The latest Npcap release is version 1.77.
![[ICO]](https://npcap.com/icons/blank.gif){kind=icon}
![[PARENTDIR]](https://npcap.com/icons/back.gif){kind=icon}
![[ ]](https://npcap.com/icons/compressed.gif){kind=icon}
![[ ]](https://npcap.com/icons/binary.gif){kind=icon}
Npcap 1.77
Installer available at https://npcap.com/#download
-
Fixed a memory leak in Npcap 1.76 only which occurs while capturing traffic
at high data rates. Fixes #688. -
Fixed an issue in Npcap 1.76 where packets delivered to the driver by NDIS in
a single indication, having the same timestamp, would be placed in the packet
queue in reverse order. Fixes #684. -
Fixed an issue with Npcap 1.75 and 1.76 where changing timestamp modes could
result in all packets being delivered with the same timestamp. Fixes #695. -
Fixed an issue with the Npcap installer that caused it to install duplicate
certificates in the system’s certificate store, which caused problems for
some software. The fixed installer will remove the duplicates. Fixes #692.
Npcap 1.76
Installer and symbols available at https://npcap.com/#download
-
Our code signing key has been reissued to «Nmap Software LLC» replacing the old «Insecure.Com LLC» subject name.
-
Improve performance of the driver by reducing lock contention and consolidating data copy operations. This may help address #663.
-
Additional fixes to locking discipline to potentially address a BSoD issue, #679.
Npcap 1.75
Installer available from https://npcap.com/#download
- Fix a critical regression in Npcap 1.74 which caused all captured packets to have the same timestamp. Fixes #668.
Npcap 1.74
Installer available from https://npcap.org/#download
-
Updated libpcap to 1.10.4.
-
Fixed an issue (#667) that prevented capture handles from receiving packets after a NDIS stack pause operation.
-
Fixed an issue that could cause inaccurate timestamps when multiple handles were open and using different timestamp modes. Fixes #666.
-
Fixed an issue preventing raw WiFi frame capture since Npcap 1.60.
-
Fixed an issue causing «failed to set hardware filter to promiscuous mode» errors with NetAdapterCx-based Windows 11 miniport drivers. Npcap was interpreting the NDIS spec too strictly; we have opened an issue with Microsoft to address the fault in netadaptercx.sys. Fixes #628.
-
Addressed several code readability and portability fixes in Packet.dll discovered using clang-tidy via Visual Studio Code Analysis.
Npcap 1.73
Installer, SDK, and symbols available from https://npcap.com/#download
-
Fixed an issue causing «failed to set hardware filter to promiscuous mode»
errors due to a new code path failing to return appropriate error codes. Fix
by Guy Harris in PR #656.
Fixes #628. -
Fixed an issue with WlanHelper causing «error 0x7b» since Npcap 1.70.Fix by
Hauke Neitzel in PR #652.
Fixes #649. -
Fixed an issue preventing capture handles from reattaching after NDIS stack
pause operations, resulting in persistentERROR_DEVICE_REMOVED(1617)
errors. Fixes #627. -
Restored original behavior of timestamps in the default case,
PCAP_TSTAMP_HOST_HIPREC_UNSYNCED/TIMESTAMPMODE_SINGLE_SYNCHRONIZATION.
Since Npcap 0.9994, the timestamp was resynchronized after NDIS stack pause
operations, which reduced timestamp drift from wall clock time but made it no
longer monotonic, making packet interval calculations inaccurate. This
restores the default behavior of WinPcap. -
Fixed an issue that prevented Npcap 1.71 and 1.72 from being completely
removed on uninstall. A misconfigured npcap driver service had persisted.
Fixes #657. -
Fixed an issue where applications using Npcap 1.20 or later DLLs with a Npcap
1.00 driver would crash due to a stack buffer overrun when the driver returned
too many bytes in response to a request for timestamp modes. Additionally,
changed NPFInstall.exe to attempt to uninstall the Npcap NetCfg component
prior to installation, in case an improperly-uninstalled component persists. -
Updated libpcap to 1.10.3.
Npcap 1.72
Installer and debug symbols available at https://npcap.com/
-
Fixed an issue where promiscuous mode or other hardware packet filters are ignored after a second
handle is opened on the same adapter, including handles opened in the process of listing adapters
withpcap_findalldevs(). Fixes #647. -
Fixed an issue with validation of parameters to
PacketGetNetInfoEx(). TheNEntriesparameter
was not being checked for values less than or equal to 0. Fixes #625.
