Pentest Tools

Published on April 20th, 2016 📆 | 4488 Views ⚑


Npcap — Windows Packet Sniffing Library


Nmap Project’s packet sniffing library for Windows, based on
WinPcap/Libpcap improved with NDIS 6 and LWF

Npcap is an update of WinPcap to NDIS 6 Light-Weight Filter (LWF) technique. It supports Windows Vista, 7, 8 and 10. It is sponsored but not officially supported by the Nmap Project and finished by Yang Luo underGoogle Summer of Code 2013 and 2015. It also received many helpful tests from Wireshark andNetScanTools.



  • NDIS 6 Support

    Npcap makes use of new LWF driver in Windows Vista and later (the legacy driver is used on XP). It’s faster than the legacy NDIS 5 Intermediate technique. One reason is that packet data stucture has changed (fromNDIS_PACKET to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle extra packet structure conversion.

  • “Admin-only Mode” Support

    Npcap supports to restrict its use to Administrators for safety purpose. If Npcap is installed with the option Restrict Npcap driver’s access to Administrators only checked, when a non-Admin user tries to start a user software (Nmap, Wireshark, etc), the User Account Control (UAC) dialog will prompt asking for Administrator privilege. Only when the end user chooses Yes, the driver can be accessed. This is similar to UNIX where you need root access to capture packets.

  • “WinPcap Compatible Mode” Support

    “WinPcap Compatible Mode” is used to decide whether Npcap should coexist With WinPcap or be compatible with WinPcap. With “WinPcap Compatible Mode” OFF, Npcap can coexist with WinPcap and share the DLL binary interface with WinPcap. So the applications unaware of Npcap SHOULD be able to use Npcap automatically if WinPcap is unavailable. The applications who knows Npcap’s existence can choose to use Npcap or WinPcap first. The key about which is loaded first is DLL Search Path. With “WinPcap Compatible Mode” OFF, Npcap installs its DLLs into C:\Windows\System32\Npcap\ instead of WinPcap’s C:\Windows\System32\. So applications who want to load Npcap first must make C:\Windows\System32\Npcap\ precedent to other paths in ways such as calling SetDllDirectory, etc. Another point is Npcap uses service name npcap instead of WinPcap’s npf with “WinPcap Compatible Mode” OFF. So applications using net start npf for starting service must use net start npcap instead. If you want 100% compatibility with WinPcap, you should install Npcap choosing “WinPcap Compatible Mode” (Install Npcap in WinPcap API-compatible Mode). In this mode, Npcap will install its Dlls in WinPcap’s C:\Windows\System32\and use the npf service name. It’s notable that before installing in this mode, you must uninstall WinPcap first (the installer wizard will prompt you that).

  • Loopback Packets Capture Support

    Now Npcap is able to see Windows loopback packets using Windows Filtering Platform (WFP) technique. After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like ping (IPv4) or ping ::1 (IPv6).

  • Loopback Packets Send Support

    Besides loopback packets capturing, Npcap can also send out loopback packets based on Winsock Kernel (WSK) technique. A user software (e.g. Nmap) can just send packets out using Npcap Loopback Adapter like other adapters. Npcap Loopback Adapter will automatically remove the packet’s Ethernet header and inject the payload into Windows TCP/IP stack, so this kind of loopback packet never go out of the machine.

  • Raw 802.11 Packets Capture Support

    Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to install the -wifi version Npcap to enable this feature. When your adapter is in Monitor Mode, Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in Managed Mode, Npcap will only supply 802.11 data packets with radiotap headers. More details about radiotap here:



Npcap tries to keep the original WinPcap architecture as much as possible. As the table shows, you will find it very similar with WinPcap.

File                     Src Directory            Description
wpcap.dll                wpcap                    the libpcap API, added "loopback support" to original WinPcap
Packet.dll               packetWin7\Dll           the Packet API for Windows, added "Admin-only Mode" to original WinPcap
npf.sys (or npcap.sys)   packetWin7\npf           the driver, ported from NDIS 5 to NDIS 6, we support two names: npf or npcap, based on whether Npcap is installed in "WinPcap Compatible Mode"
NPFInstall.exe           packetWin7\NPFInstall    a LWF & WFP driver installation tool we added to Npcap
NPcapHelper.exe          packetWin7\Helper        the helper program for "Admin-only Mode", will run under Administrator rights
WlanHelper.exe           packetWin7\WlanHelper    a tool is used to set/get the operation mode (like monitor mode) for a wireless adapter


For softwares that use Npcap loopback feature

Npcap’s loopback adapter device is based on Microsoft KM-TEST Loopback Adapter (Win8 and Win10) or Microsoft Loopback Adapter (Vista, Win7). It is an Ethernet adapter, and Npcap has changed its behavior and rename it to Npcap Loopback Adapter, to make it see the real loopback traffic only. The traffic captured by original WinPcap will not appear here.

The IP address of Npcap Loopback Adapter is usually like 169.254.x.x. However, this IP is totally meaningless. Softwares using Npcap should regard this interface’s IP address as (IPv4) and ::1 (IPv6). This work can’t be done by Npcap because Windows forbids any IP address to be configured as or ::1 as they’re reserved.

