Npcap Changelog

Npcap 1.81 [2025-02-20]

Added complete capture support for 802.1q VLAN packets. The 802.1q frame tagis usually stripped by NDIS before Npcap encounters it, but Npcap will nowrestore it from the packet metadata if the VLAN ID is not 0. Filtering with the"vlan" keyword is also now supported on live captures. The deprecated/vlan_support installer option has no impact on this feature. Fixes#171.
Added support for sending 802.1q VLAN packets. Ethernet frames passed topcap_sendpacket() orpcap_inject() with 802.1q VLAN tags will have those tags converted to NDIS metadata, and theNDIS stack will process them appropriately. The adapter must be configured to allow traffic on thetarget VLAN.
Significantly streamlined packet sending operations, especially forpcap_sendqueue(), removingunnecessary copying of packet data. Fixes#555.
Fixed an issue with the installer where the appropriate code-signing certificates for the/prior_driver=yes option were not installed on Windows 7, 8, and 8.1. This could lead to failedinstallations on those versions of Windows.
Fixed a layout issue in the installer that prevented the full warning frombeing displayed when a Win10Pcap installation is detected. Win10Pcap hasn’t been activelymaintained since 2015, and we recommend uninstalling it before installing Npcap.
Npcap now supports theBPF_MOD andBPF_XOR instructions. Previously, pcapfilter expressions using the% and^ operators would result inless-efficient user-mode filtering.
The Npcap driver now supports a range of NDIS versions depending on what isavailable at runtime. This will allow us to support newer features like UROand hardware timestamping when available, without needing to have separatebuilds for each NDIS version at install time.

Npcap 1.80 [2024-09-16]

On ARM64, Npcap now installs ARM64X pure-forwarder DLLs so that Npcap can be used by x86_64processes running under emulation as well as x86 and ARM64 processes. Programmers do not need tomake any special changes to take advantage of this feature. Fixes#585.
Npcap now supports packet capture on SR-IOV virtual function adapters directly. Somemanufacturers, such as Intel, were already supported because they use a separate miniport driveron top of the virtual function driver. Others that use a virtual function only, such as Broadcom,are now supported. Fixes#34.
Due to Microsoft's deprecation of software publisher certificates with kernel-mode signingcapability, installations of Npcap on Windows 7, 8, and 8.1 will use the Npcap 1.79 driver bydefault. The Npcap 1.80 driver can be chosen in the GUI and via the/latest_driver=yescommand-line option if driver signing is disabled in Windows. See#751.
Addressed faults found with Application Verifier:WSACleanup() was not being called in somecases, and in other cases was called from theDllMain() function ofwpcap.dll, which Microsoftwarns may cause deadlocks. Fixes#742.
Fixed a BSoD crash due to a race condition betweenNPF_DetachAdapter andNPF_Cleanup when closing a capture handle. Fixes#746.
Upgraded build system to Visual Studio 2022. This version prevents building drivers for earlierWindows versions, so the npcap.sys driver for Windows 7 through 8.1 is still built on VisualStudio 2019. See#629.

Npcap 1.79 [2024-01-19]

Fixed a condition where disabling and re-enabling a network adapter while acapture is active would prevent any packets from being received by the systemuntil the capture handle was closed. Fixes#710.
Introduced a workaround for a previously-unknown bug in Microsoft's bthpan.sys that wascausing BSoD crashes withINVALID_MDL_RANGE when Npcap or other drivers sent packets overa Bluetooth-tethered connection. Microsoft intends to patch this Windows bug, but Npcap willno longer trigger it regardless of patch status. Fixes#708.

Npcap 1.78 [2023-10-18]

Fixed a memory leak in Npcap 1.77 which occurs when the kernel buffer isfull. Fixes#701.
Correctly handle an allocation failure during out-of-memory condition,avoiding a null pointer dereference. Fixes#698.

Npcap 1.77 [2023-09-29]

Fixed a memory leak in Npcap 1.76 only which occurs while capturing trafficat high data rates. Fixes#688.
Fixed an issue in Npcap 1.76 where packets delivered to the driver by NDIS ina single indication, having the same timestamp, would be placed in the packetqueue in reverse order. Fixes#684.
Fixed an issue with Npcap 1.75 and 1.76 where changing timestamp modes couldresult in all packets being delivered with the same timestamp. Fixes#695.
Fixed an issue with the Npcap installer that caused it to install duplicatecertificates in the system's certificate store, which caused problems forsome software. The fixed installer will remove the duplicates. Fixes#692.

Npcap 1.76 [2023-07-19]

Our code signing key has been reissued to "Nmap Software LLC" replacing theold "Insecure.Com LLC" subject name.
Improve performance of the driver by reducing lock contention andconsolidating data copy operations. This may help address#663.
Additional fixes to locking discipline to potentially address a BSoD issue,#679.

Npcap 1.75 [2023-04-27]

Fix a critical regression in Npcap 1.74 which caused all captured packets tohave the same timestamp. Fixes#668.

Npcap 1.74 [2023-04-19]

Updated libpcap to 1.10.4.
Fixed an issue (#667) that prevented capturehandles from receiving packets after a NDIS stack pause operation.
Fixed an issue that could cause inaccurate timestamps when multiple handleswere open and using different timestamp modes. Fixes#666.
Fixed an issue preventing raw WiFi frame capture since Npcap 1.60.
Fixed an issue causing "failed to set hardware filter to promiscuous mode"errors with NetAdapterCx-based Windows 11 miniport drivers. Npcap wasinterpreting the NDIS spec too strictly; we haveopened an issue with Microsoftto address the fault in netadaptercx.sys. Fixes#628.
Addressed several code readability and portability fixes in Packet.dlldiscovered using clang-tidy via Visual Studio Code Analysis.

Npcap 1.73 [2023-03-28]

Fixed an issue causing "failed to set hardware filter to promiscuous mode"errors due to a new code path failing to return appropriate error codes. Fixby Guy Harris inPR #656.Fixes#628.
Fixed an issue with WlanHelper causing "error 0x7b" since Npcap 1.70.Fix byHauke Neitzel inPR #652.Fixes#649.
Fixed an issue preventing capture handles from reattaching after NDIS stackpause operations, resulting in persistentERROR_DEVICE_REMOVED (1617)errors. Fixes#627.
Restored original behavior of timestamps in the default case,PCAP_TSTAMP_HOST_HIPREC_UNSYNCED/TIMESTAMPMODE_SINGLE_SYNCHRONIZATION.Since Npcap 0.9994, the timestamp was resynchronized after NDIS stack pauseoperations, which reduced timestamp drift from wall clock time but made it nolonger monotonic, making packet interval calculations inaccurate. Thisrestores the default behavior of WinPcap.
Fixed an issue that prevented Npcap 1.71 and 1.72 from being completelyremoved on uninstall. A misconfigured npcap driver service had persisted.Fixes#657.
Fixed an issue where applications using Npcap 1.20 or later DLLs with a Npcap1.00 driver would crash due to a stack buffer overrun when the driver returnedtoo many bytes in response to a request for timestamp modes. Additionally,changed NPFInstall.exe to attempt to uninstall the Npcap NetCfg componentprior to installation, in case an improperly-uninstalled component persists.
Updated libpcap to 1.10.3.

Npcap 1.72 [2022-12-14]

Fixed an issue where promiscuous mode or other hardware packet filters are ignored after a secondhandle is opened on the same adapter, including handles opened in the process of listing adapterswithpcap_findalldevs(). Fixes#647.
Fixed an issue with validation of parameters toPacketGetNetInfoEx(). TheNEntries parameterwas not being checked for values less than or equal to 0. Fixes#625.

Npcap 1.71 [2022-08-19]

Increase strictness in checking for and restoring adapter parameters modified during capture:hardware packet filter and lookahead will only be modified if the original value can bedetermined. This fixes issues with connectivity on certain adapter types (WWAN and some WiFiadapters) after a capture is closed.
Modify NDIS binding parameters so that Npcap will bind both above and below a NIC teaming ornetwork bridge IM driver. This may improve capture options in related situations, like#115.
Updated build configurations to enable DEP and ASLR for npcap.sys, which were missing from theoriginal configs inherited from WinPcap. Additionally, enabled Control Flow Guard for Packet.dlland all helper EXEs.
Fix a BSoD issue on Windows 8.1 due to registering a service without a name. Fixes#565.
The silent-install option (/S) inNpcap OEM is now case-insensitive so that /s worksas well. All other Npcap installer options are already case-insensitive except for /D (destination directory)which is handled by NSIS itself. Closes#630.
Fix an issue with admin-only mode where high-integrity processes (UAC not enforced) could not openor list adapters. Fixes#606.
Restored an undocumented data member of the structADAPTER that is not used internally. Directlyaccessing members of theADAPTER struct fromPacket32.h is highly discouraged, since theAPI inPacket32.h is not intended for use apart from libpcap. Closes#609.
Extensive refactoring of driver code for performance and maintainability.

