Discussion:
[Winpcap-users] winpcap alternatives
Giulio Marescotti
2014-02-13 15:22:37 UTC
Hi everybody,

I am developing software to manipulate traffic in real time, that is,
adding/removing a suffix to every packet outgoing from or incoming to the PC
and performing other activities. The manipulated packets should
serve applications transparently, that is, as if they were coming directly
from the NIC driver.

I prepared a test environment with a prototype, written on the Linux platform,
to perform traffic stress tests using *libpcap*
and a *TUN/TAP* virtual interface to which my stress
test application is connected.

I noticed some performance limitations with packet losses (confirmed by
reading some papers on this issue).
I was wondering if there are any alternatives (free or commercial) which
can help me get better results.

For Linux I know of *PF_RING*, but there is no version for Windows.

Any help will be greatly appreciated,

thank you,

Giulio
Blibbet
2014-02-13 19:41:39 UTC
Post by Giulio Marescotti
I was wondering if there are any alternatives (free or commercial) which
can help me to get better results.
For Linux I know of *PF_RING*, but there is no version for Windows.
1) NetMon

NetMon is the Microsoft packet capturing library and API and app.
Windows-centric, created by the LAN Manager team years ago.

Advantage of NetMon over WinPcap: the network stack vendor maintains it
and cares about performance, whereas WinPcap uses Unix-centric libpcap
code/logic and tries to fit this into the Windows driver model, and this
model doesn't properly handle all platform differences.

NetMon is maintained, whereas Windows WinPcap has been mostly
ignored for many years, and Windows has completely changed its network
stack during that time.

Disadvantage: it's closed-source freeware, not open source like libpcap.
There are a few filters on CodePlex.com for NetMon that are open source,
though. You'll be reliant on MSDN for help, but there's a sample or two
that does as much as the WinPcap samples; it's not hard to use.

Make sure you ignore all the NetMon v2 stuff and only look at v3 or
later. MSDN is really bad at showing you the old stuff first.

http://www.microsoft.com/en-us/download/details.aspx?id=4865
http://nmexperts.codeplex.com/
http://nmparsers.codeplex.com/

2) Nmap's WinPcap.

I think they have a fork of WinPcap that's getting updates, unlike the
main one.

3) For third-party libraries, check out:
http://www.pcausa.com
or
http://www.rawether.net/
OSRonline.com's ntdev mailing list is where the main NT consultants
hang out and talk about NDIS perf issues with libs like this, among
other things. Search their archives for opinions on these two libs.

HTH,
Lee
Gisle Vanem
2014-02-13 20:30:04 UTC
Post by Blibbet
2) Nmap's WinPcap.
I think they have a fork of WinPcap that's getting updates, unlike the
main one.
No, they use a fork of *libpcap* which is way behind the official libpcap
at tcpdump.org.

--gv
Blibbet
2014-02-13 22:53:34 UTC
Post by Gisle Vanem
Post by Blibbet
2) Nmap's WinPcap.
I think they have a fork of WinPcap that's getting updates, unlike the
main one.
No, they use a fork of *libpcap* which is way behind the official libpcap
at tcpdump.org.
All I know is that on one of the nmap mailing lists -- perhaps 6 months
or more current -- there was recent activity about getting it to work on
recent builds of Windows (Win7 or Win8), whereas at the same time people
were on the winpcap list complaining about lack of any activity. So I
still think that they might have some Windows code that works better
with the current NDIS stack than current Winpcap trunk.

Sorry, don't have time to research it for you further.
Blibbet
2014-02-14 19:10:02 UTC
This is what I mean. Below is a partial message, with date, timeframe and
author. I emailed this to the person at cache/riverbed who was saying he was
about to catch up on WinPcap after years of neglect, asking if they
should investigate merging these changes.

