Npcap 1.70

Installer, debug symbols, and SDK available from https://npcap.org/#download

• Major overhaul of Packet.dll to improve performance of PacketGetAdapterNames(), used by
  pcap_findalldevs(), and PacketOpenAdapter(), used in all libpcap functions that return a
  pcap_t. Reduced calls to GetAdaptersAddresses(), properly caching results for short periods.
  Errors from lower functions are correctly propagated, making diagnosis of failures easier. Fixes
  #168, #61, and #586.

• PacketGetNetType() now always sets the LinkSpeed field to 0. Many adapters did not support the OID
  that was being used to get the link speed, and libpcap (Npcap's published API) does not pass this
  information through, so there should be no impact on the majority of software. Software that needs
  link speed may use pcap_oid_get_request() or GetAdaptersAddresses() to get the information.

• The undocumented char PacketLibraryVersion[] export has been removed. The PacketGetVersion()
  function is the documented way to get the runtime version of the Packet.dll library.

• Packet injection operations (pcap_inject(), PacketSendPacket(), pcap_sendqueue_transmit(),
  and PacketSendPackets()) now properly pend the related Write IRP until the NBLs have
  been returned by NDIS. This may make packet injection more efficient.

• Packet injection operations are no longer limited to one at a time. Multiple threads can issue
  multiple send operations concurrently on the same capture handle without issue, unless system
  resource limits result in allocation failures. Additionally, WinPcap's limit of 256 concurrent
  sends on each adapter has been removed. Each Write call is still synchronous, however.

• Loopback packet capture and injection now uses fewer WFP filters and callbacks, avoids duplicate
  packet processing, uses inspection rather than blocking filters, and persists callout driver
  objects while still removing callout filters when captures are not using them. These and other
  improvements increase loopback capture efficiency and reduce interference with other network
  components.

• Npcap is only supported on Windows 7 SP1 and later, and requires KB4474419 to support SHA-2
  signature validation. The installer will now check these specific requirements, rather than
  attempting an installation that will fail anyway.

• Added timeouts to subprocess executions in the installer to prevent a hung installation.

• Fixed a minor issue with Npcap OEM's silent installer: Npcap 1.55 and later ought to avoid
  reinstalling the same version if the existing installation options match the requested options,
  but /winpcap_mode=no would never match.

• Packet sendqueue operations (pcap_sendqueue_transmit(), PacketSendPackets())
  with time synchronization (sync parameter) have been improved to use timed waits when
  possible, only falling back to busy wait for inter-packet delays of less than 50
  microseconds. Time difference calculations have been revised to avoid integer overflows
  and loss of precision. Fixes #580.

• Packet sendqueue operations now more strictly check timestamp order. If an out-of-order
  timestamp is encountered, the packet will not be transmitted. PacketSendPackets() will
  set the last error value to ERROR_INVALID_TIME. Since packets may be
  reported slightly out-of-timestamp-order on multiprocessor machines due to
  processing delays, only timestamps that are more than 1ms earlier than the
  preceding timestamp will generate the error.

• Npcap is now built with the Win11 SDK and WDK (10.0.22000). We look forward to
  implementing support for the exciting new features of NDIS and WFP.

• Improve capture handle state transitions within the Npcap driver. State mismatches led
  to issues like #584, where the wrong error code was
  reported when the adapter was detached and reattached.

• Fix an issue where raw WiFi capture handles (/dot11_support install option) would not
  reattach after a network disconnect and reconnect. Normal handles got this ability in
  Npcap 1.60, but raw WiFi frame captures (monitor mode) did not take advantage of it.
  Fixes #591.

• Npcap now avoids setting hardware packet filters (OID_GEN_CURRENT_PACKET_FILTER,
  PacketSetHwFilter()) that the miniport does not declare support for. This may improve
  compatibility with WWAN (e.g. 3G and LTE) and VPN connections.

• Npcap now tracks the original lookahead value (OID_GEN_CURRENT_LOOKAHEAD,
  PacketSetMaxLookahead()) before requesting the max value from the miniport, and restores it once
  the capture handle is closed. The practice of setting the lookahead to max value was inherited
  from WinPcap, and may be changed in the future subject to performance testing.