Npcap 1.70 [2022-06-24]

Major overhaul of Packet.dll to improve performance ofPacketGetAdapterNames(), used bypcap_findalldevs(), andPacketOpenAdapter(), used in all libpcap functions that return apcap_t. Reduced calls toGetAdaptersAddresses(), properly caching results for short periods.Errors from lower functions are correctly propagated, making diagnosis of failures easier. Fixes#168,#61, and#586.
PacketGetNetType() now always sets the LinkSpeed field to 0. Many adapters did not support the OIDthat was being used to get the link speed, and libpcap (Npcap's published API) does not pass thisinformation through, so there should be no impact on the majority of software. Software that needslink speed may usepcap_oid_get_request() orGetAdaptersAddresses() to get the information.
The undocumentedchar PacketLibraryVersion[] export has been removed. ThePacketGetVersion()function is the documented way to get the runtime version of the Packet.dll library.
Concurrently released the Npcap SDK Version 1.13 to reflect removal of PacketLibraryVersion and toadd SAL annotations to most function prototypes and several struct fields. See SDK changelog athttps://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md
Packet injection operations (pcap_inject(),PacketSendPacket(),pcap_sendqueue_transmit(),andPacketSendPackets()) now properly pend the related Write IRP until the NBLs havebeen returned by NDIS. This may make packet injection more efficient.
Packet injection operations are no longer limited to one at a time. Multiple threads can issuemultiple send operations concurrently on the same capture handle without issue, unless systemresource limits result in allocation failures. Additionally, WinPcap's limit of 256 concurrentsends on each adapter has been removed. Each Write call is still synchronous, however.
Loopback packet capture and injection now uses fewer WFP filters and callbacks, avoids duplicatepacket processing, uses inspection rather than blocking filters, and persists callout driverobjects while still removing callout filters when captures are not using them. These and otherimprovements increase loopback capture efficiency and reduce interference with other networkcomponents.
Npcap is only supported on Windows 7 SP1 and later, and requires KB4474419 to support SHA-2signature validation. The installer will now check these specific requirements, rather thanattempting an installation that will fail anyway.
Added timeouts to subprocess executions in the installer to prevent a hung installation.
Fixed a minor issue with Npcap OEM's silent installer: Npcap 1.55 and later ought to avoidreinstalling the same version if the existing installation options match the requested options,but/winpcap_mode=no would never match.
Packet sendqueue operations (pcap_sendqueue_transmit(),PacketSendPackets())with time synchronization (sync parameter) have been improved to use timed waits whenpossible, only falling back to busy wait for inter-packet delays of less than 50microseconds. Time difference calculations have been revised to avoid integer overflowsand loss of precision. Fixes#580.
Packet sendqueue operations now more strictly check timestamp order. If an out-of-ordertimestamp is encountered, the packet will not be transmitted.PacketSendPackets() willset the last error value toERROR_INVALID_TIME. Since packets may bereported slightly out-of-timestamp-order on multiprocessor machines due toprocessing delays, only timestamps that are more than 1ms earlier than thepreceding timestamp will generate the error.
Npcap is now built with the Win11 SDK and WDK (10.0.22000). We look forward toimplementing support for the exciting new features of NDIS and WFP.
Improve capture handle state transitions within the Npcap driver. Fixes BSoD#601 as well as#584, where the wrong error code was reportedwhen the adapter was detached and reattached.
Fix an issue where raw WiFi capture handles (/dot11_support install option) would notreattach after a network disconnect and reconnect. Normal handles got this ability inNpcap 1.60, but raw WiFi frame captures (monitor mode) did not take advantage of it.Fixes#591.
Npcap now avoids setting hardware packet filters (OID_GEN_CURRENT_PACKET_FILTER,PacketSetHwFilter()) that the miniport does not declare support for. This may improvecompatibility with WWAN (e.g. 3G and LTE) and VPN connections.
Npcap now tracks the original lookahead value (OID_GEN_CURRENT_LOOKAHEAD,PacketSetMaxLookahead()) before requesting the max value from the miniport, and restores it oncethe capture handle is closed. The practice of setting the lookahead to max value was inheritedfrom WinPcap, and may be changed in the future subject to performance testing.

Npcap 1.60 [2021-12-06]

Npcap can now tolerate network disconnections or NDIS stackmodifications that previously resulted in programs like Wiresharkstopping with the error "PacketReceivePacket error: The device hasbeen removed. (1617)". This error may still be returned, but userprograms can consider it a transient error. If the network isreconnected, capture can resume on the same handle. Fixes#506.
Improved validation for IRP parameters, resolving potential BSoDcrashes that could be triggered by software interacting directlywith the driver's device interface. These bugs still affect the lastreleases of WinPcap. Thanks to Ilja Van Sprundel from IOActive forreporting them.
Fix an issue with NX pool compatibility that caused Npcap 1.50 and1.55 to fail to run on some Windows 7 systems. Fixes#536.
Fix how the installer handles/option=enforced, which was brokenin Npcap 1.55. Fixes#556.
Concurrently released the Npcap SDK Version 1.12, which fixes nativeARM compilation by including the ARM64 wpcap.lib, among otherchanges. The SDK now has its own change log athttps://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md.
Further driver source code hardening to catch more bugsbefore they manifest in worse ways. This includes adding more SALannotations for code analysis, extra assertions, etc.
The/prior_driver installer option now selects the Npcap 1.30driver, since Microsoft's cross-certificate expired 30 minutesbefore we signed Version 1.31. See#536.
Simplified the code base by removing a bunch of unused orunneccessary code. This includes "kernel dump mode" (MODE_DUMP)which was inherited from WinPcap 3.1 even though it had already beendeactivated there in 2005. Also removed legacy WinPcap code which allowedtheir (long discontinued) "Pro" version DLL to install the driveritself. This is not allowed by modern operating systems. We wereable to remove a bunch of code from NPFInstall.exe too. Updated theINF file to prevent npf_wifi service from being configured, since itwas never actually used.
Fix an issue causingpcap_setmode()/PacketSetMode() with a valueofMODE_CAPT to fail.MODE_CAPT is the default for new handles,so this only affects software that usesMODE_STAT and thenswitches toMODE_CAPT, or software that expects a call topcap_setmode(MODE_CAPT) on a handle already inMODE_CAPT tosucceed. Fixes#558.
When installing Npcap in WinPcap API-Compatible mode (the default),the Npcap installer will perform the uninstallation of WinPcapdirectly instead of running the WinPcap uninstaller. This preventsthe WinPcap uninstaller from rebooting the system and allows us toclean up partial or broken installations.
Further deprecate the "Legacy loopback support" option: Thenpcapwatchdog scheduled task will not check for the existence of theNpcap Loopback Adapter.
Added thePnpLockDown directive to the npcap.sys INF file foradditional Windows file protection of the driver binary.
Replaced a feature of NPFInstall.exe and the SimpleSC.dll NSISplugin with Powershell commands to improve installer size andcompatibility. May fix#226.
While you won't see it in the code itself, we dramatically improvedour automated build and testing proceses. We now run automatednative-arch builds and testing of multiple programs (particularlythe SDK Examples) on all 3 architectures (x86, x64, and ARM). Alltests are run with the debug build of the driver (assertions on) andDriver Verifier with at least standard settings, and only when thatpasses is the release build run through the same tests, also withDriver Verifier. The tests are also run in x86 emulation on x64 andARM.

Npcap 1.55 [2021-09-03]

Npcap installer can now recognize NetCfg status codes indicating that areboot is required (0x0004a020,NETCFG_S_REBOOT), and will prompt the userto reboot. In silent mode, the installer will return code 3010 (0x0bc2,ERROR_SUCCESS_REBOOT_REQUIRED) to indicate this result. Fixes#224.
The silent installer (only available in Nmap OEM) now offers bettercontrol over when to remove and reinstall an existing Npcap. You canspecify your Npcap version number or feature requirements with thenew/require_version,/require_features, and/forceoptions. Software with strict requirements might re-run at startupto ensure that Npcap hasn't been uninstalled or changed. If Npcapstill exists and meets your requirements, the installer quitsimmediately. These new options are documented athttps://npcap.com/guide/npcap-users-guide.html and Nmap OEM isdescribed athttps://npcap.com/oem/ . Fixes#523.
Fixed an installation failure (0xe0000247) on Windows 8.1/Server 2012 R2 andearlier systems which have not updated root certificates. The root certificatesare now installed to the Roots trust store. Fixes#233.
Fixed an issue since Npcap 1.30 where broadcast and subnet masks for adaptersreturned bypcap_findalldevs() were in host byte order, displaying valueslike "0.240.255.255". Fixes#525.
Libpcap 1.10.1 has been updated to include some recent changes to the libpcap-1.10release branch which extend support to adapters with the NdisMediumIP media type,including Wireguard Wintun virtual adapters. Fixes#173.
Added specific bad-value checks for issues originating in other drivers whichmay be incorrectly attributed to Npcap. These checks, in combination withadditionalconst qualifiers, should serve as assurance that Npcap is notmodifying traffic during capture and cannot be responsible for such crashes.
Powershell commands launched by the installer are now run with the-NoProfile option. Fixes#529.
Npcap SDK 1.11 released. This includes upstream libpcap changes to allow building with olderVisual Studio versions, as well as minor changes to add const qualifiers to parameters to severalPacket.dll functions. Fixes#518.
Npcap installer now uses Unicode internally. This may result in mixed-encoding install.log files.