Npcap 1.71
Installer, debug symbols, and SDK available from https://npcap.org/#download
-
Increase strictness in checking for and restoring adapter parameters modified during capture:
hardware packet filter and lookahead will only be modified if the original value can be
determined. This fixes issues with connectivity on certain adapter types (WWAN and some WiFi
adapters) after a capture is closed. -
Modify NDIS binding parameters so that Npcap will bind both above and below a NIC teaming or
network bridge IM driver. This may improve capture options in related situations, like #115. -
Updated build configurations to enable DEP and ASLR for npcap.sys, which were missing from the
original configs inherited from WinPcap. Additionally, enabled Control Flow Guard for Packet.dll
and all helper EXEs. -
Fix a BSoD issue on Windows 8.1 due to registering a service without a name. Fixes #565.
-
Fix an issue with admin-only mode where high-integrity processes (UAC not enforced) could not open
or list adapters. Fixes #606. -
Restored an undocumented data member of the struct
ADAPTERthat is not used internally. Directly
accessing members of theADAPTERstruct fromPacket32.his highly discouraged, since the
API inPacket32.his not intended for use apart from libpcap. Closes #609. -
Extensive refactoring of driver code for performance and maintainability.
Npcap 1.70
Installer, debug symbols, and SDK available from https://npcap.org/#download
-
Major overhaul of Packet.dll to improve performance of
PacketGetAdapterNames(), used by
pcap_findalldevs(), andPacketOpenAdapter(), used in all libpcap functions that return a
pcap_t. Reduced calls toGetAdaptersAddresses(), properly caching results for short periods.
Errors from lower functions are correctly propagated, making diagnosis of failures easier. Fixes
#168, #61, and #586. -
PacketGetNetType()now always sets the LinkSpeed field to 0. Many adapters did not support the OID
that was being used to get the link speed, and libpcap (Npcap’s published API) does not pass this
information through, so there should be no impact on the majority of software. Software that needs
link speed may usepcap_oid_get_request()orGetAdaptersAddresses()to get the information. -
The undocumented
char PacketLibraryVersion[]export has been removed. ThePacketGetVersion()
function is the documented way to get the runtime version of the Packet.dll library. -
Packet injection operations (
pcap_inject(),PacketSendPacket(),pcap_sendqueue_transmit(),
andPacketSendPackets()) now properly pend the related Write IRP until the NBLs have
been returned by NDIS. This may make packet injection more efficient. -
Packet injection operations are no longer limited to one at a time. Multiple threads can issue
multiple send operations concurrently on the same capture handle without issue, unless system
resource limits result in allocation failures. Additionally, WinPcap’s limit of 256 concurrent
sends on each adapter has been removed. Each Write call is still synchronous, however. -
Loopback packet capture and injection now uses fewer WFP filters and callbacks, avoids duplicate
packet processing, uses inspection rather than blocking filters, and persists callout driver
objects while still removing callout filters when captures are not using them. These and other
improvements increase loopback capture efficiency and reduce interference with other network
components. -
Npcap is only supported on Windows 7 SP1 and later, and requires KB4474419 to support SHA-2
signature validation. The installer will now check these specific requirements, rather than
attempting an installation that will fail anyway. -
Added timeouts to subprocess executions in the installer to prevent a hung installation.
-
Fixed a minor issue with Npcap OEM’s silent installer: Npcap 1.55 and later ought to avoid
reinstalling the same version if the existing installation options match the requested options,
but/winpcap_mode=nowould never match. -
Packet sendqueue operations (
pcap_sendqueue_transmit(),PacketSendPackets())
with time synchronization (syncparameter) have been improved to use timed waits when
possible, only falling back to busy wait for inter-packet delays of less than 50
microseconds. Time difference calculations have been revised to avoid integer overflows
and loss of precision. Fixes #580. -
Packet sendqueue operations now more strictly check timestamp order. If an out-of-order
timestamp is encountered, the packet will not be transmitted.PacketSendPackets()will
set the last error value toERROR_INVALID_TIME. Since packets may be
reported slightly out-of-timestamp-order on multiprocessor machines due to
processing delays, only timestamps that are more than 1ms earlier than the
preceding timestamp will generate the error. -
Npcap is now built with the Win11 SDK and WDK (10.0.22000). We look forward to
implementing support for the exciting new features of NDIS and WFP. -
Improve capture handle state transitions within the Npcap driver. State mismatches led
to issues like #584, where the wrong error code was
reported when the adapter was detached and reattached. -
Fix an issue where raw WiFi capture handles (
/dot11_supportinstall option) would not
reattach after a network disconnect and reconnect. Normal handles got this ability in
Npcap 1.60, but raw WiFi frame captures (monitor mode) did not take advantage of it.
Fixes #591. -
Npcap now avoids setting hardware packet filters (
OID_GEN_CURRENT_PACKET_FILTER,
PacketSetHwFilter()) that the miniport does not declare support for. This may improve
compatibility with WWAN (e.g. 3G and LTE) and VPN connections. -
Npcap now tracks the original lookahead value (
OID_GEN_CURRENT_LOOKAHEAD,
PacketSetMaxLookahead()) before requesting the max value from the miniport, and restores it once
the capture handle is closed. The practice of setting the lookahead to max value was inherited
from WinPcap, and may be changed in the future subject to performance testing.
