Re: Does npcap completely replace Winpcap? Unistallation WinpCap for other tools (e.g. Wireshark) possible?

[食肉大灰兔V5 <hsluoyz () gmail com>]

Hi Ben,

On Sun, Oct 9, 2016 at 8:30 PM, Ben Stover <bxstover () yahoo co uk> wrote:

> As I noticed npcap is released with new nmap tool.
>
> It claims to be better than the "old" Winpcap driver.

Npcap is developed based on WinPcap. It has added many good features like:

1. NDIS 6 Support
2. Latest libpcap API Support
3. Extra Security
4. WinPcap Compatibility
5. Loopback Packet Capture and Injection
6. Raw 802.11 Packet Capture

For details please refer to: https://github.com/nmap/npcap#features


> So if I install npcap: Does it completely replace the Winpcap driver -
> even for other progams?

That's why we developed the "WinPcap Compatible Mode". If you install Npcap
without checking the last "Install Npcap in WinPcap API-compatible Mode"
option, Npcap service/driver will be installed using a different name
"npcap" instead of "npf". So Npcap can coexist with WinPcap. Other programs
that don't know Npcap will still use the original WinPcap. However, if some
softwares *declare* in its code to use Npcap first, it will not use WinPcap
even if both Npcap and WinPcap are installed.


> As you know the well known tool "Wireshark" uses Winpcap.

In fact, the latest Wireshark 2.2.1 has supported Npcap in either "npcap"
or "npf" mode. You can use Wireshark smoothly with Npcap.


> So if I uninstall Winpcap driver to have only ONE capture driver does
> Wireshark accept this or does it stop working?

The same as above, Wireshark even supports Npcap in Npcap mode.


> A complete replacement should only work if the API ist full downwards
> compatible.
> Is this the case?

Npcap is now (or trying to be) fully compatible with WinPcap API. In fact,
I personally think Npcap API is better than WinPcap. Because it follows the
latest libpcap 1.8.0+ interface. However, WinPcap only has a libpcap 1.0.0
support. This means you can't use any new libpcap features/functions since
1.0.0. libpcap 1.0.0 is released at Oct 28, 2008. It's old enough and can
be deprecated.

Note: you will get the same functionality for "WinPcap Compatible Mode" or
"Npcap Mode". They only differ in driver names.


> Is npcap the official successor of Winpcap or a fork?

It's not official.  Another fork is Win10Pcap. However, it has not been
updated for a long time. So Npcap seems to be the only active fork of
WinPcap right now.


Cheers,
Yang


> Thx
> Ben
>
>
>
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/