Npcap 1.50 [2021-06-22]

Fixed#513 which prevented Npcap 1.40 from installing.
Npcap can now be installed on Windows 10 for ARM64 devices. Both ARM64 andx86 DLLs will be installed, allowing existing x86 applications such as Nmapor Wireshark to run without modification.
Npcap SDK 1.10 release coincides with this release, providing updateddocumentation and libs for ARM64.
Npcap code now passes Microsoft's Static Driver Verifier for NDIS drivers andVisual Studio's Code Analysis "AllRules" ruleset. A couple of minor andextremely-improbable bugs were fixed in addition to general code cleanup and annotation.
On Windows 8 and 8.1, the Npcap driver has been updated to NDIS 6.30,supporting network stack improvements like RSC and QoS. Windows 10 still usesNDIS 6.50 and Windows 7 uses NDIS 6.20.
Npcap is no longer distributed with SHA-1 digital signatures. Windows 7 andServer 2008 R2 will require KB4474419 in order to install Npcap. All otherplatforms support SHA-2 digital signatures by default.
Streamlined loopback packet injection to avoid using Winsock Kernel (WSK)sockets. This removes a significant amount of complexity and overhead.
Due to Microsoft'sdeprecation of cross-signed root certificates for kernel-mode code signing,Npcap 1.40 may not install correctly on Windows versions prior to Windows 10.Our testing did not show any issues, but users who experience installationfailures may use the/prior_driver=yes installation option to install theNpcap 1.31 driver instead, which has no such issues.
The "npcapwatchdog" scheduled task, which ensures the Npcap driver service isconfigured to start at boot, is now installed with a description whenpossible (Windows 7 does not support creating scheduled tasks via PowerShell).Fixes#498.
All PowerShell scripts installed or used during installation are now digitally signed.
Fix an issue where installation under Citrix Remote Access or othersituations would fail with the message "Installer runtime error 255 at76539962, Could not load SimpleSC.dll". Fixes#226.
Ensure driver signature can be validated on systems without Internet accessby installing the entire certificate chain, including the chain for thetimestamp counter-signature. This should address#233.
Fix an issue with comparing adapter names retrieved from the Registry. Thisprevented Npcap 1.31 from being used for SendToRx and other less-usedfeatures. Fixes#311.
Npcap driver no longer excludes adapters based on media type, which may allowcapture on some devices that were previously unavailable.

Npcap 1.40 [2021-06-21]

This release was retracted due to installer issues. See#513.

Npcap 1.31 [2021-04-21]

Fix a bug with the non-default legacy loopback capture support that causedall requests to open a capture handle to open the loopback capture instead.It is recommended to not select "Legacy loopback support" at installationunless you know your application relies on it. Fixes#302.
For Windows 10 and Server 2016 and later, restore the ability to capturetraffic on VMware VMnet interfaces such as the host-only and NAT virtualnetworks. This will be restored for other supported Windows versions in alater release. Fixes#304.

Npcap 1.30 [2021-04-09]

Restore raw WiFi frame capture support, which had been broken in a few wayssince Npcap 0.9983. Additional improvements enablePacketSetMonitorMode()for non-admin-privileged processes, allowing Wireshark to correctly enablemonitor mode via checkbox without requiring WlanHelper.exe.
Fixed WlanHelper.exe to correctly set modes and channels for adapters, if runwith Administrator privileges. Fixes#122.
Improved speed ofpcap_findalldevs() by using fewer calls toGetAdaptersAddresses() and avoiding direct Registry inspection. The newmethod may result in more adapters being available for capture thanpreviously reported. See#169.
Updated Packet.dll to use modernHeapAlloc() allocation, faster than thelegacyGlobalAlloc() inherited from WinPcap.
Improve error reporting fromPacketGetAdapterNames() and related functions.

Npcap 1.20 [2021-03-10]

Upgrade wpcap.dll to libpcap 1.10. This change enables software to usepcap_set_tstamp_type() to set the packet capture time source and precisionper capture handle. The currently-supported types (seepcap-tstamp) are:
- PCAP_TSTAMP_HOST_HIPREC_UNSYNCED - default, maps toTIMESTAMPMODE_SINGLE_SYNCHRONIZATION
- PCAP_TSTAMP_HOST_LOWPREC - maps toTIMESTAMPMODE_QUERYSYSTEMTIME
- PCAP_TSTAMP_HOST_HIPREC - maps toTIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE
Fix an issue preventingWlanHelper.exe from changing WiFi parameters foradapters which caused the error message "makeOIDRequest::My_PacketOpenAdaptererror". Fixes#122 and several other reportsof the same issue.
Fixed an issue that prevented NDIS protocol drivers from reducing thehardware packet filter, even if the removed bits/filters were only set bythat protocol driver initially. This caused network interruptions on VMware systems.Fixes#106.
Fixed an issue withpcap_sendqueue_transmit() that caused it to busy-waitin an attempt to synchronize packet sends with pcap timestamps, even when theprogram did not request synchronization. Fixes#113.
The installer will now safely remove and replace broken installations due to#268.
Upgraded installer to NSIS 3, which improves compatibility with modern Windows versions.
Added application manifests to several installer tools and removed WindowsVista from the manifests of others, improving compatibility.

Npcap 1.10 [2020-12-11]

Fixed an issue where our upgrade uninstaller would trigger the#1924 BSoD crash when upgrading from Npcap 0.9988 or older toversion 0.9996 or greater. Fixes#268.
Improved handling of large packets when a very small user buffer size is specified, which couldlead to stalled captures and dropped packets.
Fix a packet corruption issue when one capture handle sets a snaplen of exactly 256 bytes andanother sets a snaplen of greater than 256 bytes and the packet size exceeds 256 bytes.
Fix accounting of free space in the kernel buffer so that bugs like the previous one do not causespace to be permanently lost, leading to dropped packets. Instead, use assertions to catch thiscondition in testing with the debug build.
Check that the npcap driver service is configured forSYSTEM_START in thenpcapwatchdogscheduled task and correct it if necessary. Windows feature updates can modify this value.

Npcap 1.00 [2020-09-25]

After more than 7 years of development and 170 previous public releases, theNmap Project is delighted to release Npcap version 1.00!
New Packet.dll functionPacketGetTimestampModes() to retrieve supportedpacket timestamping modes. These do not currently vary by adapter, butTIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE is not supported on Windows 7, forexample. Fixes#174.
Npcap driver is now only signed with SHA256 signatures on platforms otherthan Windows 7, which may resolve signature validation issues on somesystems. The Windows 7 driver is signed with SHA-1 signatures only.

Npcap 0.9997 [2020-08-25]

Fix an integer underflow in the amount of free buffer space available leadingto excessive memory consumption. Fixes#223.
Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.
Replaced object pool/slab allocator with Windows lookaside lists, improvingperformance by avoiding spinlocks and allowing the system to adjust memoryconsumption.

Npcap 0.9996 [2020-08-07]

Fix a runaway memory leak triggered by low-resources condition leading tosystem hangs. Fixes#213.
Fix a BSoD crash inNPF_Read in some high-traffic cases. Fixes#206.
Fix a handle leak in Packet.dll when enumerating interfaces. Fixes#26.
Fix an inconsistency between return value and IRP completion status inNPF_Read when an adapter is removed. Driver Verifier would cause a bugcheck(BSoD) in this case, and pcap API functions would not detect an error.Fixes#217
Improved performance by reusing allocated packet data buffers andimplementingDISPATCH_LEVEL tracking throughout the driver to speed up lockacquisition.
When upgrading from compatible recent versions (currently Npcap 0.9985 andnewer), the installer will unpack a newUninstall.exe andNPFInstall.exeprior to removing the existing installation. This resolves issues with theuninstallation process such as were common in Npcap 0.9991 through 0.9994.
Upgraded build system to Visual Studio 2019 and WDK 10.0.18362.0

Npcap 0.9995 [2020-07-10]

Fix a BSoD crash inNPF_Read when NDIS filter module is detached from theadapter. Fixes#194
On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10WFP compatibility, supporting network stack improvements like RSC.Fixes#196.
Correctly obey maximum frame size for an adapter by queryingOID_GEN_MAXIMUM_TOTAL_SIZE instead of using MTU, which does not includespace for the link layer header. Fixes#186.
Fix detection of processes using Npcap resources during uninstall or upgrade.The fix for#2015 had broken this so suchprocesses were not terminated, leading to failed installations.
Obey snaplen (pcap_set_snaplen()) even if a packet filter is not set. Thisis a backported change from upstream libpcap that corrects a deficiency thathas been present in all previous versions of WinPcap and Npcap.Fixes#201.
Improvements to object pool/slab allocator to allow nonpaged memory to befreed when not in use.
When installing Npcap OEM in silent mode, avoid runningC:\Uninstall.exe ifno existing Npcap installation is present.