Npcap 1.60
Installer and debug symbols available from https://npcap.org/#download
-
Npcap can now tolerate network disconnections or NDIS stack
modifications that previously resulted in programs like Wireshark
stopping with the error «PacketReceivePacket error: The device has
been removed. (1617)». This error may still be returned, but user
programs can consider it a transient error. If the network is
reconnected, capture can resume on the same handle. Fixes
#506. -
Improved validation for IRP parameters, resolving potential BSoD
crashes that could be triggered by software interacting directly
with the driver’s device interface. These bugs still affect the last
releases of WinPcap. Thanks to Ilja Van Sprundel from IOActive for
reporting them. -
Fix an issue with NX pool compatibility that caused Npcap 1.50 and
1.55 to fail to run on some Windows 7 systems. Fixes
#536. -
Fix how the installer handles
/option=enforced, which was broken
in Npcap 1.55. Fixes #556. -
Concurrently released the Npcap SDK Version 1.12, which fixes native
ARM compilation by including the ARM64 wpcap.lib, among other
changes. The SDK now has its own change log at
https://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md. -
Further driver source code hardening to catch more bugs
before they manifest in worse ways. This includes adding more SAL
annotations for code analysis, extra assertions, etc. -
The
/prior_driverinstaller option now selects the Npcap 1.30
driver, since Microsoft’s cross-certificate expired 30 minutes
before we signed Version 1.31. See
#536. -
Simplified the code base by removing a bunch of unused or
unneccessary code. This includes «kernel dump mode» (MODE_DUMP)
which was inherited from WinPcap 3.1 even though it had already been
deactivated there in 2005. Also removed legacy WinPcap code which allowed
their (long discontinued) «Pro» version DLL to install the driver
itself. This is not allowed by modern operating systems. We were
able to remove a bunch of code from NPFInstall.exe too. Updated the
INF file to prevent npf_wifi service from being configured, since it
was never actually used. -
Fix an issue causing
pcap_setmode()/PacketSetMode()with a value
ofMODE_CAPTto fail.MODE_CAPTis the default for new handles,
so this only affects software that usesMODE_STATand then
switches toMODE_CAPT, or software that expects a call to
pcap_setmode(MODE_CAPT)on a handle already inMODE_CAPTto
succeed. Fixes #558. -
When installing Npcap in WinPcap API-Compatible mode (the default),
the Npcap installer will perform the uninstallation of WinPcap
directly instead of running the WinPcap uninstaller. This prevents
the WinPcap uninstaller from rebooting the system and allows us to
clean up partial or broken installations. -
Further deprecate the «Legacy loopback support» option: The
npcapwatchdog scheduled task will not check for the existence of the
Npcap Loopback Adapter. -
Added the
PnpLockDowndirective to the npcap.sys INF file for
additional Windows file protection of the driver binary. -
Replaced a feature of NPFInstall.exe and the SimpleSC.dll NSIS
plugin with Powershell commands to improve installer size and
compatibility. May fix #226. -
While you won’t see it in the code itself, we dramatically improved
our automated build and testing proceses. We now run automated
native-arch builds and testing of multiple programs (particularly
the SDK Examples) on all 3 architectures (x86, x64, and ARM). All
tests are run with the debug build of the driver (assertions on) and
Driver Verifier with at least standard settings, and only when that
passes is the release build run through the same tests, also with
Driver Verifier. The tests are also run in x86 emulation on x64 and
ARM.
Npcap 1.55
Installer and debug symbols available from https://npcap.org/#download . Npcap SDK 1.11 was released concurrently, with only minor changes to const-ness of some function parameters in Packet32.h and additional documentation on installer options.
-
Npcap installer can now recognize NetCfg status codes indicating that a
reboot is required (0x0004a020,NETCFG_S_REBOOT), and will prompt the user
to reboot. In silent mode, the installer will return code 3010 (0x0bc2,
ERROR_SUCCESS_REBOOT_REQUIRED) to indicate this result. Fixes #224. -
Npcap installer’s silent mode now offers better control over when to remove
and reinstall an existing Npcap installation. Documentation has been updated
for the new installation options/require_version,/require_features, and
/forceand will be published with the new Npcap SDK 1.11. Fixes #523. -
Fixed an installation failure (0xe0000247) on Windows 8.1/Server 2012 R2 and
earlier systems which have not updated root certificates. The root certificates
are now installed to the Roots trust store. Fixes #233. -
Fixed an issue since Npcap 1.30 where broadcast and subnet masks for adapters
returned bypcap_findalldevs()were in host byte order, displaying values
like «0.240.255.255». Fixes #525. -
Libpcap 1.10.1 has been updated to include some recent changes to the libpcap-1.10
release branch which extend support to adapters with the NdisMediumIP media type,
including Wireguard Wintun virtual adapters. Fixes #173. -
Added specific bad-value checks for issues originating in other drivers which
may be incorrectly attributed to Npcap. These checks, in combination with
additionalconstqualifiers, should serve as assurance that Npcap is not
modifying traffic during capture and cannot be responsible for such crashes. -
Powershell commands launched by the installer are now run with the
-NoProfileoption. Fixes #529. -
Npcap SDK minor change to add const qualifiers to parameters to several Packet.dll functions.
