WinPcap: The Windows Packet Capture Library

Change Log

Version 4.1.1, 20 oct 09

  • This release fixes a bug in the installer of WinPcap 4.1. The binaries were not digitally signed, thus preventing the WinPcap driver from working on Vista/2008/Win7/2008R2 x64.
     

Version 4.1, 19 oct 09

[From WinPcap 4.1 beta5]

  • Several fixes and updates to the installer:
    • Added installation support for Windows 7 and Server 2008 R2
    • Added a new wizard page to choose if the driver should be started automatically on boot.
    • Fixed some issues when upgrading WinPcap on Windows Vista and Server 2008 x64.
    • Better handle errors when Microsoft NetMon 2.x is not available.
    • Better detection of the target operating system, especially when the installer is run in compatibility mode.
       
  • wpcap.dll has been updated to the 1.0 branch of libpcap from http://www.tcpdump.org.
     
  • Updated the tools used for the compilation (WDK 6001.18002).

  • Bug fixing:
    • Exported pcap_setdirection()
    • Fixed a bug in the compilation of rpcapd. This bug was causing the daemon not to capture any packets.
       

Version 4.1 beta5, 08 jan 09

  • Starting from this build, WinPcap is completely compiled with Visual Studio 2005 SP1 (in order to have a single build environment for x86 and x64) and WDK6000. While the projects for Visual Studio 6 are still available in the source package, they are no longer maintained.
     
  • wpcap.dll has been updated to libpcap 1.0.0 from http://www.tcpdump.org.
     
  • The new VS2005 project files for wpcap.dll and packet.dll have been simplified a lot (i.e. less configurations!).
     
  • Big parts of the installer have been rewritten and cleaned up to account for the x64 binaries installation.
     
  • The old WanPacket DLL has been removed. The code has been merged into packet.dll.
     
  • The developer's pack includes LIB files for both x86 and x64 (for Visual Studio). At the moment we don't have the LIB files for Cygwin under x64.
     
  • The samples have been ported to Visual Studio 2005, and they compile for both x86 and x64 architectures. The old Visual Studio 6 projects are still available but not actively maintained.
     
  • Bug fixing:
    • Fixed the remote code to make it compile properly on Linux.
    • Fixed a problem with the icon in the windows control panel.
    • Fixed an installation bug under x64 for rpcapd.exe. When installing rpcapd on an x64 machine, the executable is located in c:\program files (x86), not in c:\program files.
    • Support an indefinite number of IP (v4 and v6) addresses associated with an adapter.
    • Check that IPv4 is bound to an adapter before getting the IPv4 addresses from the registry.
    • Fixed several compilation warnings in the samples.
    • Exported pcap_hopen_offline.
    • Added a missing definition of HAVE_UINT64 in the bittypes.h.
    • Fixed a bug in the filtering code for TurboCap adapters. The snaplen was completely ignored.
       

Version 4.1 beta4, 27 may 08

  • Added support for the CACE TurboCap boards within wpcap.dll.
     
  • (from libpcap) Added the new functions pcap_create(), pcap_activate(), pcap_set_XXX() (still not completely documented on Windows).
     
  • (from libpcap) Added support for various MAC addresses' syntaxes. Now the following syntaxes are supported:
    • 00:11:22:33:44:55
    • 00-11-22-33-44-55
    • 00.11.22.33.44.55
    • 001122334455.
       
  • Bug fixing:
    • Use FILE_DEVICE_SECURE_OPEN as a parameter to IoCreateDevice() when creating the I/O device from within the driver on the OSes that support it.
    • Fixed a bug in pcap_open_live() and pcap_activate(). They were failing if called on a local adapter with the syntax rpcap://\\Device....
    • Added a missing input buffer check in the read handler of the driver when working in statistics mode.
    • Optimized the code in the driver that handles the BIOCGSTATS control code (map only the needed portion of the user buffer into an MDL).
    • Fixed a possible memory leak in one of the error paths of the driver when enumerating the available adapters.
    • Cleaned up some global variable names in the driver.
       

Version 4.1 beta3, 31 jan 08

  • (from libpcap) Make some arguments of some pcap functions const pointers if that makes sense.
     
  • (from libpcap) Add some additional checks to bpf_validate(), from OpenBSD.
     
  • (from libpcap) Use bpf_validate() in install_bpf_program(), so we validate programs even when they're being processed by userland filters.
     
  • (from libpcap) Get rid of BPF_MAXINSNS - we don't have a limit on program size in libpcap/WinPcap.
     
  • (from libpcap) Support for the "addr1", "addr2", "addr3", and "addr4" link-layer address filtering keywords for 802.11.
     
  • (from libpcap) Support for filtering over 802.11 frame types with the keywords "type" and "subtype".
     
