WinPcap: the Free Packet Capture Architecture for Windows


Last modified: Monday, November 26, 2001 13.35

Frequently Asked Questions

 

Q-1: I installed WinPcap through the setup program provided on the website, but the program ran too quickly to have installed anything. What went wrong?

A: Nothing. WinPcap installed correctly: the driver and the DLLs were copied to the system folder. The installer is simply very fast, which is unusual on Windows. You can now run the applications.

Q-2: How can I see if WinPcap is installed on my system? How can I remove it?

A: WinPcap 2.1 or newer: go to the Control Panel, then open the "Add/Remove Programs" applet. If WinPcap is present on your system, an entry called "WinPcap" will be listed. Double-click it to uninstall WinPcap.
WinPcap 2.02 or older: go to the Control Panel, then open the "Network" applet. If WinPcap is present on your system, an entry called "Packet Capture Driver" will be listed (in Windows NT you have to choose the "Services" tab). Select it and press "Remove" to uninstall WinPcap.

To be absolutely sure that WinPcap has been installed, look in your system folder: you should find files called packet.* and wpcap.dll. Check the file dates: they should match the WinPcap release dates.

IMPORTANT NOTE: sometimes, when uninstalling WinPcap version 2.02 or older from the Control Panel's Network applet in Windows 9x, the file Windows\Packet.dll is not deleted. You must delete this file manually, otherwise version 2.1 will not work properly and could cause system crashes.

Q-3: How can I see if WinPcap is currently running on my Windows 2000 machine?

A: Open Control Panel, Administrative Tools, Computer Management, then choose System Tools, System Information, Software Environment, Drivers. A driver named NPF should appear there. If you launched a WinPcap application previously, it should appear as running.

Q-4: Can I use WinPcap on a PPP connection?

A: We have tested WinPcap on PPP connections under Windows 95, Windows 98 and Windows ME. In Windows 95, due to a bug in NDIS, WinPcap sometimes resets the PPP connection. In Windows 98/ME this bug appears to be corrected, and WinPcap seems to work properly. Under Windows NT and Windows 2000 there are problems with the binding process that prevent a protocol driver from working properly on the WAN adapter.

Q-5: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000?

A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you execute a WinPcap-based application for the first time since the last reboot, you must be an administrator. On that first execution the driver is dynamically installed in the system, and from that moment on every user is able to use WinPcap to sniff packets.

Q-6: Does the packet driver support multiple instance programs?

A: Yes, starting from version 2.02. There are no drawbacks in using multiple applications at the same time, except for the increased CPU load.

Q-7: Can I use WinPcap with Borland developing tools?

A: We support only Microsoft Visual C++. Borland compilers need a .lib file whose format differs from Microsoft's. You can generate such a file with a utility provided by Borland, by typing

implib -acf PacketBCB.lib packet.dll

In case you are interested in Borland Delphi, you can contact Lars Peter Christiansen (http://home1.stofanet.dk/nitezhifter), Denmark.
We do not know anything else about Borland C++ Builder.

In any case, WinPcap 2.1 comes as a DLL (WPcap.dll) instead of a static library. This makes things much simpler.

Q-8: Can I use WinPcap with Visual Basic?

A: We don't support Visual Basic and are not able to provide help on this subject because we don't know enough about this language. BeeSync has developed an ActiveX control that integrates WinPcap packet capture functionality with Visual Basic or any other programming environment supporting Microsoft ActiveX technology. You can find it at http://www.beesync.com/products.html.

Q-9: Does WinPcap work with firewalls?

A: We have received several reports saying that WinPcap does not work well if a firewall is installed on the same machine as WinPcap. We do not plan to solve this problem soon; a workaround is to temporarily disable the firewall functions.

Q-10: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?

A: In at least some cases, this appears to be the result of PGPnet running on the network interface on which you're capturing; turn it off on that interface.

Q-11: Does WinPcap work with Java?

A: We do not directly support Java. However, you can find a Java wrapper for WinPcap at http://www.goto.info.waseda.ac.jp/~fujii/jpcap/index.html.

Q-12: Does WinPcap support loopback devices?

A: No. Only physical interfaces are supported. This is a limitation of Windows and not of WinPcap.

Q-13: On which OS can I run WinPcap?

A: WinPcap can run on all the main Win32 operating systems: Windows 95, 98, ME, NT4 and 2000. Windows XP is supported from version 2.3 beta. A version for Windows CE is currently under development.

WinPcap does not work on SMP machines, because we don't have multiprocessor computers on which to develop and test it.

Q-14: Which network adapters are supported?

A: The NPF device driver was developed to work primarily with Ethernet adapters. Support for other MAC types was added during development, but Ethernet remains the preferred one. The main reason is that all our development stations have Ethernet adapters, so all our tests were made on this type of network. However, the current situation is:

  • Windows 95/98/ME: the packet driver works correctly on Ethernet networks. It also works on PPP WAN links, but with some limitations (for example, it is not able to capture the LCP and NCP packets). FDDI, ARCNET, ATM and Token Ring should be supported; however, we did not test them because we do not have the hardware, so do not expect them to work perfectly.
  • Windows NT4/2000: the packet driver works correctly on Ethernet networks. We were not able to make it work on PPP WAN links, because of binding problems on the NDISWAN adapter. As in Win9x, FDDI, ARCNET, ATM and Token Ring should be supported, but are not guaranteed to work perfectly.

Q-15: Can I use WinPcap to drop the incoming packets? Is it possible to use WinPcap to build a firewall?

A: No. WinPcap is implemented as a protocol driver, therefore it is able to capture packets, but it can't be used to drop them. The filtering capabilities of WinPcap work only on the sniffed packets. In order to intercept packets before they reach the TCP/IP stack, you must create an intermediate driver.

Q-16: Is it possible to start WinPcap automatically when the system boots?

A: You can change the start setting of the NPF service to "automatic" or "system". One way to do this is to change the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START). This works only on Windows NT-based systems.
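The following PowerShell script is an added example and not part of the WinPcap FAQ: it reads the NPF service's Start value and current loaded state (the same information Q-3 locates through Computer Management) and shows how to set the value described above. It assumes an NT-based Windows with PowerShell and an elevated prompt; the helper function names are hypothetical.

```powershell
# Added example, not from the WinPcap FAQ. Run from an elevated PowerShell prompt
# on an NT-based Windows. Function names (Get-NpfStartType, Set-NpfStartType) are
# hypothetical helpers written for this example.
$npfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'

# Start values named in the FAQ (1, 2, 3) plus the two other standard Windows
# service start constants (0 and 4) for completeness.
$startNames = @{
    0 = 'SERVICE_BOOT_START'
    1 = 'SERVICE_SYSTEM_START'
    2 = 'SERVICE_AUTO_START'
    3 = 'SERVICE_DEMAND_START'
    4 = 'SERVICE_DISABLED'
}

function Get-NpfStartType {
    # Report how NPF is configured to start and whether it is loaded right now.
    if (-not (Test-Path $npfKey)) {
        Write-Warning 'NPF service key not found: WinPcap is not installed or its driver has never been loaded.'
        return $null
    }
    $start  = [int](Get-ItemProperty -Path $npfKey -Name Start).Start
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Start     = ('0x{0:X}' -f $start)
        StartName = $startNames[$start]
        State     = if ($driver) { $driver.State } else { 'not loaded' }
        ImagePath = (Get-ItemProperty -Path $npfKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    }
}

function Set-NpfStartType {
    # 1 or 2 loads NPF at boot, so any user can capture without an administrator
    # first launching a WinPcap program (see Q-5). 3 restores the default
    # load-on-first-use behaviour, which is the safer setting when boot-time
    # capture is not actually required.
    param([Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Start)
    Set-ItemProperty -Path $npfKey -Name Start -Value $Start -Type DWord
    Get-NpfStartType
}

# Show the current configuration. To make NPF start automatically as in the
# answer above, call: Set-NpfStartType -Start 2
Get-NpfStartType
```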

Q-17: WinPcap is not able to work on my multiprocessor machine. Is there anything I can do?

A: If you absolutely need to use WinPcap, try adding /NUMPROCS=1 to c:\boot.ini. This forces the machine to activate only one processor.