Npcap 0.9997

Installer and debug symbols available from https://npcap.org/#download

• Fix an integer underflow in the amount of free buffer space available leading
  to excessive memory consumption. Fixes #223.

• Significantly reduced per-packet memory overhead for packets in the kernel capture buffer.

• Replaced object pool/slab allocator with Windows lookaside lists, improving
  performance by avoiding spinlocks and allowing the system to adjust memory
  consumption.

Npcap 0.9996

Installer and debug symbols available from https://npcap.org/#download

• Fix a runaway memory leak triggered by low-resources condition leading to
  system hangs. Fixes #213.

• Fix a BSoD crash in NPF_Read in some high-traffic cases. Fixes #206.

• Fix a handle leak in Packet.dll when enumerating interfaces. Fixes #26.

• Fix an inconsistency between return value and IRP completion status in
  NPF_Read when an adapter is removed. Driver Verifier would cause a bugcheck
  (BSoD) in this case, and pcap API functions would not detect an error.
  Fixes #217

• Improved performance by reusing allocated packet data buffers and
  implementing DISPATCH_LEVEL tracking throughout the driver to speed up lock
  acquisition.

• When upgrading from compatible recent versions (currently Npcap 0.9985 and
  newer), the installer will unpack a new Uninstall.exe and NPFInstall.exe
  prior to removing the existing installation. This resolves issues with the
  uninstallation process such as were common in Npcap 0.9991 through 0.9994.

• Upgraded build system to VisualStudio 2019 and WDK 10.0.18362.0

Npcap 0.9995

Installer and debug symbols available from https://npcap.org/#download

• Fix a BSoD crash in NPF_Read when NDIS filter module is detached from the
  adapter. Fixes #194

• On Windows 10, the Npcap driver has been updated to NDIS 6.50 and Windows 10
  WFP compatibility, supporting network stack improvements like RSC.
  Fixes #196.

• Correctly obey maximum frame size for an adapter by querying
  OID_GEN_MAXIMUM_TOTAL_SIZE instead of using MTU, which does not include
  space for the link layer header. Fixes #186.

• Fix detection of processes using Npcap resources during uninstall or upgrade.
  The fix for #2015 had broken this so such
  processes were not terminated, leading to failed installations.

• Obey snaplen (pcap_set_snaplen()) even if a packet filter is not set. This
  is a backported change from upstream libpcap that corrects a deficiency that
  has been present in all previous versions of WinPcap and Npcap.
  Fixes #201.

• Improvements to object pool/slab allocator to allow nonpaged memory to be
  freed when not in use.

• When installing Npcap OEM in silent mode, avoid running C:\Uninstall.exe if no existing Npcap installation is present.

Npcap 0.9994

Installer and debug symbols available from https://npcap.org/#download

• Fix a BSoD crash in NPF_ReleaseOpenInstanceResources due to miscounting of
  number of open Loopback capture instances. Fixes #185.

• Fix corrupted and missing packets in Npcap 0.9992 and 0.9993 due to reusing a
  data structure that already contained packet data.

• Fix a crash in NPFInstall.exe that happened when trying to rebind Npcap to
  the network stack as part of some installations. Reported by Microsoft App
  Assure ISV Outreach Team.

• When multiple packets are indicated in a single FilterReceiveNetBufferLists
  callback, only get a single timestamp for all of them. Avoids extra calls to
  KeQueryPerformanceCounter or KeQuerySystemTimePrecise which only ended up
  measuring Npcap processing delay, not actual packet arrival time.

• Fix a potential NULL pointer deref issue in Objpool.h macros if an
  allocation were to fail and return a NULL pointer.

• Fix parsing of pnputil.exe output that resulted in Npcap drivers not being
  cleared from the DriverStore before installing or upgrading. This led to
  older drivers being preferred in some cases, such as installing an unsigned
  driver in test mode.

• Move all capture- and injection-related initialization code out of
  NPF_OpenAdapter, improving efficiency of operations like listing adapters
  or performing OID requests without starting a full capture.

• Added SAL annotations to most driver functions to improve static analysis.
  Found one issue related to using a NULL NDIS handle in an allocation
  function, which is not supported on Windows 7.

• Allow driver to load even if there is a problem initializing loopback capture
  or injection functions. The loopback capture device will simply be
  unavailable in that case.