-
Npcap installer now uses Unicode internally. This may result in mixed-encoding install.log files.
Npcap is packet capture library for Windows operating system. Npcap is created and developed as a Nmap project. Npcap is based on WinPcap project which is currently not actively developed. The most important feature of Npcap is support for Windows 10 operating systems where WinPcap only supports up to Windows 7.
Npcap Features
Npcap provides a lot of powerful features according to WinPcap. Here are some of them.
- `NDIS 6 support` will make the Npcap work with newer Windows operating systems like Windows 10, Windows Server 2016, etc.
- `Extra Security` will only provide packet capture to the Administrator level users. If a non-Admin user tries to package capture he should pass UAC (User Account Control).
- `Loopback Packet Capture` makes Npcap capture loopback interface packet capture which is generally used for different services to communicate on the local host.
- `Loopback Packet Injection` makes Npcap inject packets to the loopback interfaces.
- `Libpcap` API support is very useful where popular applications like Wireshark, tcpdump can use Npcap easily like a native application.
- `WinPcap` compatibility is another useful compatibility feature for Npcap.
Npcap Versions
Npcap is an open source project and provided free for most cases. But as an open source project, it needs some support for costs. So Npcap provides as 2 versions for open source and commercial use
- Opensource Npcap source code can be downloaded, compiled and used for internal use.
- Npcap OEM Commercial license is provided with enterprise features like silent installer and commercial support. With Npcap OEM commercial license npcap can be redistributed with different products and libraries.
Npcap can be downloaded from the following URL. The latest version of the Npcap is 0.996 .
https://nmap.org/npcap/dist/npcap-0.996.exe
Install Npcap
Windows 10 operating systems provide SmartScreen as a security measure. We can bypass SmartScreen check by clicking Run in the following window.
As Npcap requires access to the system functions the installation requires Administrative privileges with the following screen in order to start the installation. We will simply click Yes.
If there is an already install Npcap version it will be uninstalled automatically with the following screen.
In the following screen, we will accept the License Agreement of Npcap by clicking I Agree
The most important part of the Npcap installation is the following screen where we will set and provide installation options.
- `Support loopback traffic` will provide support for Loopback adapter packet capture and injection which will create a Npcap Loopback Adapter.
- `Restrict Npcap driver’s access to Administrators only` will secure access to npcap packet capture to Administrative users
- `Support raw 802.11 traffic for wireless adapters` will add wireless traffic capture support with IEEE 802.11 protocols
- `Install Npcap in WinPcap API-compatible Mode` will set fully WinPcap compatibility.
The installation will take a little time to complete.
When the Npcap installation is completed successfully we will see the following screen.
Print Npcap Service Status
Npcap is installed as a driver with a service. In order to capture packets, the Npcap service should be working. The service is named as npcap and we can print or display service status from the command line with sc command. We will open an MS-DOS or PowerShell with Administrator privileges like below.
Windows CMD.exe or Command Shell Tutorial with Examples
> sc query npcap
We can see that the npcap service status is currently running.
Start Npcap Service
We can also start Npcap service with the sc command like below. This operation also requires Administrative privileges.
> sc start npcap
Stop Npcap Service
We can stop Npcap service with the sc command like below. This operation also requires Administrative privileges.
> sc stop npcap
RELEASE RETRACTED Due to #513, we have retracted Npcap 1.40 and have released Npcap 1.50 to address this issue.
Installer and debug symbols available from https://npcap.org/#download
-
Fix a bug with the non-default legacy loopback capture support that caused
all requests to open a capture handle to open the loopback capture instead.
It is recommended to not select «Legacy loopback support» at installation
unless you know your application relies on it. Fixes #302. -
For Windows 10 and Server 2016 and later, restore the ability to capture
traffic on VMware VMnet interfaces such as the host-only and NAT virtual
networks. This will be restored for other supported Windows versions in a
later release. Fixes #304.