  • Bug fixing:
    • Fixed a bug when generating wireless filters in the form "link src host ...". The source address was not retrieved properly.
    • Added some more logic in the installer to account for errors while installing the Network Monitor component (NetMon). If NetMon is not available, we install a version of packet.dll that doesn't depend on it.
    • Fixed two bugs in the original OpenBSD filter validation code, one that caused it to reject all filters that used multiply instructions, and another that caused it to reject all filters that used divide instructions.
    • Fixed a bug in the filter engine in the driver. When the packet to filter is split into two buffers, under some circumstances the engine was not checking the right bytes in the packet.
       

Version 4.1 beta2, 15 nov 07

  • Disabled support for monitor mode (also called TME, Table Management Extensions) in the driver. This module suffers from several security vulnerabilities that could result in BSODs or privilege escalation attacks. This fix addresses a security vulnerability reported by the iDefense Labs here.
     
  • Added a small script to integrate the libpcap sources into the WinPcap tree automatically.
     
  • Moved the definition of all the I/O control codes to ioctls.h.
     
  • Cleaned up and removed some build scripts for the developer's pack.
     
  • Migrated the driver compilation environment to WDK 6000.
     
  • Enabled PreFAST driver compilation for the x64 build.
     
  • Added some doxygen directives to group the IOCTL codes and JIT definitions in proper groups.
     
  • Integrated the IOCTL codes into one single set shared by packet.dll and driver.
     
  • Modified the installer to return the win32 error code instead of -1 in case of failure in the error messages.
     
  • Added some #define directives to selectively disable the TME functionality for WAN (i.e. Netmon-assisted) devices.
     
  • Added a VS2005 project to easily edit the files of the driver.
     
  • Removed some useless #include directives in the driver and packet.dll.
     
  • Migrated several conditional directives (#ifdef/#endif) to the defines of the DDK/WDK e.g. _X86_ and _AMD64_.
     
  • Added a check to warn users that remote-ext.h should not be included directly.
     
  • Removed ntddndis.h from the WinPcap sources. It's included into the Microsoft Platform SDK.
     
  • Removed devioctl.h from the WinPcap sources. It's included into the Microsoft DDK/WDK.
     
  • Removed ntddpack.h from the WinPcap sources. It's an old header file from the original DDK Packet sample, and it's not used by WinPcap.
     
  • Removed several useless files from the WinPcap developer's pack:
    • all the TME extension header files
    • devioctl.h
    • gnuc.h
    • ntddndis.h
    • ntddpack.h
    • pcap-int.h.
       
  • Bug fixing:
    • Fixed a possible buffer overrun on x64 machines with more that 32 CPUs/cores.
    • Fixed an implicit cast problem compiling the driver on x64.
    • Fixed a bug in the installer causing a mis-detection of a previous WinPcap installation.
    • Fixed two bugs related to memory deallocation in packet.dll. We were using free() instead of GlobalFreePtr(), and there was a missing check as to when to deallocate a chunk of memory.
    • Added a missing NULL pointer check in pcap_open().
    • Moved a misplaced #ifdef WIN32 in pcap_open().
    • Fixed a bug in the send routine of the driver that could cause a crash under low resources conditions.
       

Version 4.0.2, 09 nov 07

  • Disabled support for monitor mode (also called TME, Table Management Extensions) in the driver. This module suffers from several security vulnerabilities that could result in BSODs or privilege escalation attacks. This fix addresses a security vulnerability reported by the iDefense Labs here.
     
  • Bug fixing:
    • Added a missing NULL pointer check in pcap_open()
    • Fixed a misplaced #ifdef WIN32 directive in pcap_open().
    • Fixed a bug in the send routine of the driver that could cause a crash under low resources conditions.
    • Fixed a bug in the installer causing a mis-detection of a previous WinPcap installation
    • Minor cleanup of some #define directives in the driver (to disable the TME extensions).
       

Version 4.1 beta, 03 jul 07

  • Added support for the Per Packet Info (PPI) link type.
     
  • wpcap.dll has been updated to the libpcap 0.9.6 branch from http://www.tcpdump.org.
     
  • Bug fixing:
    • Fixed a bug in pcap_open_live() by which we were silently ignoring a failure when switching into promiscuous mode. This fix solves the outstanding issue of wireless cards that fail to go into promiscuous mode and do not capture any packet.
    • Experimental fixes to the BPF compiler (pcap_compile()) to better support filters over 802.11.
    • Minor fixes to remove several PFD (PreFAST for Drivers) warnings.
    • (from libpcap 0.9.6) added additional filter operations for 802.11 frame types
    • (from libpcap 0.9.6) fixes to discard unread packets when changing filters.
       