-------- Original Message --------
Subject: Call for test: WinPcap 4.1.4 (NPcap 1.0.0)
Date: Tue, 6 Aug 2013 02:06:18 +0800
To: dev <***@nmap.org>

I have just released WinPcap 4.1.4 (a non-official name, also called
NPcap 1.0.0) for testing. I have spent nearly one month porting it from
NDIS5.0 to NDIS6.x. It can gain better performance than the official
WinPcap (currently 4.1.3 version) under Win7 and Win8 (behaves the same
as the old one under XP and Vista). I have rewritten the original NSIS
installation script and packed the new WinPcap 4.1.4 into an EXE
package, so you can test it easily.
[...]
Giulio Marescotti
2014-02-14 13:31:11 UTC
Hi,
thank you for the prompt and valuable response.

I have already considered your last option, pcausa/rawether, but the owner
wrote me that it is not suitable for my needs.
Do you think I would have the same issues using NetMon? Here are the reasons
given by Mr Divine, owner of PCAUSA:

"Rawether is based on an NDIS protocol driver. An NDIS protocol driver is a
peer to the host OS TCP/IP protocol driver. All incoming packets are ALWAYS
indicated to all peer NDIS protocol drivers. This is not good for the
implementation that you have in mind. In a product such as I think you have
in mind you want to be able to handle some packets privately without the
host OS seeing them. You would manipulate these "private" packets in some
way and reinject them into the network flow. You can't do this sort of
manipulation with an NDIS protocol driver."

Thank you anyway for your time

Giulio
Post by Blibbet
Post by Giulio Marescotti
I was wondering if there are any alternatives (free or commercial) which
can help me to get better results.
For Linux I know of *PF_RING*, but there is no version for Windows.
1) NetMon
NetMon is the Microsoft packet capturing library and API and app.
Windows-centric, created by the LAN Manager team years ago.
Advantage of NetMon over WinPcap: the network stack vendor maintains it
and cares about performance, whereas WinPcap uses Unix-centric libpcap
code/logic and tries to fit this into the Windows driver model, and this
model doesn't properly handle all platform differences.
NetMon is maintained, whereas Windows WinPcap has been mostly
ignored for many years, and Windows has completely changed its network
stack during that time.
Disadvantage: it's closed-source freeware, not open source like libpcap.
There are a few filters on CodePlex.com for NetMon that are open source,
though. You'll be reliant on MSDN for help, but there's a sample or two
that does as much as the WinPcap samples; it's not hard to use.
Make sure you ignore all the NetMon v2 stuff and only look at v3 or later.
MSDN is really bad at showing you the old stuff first.
http://www.microsoft.com/en-us/download/details.aspx?id=4865
http://nmexperts.codeplex.com/
http://nmparsers.codeplex.com/
2) Nmap's WinPcap.
I think they have a fork of WinPcap that's getting updates, unlike the
main one.
http://www.pcausa.com
or
http://www.rawether.net/
OSRonline.com's ntdev mailing list is where the main NT consultants
hang out and talk about NDIS perf issues with libs like this, among other
things. Search their archives for opinions on these two libs.
HTH,
Lee
Blibbet
2014-02-14 19:12:17 UTC
As mentioned below, ask on the osronline.com's ntdev forum. Thomas and
the other NDIS experts hang out there. I don't have any current
experience with Rawether.
Post by Giulio Marescotti
I have already considered your last option, pcausa/rawether, but the owner
wrote me that it is not suitable for my needs.
Do you think I would have the same issues using NetMon? Here are the reasons of
"Rawether is based on an NDIS protocol driver. An NDIS protocol driver is a
peer to the host OS TCP/IP protocol driver. All incoming packets are ALWAYS
indicated to all peer NDIS protocol drivers. This is not good for the
implementation that you have in mind. In a product such as I think you have
in mind you want to be able to handle some packets privately without the
host OS seeing them. You would manipulate these "private" packets in some
way and reinject them into the network flow. You can't do this sort of
manipulation with an NDIS protocol driver."
Thank you anyway for your time
....
Post by Giulio Marescotti
Post by Blibbet
http://www.pcausa.com
or
http://www.rawether.net/
OSRonline.com's ntdev mailing list is where the main NT consultants
hang out and talk about NDIS perf issues with libs like this, among other
things. Search their archives for opinions on these two libs.