Installer and debug symbols available at https://npcap.org/#download
-
Restore raw WiFi frame capture support, which had been broken in a few ways
since Npcap 0.9983. Additional improvements enablePacketSetMonitorMode()
for non-admin-privileged processes, allowing Wireshark to correctly enable
monitor mode via checkbox without requiring WlanHelper.exe. -
Fixed WlanHelper.exe to correctly set modes and channels for adapters, if run
with Administrator privileges. Fixes #122. -
Improved speed of
pcap_findalldevs()by using fewer calls to
GetAdaptersAddresses()and avoiding direct Registry inspection. The new
method may result in more adapters being available for capture than
previously reported. See #169. -
Updated Packet.dll to use modern
HeapAlloc()allocation, faster than the
legacyGlobalAlloc()inherited from WinPcap. -
Improve error reporting from
PacketGetAdapterNames()and related functions.
Installer, SDK and debug symbols available from https://npcap.org/#download
-
Upgrade wpcap.dll to libpcap 1.10. This change enables software to use
pcap_set_tstamp_type()to set the packet capture time source and precision
per capture handle. The currently-supported types (see
pcap-tstamp) are:-
PCAP_TSTAMP_HOST_HIPREC_UNSYNCED— default, maps toTIMESTAMPMODE_SINGLE_SYNCHRONIZATION -
PCAP_TSTAMP_HOST_LOWPREC— maps toTIMESTAMPMODE_QUERYSYSTEMTIME -
PCAP_TSTAMP_HOST_HIPREC— maps toTIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE
-
-
Fix an issue preventing
WlanHelper.exefrom changing WiFi parameters for
adapters which caused the error message «makeOIDRequest::My_PacketOpenAdapter
error». Fixes #122 and several other reports
of the same issue. -
Fixed an issue that prevented NDIS protocol drivers from reducing the
hardware packet filter, even if the removed bits/filters were only set by
that protocol driver initially. This may fix #106. -
Fixed an issue with
pcap_sendqueue_transmit()that caused it to busy-wait
in an attempt to synchronize packet sends with pcap timestamps, even when the
program did not request synchronization. Fixes #113. -
The installer will now safely remove and replace broken installations due to
#268. -
Upgraded installer to NSIS 3, which improves compatibility with modern Windows versions.
-
Added application manifests to several installer tools and removed Windows
Vista from the manifests of others, improving compatibility.
Installer and debug symbols available from https://npcap.org/#download
-
Fixed an issue where our upgrade uninstaller would trigger the
#1924 BSoD crash when upgrading from Npcap 0.9988 or older to
version 0.9996 or greater. Fixes #268. -
Improved handling of large packets when a very small user buffer size is specified, which could
lead to stalled captures and dropped packets. -
Fix a packet corruption issue when one capture handle sets a snaplen of exactly 256 bytes and
another sets a snaplen of greater than 256 bytes and the packet size exceeds 256 bytes. -
Fix accounting of free space in the kernel buffer so that bugs like the previous one do not cause
space to be permanently lost, leading to dropped packets. Instead, use assertions to catch this
condition in testing with the debug build. -
Check that the npcap driver service is configured for
SYSTEM_STARTin thenpcapwatchdog
scheduled task and correct it if necessary. Windows feature updates can modify this value.
Installer and debug symbols available from https://npcap.org/#download
-
After more than 7 years of development and 170 previous public releases, the
Nmap Project is delighted to release Npcap version 1.00! -
New Packet.dll function
PacketGetTimestampModes()to retrieve supported
packet timestamping modes. These do not currently vary by adapter, but
TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISEis not supported on Windows 7, for
example. Fixes #174.
Installer and debug symbols available from https://npcap.org/#download
-
Fix an integer underflow in the amount of free buffer space available leading
to excessive memory consumption. Fixes #223. -
Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.
-
Replaced object pool/slab allocator with Windows lookaside lists, improving
performance by avoiding spinlocks and allowing the system to adjust memory
consumption.
Installer and debug symbols available from https://npcap.org/#download
-
Fix a runaway memory leak triggered by low-resources condition leading to
system hangs. Fixes #213. -
Fix a BSoD crash in
NPF_Readin some high-traffic cases. Fixes #206. -
Fix a handle leak in Packet.dll when enumerating interfaces. Fixes #26.
-
Fix an inconsistency between return value and IRP completion status in
NPF_Readwhen an adapter is removed. Driver Verifier would cause a bugcheck
(BSoD) in this case, and pcap API functions would not detect an error.
Fixes #217 -
Improved performance by reusing allocated packet data buffers and
implementingDISPATCH_LEVELtracking throughout the driver to speed up lock
acquisition. -
When upgrading from compatible recent versions (currently Npcap 0.9985 and
newer), the installer will unpack a newUninstall.exeandNPFInstall.exe
prior to removing the existing installation. This resolves issues with the
uninstallation process such as were common in Npcap 0.9991 through 0.9994. -
Upgraded build system to VisualStudio 2019 and WDK 10.0.18362.0
Installer and debug symbols available from https://npcap.org/#download
-
Fix a BSoD crash in
NPF_Readwhen NDIS filter module is detached from the
adapter. Fixes #194 -
On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10
WFP compatibility, supporting network stack improvements like RSC.