Version 4.0.1, 03 jul 07

  • Bug fixing:
    • Fixed a bug in the dispatcher of the BIOCGSTATS IOCTL that caused a BSOD if the parameters passed from user level were invalid. This fix addresses a security vulnerability reported by the iDefense Labs in this advisory.
    • Fixed a bug in the routine installing NetMon. A request to reboot was not caught properly, resulting in an installation error message.
    • Minor fixes to remove several PFD (PreFAST for Drivers) warnings.
    • Added a missing check for the Mdl in the write dispatcher routine.
       

Version 4.0, 29 jan 07

  • Added support for Vista x64 by digitally signing all the binaries of the WinPcap distribution.
     
  • Better error handling in the installer - if the installation of the Microsoft Network Monitor Driver (NetMon) fails.
     
  • Improved the documentation layout and readability - updated the style sheet and migrated to Doxygen 1.5.1.
     

Version 4.0 beta3, 06 dec 06

  • Removed support for Windows 9x/ME. Sources still available.
     
  • Enabled the generation of PDB files for the release build, too.
     
  • Raised the compilation warning level to /W4 for packet.dll and wanpacket.dll. Fixed a large amount of warnings.
     
  • Added some initial support for the NpfIm capture engine into packet.dll. Such support is still disabled at compilation time.
     
  • Rewritten the packet.dll debugging code completely to make use of the new TRACE_xxx macros.
     
  • Moved all the code managing strings to the strsafe.h ones (StringCchXXX).
     
  • Refreshed the Vista build configuration of packet.dll. Now we fully support AirPcap adapters and the IP Helper API on Vista x86.
     
  • Added support for AirPcapWrite() into packet.dll, i.e. support for transmission with AirPcap adapters.
     
  • Minor cleanup in the scripts to build the developer's pack.
     
  • Bug fixing:
    • Added a check for bogus return values from NdisRequest() (Query). The Nortel Contivity VPN Client V04_65.18 has a bug in the driver by which a request for OID_GEN_LINK_SPEED pretends to have written a buffer larger than the one passed as input (BytesWritten > InputBufferLength).
    • Fixed a bug where, in certain scenarios, the AirPcap adapter entries in the adapter list were duplicated.
    • Fixed some memory leaks in packet.dll when dealing with AirPcap adapters.
    • Fixed several ancillary packet.dll APIs that were crashing if used with AirPcap adapters.
    • PacketSetReadTimeout() was returning failure in case of AirPcap adapters.
    • Fixed a couple of bugs in the UserLevelBridge sample.
    • Added a missing return value check in the tcptop sample.
    • Fixed a dependency problem in the wpcap.dll project.
    • Fixed some minor errors and typos in the documentation.
       

Version 4.0 beta2, 20 oct 06

  • wpcap.dll has been updated to libpcap 0.9.5 from http://www.tcpdump.org.
     
  • Bug fixing:
    • Fixed a synchronization problem when accessing the BPF filter and the kernel buffer in the npf.sys kernel driver. Instead of using some custom made synchronization code, the standard Windows spinlocks are used.
       

Version 4.0 beta1, 23 aug 06

  • Added support for AirPcap adapters.
     
  • Rewritten the transmit code in the driver (NPF_Write()), in order to improve its solidity:
    • the IRP is not marked as pending
    • we use a different algorithm to stop transmitting when the packets are all pending
    • added a new NdisEvent for the management of the transmit operations.
    • added a counter used upon transmission with NPF_Write() to keep track of the number of pending packets.
       
  • Added a global version header file that is used for all the modules of WinPcap.
     
  • Updated the license in the installer and on the web to account for the third party source files used by WinPcap and libpcap.
     
  • Updated the documentation that explains how to write an application based on wpcap.dll.
     
  • Removed some useless files in the source tree (these files that are automatically generated by the build process or no longer in use).
     
  • Removed some useless files from the developer's pack.
     
  • Bug fixing:
    • Fixed a bug by which the caplen field of a WAN packet was set to a random number (usually 0 for the first packets of a capture). This was causing WinPcap not to work at all on dialup/VPN adapters.
    • Fixed a bug in the BIOCSETOID/BIOCREQUESTOID code: in one error management path we were not releasing the NDIS binding context with NPF_StopUsingBinding().
    • Fixed a bug in some samples (when compiled under VS2005): localtime() accepts a time_t variable, which happens to be a 32bit value with VS6/VS2003, and a 64bit value when compiled under VS2005.
    • Fixed a bug in some samples: added a const qualifier for the packet data returned by pcap_next_ex().
    • Fixed a couple of bugs in the remote capture code that were causing wpcap.dll to fail when a read timeout occurred, and a failure to use the remote capture deamon (rpcapd) when compiled on a big-endian machine.
    • Added the usual #ifndef/#define and #ifdef _cplusplus stuff to win32_extensions.h
    • Minor fixes to the samples.
    • Minor fixes to avoid some compilation warnings under Cygwin.
    • Minor layout fixes to the documentation.
       