Npcap 0.9994 [2020-06-12]

Fix a BSoD crash inNPF_ReleaseOpenInstanceResources due to miscounting ofnumber of open Loopback capture instances. Fixes#185.
Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing adata structure that already contained packet data.
Ensure our SHA-1 code signing certificate is also installed on systems whichmay require it. This was preventing installation on older platforms sinceNpcap 0.9991.
Fix a crash inNPFInstall.exe that happened when trying to rebind Npcap tothe network stack as part of some installations. Reported by Microsoft AppAssure ISV Outreach Team.
When multiple packets are indicated in a singleFilterReceiveNetBufferListscallback, only get a single timestamp for all of them. Avoids extra calls toKeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended upmeasuring Npcap processing delay, not actual packet arrival time.
Fix a potential NULL pointer deref issue inObjpool.h macros if anallocation were to fail and return a NULL pointer.
Fix parsing ofpnputil.exe output that resulted in Npcap drivers not beingcleared from the DriverStore before installing or upgrading. This led toolder drivers being preferred in some cases, such as installing an unsigneddriver in test mode.
Move all capture- and injection-related initialization code out ofNPF_OpenAdapter, improving efficiency of operations like listing adaptersor performing OID requests without starting a full capture.
Added SAL annotations to most driver functions to improve static analysis.Found one issue related to using a NULL NDIS handle in an allocationfunction, which is not supported on Windows 7.
Allow driver to load even if there is a problem initializing loopback captureor injection functions. The loopback capture device will simply beunavailable in that case.

Npcap 0.9993 [2020-06-05]

Fix a BSoD crash inNPF_DoInternalRequest triggered by suspending thesystem while a capture is running. Added source annotations to allow staticanalysis to catch bugs like this in the future. Fixes#181.
Fix a bug introduced in Npcap 0.9992 which caused loopback capture to fail ifany loopback capture had been previously started and finished.
Fix packet length calculation for loopback capture. The packet length wasbeing counted twice, leading to junk data being appended to captured packets.
If installation fails for any reason other than a failure to uninstall theprevious version of Npcap, the current version's uninstaller will be used toclean up any partial installation. The only remaining files will be theinstall.log andNPFInstall.log in the Npcap installation directory.
Replaced ReadWriteLock mechanisms with improvedNDIS_RW_LOCK_EX new in NDIS6.20 for improved performance.
Moved object pool for captured packets from the filter module (adapter)object to the open instance (pcap handle) to allow memory to be recoveredafter a capture is closed.

Npcap 0.9992 [2020-06-03]

Npcap issues are now tracked ontheir own Github Issuespage, separate from Nmap issues. Many existingissues have been migrated, and issue numbers may have changed.
Rewrote the kernel packet capture buffer code again to avoid requiring aseparate worker thread. Instead, captured packets are held directly in asynchronized queue. The worker thread introduced in Npcap 0.9991 was unableto keep up with the volume of packet requests, leading to buffer bloat andreduced performance.
Avoid initializing loopback capture-related functions and processing packetsas soon as an adapter is opened. This will improve performance since adaptersare opened as part of listing adapters.
Fix a crash in NPFInstall.exe when terminating processes which are usingNpcap resources. This could lead to failed installations and message windowsabout "A LWF & WFP driver installation tool has stopped working."
Update Npcap from NDIS 6.10 to NDIS 6.20, which limits its compatibility toWindows 7 and higher. Closes#167.
Fix a bug in Npcap 0.9991 which prevented packets from being captured until aBPF filter had been set. Fixes#168 (migratedfrom nmap/nmap#2037).
Allow capture statistics and captured packets remaining in the buffer to beretrieved when an adapter is removed. Fixesnmap/nmap#2036.
Use WMI instead of the Windows 10-onlyGet-NetAdapter Powershell cmdlet inthe DiagReport tool. Fixesnmap/nmap#611.

Npcap 0.9991 [2020-05-04]

Switched our code signing certificate back to DigiCert after some users foundolder Windows versions could not validate the signature on our driver forversions 0.9985 through 0.9990. The driver is again dual-signed with SHA-1and SHA-2 certificates. See#2012.
Major changes to management of Npcap driver's circular packet buffer,switching from per-CPU unshared segments to a single worker thread managing aqueue of work items. This improves buffer utilization, reduces the amount oftime spent processing in the network stack, and should reduce packet loss.See#1967.
Several performance-related improvements to the NDIS filter driver: Switchedfrom SpinLocks to ReadWriteLocks for several crucial shared data structures,which will improve performance by reducing resource contention onmultiprocessor systems, and introduced an object-pool allocation pattern forseveral frequently-used short-lifetime objects, improving performance byreducing memory allocations.
Again restore "unused" NDIS filter callbacks which cause Windows 7 to loseconnectivity when they are removed. See#1998.
Include debug symbols forwpcap.dll in our debug symbols zip file athttps://npcap.com/#download . Fixes#1844.
Fixed#1996: heap corruption inNPFInstall.exe since Npcap 0.9989 leading to hung installs when the "raw802.11 traffic" option was checked.
Fixed#2014: Npcap OEM silent installproduced a dialog when installing over an existing installation of the sameversion.
Uninstaller improvements related to removing the installation directory,properly killing processes using Npcap DLLs, not leaving a partialinstallation if a step fails. Fixes#2013and#2015.

Npcap 0.9990 [2020-04-04]

Improve compatibility with WinPcap's behavior regarding injected traffic.WinPcap uses inefficient loopback to capture all outbound traffic, but allowsPacketSetLoopbackBehavior() to avoid this for injected traffic. Because ofNpcap's more efficient design, injected traffic was never looped back up toprotocol drivers, causing problems for some users who relied on this behavior.Now, injected traffic follows the same path as with WinPcap, though ordinarytraffic is unaffected. For highest efficiency without loopback, usePacketSetLoopbackBehavior(NPF_DISABLE_LOOPBACK). Fixes#1343,#1929, andGNS3/gns3-gui#2936
No longer honorNDIS_PACKET_TYPE_ALL_LOCAL set viaPacketSetHwFilter().This packet filter causes all local traffic to be routed through an unoptimizedloopback path within NDIS, which was necessary to capture outgoing traffic inWinPcap but is no longer needed in Npcap. Instead, this value will be treated asNDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST.
Fix a bug that causedTIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE to fall back toTIMESTAMPMODE_QUERYSYSTEMTIME even whenKeQuerySystemTimePrecise() wasavailable. Fix by Mauro Levra inPR#23.
Installer will now install an intermediate CA cert that was missing from somesystems, which is needed to verify the driver's digital signature. Onlyaffects Windows versions prior to Windows 10.
Backport a fix from libpcap needed to properly supportNdisMediumWirelessWan. See#1573.
Include experimental support for AirPcap cards ifairpcap.dll (notincluded) is installed.

Npcap 0.9989 [2020-03-19]

Fix a BSOD crash inNPF_OpenAdapter due to reading past the end of astring. Fixes#1924
Fix a BSOD crash (NULL pointer dereference) inNPF_Restart.Fixes#1964.
Fix a memory leak in the Loopback WFP filter. Additionally, WFP callbackswill be unregistered when all loopback captures are closed, reducing impactof related code when not in use. Fixes#1966.
New Packet.DLL functionPacketSetTimestampMode() allows a user program toset the method used to timestamp packets as they arrive. See#1775.Supported modes are:
- TIMESTAMPMODE_SINGLE_SYNCHRONIZATION - default monotonic timestamps basedonKeQueryPerformanceCounter()
- TIMESTAMPMODE_QUERYSYSTEMTIME - low-precision wall clock time based onKeQuerySystemTime()
- TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE - high-precision wall clock timebased onKeQuerySystemTimePrecise(), new in this release and onlyavailable on Windows 8 and newer. See#1407.
Remove some problematic timestamp modes:TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP andTIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP were undocumented;TIMESTAMPMODE_RDTSC was x86-only and not suitable for multi-processorsystems. See#1829.
The Npcap SDK 1.05 will be released to include the newPacketSetTimestampMode() function.

Npcap 0.9988 [2020-03-05]

If a capture is in progress when the system is suspended, it will continuewithout interruption after the system is woken. This also prevents captureinterruptions when the OS makes certain network stack changes.Fixes#1903.
If the npcap driver is stopped, Packet.dll will attempt to start itautomatically. This feature requires Administrator privilege and had beenremoved in Npcap 0.9983. Fixes#1911.
Fix the check for fragmented packets in loopback capture.ClosesPR #22.
Eliminate clone/block/inject pattern from loopback capture except for packetsalready injected by Npcap. Should fix#1529and#1789.
Fix an issue in the Npcap OEM installer where silent mode would not detect afailure to install the npcap driver. Fixes#1910.
Improve the installer to avoid broken installations and allow the installerto continue if a broken installation is detected. Fixes#1935.
Formally removed support for Windows Vista and Server 2008 r1, whichare no longer supported by Microsoft either. This allows us to supportnewer Windows WFP and NDIS features for better performance andcompatibility. Folks who must still run these ancient Windows releasesshould use Npcap version 0.9984 fromhttps://npcap.com/dist/?C=M;O=D. That was the last Npcap releaseto support the old (and less secure) SHA-128 driver signaturesrequired by these Windows Vista/2008. Please note that Windows Server2008 r2 and Windows 7 are still supported in this release even thoughthey have also passed their Microsoft end-of-life dates.