The MAC address of Npcap Loopback Adapter is usually like 02:00:4C:4F:4F:50. However, this address is meaningless too. Softwares using Npcap should think this interface doesn’t own a MAC address, as the loopback traffic never goes to link layer. For softwares using Npcap to capture loopback traffic, the MAC addresses in captured data will be all zeros (aka00:00:00:00:00:00). For softwares using Npcap to send loopback traffic, any MAC addresses can be specified as they will be ignored. But notice that ether_type in Ethernet header should be set correctly. Only IPv4 and IPv6 are accepted. Other values like ARP will be ignored. (You don’t need an ARP request for loopback interface)

The MTU of Npcap Loopback Adapte is hard-coded to 65536 by Npcap. Softwares using Npcap should get this value automatically and no special handling is needed. This value is determined personally by me and doesn’t mean Windows loopback stack can only support packet size as large as 65536. So don’t feel weird if you have captured packets whose size are larger than it.

[adsense size='1']

Don’t try to make OID requests to Npcap Loopback Adapter except OID_GEN_MAXIMUM_TOTAL_SIZE (MTU). Those requests will still succeed like other adapters do, but they only make sense for NDIS adapters and Npcap doesn’t even use the NDIS way to handle the loopback traffic. The only handled OID request by Npcap is OID_GEN_MAXIMUM_TOTAL_SIZE. If you query its value, you will always get 65550 (65536 + 14). If you try to set its value, the operation will always fail.

To conclude, a software that wants to support Npcap loopback feature should do these steps:

  • Detect Npcap Loopback Adapter’s presence, by reading registry value Loopback at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf (or npcap if you installed Npcap With “WinPcap Compatible Mode” OFF). If Loopback value exists, it means Npcap Loopback Adapter is OK. Then perform the following steps.
  • Treat the IP address of Npcap Loopback Adapter as (IPv4) and ::1 (IPv6).
  • Treat the MAC address of Npcap Loopback Adapter as 00:00:00:00:00:00.
  • If you use IP Helper API to get adapter list, you will get an interface named like Loopback Pseudo-Interface 1. This interface is a DUMMY interface by Microsoft and can’t be seen in NDIS layer. And tt also takes the IP address. A good practise for softwares is merging the entry of Npcap Loopback Adapter and the entry of Loopback Pseudo-Interface 1 into one entry, like what I have implemented for Nmap (see the Other code (for developers)part).
  • Don’t make use of OID requests for Npcap Loopback Adapter except OID_GEN_MAXIMUM_TOTAL_SIZE requests.


For softwares that use Npcap raw 802.11 feature


  1. Install the latest -wifi version Npcap (npcap-nmap-%VERSION%-wifi.exe): Npcap has two separate releases, two versions: normal version and -wifi version. Their only difference is: normal version Npcap will see packets with fake Ethernet headers for wireless adapters, but -wifi version Npcap will see packets with Radiotap + 802.11 headers for wireless adapters.
  2. Run WlanHelper.exe with Administrator privilege. Type in the index of your wireless adapter (usually 0) and pressEnter. Then type in 1 and press Enter to to switch on the Monitor Mode. WlanHelper.exe also supports parameters to be used in an API manner, run WlanHelper.exe -h for details.
  3. An example: launch Wireshark and capture on the wireless adapter, you will see all 802.11 packets (data + control + management). Here you should make your software interact with Npcap using the WinPcap API (open the adapter, read packets, send packets, etc).
  4. If you need to return to Managed Mode, run WlanHelper.exe again and input the index of the adapter, then type in 0and press Enter to to switch off the Monitor Mode.

[adsense size='1']


Run installer\Build.bat: build all DLLs and the driver. The DLLs need to be built using Visual Studio 2013. And the driver needs to be built using Visual Studio 2015 with Windows SDK 10 10586 & Windows Driver Kit 10 10586.

  1. Run installer\Deploy.bat: copy the files from build directories, and sign the files for Non-WinPcap Compatible Mode.
  2. Run installer\Deploy_WinPcap.bat: copy the files from build directories, and sign the files for WinPcap Compatible Mode.
  3. Run installer\Gen_Installer_Only.bat: Generate an installer named npcap-nmap-%VERSION%.exe using NSIS large strings build with the SysRestore plug-in (special build for Npcap), and sign the installer.


Windows Packet Sniffing Library: Npcap Usage

Interactive way:

Run WlanHelper without parameters.


Command-line API way:
  1. Run netsh wlan show interfaces, get the GUID for the interface.
  2. Run WlanHelper -h to see the usage. {Interface Name} refers to the GUID in the above step.


Command Usage:
WlanHelper {Interface Name} mode [*null*|managed|monitor]
*null* - get interface mode
managed - set interface mode to managed mode (aka ExtSTA)
monitor - set interface mode to monitor mode (aka NetMon)



Source && Download

Leave a Reply

Your email address will not be published.