Version 4.0 alpha1, 10 may 06

  • Various modifications to the Windows NTx driver npf.sys:
    • General rewriting of all the functions dispatching the open/close/cleanup/bind/unbind requests from the operating system. This should should solve a number of crashes when an adapter is disabled, removed or "repaired".
    • Rewrote the IOCTL dispatcher managing the NDIS_REQUESTs to the driver. This should solve a number of crashes dispatching an NDIS_REQUEST when the adapter has been removed/disabled.
    • Rewrote several parts of the tracing code.
    • Moved from named to unnamed events for the shared read events. This fix solves a large number of issues with the closing of handles.
    • Merged the x86-64 modifications into the main trunk.
    • Cleaned up the compilation scripts.
       
  • Added all the new tracing infrastructure into packet.dll NTx version.
     
  • Removed the ODS and ODSEx macros from the packet32.h include files, as they are private debugging macros.
     
  • Updated some parts of the documentation related to the compilation of WinPcap and related samples under Visual Studio 6.
     
  • Cleaned up the installer:
    • added more error checking and reporting when the driver and remote capture capture service are not installed correctly.
    • removed the 'dial-home' page at the beginning of the installation.
    • Cleaned up some error messages in the message boxes.
       
  • Added support for remote capture into pcap_dispatch(). Thanks to Guy Harris for the patch.
     
  • Added the PCAP_OPENFLAG_NOCAPTURE_LOCAL to pcap_open(). This flag instructs an adapter not to capture the packets sent by itself, and is useful to build applications like network bridges.
     
  • Added the UserBridge sample application, that implements a user-level bridge between two winpcap interfaces.
     
  • Bug fixing:
    • [From Guy Harris] PacketSetReadEventTimeout() had some bugs in the DAG code path (INFINITE vs. IMMEDIATE timeouts were messed up).
    • Added some check to verify the result of MmGetSystemAddressForMdl(Safe).
    • Minor fixes to remove some PREfast warnings in the compilation of the npf.sys driver.
    • Minor patches to properly compile packet.dll and wpcap.dll under Cygnus and MingW32. Thanks to "deadchicken" for the patches.
    • Added a patch to set the last error to ERROR_INSUFFICIENT_BUFFER if the buffer passed to PacketGetAdapterNames() is too small.
    • Fixed a couple of buffer overruns while creating the device name to be opened with CreateFile().
    • Fixed a couple of buffer overruns while copying the devices within AddAdapter(). Added a check to prevent copying truncated names in adapter names in ADAPTER_INFO (if the adapter name is too long, we simply skip it).
    • Fixed a couple of memory leaks found in AddAdapter() by Real Blanchet.
    • Fixed a bug that prevented WinPcap 3.2a1 to work correctly on Windows 9x.
       

Version 3.2 alpha1, 18 dec 05

  • Added support for x86-64 (AMD64) under Windows XP/2003.
    Under 64bit platforms, the NPF driver is 64bit, and the user level DLLs (packet.dll and wpcap.dll) are 32bit. As a consequence, it's possible to run any 32bit WinPcap-based application without any recompilation.
    The x86-64 NPF driver has the following limitations:
    • BPF filters are not JITted to x86-64 instructions (filters are interpreted).
    • The MONITOR_MODE (used mainly by Analyzer) is not supported.
    • it's not possible to change the timestamping mode using the registry key
            HKLM\System\CurrentControlSet\Services\NPF\TimestampMode.
      Timestamps are always computed using KeQueryPerformanceCounter().

    Moreover, due to the lack of the NetMon COM component on the 64bit version of Windows, dialup adapters are not supported.
     

  • wpcap.dll has been updated to libpcap 0.9.4 from http://www.tcpdump.org.
     
  • Added a patch file containing the patches for remote capture against the vanilla libpcap sources.
     
  • Better error handling in the installer.
     
  • Applied some patches to the bpf_filter and verifier (from Guy Harris):
    • BPF programs with no instructions
    • BPF_STX and BPF_LDX|BPF_MEM instructions that have out-of-range offsets (which could be made to fetch or store into arbitrary memory locations);
    • BPF_DIV instructions with a constant 0 divisor (that's a check also done at run time).
    • In addition, it makes the k field in BPF instructions unsigned, as it is in other BPF interpreters
       
  • Enabled PREFast (static code analysis tool from the Microsoft DDK) on the x86 build of the driver.
     