Npcap 0.9987 [2020-02-03]

Fix an issue where Npcap begins dropping large packets, then smaller onesuntil finally all packets are dropped. Our fix changes the way remaining freespace in the kernel buffer is calculated, which ought to prevent the freespace accounting from drifting from reality. Fixes#1891.
Fix a potential race condition when opening the loopback capture adapter. Iftwo threads simultaneously determine that the WFP filters need to beregistered, each may open a handle to the WFP engine using the same globalpointer, leading to a double-free when the second one tries to close thehandle.
Allow Packet.dll and the npcap driver to skip loopback-related operations,including WFP and WSK setup, if theLoopbackSupport Registry key is setto 0. This configuration will not be supported by the installer, but mayserve as a workaround for problems that may be related to Npcap's loopbacktraffic capture and injection capability.
Ensure open handles to the Service Control Manager are closed on error inPacketGetFileVersion. Fixes#1882.

Npcap 0.9986 [2019-12-17]

Fix a driver signing issue that made Npcap 0.9985 uninstallable on defaultconfigurations of Windows 8.1 and older, as well as certain older WindowsServer releases. Fixes#1856.

Npcap 0.9985 [2019-12-13]

The Nmap Project's (Insecure.Com LLC) code signing certificate has beenrenewed, and no longer exists as a SHA-1 certificate. Windows Vista andServer 2008 may therefore not recognize the digital signatures on thefilter driver so a warning may be presented upon install. Please notethat Microsoft is ending support for these operating systems in January 2020.
WinPcap API-compatible mode no longer installs a separate filter driver.Packet.DLL will translate NPF device names so that they are all serviced bythe npcap.sys driver. The npf.sys driver has been removed. See#1812.
Improve the speed ofpcap_findalldevs by reducing the number of calls toGetAdaptersAddresses, removing a redundant function call, and improvingbuffer reallocation. Patch by Tomasz Moń(#20).
Temporary DLLs unpacked during installation are now signed with our codesigning certificate. Certain strict application whitelisting systems werecomplaining about unsigned DLL's loaded from a temporary directory.
Fixed a bug in the uninstaller preventing downgrades to prior versions ofNpcap. On 64-bit Windows, the driver filenpcap.sys was not properlyremoved, and Windows would not replace it with any older version. Fixes#1686.

Npcap 0.9984 [2019-10-30]

Update libpcap to 1.9.1. Seethe libpcap CHANGESfilefor this release. This update addresses several CVE-identified vulnerabilities.
Address several code quality issues identified by Charles E. Smith ofTangible Security using Coverity source code analysis.
Fixed processing of the "enforced" value for several command-line installeroptions. Fixes#1719.
TheDisplayName value in the Uninstall registry key for Npcap no longerincludes the version number, which has always been available in theDisplayVersion value. Instead, it will include the product name andedition, e.g. "Npcap" or "Npcap OEM". This value will also be recorded in theEdition value under the npcap service's Parameters registry key.
Fixed a couple of issues with theDiagReport toolused for bug report diagnostics: remove extraneous partial output lines(#1760), and avoid relying on the Serverservice to determine privilege level (#1757).

Npcap 0.9983 [2019-08-30]

Npcap can now detect newly-added network adapters without restarting thedriver. Fixes#664.
Loopback capture and injection no longer requires the Npcap Loopback Adapterto be installed. This is a minor API change, so Nmap 7.80 and earlier willstill require the adapter to do localhost scans, but Wireshark and most othersoftware will not require changes. Loopback capture uses the device nameNPF_Loopback instead ofNPF_{GUID}, whereGUID has to be looked up inthe Registry. The Npcap Loopback Adapter can still be installed by selecting"Legacy loopback support" in the installer or using the/loopback_support=yes command-line option. TheLoopbackSupport Registryvalue will always be 0x00000001.
TheDltNull Registry setting and the/dlt_null installer option are nolonger supported. Loopback capture will use theDLT_NULL link type asdescribedin the tcpdumpdocumentation. Loopback packetinjection will also use this link type instead of requiring a dummy Ethernetheader to be constructed. TheDltNull Registry value will still be presentand set to1 for software that consults this value.
Some operations likepcap_stats() can now be completed even after theadapter that was in use is removed. See#1650.
Fixed a crash that could happen when stopping the driver during a loopbacktraffic capture. Fixes#1678.

Npcap 0.9982 [2019-07-30]

Fix the packet statistics functionality used bypcap_stats(), which wasbroken in 0.9981. Fixes#1668.
Rework the flow of packets through the WFP callout driver that implementsloopback traffic capture. This should prevent clobbering of redirect contextdata reported in#1529.
Restore the/dlt_null installer option to default to "yes" since it hasbeen defaulting to "no" since Npcap 0.992. UsingDLT_NULL for loopbackcapture is slightly more efficient than creating a dummy Ethernet header,which was the default before.

Npcap 0.9981 [2019-07-23]

When upgrading Npcap, do not uninstall the existing Npcap until the userclicks the Install button. Previously, the existing Npcap was uninstalledprior to the first options screen, so that canceling the upgrade left noworking Npcap on the system.
Redefine the I/O control codes used by Npcap using theCTL_CODE macro toensure proper access control and consistent parameter passing. This is not apublished API, but the change will require that Packet.DLL and the npcapdriver are the same version.
Fix a 1-byte overrun in NPFInstall.exe when killing processes with Npcap DLLsin use.
In cases where PacketOpenAdapter is given an adapter name in UTF-16LE,translate it to ASCII before doing string operations on it. See#1575.
Significant reorganization of internal data structures to reduce memory useand initialization overhead.

Npcap 0.997 [N/A]

Internal testing build, no public release.

Npcap 0.996 [2019-06-15]

Fix a crash when stopping the npcap driver service, such as when upgradingNpcap,DRIVER_IRQL_NOT_LESS_OR_EQUAL inNPF_DetachAdapter. Since Npcap0.994 and 0.995 may crash when upgrading, the installer will offer to disablethe npcap driver service if it is running, allowing the user to reboot andattempt the install again, avoiding a crash. Fixes#1626.
Ensure the uninstaller for the previous version of Nmap is called whenupgrading. Npcap 0.95 through 0.995 erroneously skipped this step in simplenon-silent upgrades, which could cause multiple Npcap Loopback Adapters to beinstalled.

Npcap 0.995 [2019-05-10]

Fix a crash reported via Microsoft crash telemetry,DRIVER_IRQL_NOT_LESS_OR_EQUAL inNPF_NetworkClassify introduced in Npcap0.994. Fixes#1591.

Npcap 0.994 [2019-05-07]

Fix the installer options screen, which would immediately proceed toinstallation when you clicked on the "Support loopback traffic" option. Fixes#1577.
Use the/F option toSCHTASKS.EXE in the installer so that thenpcapwatchdog task can be successfully overwritten if it is present, thoughnewer uninstallers also remove the task. Fixes#1580.
Fix theCheckStatus.bat script run by thenpcapwatchdog scheduled task tocorrectly match output ofreg.exe on non-English systems. Fixes#1582.
Improve synchronization between WFP (Loopback) and NDIS (control) functionswithin the driver, which ought to improve stability during systemsleep/suspend events, particularly an access violation inNPF_NetworkClassify observed via Microsoft crash telemetry.

Npcap 0.993 [2019-04-27]

Complete the fix for#1398 that was onlypartially applied in Npcap 0.992. Due to this partial fix, the user-providedbuffer was double-freed, resulting in aBAD_POOL_CALLER BSoD. This issuewas separately reported as#1568, and has beenissued the identifier CVE-2019-11490.
Fix output ofpcap_lib_version to again report "Npcap version 0.993, basedon libpcap version 1.9.0" instead of "libpcap version 1.9.0 (packet.dllversion 0.992)". Npcap 0.992 was the only version affected. Fixes#1566.
Fix a regression in loopback capture that was causing the loopback adapter tobe missing frompcap_findalldevs until the driver was manually stopped andrestarted. Fixes#1570.
Remove installer interface option "Automatically start the Npcap driver atboot time." Command-line and registry settings are still respected, butautomatic start will be the default for all new installations, since manualstart results in delays in network connectivity at boot. See#1502.
Avoid interpreting null or uninitialized memory as out-of-band media-specificinformation for purposes of constructing the Radiotap header when capturingin raw 802.11 monitor mode. Fixes#1528.
Ensure the uninstaller removes thenpcapwatchdog scheduled task.
Avoid an uninstaller failure if DLLs and executables are in use duringuninstall by causing them to be deleted at reboot. See#1555.