Fixes #196. -
Correctly obey maximum frame size for an adapter by querying
OID_GEN_MAXIMUM_TOTAL_SIZEinstead of using MTU, which does not include
space for the link layer header. Fixes #186. -
Fix detection of processes using Npcap resources during uninstall or upgrade.
The fix for #2015 had broken this so such
processes were not terminated, leading to failed installations. -
Obey snaplen (
pcap_set_snaplen()) even if a packet filter is not set. This
is a backported change from upstream libpcap that corrects a deficiency that
has been present in all previous versions of WinPcap and Npcap.
Fixes #201. -
Improvements to object pool/slab allocator to allow nonpaged memory to be
freed when not in use. -
When installing Npcap OEM in silent mode, avoid running
C:\Uninstall.exeif no existing Npcap installation is present.
Installer and debug symbols available from https://npcap.org/#download
-
Fix a BSoD crash in
NPF_ReleaseOpenInstanceResourcesdue to miscounting of
number of open Loopback capture instances. Fixes #185. -
Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing a
data structure that already contained packet data. -
Fix a crash in
NPFInstall.exethat happened when trying to rebind Npcap to
the network stack as part of some installations. Reported by Microsoft App
Assure ISV Outreach Team. -
When multiple packets are indicated in a single
FilterReceiveNetBufferLists
callback, only get a single timestamp for all of them. Avoids extra calls to
KeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended up
measuring Npcap processing delay, not actual packet arrival time. -
Fix a potential NULL pointer deref issue in
Objpool.hmacros if an
allocation were to fail and return a NULL pointer. -
Fix parsing of
pnputil.exeoutput that resulted in Npcap drivers not being
cleared from the DriverStore before installing or upgrading. This led to
older drivers being preferred in some cases, such as installing an unsigned
driver in test mode. -
Move all capture- and injection-related initialization code out of
NPF_OpenAdapter, improving efficiency of operations like listing adapters
or performing OID requests without starting a full capture. -
Added SAL annotations to most driver functions to improve static analysis.
Found one issue related to using a NULL NDIS handle in an allocation
function, which is not supported on Windows 7. -
Allow driver to load even if there is a problem initializing loopback capture
or injection functions. The loopback capture device will simply be
unavailable in that case.
Installer and debug symbols available from https://npcap.org/#download
-
Npcap can now tolerate network disconnections or NDIS stack
modifications that previously resulted in programs like Wireshark
stopping with the error «PacketReceivePacket error: The device has
been removed. (1617)». This error may still be returned, but user
programs can consider it a transient error. If the network is
reconnected, capture can resume on the same handle. Fixes
#506. -
Improved validation for IRP parameters, resolving potential BSoD
crashes that could be triggered by software interacting directly
with the driver’s device interface. These bugs still affect the last
releases of WinPcap. Thanks to Ilja Van Sprundel from IOActive for
reporting them. -
Fix an issue with NX pool compatibility that caused Npcap 1.50 and
1.55 to fail to run on some Windows 7 systems. Fixes
#536. -
Fix how the installer handles
/option=enforced, which was broken
in Npcap 1.55. Fixes #556. -
Concurrently released the Npcap SDK Version 1.12, which fixes native
ARM compilation by including the ARM64 wpcap.lib, among other
changes. The SDK now has its own change log at
https://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md. -
Further driver source code hardening to catch more bugs
before they manifest in worse ways. This includes adding more SAL
annotations for code analysis, extra assertions, etc. -
The
/prior_driverinstaller option now selects the Npcap 1.30
driver, since Microsoft’s cross-certificate expired 30 minutes
before we signed Version 1.31. See
#536. -
Simplified the code base by removing a bunch of unused or
unneccessary code. This includes «kernel dump mode» (MODE_DUMP)
which was inherited from WinPcap 3.1 even though it had already been
deactivated there in 2005. Also removed legacy WinPcap code which allowed
their (long discontinued) «Pro» version DLL to install the driver
itself. This is not allowed by modern operating systems. We were
able to remove a bunch of code from NPFInstall.exe too. Updated the
INF file to prevent npf_wifi service from being configured, since it
was never actually used. -
Fix an issue causing
pcap_setmode()/PacketSetMode()with a value
ofMODE_CAPTto fail.MODE_CAPTis the default for new handles,
so this only affects software that usesMODE_STATand then
switches toMODE_CAPT, or software that expects a call to
pcap_setmode(MODE_CAPT)on a handle already inMODE_CAPTto
succeed. Fixes #558. -
When installing Npcap in WinPcap API-Compatible mode (the default),
the Npcap installer will perform the uninstallation of WinPcap
directly instead of running the WinPcap uninstaller. This prevents
the WinPcap uninstaller from rebooting the system and allows us to
clean up partial or broken installations. -
Further deprecate the «Legacy loopback support» option: The
npcapwatchdog scheduled task will not check for the existence of the
Npcap Loopback Adapter. -
Added the
PnpLockDowndirective to the npcap.sys INF file for
additional Windows file protection of the driver binary. -
Replaced a feature of NPFInstall.exe and the SimpleSC.dll NSIS
plugin with Powershell commands to improve installer size and
compatibility. May fix #226. -
While you won’t see it in the code itself, we dramatically improved
our automated build and testing proceses. We now run automated
native-arch builds and testing of multiple programs (particularly
the SDK Examples) on all 3 architectures (x86, x64, and ARM). All
tests are run with the debug build of the driver (assertions on) and
Driver Verifier with at least standard settings, and only when that
passes is the release build run through the same tests, also with
Driver Verifier. The tests are also run in x86 emulation on x64 and
ARM.