Npcap 1.60

Installer and debug symbols available from https://npcap.org/#download

• Npcap can now tolerate network disconnections or NDIS stack
  modifications that previously resulted in programs like Wireshark
  stopping with the error "PacketReceivePacket error: The device has
  been removed. (1617)". This error may still be returned, but user
  programs can consider it a transient error. If the network is
  reconnected, capture can resume on the same handle. Fixes
  #506.

• Improved validation for IRP parameters, resolving potential BSoD
  crashes that could be triggered by software interacting directly
  with the driver's device interface. These bugs still affect the last
  releases of WinPcap. Thanks to Ilja Van Sprundel from IOActive for
  reporting them.

• Fix an issue with NX pool compatibility that caused Npcap 1.50 and
  1.55 to fail to run on some Windows 7 systems. Fixes
  #536.

• Fix how the installer handles /option=enforced, which was broken
  in Npcap 1.55. Fixes #556.

• Concurrently released the Npcap SDK Version 1.12, which fixes native
  ARM compilation by including the ARM64 wpcap.lib, among other
  changes. The SDK now has its own change log at
  https://github.com/nmap/npcap/blob/master/SDK_CHANGELOG.md.

• Further driver source code hardening to catch more bugs
  before they manifest in worse ways. This includes adding more SAL
  annotations for code analysis, extra assertions, etc.

• The /prior_driver installer option now selects the Npcap 1.30
  driver, since Microsoft's cross-certificate expired 30 minutes
  before we signed Version 1.31. See
  #536.

• Simplified the code base by removing a bunch of unused or
  unneccessary code. This includes "kernel dump mode" (MODE_DUMP)
  which was inherited from WinPcap 3.1 even though it had already been
  deactivated there in 2005. Also removed legacy WinPcap code which allowed
  their (long discontinued) "Pro" version DLL to install the driver
  itself. This is not allowed by modern operating systems. We were
  able to remove a bunch of code from NPFInstall.exe too. Updated the
  INF file to prevent npf_wifi service from being configured, since it
  was never actually used.

• Fix an issue causing pcap_setmode()/PacketSetMode() with a value
  of MODE_CAPT to fail. MODE_CAPT is the default for new handles,
  so this only affects software that uses MODE_STAT and then
  switches to MODE_CAPT, or software that expects a call to
  pcap_setmode(MODE_CAPT) on a handle already in MODE_CAPT to
  succeed. Fixes #558.

• When installing Npcap in WinPcap API-Compatible mode (the default),
  the Npcap installer will perform the uninstallation of WinPcap
  directly instead of running the WinPcap uninstaller. This prevents
  the WinPcap uninstaller from rebooting the system and allows us to
  clean up partial or broken installations.

• Further deprecate the "Legacy loopback support" option: The
  npcapwatchdog scheduled task will not check for the existence of the
  Npcap Loopback Adapter.

• Added the PnpLockDown directive to the npcap.sys INF file for
  additional Windows file protection of the driver binary.

• Replaced a feature of NPFInstall.exe and the SimpleSC.dll NSIS
  plugin with Powershell commands to improve installer size and
  compatibility. May fix #226.

• While you won't see it in the code itself, we dramatically improved
  our automated build and testing proceses. We now run automated
  native-arch builds and testing of multiple programs (particularly
  the SDK Examples) on all 3 architectures (x86, x64, and ARM). All
  tests are run with the debug build of the driver (assertions on) and
  Driver Verifier with at least standard settings, and only when that
  passes is the release build run through the same tests, also with
  Driver Verifier. The tests are also run in x86 emulation on x64 and
  ARM.

Npcap 1.55

Installer and debug symbols available from https://npcap.org/#download . Npcap SDK 1.11 was released concurrently, with only minor changes to const-ness of some function parameters in Packet32.h and additional documentation on installer options.

• Npcap installer can now recognize NetCfg status codes indicating that a
  reboot is required (0x0004a020, NETCFG_S_REBOOT), and will prompt the user
  to reboot. In silent mode, the installer will return code 3010 (0x0bc2,
  ERROR_SUCCESS_REBOOT_REQUIRED) to indicate this result. Fixes #224.