Npcap 0.992 [2019-03-24]

Update libpcap to 1.9.0. Seethe libpcap CHANGESfilefor this release and#1506.
Fix a bug in the fix for#1406 that causedcapture filters to reject all packets when the packet header was offset fromthe start of the kernel data structure.
Fix a bug in the fix for#1398 that causedBSoD (BAD_POOL_CALLER) due to mismatch in functions used to allocate andfree a data structure.
Remove installer interface option "Use DLT_NULL as the loopback interface'link layer protocol instead of DLT_EN10MB." Command-line and registrysettings are still respected, butDLT_NULL will be the default for all newinstallations.
Remove installer interface option "Support 802.1Q VLAN tag when capturing andsending data," which was unsupported for three years. Support may be restoredin future releases, but the option has not had any effect in earlierinstallers.

Npcap 0.991 [2019-03-14]

Fix a bug in the BPF packet filter engine that caused capture filters withbyte offsets to reject packets due to fragmentation withinNET_BUFFERstructures. See#1406 and#1438.
Fix a bug that caused several network device drivers to crash when using thepcap_sendqueue_transmit function, due to queued network packets beingallocated from paged memory that paged out before the drivers accessed it.See#1398.
Fix a crash (SYSTEM_EXCEPTION_NOT_HANDLED_M) inWSKCloseSocket due todouble-free, reported via Microsoft crash telemetry.
Fix a BSOD inherited from WinPcap triggered whenPacketGetStats is calledwith low system resources. See#1517.
Properly quote the path to theCheckStatus.bat script in thenpcapwatchdog scheduled task. See#1513.
Fix errors when installing in WinPcap API-compatible mode over WinPcap whenNpcap install directory does not already exist. See#1456.

Npcap 0.99-r9 [2019-01-22]

Install a scheduled task at startup to check whether the Npcap LoopbackAdapter has been removed and restore it. Windows 10 feature updates removethe Adapter. See#1416.
Package the correct driver version. On some platforms, the Npcap 0.99-r8installer would install the Npcap 0.99-r7 driver.
Fix a crash (REFERENCE_BY_POINTER) inNPF_ReleaseOpenInstanceResourcesreported via Microsoft crash telemetry. See#1419.

Npcap 0.99-r8 [2018-12-17]

Revert to usingSERVICE_SYSTEM_START for the "Automatically start Npcap atboot" option. The previous value,SERVICE_AUTO_START had been introduced asa workaround for network interruption on Windows 7 that was finally solved inNpcap 0.99-r7. See#1208.
Removed extra Registry keywords from Npcap Loopback Adapter which werecausing it to not appear properly in Windows API calls.Fixes#1368.
Detect in-use WinPcap installations before attempting to overwrite DLLs.Offer to terminate the processes just as we do for in-use Npcap.
Improved documentation based on WinPcapdocumentation including updates for Npcap changes. Example code builds onVisual Studio 2015 and works with Npcap. Npcap SDK 1.01 includes these changes.
Fix a crash inNPF_RegisterCallouts reported via Microsoft crash telemetrycaused by a failure when opening the Npcap Loopback Adapter for packetcapture.
On Windows 8 and Server 2012, Npcap will rebind to network adapters afterinstallation to ensure a more complete fix to#1031.

Npcap 0.99-r7 [2018-07-05]

Fixed the installer so that Npcap in WinPcap API-compatible mode can doloopback capture. This capability is not guaranteed for future releases, butwas only missing from 0.99-r3 to 0.99-r6. Native-mode Npcap was unaffected.Fixes#1213
Added a script,FixInstall.bat, to fix common problems with installations,such as those caused by Windows 10 feature upgrades.See#1216
Improved stability by restoring certain passthrough NDIS callbacks that arenot used, but appear to cause connectivity problems if omitted.See#1208.

Npcap 0.99-r6 [2018-06-12]

Fixed installation on Windows 8 and Server 2012 so that Npcap is able tocapture on adapters without requiring a reboot. Fixes#1031.
Fixed loss of networking on Windows 7 when Npcap was configured to start atboot. UsingAUTO_START instead ofSYSTEM_START for the Npcap driverservice solves the problem. Fixes#1208.
Fixed a crash reported via Microsoft crash telemetry,DRIVER_IRQL_NOT_LESS_OR_EQUAL inNPF_IOControl when settingOID_GEN_CURRENT_LOOKAHEAD. Fixes#1194.
Fixed certain interactions between processes with open Npcap handles thatcould allow one process to stop other running captures from receivingpackets. Fixes#1035.

Npcap 0.99-r5 [2018-05-01]

Restored installer code to silently uninstall WinPcap if silent installationin WinPcap API-compatible mode is needed (Npcap OEM only).
Removed several optional passthrough driver functions that can be handledmore efficiently by NDIS, since Npcap was not using them.
Added validation of IRP parameters for additional security.
Fixed a crash reported via Microsoft crash telemetry,DRIVER_IRQL_NOT_LESS_OR_EQUAL inNPF_SendCompleteExForEachOpen when thesystem is suspended. Fixes#1193.
Bundle and install the correct public code signing certificate. Thecertificate used to sign Npcap was updated for Npcap 0.99-r4, but the publiccert file included was not, leading to some unwanted publisher trust dialogsduring installation.

Npcap 0.99-r4 [2018-04-19]

On Windows 7, if Npcap driver installation fails due to maximum NDIS filtersinstalled, attempt to increase the limit. No such limit exists on otherWindows versions. Fixes#1182.
Avoid some cmd.exe popup windows during installation. See#1188.
Improve the license to allow unlimited copies of Npcap to be used(removes the 5 copy limitation) if the copies are solely used forNmap and/or Wireshark.

Npcap 0.99-r3 [2018-04-06]

Fix recording of the Npcap Loopback Adapter's name in the service registrykey. Loopback packet injection was broken in WinPcap API-compatible mode inNpcap 0.99-r1 and 0.99-r2. Fixes#1165.
Fix a double-close of a Registry key which could cause a crash in Packet.dllwhen debugging. Fixes#1163.

Npcap 0.99-r2 [2018-03-13]

Fix installer to work on 32-bit Windows.

Npcap 0.99-r1 [2018-03-05]

We now offer an Npcap OEM Edition internal-use license. Thisprovides all the advantages of Npcap OEM (such as the silentinstaller) and removes the 5-copy limitation of the free Npcap,while also providing for commercial support and updates. It isfor companies who only want to use Nmap internally. We also stilloffer the Npcap OEM redistribution license for companies wanting toredistribute Npcap with their software. Seehttps://npcap.com/oem/.
Improved installation of the Npcap Loopback Adapter, ensuring it can becorrectly removed and reinstalled.
Packet.DLL now only looks in the driver service'sParameters Registry keyfor installation options; in future releases, Npcap may stop writing theseoptions to theHKLM:\Software\Npcap registry key.
When NpcapHelper.exe is used for UAC elevation, the pipe it uses tocommunicate with the calling process is now restricted to the user SID of thecalling process. Previously, any user could cause NpcapHelper to obtainhandles to other devices, though the handles were only valid for the callingprocess.
Performed Visual Studio Code Analysis on Packet.DLL and cleaned up severalcode health issues.
Improved debug logging, error checking, and diagnostics throughout.

Npcap 0.98 [2018-01-10]

Fix digital signatures for some files: OEM drivers were missing the MicrosoftAttestation signature required for Windows 10 1703, and the installer wasmissing the SHA-1 signature required for Windows Vista.

Npcap 0.97 [2017-11-27]

Only include data rate and channel fields in the RadioTap header if they arereported by the underlying WiFi card driver. See#1036.
When the Npcap installer detects that WinPcap is present, it will default toinstalling in WinPcap API-compatible mode, replacing WinPcap. This can bechanged by the user in the interactive installer, or by setting the/winpcap_mode=no command-line option.
The Silent installation feature of the Npcap installer is now limited to theNpcap OEM edition.

Npcap 0.96 [2017-10-31]

Set the*IfType,*MediaType, and*PhysicalMediaType registry values forthe Npcap Loopback Adapter. The values set should reduce the amount ofconfiguration that Windows attempts to do on the adapter, preventing it frombeing labeled "Unknown Network."
Record the ID of the Npcap Loopback Adapter in the registry when creating it,instead of only in the installer. This allows users to remove and create theadapter with NPFInstall directly, without requiring a reinstallation of Npcap.
Expand the Npcap public license to allow 5 installations rather than only 1.
Fix memory layout and accounting when writing Radiotap headers in raw 802.11monitor mode. Fixes#1001,#1028, and#1036.

Npcap 0.95 [2017-10-19]

When upgrading, existing installation options will be retrieved from theRegistry. Command-line installer options will still override these.
The installer detects Win10pcap as distinct from WinPcap; since the installercannot uninstall Win10pcap, WinPcap API-compatible mode will be disabled inthe installer when it is present. Fixes#999.
The npcap.cat file is no longer dual-signed; since it was not a PEexecutable, only one signature is supported. The invalid signature wascausing some installation failures. Fixes#994.
Silent installs will not downgrade the Npcap version unless the new/downgrade=yes option is given. Any version ofNpcap OEMwill be considered a "newer version" than any non-OEM version.

