Discussion:
[Winpcap-users] Windows 10 support for WinPcap
Sven Kerschbaum
2016-02-04 08:30:37 UTC
Hi all,

Is there already an effort to get WinPcap ready for Windows 10? As Pascal
Quantin already pointed out, WinPcap does not run on Windows 10 due to the
fact that the WinPcap driver is not an NDIS 6 driver. Please find more
information here:
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html

Searching the internet, I found a port of the WinPcap driver to NDIS 6 which
has been done by Daiyuu Nobori. Unfortunately, the sources are licensed
under GPL and not under a BSD-like license like the original WinPcap.
Furthermore, I did not find any references about the quality of this port
or about the roadmap. Will it be maintained in future or was it just a kind
of proof of concept? Find more information here: http://www.win10pcap.org/

I would prefer to use an official release from WinPcap... Does anyone know
more about the WinPcap roadmap? What is the current state?

Best regards,
SK
Guy Harris
2016-02-04 08:51:19 UTC
Post by Sven Kerschbaum
is there already effort for getting WinPcap ready for Windows 10?
There's NPcap:

https://github.com/nmap/npcap
Pascal Quantin
2016-02-04 09:15:45 UTC
Hi Sven,
Post by Sven Kerschbaum
Hi all,
is there already effort for getting WinPcap ready for Windows 10? As
Pascal Quantin already pointed out WinPcap does not run on Windows 10 due
to the fact that the WinPcap driver is not an NDIS 6 driver. Please find
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
Searching the internet I found a port of the WinPcap driver to NDIS 6
which has been done by Daiyuu Nobori . Unfortunately, the sources are
licensed under GPL and not BSD-like the original WinPcap. Furthermore, I
did not found any references about the quality of this port and about the
roadmap? Will it be maintained in future or was it just a kind of proof of
concept? Find more information here: http://www.win10pcap.org/
I would prefer to use an official release from WinPcap... Does anyone know
more about the WinPcap roadmap? What is the current state?
Since that time, Microsoft reverted their change and WinPcap 4.1.3 is
working fine on Windows 10. So you can use it.
As Guy indicated, Npcap is a pretty good fork of WinPcap source code (using
MIT license) with NDIS6.0 and other new features, with an active developer
and I use it daily.

Regards,
Pascal.
Gisle Vanem
2016-02-04 10:08:28 UTC
is there already effort for getting WinPcap ready for Windows 10? As Pascal Quantin already pointed out WinPcap does not
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
Really? All my WinPcap-based programs work fine here.
From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':

        Verified:       Signed
        Signing date:   02.49 01.03.2013
        Publisher:      Riverbed Technology
        Company:        Riverbed Technology, Inc.
        Description:    npf.sys (NT5/6 AMD64) Kernel Driver
        Product:        WinPcap
        Prod version:   4.1.0.2980
        File version:   4.1.0.2980
        MachineType:    64-bit


The version and 'Signing date' are in accordance with what's on winpcap.org.
And also:

F:\> windump -Dv
1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
    Addr 0: 10.0.0.11 (mask 255.255.255.0)
    MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)

2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
    Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
    Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
    MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)

3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
    Addr 0: 10.0.0.10 (mask 255.255.255.0)
    MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)

--------------

I'm on Win 10. Version 1511 (OS-Build 10586.71).
Windows 10 build 10041 (as mentioned in that mail) is pretty old.
--
--gv
Sven Kerschbaum
2016-02-04 11:18:15 UTC
Oh, I have to admit that I did not try it on an up-to-date Windows 10
system... Thanks for the hint that this was only an issue in early Windows
10 versions.

I was also not aware of Npcap. Thanks for pointing me to this fork! How
does Npcap differ from WinPcap with respect to performance and features? At
least I am missing the possibility to get notified about media state
changes (connected, disconnected) in WinPcap. Does Npcap offer such
functionality?

Furthermore: Is WinPcap still under active development? Its last release
was in 2013. Or am I better advised to rely on Npcap?

Thank you!
Best regards,
SK
_______________________________________________
Winpcap-users mailing list
https://www.winpcap.org/mailman/listinfo/winpcap-users
食肉大灰兔V5
2016-02-04 12:04:53 UTC
Hi Sven,

Npcap (https://github.com/nmap/npcap) has better performance because of
NDIS 6. It also has several new features:


1. *NDIS 6 Support*: Npcap makes use of the new LWF driver in Windows Vista
   and later (the legacy driver is used on XP). It's faster than the legacy
   *NDIS 5 Intermediate*
   <https://msdn.microsoft.com/en-us/library/windows/hardware/ff557012(v=vs.85).aspx>
   technique. One reason is that the packet data structure has changed
   (from NDIS_PACKET to NET_BUFFER_LIST) since Vista, and NDIS 5 needs to
   handle extra packet structure conversion.
2. *"Admin-only Mode" Support*: Npcap supports restricting its use to
   Administrators for safety purposes. If Npcap is installed with the
   option *Restrict Npcap driver's access to Administrators only* checked,
   when a non-Admin user tries to start user software (Nmap, Wireshark,
   etc.), the *User Account Control (UAC)*
   <http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7>
   dialog will prompt for Administrator privilege. Only when the end user
   chooses Yes can the driver be accessed. This is similar to UNIX, where
   you need root access to capture packets.
3. *"WinPcap Compatible Mode" Support*: "WinPcap Compatible Mode" is used
   to decide whether Npcap should coexist with WinPcap or be compatible
   with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist with
   WinPcap and share the DLL binary interface with WinPcap. So applications
   unaware of Npcap *SHOULD* be able to use Npcap automatically if WinPcap
   is unavailable. Applications that know of Npcap's existence can choose
   to use Npcap or WinPcap first. The key to which is loaded first is the
   *DLL Search Path*
   <https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx>.
   With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into
   C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So
   applications that want to load Npcap first must make
   C:\Windows\System32\Npcap\ precede other paths in ways such as calling
   *SetDllDirectory*
   <https://msdn.microsoft.com/en-us/library/ms686203.aspx>, etc. Another
   point is that Npcap uses the service name npcap instead of WinPcap's npf
   with "WinPcap Compatible Mode" OFF. So applications using net start npf
   to start the service must use net start npcap instead. If you want 100%
   compatibility with WinPcap, you should install Npcap choosing "WinPcap
   Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this
   mode, Npcap will install its DLLs in WinPcap's C:\Windows\System32\ and
   use the npf service name. Note that before installing in this mode, you
   must uninstall WinPcap first (the installer wizard will prompt you to do
   that).
4. *Loopback Packets Capture Support*: Npcap is now able to see Windows
   loopback packets using the *Windows Filtering Platform (WFP)*
   <https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx>
   technique. After installation, Npcap will create an adapter named Npcap
   Loopback Adapter for you. If you are a Wireshark user, choose this
   adapter to capture and you will see all loopback traffic the same way as
   on other non-loopback adapters. Try it by typing in commands like
   ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
5. *Loopback Packets Send Support*: Besides capturing loopback packets,
   Npcap can also send out loopback packets based on the *Winsock Kernel
   (WSK)*
   <https://msdn.microsoft.com/en-us/library/windows/hardware/ff556958(v=vs.85).aspx>
   technique. User software (e.g. Nmap) can just send packets out using the
   Npcap Loopback Adapter like other adapters. The Npcap Loopback Adapter
   will automatically remove the packet's Ethernet header and inject the
   payload into the Windows TCP/IP stack, so this kind of loopback packet
   never goes out of the machine.


I actually didn't add a function for notifying user software about media
state changes. As far as I know, there isn't any support for such a function
in libpcap. libpcap is an interface standard followed by WinPcap/Npcap.
However, I think you can do it using native Windows APIs (like Receiving
Notification of Network Events in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx
). And if you have any improvement advice about Npcap, I will consider it :)


Cheers,
Yang
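Added example (not part of the original thread and not Npcap project code): one way an application can put C:\Windows\System32\Npcap\ ahead of the other search paths with SetDllDirectory, and pick the matching service name, as point 3 of the post above describes. The function names npcap_dll_dir, npcap_service_name and load_npcap_wpcap are hypothetical; the directory is derived from GetSystemDirectory instead of being hard-coded, and the sample path in main() is constructed.

```c
/* Added example: names below are hypothetical, not Npcap or WinPcap API. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

#define NPCAP_SUBDIR "Npcap"

/* Build "<system_dir>\Npcap" into out.
 * Returns 0 on success, -1 if system_dir is not an absolute drive path
 * ("X:\...") or the result does not fit. Rejecting relative input means the
 * DLL directory can never resolve against the current working directory. */
int npcap_dll_dir(const char *system_dir, char *out, size_t cap)
{
    size_t len;
    int n;

    if (system_dir == NULL || out == NULL || cap == 0)
        return -1;
    len = strlen(system_dir);
    if (len < 3 || !isalpha((unsigned char)system_dir[0]) ||
        system_dir[1] != ':' || system_dir[2] != '\\')
        return -1;
    /* GetSystemDirectory ends in '\' only when the system directory is a
     * drive root; strip it so the result never contains "\\Npcap". */
    while (len > 2 && system_dir[len - 1] == '\\')
        len--;
    n = snprintf(out, cap, "%.*s\\%s", (int)len, system_dir, NPCAP_SUBDIR);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* Service name to start, per the post: "npcap" when Npcap coexists with
 * WinPcap, "npf" when installed in WinPcap API-compatible mode. */
const char *npcap_service_name(int winpcap_compatible_mode)
{
    return winpcap_compatible_mode ? "npf" : "npcap";
}

#ifdef _WIN32
/* Load Npcap's wpcap.dll. Returns the module handle, or NULL on failure.
 * SetDllDirectory places the given directory right after the application
 * directory in the search order and drops the current directory from it,
 * so wpcap.dll and the Packet.dll it imports both come from the Npcap
 * directory. A wpcap.dll sitting in the application directory would still
 * be found first, so do not ship one there. */
HMODULE load_npcap_wpcap(void)
{
    char sysdir[MAX_PATH];
    char dlldir[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);

    if (n == 0 || n >= sizeof sysdir)
        return NULL;
    if (npcap_dll_dir(sysdir, dlldir, sizeof dlldir) != 0)
        return NULL;
    if (!SetDllDirectoryA(dlldir))
        return NULL;
    return LoadLibraryA("wpcap.dll");
}
#endif

int main(void)
{
    char dir[260];

#ifdef _WIN32
    HMODULE h = load_npcap_wpcap();
    printf("wpcap.dll from Npcap directory: %s\n", h ? "loaded" : "not loaded");
    if (h)
        FreeLibrary(h);
#endif
    /* Constructed sample input, not read from a real system. */
    if (npcap_dll_dir("C:\\Windows\\System32", dir, sizeof dir) == 0)
        printf("%s (service: %s)\n", dir, npcap_service_name(0));
    return 0;
}
```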
Sven Kerschbaum
2016-02-04 15:31:34 UTC
Hi Yang,

Thanks for providing me with the detailed information about Npcap. I will
definitely have a look at it and try it.

Cheers,
SK
Sven Kerschbaum
2016-02-04 18:40:48 UTC
@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
Jiyang Hu
2016-02-04 19:17:48 UTC
@Sven: you need something called - Inverted Call Model
The Inverted Call Model in KMDF - OSR

|   |
|   | |   |   |   |   |   |
| The Inverted Call Model in KMDF - OSROne of the most common questions we see from students, clients, and new Windows driver Read more |
| |
| View on www.osr.com | Preview by Yahoo |
| |
|   |




On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <***@gmail.com> wrote:


@Yang: It is not possible to get notifications of media state changes by the API which you proposed in your previous post. It provides only notifications about IP table changes.Am 04.02.2016 16:31 schrieb "Sven Kerschbaum" <***@gmail.com>:

Hi Yang,
thanks for providing me the detailed information about Npcap. I will definitively have a look at it and try it.
Cheers,SK

2016-02-04 13:04 GMT+01:00 食肉倧灰兔V5 <***@gmail.com>:

Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. It also has several new features:

- NDIS 6 Support: Npcap makes use of new LWF driver in Windows Vista and later (the legacy driver is used on XP). It's faster than the legacy NDIS 5 Intermediate technique. One reason is that packet data stucture has changed (fromNDIS_PACKET to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra packet structure conversion.
- "Admin-only Mode" Support: Npcap supports to restrict its use to Administrators for safety purpose. If Npcap is installed with the option Restrict Npcap driver's access to Administrators only checked, when a non-Admin user tries to start a user software (Nmap, Wireshark, etc), the User Account Control (UAC) dialog will prompt asking for Administrator privilege. Only when the end user chooses Yes, the driver can be accessed. This is similar to UNIX where you need root access to capture packets.
- "WinPcap Compatible Mode" Support: "WinPcap Compatible Mode" is used to decide whether Npcap should coexist With WinPcap or be compatible with WinPcap. With "WinPcap Compatible Mode" OFF, Npcap can coexist with WinPcap and share the DLL binary interface with WinPcap. So the applications unaware of Npcap SHOULD be able to use Npcap automatically if WinPcap is unavailable. The applications who knows Npcap's existence can choose to use Npcap or WinPcap first. The key about which is loaded first is DLL Search Path. With "WinPcap Compatible Mode" OFF, Npcap installs its DLLs into C:\Windows\System32\Npcap\ instead of WinPcap's C:\Windows\System32\. So applications who want to load Npcap first must make C:\Windows\System32\Npcap\ precedent to other paths in ways such as callingSetDllDirectory, etc. Another point is Npcap uses service name npcap instead of WinPcap's npf with "WinPcap Compatible Mode" OFF. So applications using net start npf for starting service must use net start npcap instead. If you want 100% compatibility with WinPcap, you should install Npcap choosing "WinPcap Compatible Mode" (Install Npcap in WinPcap API-compatible Mode). In this mode, Npcap will install its Dlls in WinPcap's C:\Windows\System32\and use the npf service name. It's notable that before installing in this mode, you must uninstall WinPcap first (the installer wizard will prompt you that).
- Loopback Packets Capture Support: Now Npcap is able to see Windows loopback packets using Windows Filtering Platform (WFP) technique. After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
- Loopback Packets Send Support: Besides loopback packets capturing, Npcap can also send out loopback packets based on Winsock Kernel (WSK) technique. A user software (e.g. Nmap) can just send packets out using Npcap Loopback Adapter like other adapters. Npcap Loopback Adapter will automatically remove the packet's Ethernet header and inject the payload into Windows TCP/IP stack, so this kind of loopback packet never go out of the machine.

I actually didn't add a function about making user software getting notified about media state changes. From my knowledge I don't know there's any support of such a function in libpcap. libpcap is an interface standard followed by WinPcap/Npcap. However, I think you can do it using native Windows APIs (like Receiving Notification of Network Events in https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx). And if you have any improvement advice about Npcap, I will consider it:)

Cheers,Yang

On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <***@gmail.com> wrote:

Oh, I have to admit that I did not try it on an up-to-date Windows 10 system... Thanks for the hint that this was only an issue in early Windows 10 versions.
I was also not aware of Npcap. Thanks for pointing me to this fork! How does Npcap differ from WinPcap with respect to performance and features? At least I am missing the possibility to get notified about media state changes (connected, disconnected) in WinPcap. Does Npcap offer such a functionality?
Furthermore: Is WinPcap still under active development? Its last release was in 2013. Or am I better advised to rely on Npcap?
Thank you!
Best regards,
SK
is there already effort for getting WinPcap ready for Windows 10? As Pascal Quantin already pointed out WinPcap does not
http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html
Really? All my WinPcap-based programs work fine here.
From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':

        Verified:       Signed
        Signing date:   02.49 01.03.2013
        Publisher:      Riverbed Technology
        Company:        Riverbed Technology, Inc.
        Description:    npf.sys (NT5/6 AMD64) Kernel Driver
        Product:        WinPcap
        Prod version:   4.1.0.2980
        File version:   4.1.0.2980
        MachineType:    64-bit


The version and 'Signing date' is in accordance with what's on winpcap.org.
And also:

F:\> windump -Dv
1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
    Addr 0: 10.0.0.11 (mask 255.255.255.0)
    MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)

2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
    Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
    Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
    MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)

3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
    Addr 0: 10.0.0.10 (mask 255.255.255.0)
    MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)

--------------

I'm on Win 10. Version 1511 (OS-Build 10586.71).
Windows 10 build 10041 (as mentioned in that mail) is pretty old.



--
--gv
_______________________________________________
Winpcap-users mailing list
Winpcap-***@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
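
The install-mode details in the message above (service name npf versus npcap, DLLs in System32 versus System32\Npcap) and the sigcheck result quoted from the thread can be checked together on a host. This is an added PowerShell example, not part of any post in the thread; the function names are hypothetical, and the DLL file names wpcap.dll and Packet.dll are an assumption the thread does not state.

```powershell
# Added example: inventory the pcap driver service(s), the installed DLL copies,
# and the driver's Authenticode signer.
# Run from a 64-bit PowerShell so System32 is not redirected to SysWOW64.

$System32 = Join-Path $env:SystemRoot 'System32'

function Get-PcapDriver {
    # Service names from the thread: npf (WinPcap, or Npcap installed in
    # "WinPcap Compatible Mode") and npcap (Npcap with that mode OFF).
    foreach ($name in 'npf', 'npcap') {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        if (-not $drv) { continue }

        # PathName can carry an NT-style "\??\" prefix or be relative to SystemRoot.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $file.FullName }

        [pscustomobject]@{
            Service     = $name
            State       = $drv.State
            DriverPath  = $path
            Product     = $file.VersionInfo.ProductName
            FileVersion = $file.VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
        }
    }
}

function Get-PcapDll {
    # Assumed DLL names (wpcap.dll, Packet.dll); directories are the two the thread names.
    foreach ($dir in $System32, (Join-Path $System32 'Npcap')) {
        foreach ($dll in 'wpcap.dll', 'Packet.dll') {
            $file = Get-Item -LiteralPath (Join-Path $dir $dll) -ErrorAction SilentlyContinue
            if ($file) {
                [pscustomobject]@{
                    Path        = $file.FullName
                    Product     = $file.VersionInfo.ProductName
                    FileVersion = $file.VersionInfo.FileVersion
                }
            }
        }
    }
}

function Get-PcapInstallSummary {
    $drivers  = @(Get-PcapDriver)
    $dlls     = @(Get-PcapDll)
    $npcapDir = Join-Path $System32 'Npcap'

    $hasNpf      = $drivers.Service -contains 'npf'
    $hasNpcap    = $drivers.Service -contains 'npcap'
    $hasNpcapDir = [bool]($dlls | Where-Object { $_.Path -like "$npcapDir\*" })

    $notes = @()
    if ($hasNpcap -and $hasNpcapDir) {
        $notes += "npcap service and $npcapDir DLLs found: Npcap with WinPcap Compatible Mode OFF. " +
                  "Applications load it only if that directory precedes System32 on their DLL search path."
    }
    if ($hasNpf) {
        $notes += 'npf service found: WinPcap, or Npcap in WinPcap Compatible Mode. ' +
                  'Compare Product and Signer with the vendor you expect.'
    }
    if ($drivers | Where-Object { $_.SigStatus -ne 'Valid' }) {
        $notes += 'At least one driver file is missing or does not have a valid signature.'
    }
    if (-not ($hasNpf -or $hasNpcap)) {
        $notes += 'No npf or npcap driver service is registered.'
    }

    [pscustomobject]@{ Drivers = $drivers; Dlls = $dlls; Notes = $notes }
}

$summary = Get-PcapInstallSummary
$summary.Drivers | Format-List
$summary.Dlls    | Format-Table -AutoSize
$summary.Notes
```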



食肉大灰兔V5
2016-02-05 04:43:44 UTC
Permalink
On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <
The inverted call model might be useful in an abstract way to get notified of a media state change, however, the question then comes back to how to convey that detail to the application which is using the libpcap APIs.

Since the only APIs that an application which already has a pcap session opened is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly pcap_sendpacket

pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an error.
Is media state change an error?
Is media offline an error?

I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I didn't try this. One thing for sure is that you can't get new packets too. This thing should not happen when using Npcap/WinPcap. Because when listing adapters with Npcap/WinPcap, disabled adapters never show up on the list. So Npcap/WinPcap assumes that the adapters it uses is always kept as enabled.

pcap_sendpacket is defined to return -1 if a packet wasn’t successfully sent.
It would seem that returning -1 when the media is offline makes sense

This makes sense to me.

I don’t know for sure how WinPcap behaves under these conditions, but it seems that it npcap should reliably report errors under the media offline state.
Is there a reason it can’t?

Npcap actually doesn't report errors any better than WinPcap. There's even a chance that Npcap behaves different on reporting errors with WinPcap. Because Npcap uses NDIS6 and WinPcap uses NDIS5.

*Sent:* Thursday, February 4, 2016 11:18 AM
*Subject:* Re: [Winpcap-users] Windows 10 support for WinPcap
@Sven: you need something called - Inverted Call Model
The Inverted Call Model in KMDF - OSR
<https://www.osr.com/nt-insider/2013-issue1/inverted-call-model-kmdf/>
@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
Hi Yang,
thanks for providing me the detailed information about Npcap. I will
definitively have a look at it and try it.
Cheers,
SK
Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of
I actually didn't add a function about making user software getting
notified about media state changes. From my knowledge I don't know there's
any support of such a function in libpcap. libpcap is an interface standard
followed by WinPcap/Npcap. However, I think you can do it using native
Windows APIs (like Receiving Notification of Network Events in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx).
And if you have any improvement advice about Npcap, I will consider it:)
Cheers,
Yang
Nuno Antonio Dias Ferreira
2016-02-05 09:52:53 UTC
Permalink
Hi Sven,

I have an application where I am using npcap and I also have the need to detect the media status changes. To do that I query NDIS to get that information: https://msdn.microsoft.com/en-us/library/windows/hardware/ff569604(v=vs.85).aspx

Here is an example:
// Ask NDIS for the adapter's media connect status; report true only when the link is connected.
if(IoctlNdisQueryGlobalStats(Iface->IOCTLhandler, OID_GEN_MEDIA_CONNECT_STATUS, &ConnectedState, sizeof(ConnectedState), (PUINT)&ReturnedCount) == ERROR_SUCCESS)
{
    return ConnectedState == NdisMediaStateConnected;
}

Hope this information could be helpful.


Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.

From: winpcap-users-***@winpcap.org [mailto:winpcap-users-***@winpcap.org] On Behalf Of ?????V5
Sent: 5 February 2016 04:44
To: winpcap-***@winpcap.org
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap



On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <winpcap-users-***@subscriptions.pizzolato.net<mailto:winpcap-users-***@subscriptions.pizzolato.net>> wrote:
The inverted call model might be useful in an abstract way to get notified of a media
state change, however, the question then comes back to how to convey that detail
to the application which is using the libpcap APIs.

Since the only APIs that an application which already has a pcap session opened
is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly
pcap_sendpacket

pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an error.
Is media state change an error?
Is media offline an error?

I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I didn't try this. One thing for sure is that you can't get new packets too. This thing should not happen when using Npcap/WinPcap. Because when listing adapters with Npcap/WinPcap, disabled adapters never show up on the list. So Npcap/WinPcap assumes that the adapters it uses is always kept as enabled.


pcap_sendpacket is defined to return -1 if a packet wasn’t successfully sent.
It would seem that returning -1 when the media is offline makes sense

This makes sense to me.


I don’t know for sure how WinPcap behaves under these conditions, but it
seems that it npcap should reliably report errors under the media offline state.
Is there a reason it can’t?

Npcap actually doesn't report errors any better than WinPcap. There's even a chance that Npcap behaves different on reporting errors with WinPcap. Because Npcap uses NDIS6 and WinPcap uses NDIS5.


From: winpcap-users-***@winpcap.org<mailto:winpcap-users-***@winpcap.org> [mailto:winpcap-users-***@winpcap.org<mailto:winpcap-users-***@winpcap.org>] On Behalf Of Jiyang Hu
Sent: Thursday, February 4, 2016 11:18 AM
To: winpcap-***@winpcap.org<mailto:winpcap-***@winpcap.org>
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap

@Sven: you need something called - Inverted Call Model

The Inverted Call Model in KMDF - OSR<https://www.osr.com/nt-insider/2013-issue1/inverted-call-model-kmdf/>











On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <***@gmail.com<mailto:***@gmail.com>> wrote:

@Yang: It is not possible to get notifications of media state changes by the API which you proposed in your previous post. It provides only notifications about IP table changes.
On 04.02.2016 at 16:31, "Sven Kerschbaum" <***@gmail.com> wrote:
Hi Yang,

thanks for providing me the detailed information about Npcap. I will definitively have a look at it and try it.

Cheers,
SK


2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <***@gmail.com>:
Hi Sven,

Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. It also has several new features:


I actually didn't add a function about making user software getting notified about media state changes. From my knowledge I don't know there's any support of such a function in libpcap. libpcap is an interface standard followed by WinPcap/Npcap. However, I think you can do it using native Windows APIs (like Receiving Notification of Network Events in https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx). And if you have any improvement advice about Npcap, I will consider it:)


Cheers,
Yang


Jiyang Hu
2016-02-05 15:38:08 UTC
Permalink
I believe querying NDIS for OID_GEN_MEDIA_CONNECT_STATUS is a waste of resources if it is put in a loop. Getting a notification of media state change asynchronously should be better. My 2 cents.

On Friday, February 5, 2016 9:23 AM, Nuno Antonio Dias Ferreira <***@efacec.com> wrote:


Hi Sven,

I have an application where I am using npcap and I also have the need to detect the media status changes. To do that I query NDIS to get that information: https://msdn.microsoft.com/en-us/library/windows/hardware/ff569604(v=vs.85).aspx

Here is an example:
if(IoctlNdisQueryGlobalStats(Iface->IOCTLhandler, OID_GEN_MEDIA_CONNECT_STATUS, &ConnectedState, sizeof(ConnectedState), (PUINT)&ReturnedCount) == ERROR_SUCCESS)
{
    return ConnectedState == NdisMediaStateConnected;
}

Hope this information could be helpful.

Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.

From: winpcap-users-***@winpcap.org [mailto:winpcap-users-***@winpcap.org] On Behalf Of ?????V5
Sent: 5 February 2016 04:44
To: winpcap-***@winpcap.org
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap

On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <winpcap-users-***@subscriptions.pizzolato.net> wrote:
The inverted call model might be useful in an abstract way to get notified of a media state change, however, the question then comes back to how to convey that detail to the application which is using the libpcap APIs.

Since the only APIs that an application which already has a pcap session opened is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly pcap_sendpacket

pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an error.
Is media state change an error?
Is media offline an error?

I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I didn't try this. One thing for sure is that you can't get new packets too. This thing should not happen when using Npcap/WinPcap. Because when listing adapters with Npcap/WinPcap, disabled adapters never show up on the list. So Npcap/WinPcap assumes that the adapters it uses is always kept as enabled.

pcap_sendpacket is defined to return -1 if a packet wasn’t successfully sent.
It would seem that returning -1 when the media is offline makes sense

This makes sense to me.

I don’t know for sure how WinPcap behaves under these conditions, but it seems that it npcap should reliably report errors under the media offline state.
Is there a reason it can’t?

Npcap actually doesn't report errors any better than WinPcap. There's even a chance that Npcap behaves different on reporting errors with WinPcap. Because Npcap uses NDIS6 and WinPcap uses NDIS5.

From: winpcap-users-***@winpcap.org [mailto:winpcap-users-***@winpcap.org] On Behalf Of Jiyang Hu
Sent: Thursday, February 4, 2016 11:18 AM
To: winpcap-***@winpcap.org
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap

@Sven: you need something called - Inverted Call Model

The Inverted Call Model in KMDF - OSR

On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <***@gmail.com> wrote:

@Yang: It is not possible to get notifications of media state changes by the API which you proposed in your previous post. It provides only notifications about IP table changes.
On 04.02.2016 at 16:31, "Sven Kerschbaum" <***@gmail.com> wrote:
Hi Yang,

thanks for providing me the detailed information about Npcap. I will definitively have a look at it and try it.

Cheers,
SK

2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <***@gmail.com>:
Hi Sven,

Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. It also has several new features:

I actually didn't add a function about making user software getting notified about media state changes. From my knowledge I don't know there's any support of such a function in libpcap. libpcap is an interface standard followed by WinPcap/Npcap. However, I think you can do it using native Windows APIs (like Receiving Notification of Network Events in https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx). And if you have any improvement advice about Npcap, I will consider it:)

Cheers,
Yang

 
Sven Kerschbaum
2016-02-05 16:26:35 UTC
Permalink
I cannot find any information about the function
IoctlNdisQueryGlobalStats(...). Do you have a link? I agree that it is not an
option to query the media state in a loop. I have a working solution using
WMI but the notification is not in real-time. I sometimes experience a
delay of a few seconds...
I believe query NDIS for OID_GEN_MEDIA_CONNECT_STATUS is a waste of
resource if it is put in a loop. Getting a notification of media state
change asynchronously should be better. My 2 cents.


On Friday, February 5, 2016 9:23 AM, Nuno Antonio Dias Ferreira <
***@efacec.com> wrote:


Hi Sven,

I have an application where I am using npcap and I also have the need to
detect the media status changes. To do that I query NDIS to get that
information:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff569604(v=vs.85).aspx

Here is an example:
if(IoctlNdisQueryGlobalStats(Iface->IOCTLhandler,
OID_GEN_MEDIA_CONNECT_STATUS, &ConnectedState, sizeof(ConnectedState),
(PUINT)&ReturnedCount) == ERROR_SUCCESS)
{
return ConnectedState == NdisMediaStateConnected;
}

Hope this information could be helpful.


Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.

*From:* winpcap-users-***@winpcap.org [mailto:
winpcap-users-***@winpcap.org] *On Behalf Of *?????V5
*Sent:* 5 February 2016 04:44
*To:* winpcap-***@winpcap.org
*Subject:* Re: [Winpcap-users] Windows 10 support for WinPcap



On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <
winpcap-users-***@subscriptions.pizzolato.net> wrote:

The inverted call model might be useful in an abstract way to get notified
of a media
state change, however, the question then comes back to how to convey that
detail
to the application which is using the libpcap APIs.

Since the only APIs that an application which already has a pcap session
opened
is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly
pcap_sendpacket

pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an
error.
Is media state change an error?
Is media offline an error?


I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report
time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I
didn't try this. One thing for sure is that you can't get new packets too.
This thing should not happen when using Npcap/WinPcap. Because when listing
adapters with Npcap/WinPcap, disabled adapters never show up on the list.
So Npcap/WinPcap assumes that the adapters it uses is always kept as
enabled.



pcap_sendpacket is defined to return -1 if a packet wasn’t successfully
sent.
It would seem that returning -1 when the media is offline
makes sense


This makes sense to me.



I don’t know for sure how WinPcap behaves under these conditions, but it
seems that it npcap should reliably report errors under the media offline
state.
Is there a reason it can’t?


Npcap actually doesn't report errors any better than WinPcap. There's even
a chance that Npcap behaves different on reporting errors with WinPcap.
Because Npcap uses NDIS6 and WinPcap uses NDIS5.



*From:* winpcap-users-***@winpcap.org [mailto:
winpcap-users-***@winpcap.org] *On Behalf Of *Jiyang Hu
*Sent:* Thursday, February 4, 2016 11:18 AM
*To:* winpcap-***@winpcap.org
*Subject:* Re: [Winpcap-users] Windows 10 support for WinPcap

@Sven: you need something called - Inverted Call Model

The Inverted Call Model in KMDF - OSR





On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <***@gmail.com>
wrote:

@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
On 04.02.2016 at 16:31, "Sven Kerschbaum" <***@gmail.com> wrote:

Hi Yang,

thanks for providing me the detailed information about Npcap. I will
definitively have a look at it and try it.

Cheers,
SK


2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <***@gmail.com>:

Hi Sven,

Npcap (https://github.com/nmap/npcap) has better performance because of
NDIS 6. It also has several new features:


I actually didn't add a function about making user software getting
notified about media state changes. From my knowledge I don't know there's
any support of such a function in libpcap. libpcap is an interface standard
followed by WinPcap/Npcap. However, I think you can do it using native
Windows APIs (like Receiving Notification of Network Events in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx).
And if you have any improvement advice about Npcap, I will consider it:)


Cheers,
Yang



食肉大灰兔V5
2016-02-05 18:00:04 UTC
Permalink
Hi,

I think this API provides the callback. It's called Network List Manager:
https://msdn.microsoft.com/en-us/library/ee264321(v=vs.85).aspx
I don't know how much you care about latency. If you want Npcap to tell you
the status change, it should be slower than the above way, because the driver
has no way to call a user mode app, except the above-mentioned invoke thing,
but it sounds complicated. So you have to get notified by calling the pcap next
function or by ioctl periodically. But they are not real time.

Btw, I didn't do the experiment, but could anyone tell me how Npcap
actually behaves as the network state changes? Is there any obviously wrong
reaction there?

Cheers,
Yang
Post by Sven Kerschbaum
I cannot find any information about the function
IoctlNdisQueryGlobalStats(...). Do you have a link? I agree that is not an
option to query the media state in a loop. I have a working solution using
WMI but the notification is not in real-time. I sometimes experience a
delay of a few seconds...
I believe query NDIS for OID_GEN_MEDIA_CONNECT_STATUS is a waste of
resource if it is put in a loop. Getting a notification of media state
change asynchronously should be better. My 2 cents.
On Friday, February 5, 2016 9:23 AM, Nuno Antonio Dias Ferreira <
Hi Sven,
I have an application where I am using npcap and I also have the need to
detect the media status changes. To do that I query NDIS to get that
https://msdn.microsoft.com/en-us/library/windows/hardware/ff569604(v=vs.85).aspx
if(IoctlNdisQueryGlobalStats(Iface->IOCTLhandler,
OID_GEN_MEDIA_CONNECT_STATUS, &ConnectedState, sizeof(ConnectedState),
(PUINT)&ReturnedCount) == ERROR_SUCCESS)
{
return ConnectedState == NdisMediaStateConnected;
}
Hope this information could be helpful.
Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.
Behalf Of *?????V5
*Sent:* 5 February 2016 04:44
*Subject:* Re: [Winpcap-users] Windows 10 support for WinPcap
On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <
The inverted call model might be useful in an abstract way to get notified of a media
state change, however, the question then comes back to how to convey that detail
to the application which is using the libpcap APIs.
Since the only APIs that an application which already has a pcap session opened
is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly
pcap_sendpacket
pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an error.
Is media state change an error?
Is media offline an error?
I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report
time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I
didn't try this. One thing for sure is that you can't get new packets too.
This thing should not happen when using Npcap/WinPcap. Because when listing
adapters with Npcap/WinPcap, disabled adapters never show up on the list.
So Npcap/WinPcap assumes that the adapters it uses is always kept as
enabled.
pcap_sendpacket is defined to return -1 if a packet wasn’t successfully sent.
It would seem that returning -1 when the media is offline makes sense
This makes sense to me.
I don’t know for sure how WinPcap behaves under these conditions, but it
seems that it npcap should reliably report errors under the media offline state.
Is there a reason it can’t?
Npcap actually doesn't report errors any better than WinPcap. There's even
a chance that Npcap behaves different on reporting errors with WinPcap.
Because Npcap uses NDIS6 and WinPcap uses NDIS5.
*Sent:* Thursday, February 4, 2016 11:18 AM
*Subject:* Re: [Winpcap-users] Windows 10 support for WinPcap
@Sven: you need something called - Inverted Call Model
The Inverted Call Model in KMDF - OSR
@Yang: It is not possible to get notifications of media state changes by
the API which you proposed in your previous post. It provides only
notifications about IP table changes.
Hi Yang,
thanks for providing me the detailed information about Npcap. I will
definitively have a look at it and try it.
Cheers,
SK
Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of
I actually didn't add a function about making user software getting
notified about media state changes. From my knowledge I don't know there's
any support of such a function in libpcap. libpcap is an interface standard
followed by WinPcap/Npcap. However, I think you can do it using native
Windows APIs (like Receiving Notification of Network Events in
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx).
And if you have any improvement advice about Npcap, I will consider it:)
Cheers,
Yang
Nuno Antonio Dias Ferreira
2016-02-05 16:45:13 UTC
Permalink
Hi Sven,

I forgot to paste the rest of the code:

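DWORD CInterfaceManager::IoctlNdisQueryGlobalStats(HANDLE handler, ULONG OidCode, PVOID InformationBuffer, UINT InformationBufferLength, PUINT pBytesWritten)
{
    // Returns a Win32 error code (ERROR_SUCCESS on success), which is what the
    // caller compares against before reading InformationBuffer.
    *pBytesWritten = 0;

    if(handler == INVALID_HANDLE_VALUE)
    {
        return ERROR_INVALID_HANDLE;
    }

    // DeviceIoControl returns nonzero on success and zero on failure.
    if(!DeviceIoControl(handler, IOCTL_NDIS_QUERY_GLOBAL_STATS, &OidCode, sizeof(OidCode), InformationBuffer, InformationBufferLength, (LPDWORD) pBytesWritten, NULL))
    {
        return GetLastError();
    }

    return ERROR_SUCCESS;
}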


Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.
Phone: 229403363

From: winpcap-users-***@winpcap.org [mailto:winpcap-users-***@winpcap.org] On Behalf Of Sven Kerschbaum
Sent: 5 February 2016 16:27
To: Jiyang Hu <***@yahoo.com>; winpcap-***@winpcap.org
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap


I cannot find any information about the function IoctlNdisQueryGlobalStats(...). Do you have a link? I agree that is not an option to query the media state in a loop. I have a working solution using WMI but the notification is not in real-time. I sometimes experience a delay of a few seconds...
I believe query NDIS for OID_GEN_MEDIA_CONNECT_STATUS is a waste of resource if it is put in a loop. Getting a notification of media state change asynchronously should be better. My 2 cents.

On Friday, February 5, 2016 9:23 AM, Nuno Antonio Dias Ferreira <***@efacec.com<mailto:***@efacec.com>> wrote:

Hi Sven,

I have an application where I am using npcap and I also have the need to detect the media status changes. To do that I query NDIS to get that information: https://msdn.microsoft.com/en-us/library/windows/hardware/ff569604(v=vs.85).aspx

Here is an example:
if(IoctlNdisQueryGlobalStats(Iface->IOCTLhandler, OID_GEN_MEDIA_CONNECT_STATUS, &ConnectedState, sizeof(ConnectedState), (PUINT)&ReturnedCount) == ERROR_SUCCESS)
{
return ConnectedState == NdisMediaStateConnected;
}

Hope this information could be helpful.


Melhores Cumprimentos / Best Regards
Nuno Antonio Dias Ferreira
Unidade de Automação de Sistemas de Energia / Power System Automation Unit
Efacec Energia, Máquinas e Equipamentos Elétricos, S.A.

From: winpcap-users-***@winpcap.org<mailto:winpcap-users-***@winpcap.org> [mailto:winpcap-users-***@winpcap.org<mailto:winpcap-users-***@winpcap.org>] On Behalf Of ?????V5
Sent: 5 February 2016 04:44
To: winpcap-***@winpcap.org<mailto:winpcap-***@winpcap.org>
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap



On Fri, Feb 5, 2016 at 3:56 AM, Mark Pizzolato - Winpcap-Users <winpcap-users-***@subscriptions.pizzolato.net<mailto:winpcap-users-***@subscriptions.pizzolato.net>> wrote:
The inverted call model might be useful in an abstract way to get notified of a media
state change, however, the question then comes back to how to convey that detail
to the application which is using the libpcap APIs.

Since the only APIs that an application which already has a pcap session opened
is using are: pcap_next_ex, pcap_dispatch, pcap_loop and possibly
pcap_sendpacket

pcap_next_ex, pcap_dispatch and pcap_loop are defined to return -1 on an error.
Is media state change an error?
Is media offline an error?

I prefer to use the phrases in ncpa.cpl.
If the adapter disconnects (like Wi-Fi), libpcap API should only report time-out (you don't get any new packets).
If the adapter is disabled, libpcap API may report error (or time-out)? I didn't try this. One thing for sure is that you can't get new packets too. This thing should not happen when using Npcap/WinPcap. Because when listing adapters with Npcap/WinPcap, disabled adapters never show up on the list. So Npcap/WinPcap assumes that the adapters it uses is always kept as enabled.


pcap_sendpacket is defined to return -1 if a packet wasn’t successfully sent.
It would seem that returning -1 when the media is offline makes sense

This makes sense to me.


I don’t know for sure how WinPcap behaves under these conditions, but it
seems that npcap should reliably report errors under the media offline state.
Is there a reason it can’t?

Npcap actually doesn't report errors any better than WinPcap. There's even a chance that Npcap behaves differently from WinPcap in reporting errors, because Npcap uses NDIS6 and WinPcap uses NDIS5.


From: winpcap-users-***@winpcap.org [mailto:winpcap-users-***@winpcap.org] On Behalf Of Jiyang Hu
Sent: Thursday, February 4, 2016 11:18 AM
To: winpcap-***@winpcap.org
Subject: Re: [Winpcap-users] Windows 10 support for WinPcap

@Sven: you need something called - Inverted Call Model

The Inverted Call Model in KMDF - OSR
http://www.osr.com

On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <***@gmail.com> wrote:

@Yang: It is not possible to get notifications of media state changes by the API which you proposed in your previous post. It provides only notifications about IP table changes.
On 04.02.2016 16:31, "Sven Kerschbaum" <***@gmail.com> wrote:
Hi Yang,

thanks for providing me the detailed information about Npcap. I will definitely have a look at it and try it.

Cheers,
SK


2016-02-04 13:04 GMT+01:00 食肉倧灰兔V5 <***@gmail.com>:
Hi Sven,

Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. It also has several new features:


I actually didn't add a function for getting user software notified about media state changes. As far as I know, there isn't any support for such a function in libpcap. libpcap is an interface standard followed by WinPcap/Npcap. However, I think you can do it using native Windows APIs (like Receiving Notification of Network Events in https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx). And if you have any improvement advice about Npcap, I will consider it:)


Cheers,
Yang


_______________________________________________
Winpcap-users mailing list
Winpcap-***@winpcap.org<mailto:Winpcap-***@winpcap.org>
https://www.winpcap.org/mailman/listinfo/winpcap-users