  • Bug fixing:
    • Added a patch in PacketGetAdapterNames() to set the last error to ERROR_INSUFFICIENT_BUFFER if the buffer passed to the function is too small. Modified pcap_findalldevs() so that it correctly handles this situation.
    • Fixed a bug in PacketGetAdapterNames(): the requested buffer size to correctly return all the adapter names was wrongly computed (overestimated of 3-4 bytes)
    • Fixed a problem while listing the adapters under Win9x: if the key HKLM\System\CurrentControlSet\Services\Class\Net\<number> did not contain an NDIS key, the code was going into an infinite loop.
    • Minor fixes the documentation.
    • Fixed the prototype for the JITted BPF filter function under x86; thanks to this patch, we no longer need to manually fix the stack pointer after the JITted function returns.
       

Version 3.1, 5 aug 05

  • New installation script based on the NSIS installer. The new installer should be able to detect any previous version of WinPcap, remove it on request and install the new version, decreasing the number of situations in which a reboot is necessary. Moreover, by connecting to the WinPcap website, the installer is able to tell the user if more recent versions of WinPcap are available. 
     
  • wpcap.dll has been updated to libpcap 0.9.3 from http://www.tcpdump.org.
     
  • General cleanup of the documentation (now aligned to libpcap 0.9.3).
     
  • Modified the documentation, so that packet.dll is no longer available in the standard developer's pack.
     
  • Added to the developer's pack a set of libpcap-compatible samples, suitable to be compiled against vanilla libpcap
     
  • Exported the following new functions from wpcap.dll: pcap_list_datalinks() and pcap_dump_ftell().
     
  • Removed pcap_file() from the exports because of incompatibilities with the Microsoft C runtime (CRT).
     
  • General cleanup of the existing samples.
     
  • Renamed the NdisWanAdapter to GenericDialupAdapter, to make the use of this adapter more clear for the users.
     
  • Removed some useless files in the source tree and in the documentation.
     
  • Bug fixing:
    • Fixed several bugs in the kernel BPF filter function when the packet is stored into two not contiguous buffers. This bug shows up as missing packets in the capture while the machine is using personal firewalls and certain antivirus softwares.
    • Fixed a problem related to the NetMon COM component initialization. This bug caused random access violation errors while listing the adapters.
    • Removed a duplicated initialization of an event in the driver.
    • Added a check in packet.dll that prevents listing and opening of FireWire adapters, since they have a broken interface with NDIS and can cause blue screens.
    • Fixed a memory leak in PacketGetAdaptersIPH().
    • Fixed a check that could cause PacketSendPackets() to crash packet.dll.
    • Minor fixes.
       

Version 3.1 beta4, 4 nov 04

  • wpcap.dll has been updated to libpcap 0.8.3 from http://www.tcpdump.org.
     
  • Added a note in the documentation that states that the kernel dump feature is disabled due to incompatibilities with the new kernel buffer.
     
  • Minor fixes to the documentation.
     
  • Removed some useless files.
     
  • Bug fixing:
    • Fixed a bug related to COM initialization in WanPacket.dll, by which WanAdapters were not working correctly if the calling thread was using COM with a different threading model.
    • Fixed a problem in AddAdapterIPH(), by which no adapter was actually added with this function because of a UNICODE/ASCII mismatch. Basically, AddAdapterIPH() received an ASCII adapter name, and tried to open it with PacketOpenAdapterNPF(), which accepts UNICODE strings, only.
    • Fixed a bug in the remote capture code due to concurrency issues when spawning a new thread.
    • Fixed a problem related to the generation of grammar files with flex in the CygWin makefile.
    • Fixed a couple of memory leaks in PacketGetAdapterNames(). PacketGetAdapterNames() seems to be still leaky, but the source of the leak seems to be a leaky API in the Microsoft IpHelperAPI, at least on WinXP SP1.
    • Added some code that frees the global list of adapters when packet.dll is unloaded (i.e. when DllMain() is called with DLL_PROCESS_DETACH).
    • Fixed a bug that caused the adapters not to be listed on terminal services. The bug was caused by the lack of the "\\global" prefix in front of the adapter names.
    • Fixed a bug related to adapter opening in the pcap_filter example. Fixed the usage string that was wrong.
    • Fixed a bug in the JIT code of the driver that could potentially cause a BSOD if two threads try to set a filter (that will be jitted) at the same time.
    • Fixed a bug by which the driver fails to return any packet with a read after an IOCTL_SETBUFFER has changed the buffer size. The bug is due to some missing counter resets.
    • Fixed some debugging messages in the NT driver that were not macroed with IF_LOUD.

Version 3.1 beta3, 15 may 04

  • Bug fixing:
    • Fixed a bug related to device listing if TCP/IP is not installed: on 2000/XP if TCP is not installed, it reported "you must install TCP/IP", and this was plain wrong.
    • Added PacketSetSnapLen() under Win9x. Without this function, wpcap.dll fails to load on Win9x.
    • PacketGetAdapterNames() has been rewritten under Win9x, in order to comply to the correct behavior specified in the documentation.
       