Npcap 0.94 [2017-08-29]

Npcap no longer prevents checksum offloading and Large Send Offloading onadapters that support them. This may cause problems with sniffing outgoingpackets on those interfaces when those features are enabled, but users candisable them through standard Windows configuration means. Fixes#989

Npcap 0.93 [2017-07-27]

Move the driver's Service Registry values from theHKLM:\SYSTEM\CurrentControlSet\Services\npcap key to theParameterssubkey. Applying Windows upgrades such as Windows 10 Creators Update deletesnonstandard values from the service key; the Parameters subkey is where theseshould be stored instead.
Prevent the installer/uninstaller from crashing when faced with an incompleteNpcap installation, such as that created by applying a Windows versionupgrade. Safely distinguish between old WinPcap installations and brokenNpcap-in-WinPcap-API-mode installations. Fixes#906

Npcap 0.92 [2017-06-12]

Force overwrite of files in installer, since uninstallers from versions0.78r5 through 0.81 do not remove npcap.sys, leading to mismatched driver vsDLL versions.
New installer commandline option to skip setting a restore point:/disable_restore_point=yes

Npcap 0.91 [2017-06-06]

Fix WiFi interruption with certain hardware. This is a regression introducedin Npcap 0.90, which had optimistically removed the fix from 0.10-r15.

Npcap 0.90 [2017-05-26]

Fix BSOD introduced in 0.85; Locking while being cleaned up is bad.
Fix WiFi interruption on Windows 7 in some circumstances, as demonstrated byinability to connect when Kaspersky Internet Security is installed.

Npcap 0.86 [2017-04-12]

Fix BSOD introduced in 0.85; wrong driver build had been packaged. Fixes#840

Npcap 0.85 [2017-04-10]

Fix BSOD by reverting to simpler pre-0.82 data structures but retaining thespinlock improvement that was the core of that fix.

Npcap 0.84 [2017-03-28]

Fix a failure of 64-bit Npcap when installed in Admin-Only mode.#814

Npcap 0.83 [2017-03-04]

Fix a crash caused by recieving loopback traffic after Windows starts tosleep.#721
Don't override CLI installer options like/wpcap_mode when WinPcap isfound.#717
Restore the uninstaller instruction that deletes the npcap driver files.

Npcap 0.82 [2017-02-23]

Fix a crash that happened when many concurrent processes were using Npcap.If several of these quit during processing of a packet, the linked list ofprocesses could become corrupted. Solved this by using a fixed array withcopy-and-swap instead.

Npcap 0.81 [2017-02-16]

Moved distribution of executable installer tohttp://npcap.com/ from Github.
Write log files in UTF-8 encoding to preserve localized error messages.
Report human-readable error when LWF filter fails to be installed.
Add*NdisDeviceType=1 key to registry for Loopback adapter. Fixes#653

Npcap 0.80 [2017-01-09]

Signed the uninstaller executable.
Removed the legacy code supporting Windows XP and earlier.
Added this CHANGELOG
Fixed a few null pointer dereferences that may have led to Blue Screens undersome scenarios.
Restored changes from 0.78 r2 through 0.78 r4 that were accidentally omittedfrom 0.78 r5.

Npcap 0.78 r5 [2016-12-15]

Microsoft Attestation-signed drivers for Windows 10, required in Win10 1607.See#492
Removed Windows XP support from the executable installer. XP users can useWinPcap instead, as that is all that we were installing on that platform.

Npcap 0.78 r4 [2016-12-10]

Fixed the bug that "Npcap Loopback Adapter" can't be uninstalled.

Npcap 0.78 r3 [2016-12-10]

The uninstaller allows users to terminate processes that are using Npcap.

Npcap 0.78 r2 [2016-12-03]

The uninstaller lists the processes that are currently using Npcap,preventing a clean uninstall.

Npcap 0.78 [2016-11-23]

The uninstaller warns when it is unable to delete DLLs that are in use byapplications.

Npcap 0.11 [2016-11-21]

Updated the WDK from 10.0.10586 to 10.0.14393.

Npcap 0.10 r18 [2016-11-08]

Improved the error message of invalid adapter name in WlanHelper.

Npcap 0.10 r17 [2016-11-07]

Built WlanHelper.exe in Unicode instead of Multi-Byte. This will fix thewrong display of non-English characters.

Npcap 0.10 r16 [2016-11-07]

Fixed the bug that some functions of WlanHelper.exe doesn't work.

Npcap 0.10 r15 [2016-11-05]

Fixed the bug that using Npcap to capture at the first time causes limitedconnectivity on Wi-Fi adapters.

Npcap 0.10 r14 [2016-11-03]

Fixed the bug that Npcap mode and WinPcap compatible mode can't use theloopback interface at the same time.

Npcap 0.10 r13 [2016-11-01]

Added the/sign_mode option for installer to choose to install SHA1-signed orSHA2-signed drivers.

Npcap 0.10 r12 [2016-10-25]

Fixed the issue that Nping shows both protocol unreachable and successfulreplies for "nping ".

Npcap 0.10 r11 [2016-10-24]

Fixed the issue that Nping shows both protocol unreachable and successfulreplies for "nping 127.0.0.1".

Npcap 0.10 r10 [2016-10-23]

The uninstaller will not show the finish page if run with "/Q".

Npcap 0.10 r9 [2016-10-17]

Fixed the BSoD that happens when the OS sleeps after using Npcap LoopbackAdapter.

Npcap 0.10 r8 [2016-10-16]

Improved the error messages of WlanHelper.exe.

Npcap 0.10 r7 [2016-10-08]

Raw 802.11 capture is provided without re-installing the driver!

Npcap 0.10 r6 [2016-10-04]

Fixed the BSoD thatNPF_RemoveFromGroupOpenArray() referenced the freed grouphead.

Npcap 0.10 r5 [2016-10-03]

Fixed the "PAGE FAULT IN NONPAGED AREA" BSoD about the group adapter removalreported by Pavel.

Npcap 0.10 r4 [2016-10-02]

Fixed some BSoDs that causes the system to halt.

Npcap 0.10 r3 [2016-10-02]

Now NPFInstall debug traces will be logged intoC:\Program Files\Npcap\NPFInstall.log

Npcap 0.10 r2 [2016-09-21]

Fixed the BSoD thatNPF_TapEx() accessed the CPU buffer of theOPEN_INSTANCEthat was released.

Npcap 0.10 [2016-09-20]

Fixed the bug thatPacketGetNetType() doesn't return the correctDLT_NULLvalue on Nmap.

Npcap 0.09-r9 []

Npcap 0.09-r8 []

Npcap 0.09-r7 []

Npcap 0.09-r6 []

Npcap 0.09-r5 []

Npcap 0.09-r4 []

Npcap 0.09-r3 []

Npcap 0.09-r2 []

Npcap 0.09-r13 []

Npcap 0.09-r12 []

Npcap 0.09-r11 []

Npcap 0.09-r10 []

Npcap 0.09 []

Npcap 0.08-r9 []

Npcap 0.08-r8 []

Npcap 0.08-r7 []

Npcap 0.08-r6 []

Npcap 0.08-r5 []

Npcap 0.08-r4 []

Npcap 0.08-r3 []

Npcap 0.08-r2 []

Npcap 0.08-r10 []

Npcap 0.08 []

Npcap 0.07-r9 []

Npcap 0.07-r8 []

Npcap 0.07-r7 []

Npcap 0.07-r6 []

Npcap 0.07-r5 []

Npcap 0.07-r4 []

Npcap 0.07-r3 []

Npcap 0.07-r2 []

Npcap 0.07-r17 []

Npcap 0.07-r16 []

Npcap 0.07-r15 []

Npcap 0.07-r14 []

Npcap 0.07-r13 []

Npcap 0.07-r12 []

Npcap 0.07-r11 []

Npcap 0.07-r10 []

Npcap 0.07 []

Npcap 0.06-r19 []

Npcap 0.06-r18 []

Npcap 0.06-r17 []

Npcap 0.06-r16 []

Npcap 0.06-r15 []

Npcap 0.06-r14 []

Npcap 0.06-r13 []

Npcap 0.06-r12 []

Npcap 0.06-r11 []

Npcap 0.06-r10 []

Npcap 0.06-r9 []

Npcap 0.06-r8 []

Npcap 0.06-r7 []

Npcap 0.06-r6 []

Npcap 0.06-r5 []

Npcap 0.06-r4 [2016-03-04]

The uninstallation window won't close itself now.
Fixed the problem that the uninstallation process won't end in the Task Manager.
System restore point will not be created in the uninstallation phase.
Improved the text display of the installer.