Installer and debug symbols available from https://npcap.org/#download . Npcap SDK 1.11 was released concurrently, with only minor changes to const-ness of some function parameters in Packet32.h and additional documentation on installer options.
-
Npcap installer can now recognize NetCfg status codes indicating that a
reboot is required (0x0004a020,NETCFG_S_REBOOT), and will prompt the user
to reboot. In silent mode, the installer will return code 3010 (0x0bc2,
ERROR_SUCCESS_REBOOT_REQUIRED) to indicate this result. Fixes #224. -
Npcap installer’s silent mode now offers better control over when to remove
and reinstall an existing Npcap installation. Documentation has been updated
for the new installation options/require_version,/require_features, and
/forceand will be published with the new Npcap SDK 1.11. Fixes #523. -
Fixed an installation failure (0xe0000247) on Windows 8.1/Server 2012 R2 and
earlier systems which have not updated root certificates. The root certificates
are now installed to the Roots trust store. Fixes #233. -
Fixed an issue since Npcap 1.30 where broadcast and subnet masks for adapters
returned bypcap_findalldevs()were in host byte order, displaying values
like «0.240.255.255». Fixes #525. -
Libpcap 1.10.1 has been updated to include some recent changes to the libpcap-1.10
release branch which extend support to adapters with the NdisMediumIP media type,
including Wireguard Wintun virtual adapters. Fixes #173. -
Added specific bad-value checks for issues originating in other drivers which
may be incorrectly attributed to Npcap. These checks, in combination with
additionalconstqualifiers, should serve as assurance that Npcap is not
modifying traffic during capture and cannot be responsible for such crashes. -
Powershell commands launched by the installer are now run with the
-NoProfileoption. Fixes #529. -
Npcap SDK minor change to add const qualifiers to parameters to several Packet.dll functions.
-
Npcap installer now uses Unicode internally. This may result in mixed-encoding install.log files.
Installer and debug symbols available from https://npcap.org/#download
-
Fixed #513 which prevented Npcap 1.40 from installing.
-
All PowerShell scripts installed or used during installation are now digitally signed.
-
Npcap can now be installed on Windows 10 for ARM64 devices. Both ARM64 and
x86 DLLs will be installed, allowing existing x86 applications such as Nmap
or Wireshark to run without modification. -
Npcap SDK 1.10 release coincides with this release, providing updated
documentation and libs for ARM64. -
Npcap code now passes Microsoft’s Static Driver Verifier for NDIS drivers and
Visual Studio’s Code Analysis «AllRules» ruleset. A couple of minor and
extremely-improbable bugs were fixed in addition to general code cleanup and annotation. -
On Windows 8 and 8.1, the Npcap driver has been updated to NDIS 6.30,
supporting network stack improvements like RSC and QoS. Windows 10 still uses
NDIS 6.50 and Windows 7 uses NDIS 6.20. -
Npcap is no longer distributed with SHA-1 digital signatures. Windows 7 and
Server 2008 R2 will require KB4474419 in order to install Npcap. All other
platforms support SHA-2 digital signatures by default. -
Streamlined loopback packet injection to avoid using Winsock Kernel (WSK)
sockets. This removes a significant amount of complexity and overhead. -
Due to Microsoft’s deprecation of cross-signed root certificates for kernel-mode code signing,
Npcap 1.40 may not install correctly on Windows versions prior to Windows 10.
Our testing did not show any issues, but users who experience installation
failures may use the/prior_driver=yesinstallation option to install the
Npcap 1.31 driver instead, which has no such issues. -
The «npcapwatchdog» scheduled task, which ensures the Npcap driver service is
configured to start at boot, is now installed with a description when
possible (Windows 7 does not support creating scheduled tasks via PowerShell).
Fixes #498. -
Fix an issue where installation under Citrix Remote Access or other
situations would fail with the message «Installer runtime error 255 at
76539962, Could not load SimpleSC.dll». Fixes #226. -
Ensure driver signature can be validated on systems without Internet access
by installing the entire certificate chain, including the chain for the
timestamp counter-signature. This should address #233. -
Fix an issue with comparing adapter names retrieved from the Registry. This
prevented Npcap 1.31 from being used for SendToRx and other less-used
features. Fixes #311. -
Npcap driver no longer excludes adapters based on media type, which may allow
capture on some devices that were previously unavailable.
