| NPFInstall.exe | packetWin7\NPFInstall | a LWF and WFP driver installation tool |
| NpcapHelper.exe | packetWin7\Helper | the helper program for Admin-only Mode, will run under Administrator rights |
| WlanHelper.exe | packetWin7\WlanHelper | a tool used to set/get the operation mode (like Monitor Mode) for a wireless adapter, will run under Administrator rights |