Npcap 0.9993

Installer and debug symbols available from https://npcap.org/#download

• Fix a BSoD crash in NPF_DoInternalRequest triggered by suspending the
  system while a capture is running. Added source annotations to allow static
  analysis to catch bugs like this in the future. Fixes #181.

• Fix a bug introduced in Npcap 0.9992 which caused loopback capture to fail if
  any loopback capture had been previously started and finished.

• Fix packet length calculation for loopback capture. The packet length was
  being counted twice, leading to junk data being appended to captured packets.

• If installation fails for any reason other than a failure to uninstall the
  previous version of Npcap, the current version's uninstaller will be used to
  clean up any partial installation. The only remaining files will be the
  install.log and NPFInstall.log in the Npcap installation directory.
  Fixes #170

• Replaced ReadWriteLock mechanisms with improved NDIS_RW_LOCK_EX new in NDIS
  6.20 for improved performance.

• Moved object pool for captured packets from the filter module (adapter)
  object to the open instance (pcap handle) to allow memory to be recovered
  after a capture is closed.

Npcap 0.9992

Installer and debug symbols available from https://npcap.org/#download

• Npcap issues are now tracked on their own Github Issues
  page, separate from Nmap issues. Many existing
  issues have been migrated, and issue numbers may have changed.

• Rewrote the kernel packet capture buffer code again to avoid requiring a
  separate worker thread. Instead, captured packets are held directly in a
  synchronized queue. The worker thread introduced in Npcap 0.9991 was unable
  to keep up with the volume of packet requests, leading to buffer bloat and
  reduced performance.

• Avoid initializing loopback capture-related functions and processing packets
  as soon as an adapter is opened. This will improve performance since adapters
  are opened as part of listing adapters.

• Fix a crash in NPFInstall.exe when terminating processes which are using
  Npcap resources. This could lead to failed installations and message windows
  about "A LWF & WFP driver installation tool has stopped working."

• Update Npcap from NDIS 6.10 to NDIS 6.20, which limits its compatibility to
  Windows 7 and higher. Closes #167.

• Fix a bug in Npcap 0.9991 which prevented packets from being captured until a
  BPF filter had been set. Fixes #168 (migrated
  from nmap/nmap#2037).

• Allow capture statistics and captured packets remaining in the buffer to be
  retrieved when an adapter is removed. Fixes nmap/nmap#2036.

• Use WMI instead of the Windows 10-only Get-NetAdapter Powershell cmdlet in
  the DiagReport tool. Fixes nmap/nmap#611.

Npcap 0.9991

Installer, SDK, and debug symbols available from https://npcap.org/#download

• Switched our code signing certificate back to DigiCert after some users found
  older Windows versions could not validate the signature on our driver for
  versions 0.9985 through 0.9990. The driver is again dual-signed with SHA-1
  and SHA-2 certificates. See #2012

• Major changes to management of Npcap driver's circular packet buffer,
  switching from per-CPU unshared segments to a single worker thread managing a
  queue of work items. This improves buffer utilization, reduces the amount of
  time spent processing in the network stack, and should reduce packet loss.
  See #1967.

• Several performance-related improvements to the NDIS filter driver: Switched
  from SpinLocks to ReadWriteLocks for several crucial shared data structures,
  which will improve performance by reducing resource contention on
  multiprocessor systems, and introduced an object-pool allocation pattern for
  several frequently-used short-lifetime objects, improving performance by
  reducing memory allocations.

• Again restore "unused" NDIS filter callbacks which cause Windows 7 to lose
  connectivity when they are removed. See #1998.

• Include debug symbols for wpcap.dll in our debug symbols zip file at
  https://npcap.org/#download . Fixes #1844.

• Fixed #1996: heap corruption in
  NPFInstall.exe since Npcap 0.9989 leading to hung installs when the "raw
  802.11 traffic" option was checked.

• Fixed #2014: Npcap OEM silent install
  produced a dialog when installing over an existing installation of the same
  version.

• Uninstaller improvements related to removing the installation directory,
  properly killing processes using Npcap DLLs, not leaving a partial
  installation if a step fails. Fixes #2013
  and #2015.