RELEASE RETRACTED Due to #513, we have retracted Npcap 1.40 and have released Npcap 1.50 to address this issue.
Installer and debug symbols available from https://npcap.org/#download
-
Fix a bug with the non-default legacy loopback capture support that caused
all requests to open a capture handle to open the loopback capture instead.
It is recommended to not select «Legacy loopback support» at installation
unless you know your application relies on it. Fixes #302. -
For Windows 10 and Server 2016 and later, restore the ability to capture
traffic on VMware VMnet interfaces such as the host-only and NAT virtual
networks. This will be restored for other supported Windows versions in a
later release. Fixes #304.
Installer and debug symbols available at https://npcap.org/#download
-
Restore raw WiFi frame capture support, which had been broken in a few ways
since Npcap 0.9983. Additional improvements enablePacketSetMonitorMode()
for non-admin-privileged processes, allowing Wireshark to correctly enable
monitor mode via checkbox without requiring WlanHelper.exe. -
Fixed WlanHelper.exe to correctly set modes and channels for adapters, if run
with Administrator privileges. Fixes #122. -
Improved speed of
pcap_findalldevs()by using fewer calls to
GetAdaptersAddresses()and avoiding direct Registry inspection. The new
method may result in more adapters being available for capture than
previously reported. See #169. -
Updated Packet.dll to use modern
HeapAlloc()allocation, faster than the
legacyGlobalAlloc()inherited from WinPcap. -
Improve error reporting from
PacketGetAdapterNames()and related functions.
Installer, SDK and debug symbols available from https://npcap.org/#download
-
Upgrade wpcap.dll to libpcap 1.10. This change enables software to use
pcap_set_tstamp_type()to set the packet capture time source and precision
per capture handle. The currently-supported types (see
pcap-tstamp) are:PCAP_TSTAMP_HOST_HIPREC_UNSYNCED— default, maps toTIMESTAMPMODE_SINGLE_SYNCHRONIZATIONPCAP_TSTAMP_HOST_LOWPREC— maps toTIMESTAMPMODE_QUERYSYSTEMTIMEPCAP_TSTAMP_HOST_HIPREC— maps toTIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE
-
Fix an issue preventing
WlanHelper.exefrom changing WiFi parameters for
adapters which caused the error message «makeOIDRequest::My_PacketOpenAdapter
error». Fixes #122 and several other reports
of the same issue. -
Fixed an issue that prevented NDIS protocol drivers from reducing the
hardware packet filter, even if the removed bits/filters were only set by
that protocol driver initially. This may fix #106. -
Fixed an issue with
pcap_sendqueue_transmit()that caused it to busy-wait
in an attempt to synchronize packet sends with pcap timestamps, even when the
program did not request synchronization. Fixes #113. -
The installer will now safely remove and replace broken installations due to
#268. -
Upgraded installer to NSIS 3, which improves compatibility with modern Windows versions.
-
Added application manifests to several installer tools and removed Windows
Vista from the manifests of others, improving compatibility.
Installer and debug symbols available from https://npcap.org/#download
-
Fixed an issue where our upgrade uninstaller would trigger the
#1924 BSoD crash when upgrading from Npcap 0.9988 or older to
version 0.9996 or greater. Fixes #268. -
Improved handling of large packets when a very small user buffer size is specified, which could
lead to stalled captures and dropped packets. -
Fix a packet corruption issue when one capture handle sets a snaplen of exactly 256 bytes and
another sets a snaplen of greater than 256 bytes and the packet size exceeds 256 bytes. -
Fix accounting of free space in the kernel buffer so that bugs like the previous one do not cause
space to be permanently lost, leading to dropped packets. Instead, use assertions to catch this
condition in testing with the debug build. -
Check that the npcap driver service is configured for
SYSTEM_STARTin thenpcapwatchdog
scheduled task and correct it if necessary. Windows feature updates can modify this value.
Installer and debug symbols available from https://npcap.org/#download
-
After more than 7 years of development and 170 previous public releases, the
Nmap Project is delighted to release Npcap version 1.00! -
New Packet.dll function
PacketGetTimestampModes()to retrieve supported
packet timestamping modes. These do not currently vary by adapter, but
TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISEis not supported on Windows 7, for
example. Fixes #174.
Installer and debug symbols available from https://npcap.org/#download
-
Fix an integer underflow in the amount of free buffer space available leading
to excessive memory consumption. Fixes #223. -
Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.
-
Replaced object pool/slab allocator with Windows lookaside lists, improving
performance by avoiding spinlocks and allowing the system to adjust memory
consumption.