Version 3.1 beta2, 3 may 04

  • Added some code to show a fake NdisWan adapter, useful to capture LCP/NCP packets. This adapter is always listed on 2000/XP/2003 (if you have enough privileges), even if you don't have any PPP/VPN/... connection established.
     
  • Added a check in the installer, so that the installation fails if you don't have administrator privileges.
     
  • Added a check so that NdisWan adapters  (PPP, VPN, ...) are listed only if you can capture from them.
     
  • Added a new sample program, which gets the MAC address of an interface using packet.dll
     
  • Modified the access to the global list of adapters in packet.dll under NT4/2000/XP/2003. Now packet.dll should be thread-safe.
     
  • Bug fixing:
    • fixed some resource leaks in the remote capture daemon (rpcapd).
    • fixed a couple of resource leaks in packet.dll.
    • fixed some meaningless last error messages set by PacketOpenAdapter() (e.g. "The operation completed successfully").
    • fixed a shortcoming in pcap_findalldevs(), by which the adapters where not listed if they couldn't fit into a 8kB buffer.
    • fixed a memory leak in pcap_lookupdev().
    • fixed some bugs related to adapters listing:
      • some adapters were not listed, especially if some registry keys are messed up.
      • in some situations the listing failed with the message "Attempt to release a mutex not owned by caller"
      • if PacketGetAdapterNames() failed, it returned the wrong number of needed bytes for the input buffer.
    • fixed a buffer overrun in npf.sys that caused crashes (BSODs) when there are too many adapters in the registry.
    • fixed a bug in npf.sys that caused blue screens (BSODs) when you try to send "jumbo" packets, i.e. packets bigger than the maximum frame size for the selected link type.
    • minor bug fixes.
       

Version 3.1 beta, 3 feb 04

  • Support for capture on NdisWan, with the following features:
    • Based on the NetMon API, does NOT use NPF.sys
    • Works with PPP (dial-up) and VPN links
    • Works on Windows 2000 and XP, only
    • Packet transmission is not supported
    • Packet filtering is done at user level
       
  • wpcap.dll has been updated to libpcap 0.8.1 from http://www.tcpdump.org.
     
  • Support for DAG cards, based on the Windows version of the 2.5 Endace Dag driver.
     
  • The method used by the driver to timestamp packets can now be changed without recompiling the driver, modifying a registry key:
             HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
    Possible values are
    • 0 (default) -> Timestamps generated through KeQueryPerformanceCounter, less reliable on SMP/HyperThreading machines, precision = some microseconds
    • 2 -> Timestamps generated through KeQuerySystemTime, more reliable on SMP/HyperThreading machines, precision = scheduling quantum (10/15 ms)
    • 3 -> Timestamps generated through the i386 instruction RDTSC, less reliable on SMP/HyperThreading/SpeedStep machines, precision = some microseconds
       
  • The driver is now started by the SCM with GENERIC_READ privileges rather than ALL_ACCESS. This allows not-administrator users to start and run WinPcap.
     
  • Changes to the wpcap.dll API:
    • pcap_findalldevs() and pcap_findalldevs_ex() return IPv6 addresses
    • pcap_findalldevs_ex() is now able to list local adapters, remote adapters, and the list of capture files present in a given folder.
       
  • Changes/additions to the Packet.dll API:
    • The code to gather interface information has been mostly rewritten, in order to be more modular and source independent. IP Helper API is now used in addition to registry scanning.
    • PacketGetNetInfoEx() now returns IPv6 addresses besides IPv4 ones.
    • modified the format of the npf_if_addr structure, that PacketGetNetInfoEx() uses to return the network address of an interface.  In order to provide enough space for an IPv6 address, npf_if_addr is now made of three struct sockaddr_storage rather than three struct sockaddr. Since the former is 128 bytes while the latter is 16 bytes, old applications will not be compatible with the new PacketGetNetInfoEx().
    • PacketGetAdapterNames() now returns the names of the adapter in ASCII rather than in Unicode. Since the main purpose of PacketGetAdapterNames() is feeding data to pcap_findalldevs() and since pcap_findalldevs() needs ASCII names, the new PacketGetAdapterNames() avoids a conversion in wpcap.dll and uniforms the data format with the one of Windows 9x (this potentially simplifies the code of the applications). As a consequence of this modification, old applications won't work properly with the new PacketGetAdapteNames() on NT/2k/XP/2k3.
    • PacketOpenAdapter() now takes an ascii adapter rather than a UNICODE one. This is a consequence of the fact that PacketGetAdapterNames() returns ASCII strings: they can be immediately passed to PacketOpenAdapter(). (note: internal conversion is provided so that a UNICODE adapter name will be correctly opened, however the prototype changes and this could generate warning when compiling old applications).
    • For the same reason, PacketGetNetInfoEx() takes an ASCII adapter string rather than a UNICODE one. Internal conversion is provided for backward compatibility in this case, too.
    • PacketGetVersion() now retrieves the version number from the dll binary.
    • Added a PacketGetDriverVersion() function that returns the version number of NPF.sys.
    • The structure NetType has been modified to support link layers faster than 4 gigabits: the size of the LinkSpeed field is now 64 bits instead of 32 bits. This impacts on the PacketGetNetType() function too. As a consequence of this modification, old applications won't work properly with the new PacketGetNetType().
       