Npcap 0.9990

Installer, SDK, and debug symbols available from https://npcap.org/#download

• Improve compatibility with WinPcap's behavior regarding injected traffic.
  WinPcap uses inefficient loopback to capture all outbound traffic, but allows
  PacketSetLoopbackBehavior() to avoid this for injected traffic. Because of
  Npcap's more efficient design, injected traffic was never looped back up to
  protocol drivers, causing problems for some users who relied on this behavior.
  Now, injected traffic follows the same path as with WinPcap, though ordinary
  traffic is unaffected. For highest efficiency without loopback, use
  PacketSetLoopbackBehavior(PACKET_DISABLE_LOOPBACK). Fixes #1343,
  #1929, and GNS3/gns3-gui#2936

• No longer honor NDIS_PACKET_TYPE_ALL_LOCAL set via PacketSetHwFilter().
  This packet filter causes all local traffic to be routed through an unoptimized
  loopback path within NDIS, which was necessary to capture outgoing traffic in
  WinPcap but is no longer needed in Npcap. Instead, this value will be treated as
  NDIS_PACKET_TYPE_DIRECTED | NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST.

• Fix a bug that caused TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE to fall back to
  TIMESTAMPMODE_QUERYSYSTEMTIME even when KeQuerySystemTimePrecise() was
  available. Fix by Mauro Levra in PR#23.

• Installer will now install an intermediate CA cert that was missing from some
  systems, which is needed to verify the driver's digital signature. Only
  affects Windows versions prior to Windows 10.

• Backport a fix from libpcap needed to properly support
  NdisMediumWirelessWan. See #1573.

• Include experimental support for AirPcap cards if airpcap.dll (not
  included) is installed.

Npcap 0.9989

Installer, debug symbols, and SDK available from https://npcap.org/#download

• Fix a BSOD crash in NPF_OpenAdapter due to reading past the end of a
  string. Fixes #1924

• Fix a BSOD crash (NULL pointer dereference) in NPF_Restart.
  Fixes #1964.

• Fix a memory leak in the Loopback WFP filter. Additionally, WFP callbacks
  will be unregistered when all loopback captures are closed, reducing impact
  of related code when not in use. Fixes #1966.

• New Packet.DLL function PacketSetTimestampMode() allows a user program to
  set the method used to timestamp packets as they arrive. See #1775.
  Supported modes are:

  • TIMESTAMPMODE_SINGLE_SYNCHRONIZATION - default monotonic timestamps based
    on KeQueryPerformanceCounter()
  • TIMESTAMPMODE_QUERYSYSTEMTIME - low-precision wall clock time based on
    KeQuerySystemTime()
  • TIMESTAMPMODE_QUERYSYSTEMTIME_PRECISE - high-precision wall clock time
    based on KeQuerySystemTimePrecise(), new in this release and only
    available on Windows 8 and newer. See #1407.

• Remove some problematic timestamp modes:
  TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_WITH_FIXUP and
  TIMESTAMPMODE_SYNCHRONIZATION_ON_CPU_NO_FIXUP were undocumented;
  TIMESTAMPMODE_RDTSC was x86-only and not suitable for multi-processor
  systems. See #1829.

• The Npcap SDK 1.05 will be released to include the new
  PacketSetTimestampMode() function.

Npcap 0.9988

Installer and debug symbols available from https://npcap.org/#download

• If a capture is in progress when the system is suspended, it will continue
  without interruption after the system is woken. This also prevents capture
  interruptions when the OS makes certain network stack changes.
  Fixes #1903.

• If the npcap driver is stopped, Packet.dll will attempt to start it
  automatically. This feature requires Administrator privilege and had been
  removed in Npcap 0.9983. Fixes #1911.

• Fix the check for fragmented packets in loopback capture.
  Closes PR #22.

• Eliminate clone/block/inject pattern from loopback capture except for packets
  already injected by Npcap. Should fix #1529
  and #1789.

• Fix an issue in the Npcap OEM installer where silent mode would not detect a
  failure to install the npcap driver. Fixes #1910.

• Improve the installer to avoid broken installations and allow the installer
  to continue if a broken installation is detected. Fixes #1935.

• Formally removed support for Windows Vista and Server 2008 r1, which are no longer supported by Microsoft either. This allows us to support newer Windows WFP and NDIS features for better performance and compatibility. Folks who must still run these ancient Windows releases should use Npcap version 0.9984 from https://nmap.org/npcap/dist/?C=M;O=D. That was the last Npcap release to support the old (and less secure) SHA-128 driver signatures required by these Windows Vista/2008. Please note that Windows Server 2008 r2 and Windows 7 are still supported in this release even though they have also passed their Microsoft end-of-life dates.