• Npcap installer's silent mode now offers better control over when to remove
  and reinstall an existing Npcap installation. Documentation has been updated
  for the new installation options /require_version, /require_features, and
  /force and will be published with the new Npcap SDK 1.11. Fixes #523.

• Fixed an installation failure (0xe0000247) on Windows 8.1/Server 2012 R2 and
  earlier systems which have not updated root certificates. The root certificates
  are now installed to the Roots trust store. Fixes #233.

• Fixed an issue since Npcap 1.30 where broadcast and subnet masks for adapters
  returned by pcap_findalldevs() were in host byte order, displaying values
  like "0.240.255.255". Fixes #525.

• Libpcap 1.10.1 has been updated to include some recent changes to the libpcap-1.10
  release branch which extend support to adapters with the NdisMediumIP media type,
  including Wireguard Wintun virtual adapters. Fixes #173.

• Added specific bad-value checks for issues originating in other drivers which
  may be incorrectly attributed to Npcap. These checks, in combination with
  additional const qualifiers, should serve as assurance that Npcap is not
  modifying traffic during capture and cannot be responsible for such crashes.

• Powershell commands launched by the installer are now run with the
  -NoProfile option. Fixes #529.

• Npcap SDK minor change to add const qualifiers to parameters to several Packet.dll functions.

• Npcap installer now uses Unicode internally. This may result in mixed-encoding install.log files.

Npcap 1.50

Installer and debug symbols available from https://npcap.org/#download

• Fixed #513 which prevented Npcap 1.40 from installing.

• All PowerShell scripts installed or used during installation are now digitally signed.

• Npcap can now be installed on Windows 10 for ARM64 devices. Both ARM64 and
  x86 DLLs will be installed, allowing existing x86 applications such as Nmap
  or Wireshark to run without modification.

• Npcap SDK 1.10 release coincides with this release, providing updated
  documentation and libs for ARM64.

• Npcap code now passes Microsoft's Static Driver Verifier for NDIS drivers and
  Visual Studio's Code Analysis "AllRules" ruleset. A couple of minor and
  extremely-improbable bugs were fixed in addition to general code cleanup and annotation.

• On Windows 8 and 8.1, the Npcap driver has been updated to NDIS 6.30,
  supporting network stack improvements like RSC and QoS. Windows 10 still uses
  NDIS 6.50 and Windows 7 uses NDIS 6.20.

• Npcap is no longer distributed with SHA-1 digital signatures. Windows 7 and
  Server 2008 R2 will require KB4474419 in order to install Npcap. All other
  platforms support SHA-2 digital signatures by default.

• Streamlined loopback packet injection to avoid using Winsock Kernel (WSK)
  sockets. This removes a significant amount of complexity and overhead.

• Due to Microsoft's deprecation of cross-signed root certificates for kernel-mode code signing,
  Npcap 1.40 may not install correctly on Windows versions prior to Windows 10.
  Our testing did not show any issues, but users who experience installation
  failures may use the /prior_driver=yes installation option to install the
  Npcap 1.31 driver instead, which has no such issues.

• The "npcapwatchdog" scheduled task, which ensures the Npcap driver service is
  configured to start at boot, is now installed with a description when
  possible (Windows 7 does not support creating scheduled tasks via PowerShell).
  Fixes #498.

• Fix an issue where installation under Citrix Remote Access or other
  situations would fail with the message "Installer runtime error 255 at
  76539962, Could not load SimpleSC.dll". Fixes #226.

• Ensure driver signature can be validated on systems without Internet access
  by installing the entire certificate chain, including the chain for the
  timestamp counter-signature. This should address #233.

• Fix an issue with comparing adapter names retrieved from the Registry. This
  prevented Npcap 1.31 from being used for SendToRx and other less-used
  features. Fixes #311.

• Npcap driver no longer excludes adapters based on media type, which may allow
  capture on some devices that were previously unavailable.

Npcap 1.40

RELEASE RETRACTED Due to #513, we have retracted Npcap 1.40 and have released Npcap 1.50 to address this issue.