  • Packet sampling
    • added the capability to perform packet sampling instead of just packet capture. This feature can be turned on through the new pcap_setsampling() function.
    • This feature is available on local captures, offline captures, and remote captures.
    • Please note that this feature is highly experimental.
       
  • Remote capture
    • Improved support on FreeBSD and Linux.
    • Fixed a bug in UDP data trasfer
    • Support for packet sampling (only if the remote daemon runs on a Win32 machine; it does not work on Linux and FreeBSD).
       
  • Updated the documentation
    • Many examples have been rewritten in order to use the new pcap_open() and pcap_findalldevs_ex() functions.

Version 3.01 alpha , 13 jun 03

  • Modified interface for function pcap_findalldevs_ex in order to support local files listing
  • pcap_findalldevs_ex supports local device, remote device, and local file listing
  • Updated makefiles in order to compile on UNIX
  • Support for remote capture (and remote daemon) in Linux and BSD (in addiction to Win32)
  • Simplified architecture for the remote capture; now pthreads are needed only by the rpcapd daemon; standard libpcap does no longer need phtreads
  • Added initial support for remote packet sampling (local packet sampling is still to be done)
  • pcap_fileno returns a valid description also in case of a remote capture, so that the 'select()' function can be used to check if packets are waiting to be read
  • Improved docs
  • Started modifying the Developer's Pack examples in order to use the new system calls (pcap_open, pcap_findalldevs_ex, etc), although this process has not been completed
  • Bug fixing:
    • Fixed a bug that prevented the remote capture (active mode) working in Windows XP
    • Fixed a bug that caused the driver not to list any adapter under NT4/2k/XP/2k3.

Version 3.0 , 10 apr 03

  • pcap_read_ex API
    • We have changed the name of this API to pcap_next_ex. The signature of this API is the same as the old one (pcap_read_ex).
  • Bug fixing:
    • fixed a bug that caused a kernel memory leak when pcap_setbuff is called repeatedly on the same adapter
    • fixed a bug that caused pcap_setbuff to fail if the buffer is too small
    • fixed a bug in the win9x driver that could cause an infinite loop
    • several minor fixes (thanks to Dave Korn)

Version 3.0 beta, 10 feb 03

  • New features of the NPF device driver:
    •  support for SMP machines
    • kernel buffering rewritten from scratch to support SMP machines
    • remote capture.
  • Bug fixing:
    • fixed a bug related to Terminal Services
  • NdisWan support:
    • due to the large number of messages reporting problems (blue screens) with VPNs, PPTP and such connections, we have disabled the support for NdisWan adapters. As a consequence, it is not possible to capture from PPP (neither NdisWanIp, nor NdisWanBh, nor NdisWanBfIn/Out...). At the moment we have no plans to fix the problem with VPNs, PPTP, PPP unless we get a generous sponsorship.

NOTE:: due to some problems with the new kernel buffer, the "kernel-dump" feature (dump to disk directly from kernel mode) has been disabled at the moment. 

  • Bug fixing:
    • fixed a bug in the driver that caused a blue screen when stopping or uninstalling WinPcap.

Version 3.0 alpha 3, 7 oct 02

  • Bug fixing:
    • fixed a bug in the driver that caused an unhandled exception error with all winpcap-based applications under NT4/2K/XP.

