Frequently Asked Questions
Q-1: I installed WinPcap through
the setup program provided on the website, but the program finished
too quickly to have installed anything. What went wrong?
A: Nothing. WinPcap was installed
correctly, and the driver and DLLs were copied to the
system folder. The installer is simply very fast, which is unusual in
Windows. You can now run the applications.
Q-2: How can I see
if WinPcap is installed on my system? How can I remove
it?
A: WinPcap 2.1 or newer: go to
the Control Panel, then open the "Add/Remove Programs" applet.
If WinPcap is present in your system, an entry called "WinPcap" will
be present. Double-click on it to uninstall
WinPcap.
WinPcap 2.02 or older: go to the Control Panel,
then open the "Network" applet. If WinPcap is present in your
system, an entry called "Packet Capture Driver" will be listed (in
Windows NT you have to choose the "Services" tab). Select it and
press "Remove" to uninstall WinPcap.
To be absolutely sure that WinPcap has been installed, please
look at your system folder: you should find files called packet.*
and wpcap.dll. Please check the file dates: these should be
compatible with the WinPcap release dates.
IMPORTANT NOTE: sometimes, when uninstalling WinPcap
version 2.02 or older from the control panel's network applet in
Windows 9x, the file Windows\Packet.dll is not deleted. You must
delete this file manually, otherwise version 2.1 will not work
properly and could cause system crashes.
Q-3: How can I see if WinPcap is
currently running on my W2k machine?
A: You can open Control Panel,
Administrative Tools, Computer Management, then choose System Tools,
System Information, Software Environment, Drivers. File NPF
should appear there. If you launched a WinPcap application
previously, it should appear as running.
Q-4: Can I use WinPcap on a PPP
connection?
A: We have tested WinPcap on PPP
connections under Windows 95, Windows 98 and Windows ME. In Windows
95, due to a bug in NDIS, WinPcap sometimes resets the PPP
connection. In Windows 98/ME this bug appears to be corrected, and
WinPcap seems to work properly. Under Windows NT and Windows 2000
there are problems with the binding process, which prevent a
protocol driver from working properly on the WAN adapter.
Q-5: Do I need to be Administrator
in order to execute programs based on WinPcap on Windows
NT/2000?
A: Yes/no. The security model of
WinPcap is quite poor, and we plan to work on it in the future. At
the moment, if you execute a WinPcap-based application for the first
time since the last reboot, you must be administrator. At the first
execution, the driver will be dynamically installed in the system,
and from that moment every user will be able to use WinPcap to sniff
the packets.
Q-6: Does the packet driver support
multiple instance programs?
A: Yes, starting from version 2.02.
There are no drawbacks in using multiple applications at the same
time, except for the increased CPU load.
Q-7: Can I use WinPcap with
Borland developing tools?
A: We support only Microsoft
Visual C++. Borland compilers need a .lib file whose format is
different compared to the Microsoft one. You can generate such a
file by using a utility provided by Borland, by typing
implib -acf PacketBCB.lib packet.dll
In case you are interested in Borland Delphi, you can contact
Lars Peter Christiansen (http://home1.stofanet.dk/nitezhifter),
Denmark. We do not know anything else about Borland C++
Builder.
In any case, WinPcap 2.1 comes as a DLL (WPcap.dll) instead
of a static library. This makes things much simpler.
Q-8: Can I use WinPcap with Visual
Basic?
A: We don't support Visual Basic and
we are not able to provide help on this subject because we don't
know enough about this language. BeeSync has developed an ActiveX
control that integrates WinPcap packet capture functionality with
Visual Basic or any other programming environment supporting
Microsoft ActiveX technology. You can find it at http://www.beesync.com/products.html.
Q-9: Does WinPcap work with
firewalls?
A: We got several reports saying that
WinPcap does not work well if a firewall is installed on the same
machine as WinPcap. We do not plan to solve this problem soon; a
workaround is to temporarily disable the firewall
functions.
Q-10: When I capture on
Windows in promiscuous mode, I can see packets other than those sent
to or from my machine; however, those packets show up with a "Short
Frame" indication, unlike packets to or from my machine. What
should I do to arrange that I see those packets in their
entirety?
A: In at least some cases, this
appears to be the result of PGPnet running on the network interface
on which you're capturing; turn it off on that interface.
Q-11: Does WinPcap work with
Java?
A: We do not directly support Java.
However you can find a Java wrapper for WinPcap at http://www.goto.info.waseda.ac.jp/~fujii/jpcap/index.html.
Q-12: Does WinPcap support
loopback devices?
A: No. Only physical interfaces are
supported. This is a limitation of Windows and not of WinPcap.
Q-13: On which OS can I run
WinPcap?
A: WinPcap can run on all the main
Win32 operating systems: Windows 95, 98, ME, NT4 and 2000. Windows
XP is supported from version 2.3 beta. A version for Windows CE
is currently under development.
WinPcap does not work on SMP machines, because we don't
have multiprocessor computers on which to develop and test it.
Q-14: Which network adapters are
supported?
A: The NPF device driver was developed
to work primarily with Ethernet adapters. Support for other MACs was
added during the development, but Ethernet remains the preferred
one. The main reason is that all our development stations have
Ethernet adapters so all our tests were made on this type of
network. However, the current situation is:
- Windows 95/98/ME: the packet driver works correctly on
Ethernet networks. It works also on PPP WAN links, but with some
limitations (for example it is not able to capture the LCP and NCP
packets). FDDI, ARCNET, ATM and Token Ring should be supported,
however we did not test them because we do not have the hardware,
so do not expect them to work perfectly.
- Windows NT4/2000: the packet driver works correctly on
Ethernet networks. We were not able to make it work on PPP WAN
links, because of binding problems on the NDISWAN adapter. As in
Win9x, FDDI, ARCNET, ATM and Token Ring should be supported,
but are not guaranteed to work perfectly.
Q-15: Can I use WinPcap to drop
the incoming packets? Is it possible to use WinPcap to build a
firewall?
A: No. WinPcap is implemented as a
protocol, therefore it is able to capture the packets, but it can't
be used to drop them. The filtering capabilities of WinPcap work
only on the sniffed packets. In order to intercept the packets
before the TCP/IP stack, you must create an intermediate
driver.
Q-16: Is it possible to start
WinPcap automatically when the system boots?
A: You can change the start settings
of the NPF service to "automatic" or "system". One way to do this is
to change the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from
0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1
(SERVICE_SYSTEM_START). This works only in Windows NTx.
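The checks from Q-2, Q-3, Q-5 and Q-16 can be combined into one read-only audit of a host. The PowerShell below is an added example, not part of WinPcap or of the original FAQ; it assumes a Windows host with PowerShell 3.0 or later, and Get-NpfAudit is a hypothetical function name.

```powershell
# Added example (not WinPcap project code). Read-only audit of the NPF driver.
# Assumes PowerShell 3.0+ (Get-CimInstance); Get-NpfAudit is a hypothetical name.
function Get-NpfAudit {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'
    # Start values named in Q-16
    $startNames = @{ 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'; 3 = 'SERVICE_DEMAND_START' }

    # Q-2: packet.* and wpcap.dll in the system folder, with dates to compare
    # against the WinPcap release dates
    $sysDir = [Environment]::SystemDirectory
    $files = foreach ($pattern in 'packet.*', 'wpcap.dll') {
        Get-ChildItem -Path $sysDir -Filter $pattern -File -ErrorAction SilentlyContinue |
            Select-Object Name, LastWriteTime
    }

    # Q-16: start type of the NPF service ($null if the key does not exist)
    $start = $null
    $prop = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
    if ($prop) { $start = [int]$prop.Start }

    # Q-3: is the driver currently loaded?
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" -ErrorAction SilentlyContinue
    $running = [bool]($drv -and $drv.State -eq 'Running')

    # Q-5: once the driver is loaded, every user can use it to capture
    $finding = if ($running) {
        'NPF is loaded: every local user can capture packets.'
    } elseif ($start -in 1, 2) {
        'NPF starts at boot: capture is available to every user without an administrator.'
    } elseif ($start -eq 3) {
        'NPF is demand-start: it loads when an administrator first runs a WinPcap application.'
    } elseif ($null -ne $start) {
        "NPF is registered with start value $start."
    } else {
        'NPF service key not found: the driver is not registered.'
    }

    [pscustomobject]@{
        Files     = @($files)
        Start     = $start
        StartName = if ($null -ne $start) { $startNames[$start] } else { $null }
        Running   = $running
        Finding   = $finding
    }
}

Get-NpfAudit | Format-List
```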
Q-17: WinPcap is not able to work
on my multiprocessor machine. Is there anything I can
do?
A: If you absolutely need to use
WinPcap, try to add /NUMPROCS=1 to c:\boot.ini. This forces the
machine to activate only one processor.