Npcap 0.06-r3 [2016-03-03]

Improved the creating system restore point support. Now Npcap installer willcreate a Windows system restore point named Before Npcap %VERSION% installsbefore actual installation process and create a point named Before Npcap%VERSION% uninstalls before uninstallation.

Npcap 0.06-r2 [2016-03-01]

Made the loopback feature optional in the installer. This option is checkedby default.
Improved the creating system restore point logic by removing nestedcreation. A modified SysRestore plug-in is used:https://github.com/hsluoyz/SysRestore

Npcap 0.06 [2016-02-29]

Fixed the bug reported by yyjdelete that Npcap causes BSoD if the user tries to disable the adapter while sending packets.

Npcap 0.05-r16 [2016-02-29]

Added creating system restore point support. Now the installer has added anoption called Create a system restore point before installing Npcap. It thisoption is checked, Npcap installer will create a Windows system restorepoint named Before installing Npcap before actual installationprocess. Returning back to this point will roll back all changes made byNpcap. Note: this option is NOT checked by default.

Npcap 0.05-r15 [2016-02-28]

Added debug symbols support. Now Npcap will release new versions shippingwith the corresponding debug symbols. These PDB files will help debuggingBSoDs and user-mode crashes of Npcap binaries. Seehttps://github.com/nmap/npcap/releases/tag/v0.05-r15.

Npcap 0.05-r14 [2016-02-25]

Fixed the driver signing error in Win7. We used the legacy SHA1 code signingcert to sign the Npcap driver in Win7, so no need for Win7 users to installKB3033929 patch any more.
This version Npcap is supposed to have fixed all signing errors, so it willsuccessfully install on all the platforms: Vista, Win7, Win8, Win8.1 andWin10 without any prerequisites.

Npcap 0.05-r13 [2016-02-20]

Fixed a driver signing error in Vista. Seehttps://github.com/nmap/npcap/releases/tag/v0.05-r13.

Npcap 0.05-r12 [2016-02-16]

Signed the installer with better signing method

Npcap 0.05-r11 [2016-02-16]

Npcap 0.05 r11: Added firewall (Block-Rx) support. Seehttps://github.com/nmap/npcap/releases/tag/v0.05-r11.

Npcap 0.05-r10 [2016-02-04]

Added different Timestamp modes support like original WinPcap. Seehttps://github.com/nmap/npcap/releases/tag/v0.05-r10

Npcap 0.05-r9 [2016-02-04]

Updated wpcap.dll from VS2005 to VS2013 and Packet.dll, NPFInstall.exe andNPcapHelper.exe from VS2010 to VS2013.
Additionally, I rolled back the driver signing improvement in 0.05r8. Because it will show a Program Compatibility Assistant window said awell signed driver is needed. However, it's not true because npcap driverruns well by testing net start npf. To avoid this false message, I rolledback to the original signing commands.

Npcap 0.05-r8 [2016-02-01]

Now Npcap driver will be signed in both SHA1 and SHA256 digest algorithmsand with timestamp. This improvement will help the driver installation onVista and Win7. This is an issue reported by Graham Bloice (see graham'sanswer inhttps://ask.wireshark.org/questions/46689/failed-to-create-npcap-service).

Npcap 0.05-r7 [2016-01-28]

Now send-to-Rx adapters can be multiple. The string specified in registry's SendToRx value should be semicolon-separated.

An example for one send-to-Rx adapter:'\Device{754FC84C-EFBC-4443-B479-2EFAE01DC7BF}

An example for two send-to-Rx adapters:'\Device{754FC84C-EFBC-4443-B479-2EFAE01DC7BF};\Device{F5A00000-E19A-4D17-B6D9-A23FE1852573}

Npcap 0.05-r6 [2016-01-27]

Now Npcap can have a send-to-Rx adapter. The send-to-Rx adapter will injectall its packets to "Receive Path" (Rx) instead of normal "Send Path"(Tx). So that instead of sending traffic to the network, the adapter willpretend to receive the injected traffic from the network in this way.
Currently only one send-to-Rx adapter is supported by specifying SendToRxvalue in Npcap driver service's registry key (need to restart the driver totake effect).
Npcap driver service's registry key is usually in:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf. In this key. Youneed to manually create a REG_SZ value named SendToRx, the value is the nameof the adapter you want to be send-to-Rx adapter. The name is usually likeformat of \Device{F5A00000-E19A-4D17-B6D9-A23FE1852573}. You can query thisvalue using Nmap's nmap --iflist command, you will get a similar value like\Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}, but they are NOT THESAME. You need to remove the NPF_ in this string and copy it to registry'sSendToRx value. Then reboot the driver by net stop npf and net start npf.

Npcap 0.05-r5 [2016-01-11]

Fixed the bug reported by Nuno Antonio Dias Ferreira that Npcap fails toretrieve the adapter list using NPF registry way.

Npcap 0.05-r4 [2015-12-17]

Fixed the bug reported by Tenzin Rigden that Npcap installer fails toinstall correct files in /S silent mode.

Npcap 0.05-r3 [2015-11-25]

Added Npcap's support for Vista, Npcap now will prepare separate binariesfor Vista.

Npcap 0.05-r2 [2015-11-05]

Fixed the bug reported by Amos Sheldon that Npcap causes BSoD:ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY when using Wireshark on Win8, 10 x86.

Npcap 0.05 [2015-09-11]

Added the "DON'T LOOPBACK" feature, if software setPacketSetLoopbackBehavior() by disable, self-sent packets will not bereceived again.
Built the installer using NSIS with strlen_8192, so system "PATH" will beupdated normally in most cases (PATH is less than 8192).
Added 128 CPU core support for Npcap, or Npcap will cause BSoD when runningon 128-core system.
Improved the appearance and text of the installer.

Npcap 0.04-r9 [2015-08-31]

Fixed the bug that Npcap can't capture real loopback traffic after system isresumed from standby.

Npcap 0.04-r8 [2015-08-25]

Now PCAP_IF_LOOPBACK flag in pcap_if_t struct will be set for "NpcapLoopback Adapter" both for DLT_NULL mode and Fake Ethernet mode.

Npcap 0.04-r7 [2015-08-24]

PCAP_IF_LOOPBACK flag in pcap_if_t struct will be set for "Npcap LoopbackAdapter" now, only for DLT_NULL mode
Fixed the bug that DLT_NULL mode can't be disabled in the driver.

Npcap 0.04-r6 [2015-08-23]

Packet.dll will return NdisMediumNull for "Npcap Loopback Adapter" now.

Npcap 0.04-r5 [2015-08-21]

Finished the DLT_NULL protocol support. But there's a problem that Wiresharkdidn't parse the loopback packets right, need fix.

Npcap 0.04-r4 [2015-08-21]

Npcap driver will return 65550 as "Maximum Packet Size" instead of default1514 for "Npcap Loopback Adapter", which refers to Linux implementation.

Npcap 0.04-r3 [2015-08-18]

Fixed the bug reported by Pascal Quantin that WSK code fails to init if itis run without Administrator right, the effect is Npcap loopback adaptercan't be opened.

Npcap 0.04-r2 [2015-08-16]

Modified wpcap.dll version to 0.04, and improved the error trace message forWinsock Kernel socket operations.

Npcap 0.04 [2015-08-15]

Fixed the SYSTEM_SERVICE_EXCEPTION BSoD caused by NdisFOidRequest call, thismay help to fix the BAD_POOL_CALLER BSoD (I said "may" because this BSoDcan't be reproduced).
Modified Nmap and Nping to be able to send loopback packets on Windows OS,here's a bug, Nmap still can't see reply packets. But the request and replypackets can be seen in Wireshark.

Npcap 0.03-r6 [2015-08-06]

Changed to static linked.

Npcap 0.03-r5 [2015-08-06]

Npcap can send loopback packets now!

Npcap 0.03-r4 [2015-08-05]

WSKTest can send IPv4 and IPv6 loopback packets based on Ethernet headernow.
Added IPv6 send support for WSKTest.
WSKTest can send a self-constructed ICMPv4 request packet now
Fixed the INF file lacking section issue in WSKTest.
Updated WSKTest from VS 2013 to VS 2015.

Npcap 0.03-r3 [2015-08-03]

Npcap 0.03-r2 [2015-07-30]

Improved WSK send code, update code format

Npcap 0.03 [2015-07-27]

Npcap 0.02-r4 [2015-07-26]

Npcap 0.02-r3 [2015-07-24]

Npcap 0.02-r2 [2015-07-22]

Fixed the bug that "Npcap Loopback Adaprer" renaming fails in Win10 non-English editions.

Npcap 0.02 [2015-07-22]

Solve the "system error 2" issue

Npcap 0.01-r2 [2015-07-19]

Npcap 0.01 [2015-06-23]

Add option to restrict Npcap usage to Windows users with admin rights ratherthan all users.

Npcap Birthday (First Public Code Checkin)! [2013-06-24]

Npcap's birthday! While Gordon "Fyodor" Lyon and Yang Luo had been workingon the idea for a couple of months, June 24, 2013 was the date that Yangchecked in the first actual code with the Npcap name!

Movatterモバイル変換