Version 3.0 alpha 2, 20 sept 02

  • Moved the creation of the symbolic links for NT/2k/XP from user level to  kernel. This correction allows dynamic loading/unloading of the driver  through "net start npf" - "net stop npf". It is now possible to uninstall  and reinstall WinPcap without the need to reboot the machine.
  • Bug fixing:
      (thanks to Andreas John for the help <ajdatasoft@gmx.at>)  
    • added a #pragma definition in time_calls.h to make the driver compile with DDK build 2600
    • Fixed some erroneous checks in the driver's packet handler. Now the packet sizes are always reported correctly and the buffer has no inconsistencies, even under heavy loadss
    • Fixed a bug that caused system crash while sending packets
    • Minor fixes.
  • New features and optimizations of the NPF device driver:
    • JIT compiler for the BPF virtual machine
    • Dump to disk from kernel mode
    • Buffered sends
    • System-related optimizations (timestamps, data copies, interaction with NDIS)
    • further low-level optimizations
    • New kernel-level monitoring system, that includes extensions to the BPF interpreter. 
      NOTEE: this feature is experimental and not yet documented
    www.tcpdump.org and compile it inside WinPcap.
  • Additions to the wpcap.dll API:
    • pcap_findalldevs() to obtain the installed devices and their parametrs
    • send queues for high-speed synchronized packet injection
    • pcap_read_ex(), an alternative the traditional callback system of libpcap
    • pcap_live_dump() to save traffic dumps from kernel mode
    • pcap_stats_ex() that reports the number of captured packets in addition to the statistics returned by pcap_stats(). Note that a new function was created to grant backward compatibility. 
  • New developer's pack, with the new libraries and several additional samples Improved ACPI support: now the driver continues to work after a system hybernation
  • Bug fixing:
    • different capture instances are now globally synchronizes
    • rename packet.a in libpacket.a for easier usage from cygwin
    • removed some memory leaks in the driver. The XP driver verifier doesn't complain any more. Moreover, all the memory allocations in the driver are now tagged for easier memory leak detection.
    • fixed a data structure overlapping that sometimes messed up the read event under WinNTx
    • Corrected a wrong registry path that caused PacketGetNetInfoEx() not to work properly under WinNT4

Version 2.3, 28 mar 02

  • New installation applet based on Ghost installer. This should hopefully solve the large number of problems of the old Installshield version that we used previously.
  • Version numbers in the installation and in the binaries.
  • The code to retrieve the addresses of the adapters was updated, PacketGetNetInfo() was rewritten and a new function called PacketGetNetInfoEx() has been added to packet.dll. 
  • The name of the WinPcap drivers has been changed from packet.sys/packet.vxd to npf.sys/npf.vxd. This is transparent to the applications and should avoid conflicts with other drivers.
  • Updates to the developer's pack, that is now based on the includes and libraries of WinPcap 2.3. Some bugs were corrected in the samples.
  • Bug fixing:
    • Correct use of the lookahead buffer in Packet_tap
    • Use of snprintf instead of sprintf in pcap-win32.c
    • fixed wrong memory accesses in bpf_filter_with_2_buffers())
    • many minor fixes in the drivers and in the libraries
  • Upgrade to libpcap 0.6.2 from www.tcpdump.orgg
  • Support for Windows XP
  • Support for plug & play  under Windows 2000 and Windows XP Improved dynamic installation: WinPcap can now work on systems without TCP/IP
  • Bug fixing

Version 2.2, 30 jul 01

  • Support for cygwin. Thanks to the work of Nate Lawson, WinPcap and WinDump can now be compiled with cygwin
  • The developer's pack contains all the necessary to develop WinPcap-based applications with gcc under cygwin
  • Improved interaction with the driver using the shared event: asynchronous access is available again
  • Unsupported network adapters are automatically hidden to the applications. This should provide  a more immediate interface to final users
  • Bug fixing
      Various fixes to the developer's pack (thanks to Hernan Ochoa and Aleš Povalač)
    • others/minors

Version 2.1, 15 mar 01

    Wizard-based installation without the need of the control panel
  • Support for Windows ME www.tcpdump.org)
  • The libpcap library is now in WPcap.dll and does not require to be statically linked to the applications
  • Totally rewritten read architecture with higher performance in Windows NTx
  • Asynchronous access to the packet driver is no longer supported
  • Support for more network architectures: Token Ring (experimental)
  • New source tree organization
  • pcap_lookupnet in Windows NTx now returns the correct netmask
  • out of order packets in Windows NTx
  • applied patches sent by Guy Harris and other ethereal guys
  • Windows 2000 support improved
  • PacketGetAdapterNames() improved to handle particular situations and registry messes
  • other/minor fixes 
  • An adapter has now an associated event that can be used to perform a WaitForXXXObject(), obtaning a result similar to a select() in Unix
  • Version 2.02, 30 mar 000

    • Added support for Windows 2000 (without ACPI compatibility)
    • Support of multiple instances in Windows 95/988
    • Statistics mode
    • Fast multiple writes in Windows NT and Windows 2000
    • Bug fixing
    • New source code organization
    • New documentation, new examples
    • Changed license terms to Berkeley-style
    • Various performance optimizations in the filtering and capture processes
    • Minor improvements to libpcap
    • Bug fixing
    • New documentation

    Version 2.0, 21 aug 99

    • BPF filtering implemented into the kernel
    • Kernel buffering
    • Synchronous access to the driver
    • Variuos performance improvements
    • First release of WinDump as a stand-alone tool

    Version 1.0, 31 mar 99

    • First working Release
    • BPF filtering at user level
    • No kernel bufferingg

     

     
     
     


    Last modified: Tuesday, October 20, 2009 13.13