Npcap 1.31

Installer and debug symbols available from https://npcap.org/#download

• Fix a bug with the non-default legacy loopback capture support that caused
  all requests to open a capture handle to open the loopback capture instead.
  It is recommended to not select "Legacy loopback support" at installation
  unless you know your application relies on it. Fixes #302.

• For Windows 10 and Server 2016 and later, restore the ability to capture
  traffic on VMware VMnet interfaces such as the host-only and NAT virtual
  networks. This will be restored for other supported Windows versions in a
  later release. Fixes #304.

Npcap 1.30

Installer and debug symbols available at https://npcap.org/#download

• Restore raw WiFi frame capture support, which had been broken in a few ways
  since Npcap 0.9983. Additional improvements enable PacketSetMonitorMode()
  for non-admin-privileged processes, allowing Wireshark to correctly enable
  monitor mode via checkbox without requiring WlanHelper.exe.

• Fixed WlanHelper.exe to correctly set modes and channels for adapters, if run
  with Administrator privileges. Fixes #122.

• Improved speed of pcap_findalldevs() by using fewer calls to
  GetAdaptersAddresses() and avoiding direct Registry inspection. The new
  method may result in more adapters being available for capture than
  previously reported. See #169.

• Updated Packet.dll to use modern HeapAlloc() allocation, faster than the
  legacy GlobalAlloc() inherited from WinPcap.

• Improve error reporting from PacketGetAdapterNames() and related functions.

Npcap 1.20

Installer, SDK and debug symbols available from https://npcap.org/#download

• Upgrade wpcap.dll to libpcap 1.10. This change enables software to use
  pcap_set_tstamp_type() to set the packet capture time source and precision
  per capture handle. The currently-supported types (see
  pcap-tstamp) are:

  • PCAP_TSTAMP_HOST_HIPREC_UNSYNCED - default, maps to TIMESTAMPMODE_SINGLE_SYNCHRONIZATION
  • PCAP_TSTAMP_HOST_LOWPREC - maps to TIMESTAMPMODE_QUERYSYSTEMTIME
  • PCAP_TSTAMP_HOST_HIPREC - maps to TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE

• Fix an issue preventing WlanHelper.exe from changing WiFi parameters for
  adapters which caused the error message "makeOIDRequest::My_PacketOpenAdapter
  error". Fixes #122 and several other reports
  of the same issue.

• Fixed an issue that prevented NDIS protocol drivers from reducing the
  hardware packet filter, even if the removed bits/filters were only set by
  that protocol driver initially. This may fix #106.

• Fixed an issue with pcap_sendqueue_transmit() that caused it to busy-wait
  in an attempt to synchronize packet sends with pcap timestamps, even when the
  program did not request synchronization. Fixes #113.

• The installer will now safely remove and replace broken installations due to
  #268.

• Upgraded installer to NSIS 3, which improves compatibility with modern Windows versions.

• Added application manifests to several installer tools and removed Windows
  Vista from the manifests of others, improving compatibility.

Npcap 1.10

Installer and debug symbols available from https://npcap.org/#download

• Fixed an issue where our upgrade uninstaller would trigger the
  #1924 BSoD crash when upgrading from Npcap 0.9988 or older to
  version 0.9996 or greater. Fixes #268.

• Improved handling of large packets when a very small user buffer size is specified, which could
  lead to stalled captures and dropped packets.

• Fix a packet corruption issue when one capture handle sets a snaplen of exactly 256 bytes and
  another sets a snaplen of greater than 256 bytes and the packet size exceeds 256 bytes.

• Fix accounting of free space in the kernel buffer so that bugs like the previous one do not cause
  space to be permanently lost, leading to dropped packets. Instead, use assertions to catch this
  condition in testing with the debug build.

• Check that the npcap driver service is configured for SYSTEM_START in the npcapwatchdog
  scheduled task and correct it if necessary. Windows feature updates can modify this value.

Npcap 1.00

Installer and debug symbols available from https://npcap.org/#download

• After more than 7 years of development and 170 previous public releases, the
  Nmap Project is delighted to release Npcap version 1.00!

• New Packet.dll function PacketGetTimestampModes() to retrieve supported
  packet timestamping modes. These do not currently vary by adapter, but
  TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE is not supported on Windows 7, for
  example. Fixes #174.