Frequently Asked Questions

- Q-1: How can I see if WinPcap is installed on my system? How can I remove it?
- Q-2: After the installation, I cannot see WinPcap under the properties of my network adapter in control panel. Did anything go wrong?
- Q-3: How can I see if WinPcap is currently running on my Win2K/XP/2k3 machine?
- Q-4: The XXX WinPcap-based application doesn't run properly on my system. Is it a WinPcap problem?
- Q-5: Can I use WinPcap on a PPP connection?
- Q-6: Can I use WinPcap on a VPN connection?
- Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?
- Q-8: Can I use WinPcap with Borland development tools?
- Q-9: Can I use WinPcap with Visual Basic?
- Q-10: Does WinPcap work in connection with personal firewalls?
- Q-11: When I capture on Windows in promiscuous mode, I can see packets other than those sent to or from my machine; however, those packets show up with a "Short Frame" indication, unlike packets to or from my machine. What should I do to arrange that I see those packets in their entirety?
- Q-12: Does WinPcap work with Java?
- Q-13: Does WinPcap support the loopback device?
- Q-14: On which OS can I run WinPcap?
- Q-15: Does WinPcap work on my multiprocessor (SMP) machine?
- Q-16: Which network adapters are supported by WinPcap?
- Q-17: Can I use WinPcap to drop the incoming packets? Is it possible to use WinPcap to build a firewall?
- Q-18: Is it possible to start WinPcap automatically when the system boots?
- Q-19: I recompiled the sources of WinPcap and the result doesn't seem to work as expected.
- Q-20: I installed Zx Sniffer on my PC, and after that, WinPcap based applications fail to work. What's wrong?
- Q-21: My application doesn't see any traffic being sent by the machine running WinPcap.
- Q-22: When I use one of the WinPcap-based applications, why do I see only packets to or from my machine, or why do I not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?
- Q-23: If I try to compile my application using the new pcap APIs provided in WinPcap 3.1beta, the compiler fails with "warning C4013: 'pcap_???' undefined" or "error C2065: 'PCAP_OPENFLAG_????' : undeclared identifier". What's the problem?
- Q-24: If I try to compile wpcap.dll with the project configuration "wpcap - Win32 Debug" or "wpcap - Win32 Release" some pcap APIs (like pcap_open()) are not exported. Is it normal?
- Q-25: I'm trying to capture from my dialup (PPP) connection with WinPcap 3.1beta, but I cannot see any PPP adapter. What's the problem (this information applies to 2000/XP/2003 only)?
- Q-26: How does WinPcap interface with Windows Networking? Does it slow down the TCP/IP stack and applications?
- Q-27: My antivirus / antispyware program reports WinPcap as a virus / trojan / spyware! Are you hackers trying to infect my computer?
- Q-28: Does WinPcap work on Windows Vista?
- Q-29: Whenever I try to create a WinPcap-based application with Visual Studio .NET 2002 or later, I get the error "TypeLoadException, Could not load type pcap".
- Q-30: The WinPcap installation fails with the error message "An error occurred while installing the NPF driver ( -1 ). Please contact the WinPcap team".
Q-1: How can I see if WinPcap is
installed on my system? How can I remove it?
A: WinPcap 2.1 or newer: go
to the control-panel, then open the "Add or Remove Programs"
applet. If WinPcap is present in your system, an entry called
"WinPcap" will be present. Double-click on it to
uninstall WinPcap.
WinPcap 2.02 or older: go to the control-panel, then open the
"Network" applet. If WinPcap is present in
your system, an entry called "Packet Capture Driver" will be
listed (in Windows NT you have to choose the "Services"
tab). Select it and press "Remove" to uninstall WinPcap.
To be absolutely sure that WinPcap has been installed, look in your
system folder: you should find files called packet.* and wpcap.dll.
Check the file dates: they should match the release date of the
WinPcap version you installed. We have had reports of trojans and
other malware that silently install the WinPcap driver, NPF.sys. If
you have been infected by one of them, you will probably see the
driver file in Windows\System32\Drivers but no entry in the "Add or
Remove Programs" applet and no DLLs.
IMPORTANT NOTE: sometimes, when uninstalling WinPcap
version 2.02 or older from the control panel's network applet in
Windows 9x, the file Windows\Packet.dll is not deleted. You must
delete this file manually, otherwise version 2.1 will not work
properly and could cause system crashes.
Q-2: After the installation, I
cannot see WinPcap under the properties of my network adapter in
control panel. Did anything go wrong?
A: No, if you have a recent version
of WinPcap. As Q-1 says, recent versions appear under "add/remove programs"
and not under network properties.
Q-3: How can I see if WinPcap is currently running on my
Win2K/XP/2k3 machine?
A: Click Start, then Run, and type msinfo32. In the System
Information panel, choose Software Environment, then System Drivers.
The entry NPF should appear there; if you have launched a
WinPcap-based application since the last boot, its state should be
"running". Remember that WinPcap must have been run at least once
for NPF to appear in this list, because the driver is installed on
first use (see Q-7).
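As an added check for Q-1 and Q-3 (example code written for this page, not part of the WinPcap FAQ or the WinPcap distribution), the following Windows PowerShell script reports the same facts from the command line: the "Add or Remove Programs" entry, the user-mode DLLs, the NPF driver file and its Authenticode signature, and whether the driver is loaded right now. It flags the pattern Q-1 describes for silently dropped drivers: npf.sys present with no uninstall entry and no DLLs. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the SysWOW64 paths for 64-bit Windows and the use of the signature as a sanity check are assumptions of this example, not statements from the FAQ.

```powershell
# Added example (not from the WinPcap FAQ or distribution): audit whether
# WinPcap is installed and whether its NPF driver is currently loaded.
# Assumptions (not stated by the FAQ): Windows PowerShell 3.0 or later,
# run from an elevated prompt so the driver and registry queries succeed.

function Get-WinPcapInstallState {
    $sys = $env:SystemRoot

    # Files the FAQ says a real installation leaves behind. The SysWOW64
    # copies on 64-bit Windows are an assumption, not something the FAQ lists.
    $dllPaths = @(
        "$sys\System32\wpcap.dll",
        "$sys\System32\Packet.dll",
        "$sys\SysWOW64\wpcap.dll",
        "$sys\SysWOW64\Packet.dll"
    ) | Where-Object { Test-Path $_ }
    $driverPath = "$sys\System32\drivers\npf.sys"

    # "Add or Remove Programs" entries live under these Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinPcap*' } |
        Select-Object -First 1

    # The NPF service object exists once the driver has been installed
    # (after the first WinPcap-based program ran, per Q-7). State tells
    # whether it is loaded right now, which is what msinfo32 shows in Q-3.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" -ErrorAction SilentlyContinue

    $state = [pscustomobject]@{
        UninstallEntry  = $(if ($entry) { $entry.DisplayName } else { $null })
        UserModeDlls    = @($dllPaths)
        DriverFile      = $(if (Test-Path $driverPath) { $driverPath } else { $null })
        DriverState     = $(if ($drv) { $drv.State } else { 'not registered' })
        DriverStartMode = $(if ($drv) { $drv.StartMode } else { $null })
        Signer          = $null
        Suspicious      = $false
    }

    if ($state.DriverFile) {
        # Signature of the driver file: an unsigned or unexpectedly signed
        # npf.sys with no uninstall entry and no DLLs is the pattern Q-1
        # describes for malware that silently installs the driver.
        $sig = Get-AuthenticodeSignature -FilePath $driverPath
        $state.Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" })
        $state.Suspicious = (-not $entry) -and ($state.UserModeDlls.Count -eq 0)
    }
    return $state
}

$s = Get-WinPcapInstallState
$s | Format-List
if ($s.Suspicious) {
    Write-Warning "npf.sys is present without an uninstall entry or wpcap/packet DLLs: find out what installed it."
}
```

Run it from an elevated prompt; DriverState is "Running" only after some WinPcap-based program has opened an adapter since boot, exactly as Q-3 says for the msinfo32 view, so a "Stopped" driver on a machine with a normal uninstall entry is not a problem.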
Q-4: The XXX
WinPcap-based application doesn't run properly on my system. Is it a
WinPcap problem?
A: Try WinDump. In particular, "windump -D" lists the adapters
WinPcap can see, which shows whether WinPcap correctly detects your
hardware. If WinDump works, the problem is in the XXX program and not
in WinPcap, so contact the authors of XXX for help.
Q-5: Can I use WinPcap on a PPP
connection?
A: Windows 9x: We have tested WinPcap on PPP
connections under Windows 95, Windows 98 and Windows ME. In Windows
95, due to a bug in NDIS, WinPcap sometimes resets the PPP
connection. In Windows 98/ME this bug seems to be fixed, and
WinPcap seems to receive packets correctly, however it's not able to
transmit packets.
Windows NT4/Longhorn/Vista/64 bit: these systems have limitations in
the NDIS binding process that prevent a protocol driver from working
properly on WAN adapters. It's not possible to capture on PPP/VPN
connections on these operating systems.
Windows 2000/XP/2003: these systems have the same limitations in the
NDIS binding process on WAN adapters. WinPcap 3.1 and newer offer
limited support for capturing on dial-up adapters using a wrapper
over the Microsoft NetMon driver.
NOTES:
- it is possible to capture control packets (LCP and
NCP) using the "Generic Dialup" or "Generic NdisWan" adapter
(which is always listed even if no dialup connections are
available). Control frames are captured as Ethernet encapsulated
PPP frames.
- the PPP protocol is translated by the OS into a fake Ethernet.
You'll see Ethernet frames and not PPP frames.
- transmission is not supported.
- filtering and statistics gathering are done at user level (in
wpcap.dll rather than in the NPF kernel driver), so every packet is
copied to user space before being filtered.
Q-6: Can I use WinPcap on a
VPN
connection?
A: If you use standard Windows VPNs, yes, with the restrictions
explained in Q-5. A Windows VPN is treated by the OS as a dial-up
connection, so everything explained in Q-5 applies here too.
Third-party VPN implementations: some of them are not detected
because of their unclean NDIS intermediate driver structure.
Q-7: Do I need to be
Administrator in order to execute programs based on WinPcap on
Windows NT/2000/XP?
A: Yes and no. The security model of WinPcap is quite poor, and we
plan to work on it in the future. At the moment, the first time a
WinPcap-based application runs after a reboot you must be
Administrator: on that first execution the driver is dynamically
installed in the system. From that moment on, every user of the
machine is able to use WinPcap to sniff (and transmit) packets with
no further privilege check, until the driver is unloaded (see Q-26)
or the machine is rebooted. Keep this in mind on shared machines:
loading NPF effectively grants raw network access to all local users.
Q-8: Can I use WinPcap with
Borland development tools?
A: Note first of all that we support only Microsoft Visual C++, so
we are not able to provide help with other compilers.
To use WinPcap with C++ Builder (version 5.0), you have to use the
program COFF2OMF.EXE, which can be found in the Borland directory.
It converts Packet.lib and wpcap.lib (which are in the Visual C++
format, COFF) to the OMF format used by C++ Builder. For more
information, look up COFF2OMF in the C++ Builder help.
Syntax (in a DOS console):
COFF2OMF input.lib output.lib
where input.lib is wpcap.lib or packet.lib.
Q-9: Can I use WinPcap with
Visual Basic?
A: We don't support Visual Basic and
we are not able to provide help on this subject because we don't
know enough about it. BeeSync has developed an ActiveX
control that integrates the WinPcap packet capture functionality with
Visual Basic or any other programming environment supporting
Microsoft ActiveX technology. You can find it at http://www.beesync.com/products.html.
Q-10: Does WinPcap work
in connection with
personal firewalls?
A: We have received several reports that WinPcap does not work well
when a personal firewall is installed on the same machine. The
typical symptom is the inability to capture all or part of the
traffic from an adapter, but some users reported strange behavior
(like some packets disappearing) on the transmit side too.
Most of the time the problem is caused by non-standard interactions
between the firewall and the network stack of the OS, so there is not
a lot we can do on our side; the suggested remedy is to uninstall the
firewall.
Note: uninstall, not just disable, because some firewalls (like
ZoneAlarm) keep behaving strangely even when they are disabled.
Q-11: When I capture on
Windows in promiscuous mode, I can see packets other than those sent
to or from my machine; however, those packets show up with a
"Short Frame" indication, unlike packets to or from my
machine. What should I do to arrange that I see those packets
in their entirety?
A: In at least some cases, this
appears to be the result of PGPnet running on the network interface
on which you're capturing; turn it off on that interface.
Q-12: Does WinPcap work with
Java?
A: We do not directly support Java.
However you can find a Java wrapper at
http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html and
http://jnetpcap.sourceforge.net/.
Q-13: Does WinPcap support
the loopback device?
A: No. Only physical interfaces are
supported. This is a limitation of Windows and not of WinPcap.
Q-14: On which OS can I
run WinPcap?
A: WinPcap can run on all the main Win32 operating systems: Windows
95, 98, ME, NT4, 2000, XP, 2003, Vista (formerly known as "Longhorn").
The overall situation is the
following one:
- Windows 95,98, ME: Support for Windows
95/98/ME has been dropped starting from WinPcap 4.0
beta3. The source packages still include the code base
for those operating systems, but the setup executable
will refuse to install. The last versions supporting
such operating systems are WinPcap 3.1 (stable) and
WinPcap 4.0 beta2 (unstable), however they are no longer
supported by the WinPcap team, so if you encounter any
problem you are on your own.
- Windows XP/2003: WinPcap 2.3 or
newer is required.
- Windows XP/2003 (x64): WinPcap 3.2
alpha1 or newer is required. Capture from dialup/VPN adapters is not
supported on 64 bit platforms.
- Vista/Longhorn (x86): WinPcap 3.1 should
work, but with limited functionality. PPP is not
supported, and IPv6 addresses are not listed. We
strongly suggest upgrading to WinPcap 4.0 or
newer for better support on Windows Vista. Please refer
to FAQ Q-28 for more details on
Vista support.
- Vista/Longhorn (x64): WinPcap 4.0 or newer is
required.
Q-15: Why
doesn't WinPcap work on my multiprocessor (SMP) machine?
A: Support for SMP machines has been included starting from
version 3.0. Please update your installation of WinPcap.
Q-16: Which network adapters are
supported by WinPcap?
A: The WinPcap device driver was
developed to work primarily with Ethernet (10/100/1000) adapters. Support for
other MACs was added during the development, but Ethernet remains
the most tested one. A pretty complete list of supported adapters is
maintained by the AirSnare team at http://www.micro-logix.com/WinPcap/Supported.asp,
you are encouraged to use that page to report the results of your
experiences with WinPcap. REMEMBER that this list is created by
WinPcap Users, so it cannot be considered official or 100% reliable.
The overall situation is:
- Windows 95/98/ME: the packet driver works ok on
Ethernet networks. It works also on PPP WAN links, but with some
limitations (for example it is not able to capture the LCP and
NCP packets). FDDI, ARCNET, ATM and Token Ring should be
supported, however we did not test them because we do not have
the hardware.
- Windows NT4/2000/XP/2003/Vista: the packet driver works ok on
Ethernet networks. As for dial-up adapters and VPN
connections, read Q5 and Q6.
As in Win9x, FDDI, ARCNET, ATM and Token Ring are
supported, but not tested by us.
- Wireless adapters: these adapters may present problems, because
they are not properly supported by the Windows kernel. Some of them
are not detected, others don't support promiscuous mode. In the best
case, WinPcap is able to see an Ethernet emulation and not the real
transiting packets: this means that the 802.11 frames are
transformed into fake Ethernet frames before being captured, and
that control frames are not received.
Again, refer to the list at
http://www.micro-logix.com/WinPcap/Supported.asp
to discover if your adapter works. If it doesn't, you can use
the trick explained in this video to capture its traffic.
For real wireless capture, CACE Technologies offers the
AirPcap
adapter, specifically designed to sniff 802.11 traffic,
including control frames, management frames and power
information. AirPcap at this time is the only solution for
capturing raw 802.11 traffic with WinPcap. More details can be found
on the
AirPcap product page.
Q-17: Can I use WinPcap to drop
the incoming packets? Is it possible to use WinPcap to build a
firewall?
A: No. WinPcap is implemented as an NDIS protocol driver (see Q-26),
so it receives a copy of the packets, but it can't drop them before
they reach the TCP/IP stack and the applications. The filtering
capabilities of WinPcap apply only to the captured copies. In order
to intercept the packets before the TCP/IP stack, you must write an
NDIS intermediate driver.
Q-18: Is it possible to start
WinPcap automatically when the system boots?
A: You can change the start setting of the NPF service to
"automatic" or "system". One way to do this is to change the registry
value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start
from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1
(SERVICE_SYSTEM_START).
This works only on Windows NT-based systems, and only after the
driver has been installed by the first WinPcap-based program (see
Q-7). Note the consequence described in Q-7: once NPF is loaded at
boot, every local user can capture without being Administrator.
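The registry change above and the "net stop npf" unload from Q-26, as an added Windows PowerShell example (written for this page, not part of the WinPcap FAQ or distribution). It reads the Start value back after writing it instead of trusting the write, and refuses to run before the NPF service key exists. It assumes a Windows NT-based system, an elevated Windows PowerShell 3.0 or later prompt, and that the driver has already been installed once as Q-7 describes; the function names are this example's own.

```powershell
# Added example (not from the WinPcap FAQ or distribution): change when the
# NPF driver starts, and unload it again. Assumptions: Windows NT-based
# system, elevated Windows PowerShell 3.0 or later, and NPF installed at
# least once (the service key does not exist before the first capture, Q-7).

$NpfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'

# Values of the Start DWORD as the FAQ lists them.
$StartModes = @{
    SystemStart = 1   # SERVICE_SYSTEM_START
    AutoStart   = 2   # SERVICE_AUTO_START
    DemandStart = 3   # SERVICE_DEMAND_START (the installer's default)
}

function Get-NpfStartMode {
    if (-not (Test-Path $NpfKey)) {
        throw "NPF service key not found; run a WinPcap-based program once as Administrator first (see Q-7)."
    }
    $value = (Get-ItemProperty -Path $NpfKey -Name Start).Start
    $name  = ($StartModes.GetEnumerator() | Where-Object { $_.Value -eq $value }).Key
    [pscustomobject]@{ Start = $value; Mode = $name }
}

function Set-NpfStartMode {
    param([ValidateSet('SystemStart', 'AutoStart', 'DemandStart')][string]$Mode)
    $before = Get-NpfStartMode
    Set-ItemProperty -Path $NpfKey -Name Start -Value $StartModes[$Mode] -Type DWord
    # Read the value back rather than trusting the write (a non-elevated
    # prompt may fail silently depending on the error preference).
    $after = Get-NpfStartMode
    if ($after.Start -ne $StartModes[$Mode]) {
        throw "Start value did not change (is the prompt elevated?)"
    }
    Write-Host "NPF start mode: $($before.Mode) -> $($after.Mode)"
}

function Stop-NpfDriver {
    # Same effect as 'net stop npf' from Q-26: unloads the driver until the
    # next capture opens an adapter, or the next boot if start is automatic.
    # 'sc' alone is a PowerShell alias for Set-Content, hence sc.exe.
    & sc.exe stop npf | Out-Null
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'"
    return $drv.State
}

# Show the current setting. Automatic start is convenient for capture
# services, but per Q-7 any local user can then open adapters without being
# Administrator from boot onward; revert with Set-NpfStartMode -Mode DemandStart.
Get-NpfStartMode
```

Set-NpfStartMode -Mode AutoStart does what the FAQ describes; "sc.exe config npf start= auto" (note the space after "start=") writes the same value through the service control manager instead of the registry. Stop-NpfDriver returns "Stopped" on success; it stays "Running" while a WinPcap-based application still has an adapter open.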
Q-19: I
recompiled the sources of WinPcap and the result doesn't seem to
work as expected.
A: If you used Microsoft Visual Studio 6, install Service Pack 5 and
compile again.
Q-20: I
installed Zx Sniffer on my PC, and after that, WinPcap based
applications fail to work. What's wrong?
A: Zx Sniffer uses a custom packet capture driver that is very
similar to WinPcap and conflicts with it. You have to uninstall Zx
Sniffer to make WinPcap work.
Q-21: My application doesn't see any traffic being sent by the
machine running WinPcap.
A: If you are running some form of
VPN client software, it might be causing this problem; people have
seen this problem when they have Check Point's VPN software
installed on their machine. If that's the cause of the problem, you
will have to remove the VPN software in order to make the
application see outgoing packets.
Q-22:
When I use one of the WinPcap-based
applications, why do I see only packets to or from my
machine, or why do I not see all the traffic I'm expecting to see
from or to the machine I'm trying to monitor?
A: This might be because the
interface on which you're capturing is plugged into a switch; on a
switched network, unicast traffic between two ports will not
necessarily appear on other ports - only broadcast and multicast
traffic will be sent to all ports.
Note that even if your machine is plugged into a hub, the "hub"
may be a switched hub, in which case you're still on a switched
network.
Note also that on the Linksys Web site, they say that their
auto-sensing hubs "broadcast the 10Mb packets to the port that
operate at 10Mb only and broadcast the 100Mb packets to the ports
that operate at 100Mb only", which would indicate that if you sniff
on a 10Mb port, you will not see traffic coming sent to a 100Mb
port, and vice versa. This problem has also been reported for
Netgear dual-speed hubs, and may exist for other "auto-sensing" or
"dual-speed" hubs.
Some switches have the ability to replicate all traffic on all
ports to a single port so that you can plug your analyzer into that
single port to sniff all traffic. Check the documentation for the
switch to see if this is possible and, if so, how to do it.
Note also that many firewall/NAT boxes have a switch built into
them; this includes many of the "cable/DSL router" boxes. If you
have a box of that sort, with a switch with some number of
Ethernet ports into which you plug machines on your network, and
another Ethernet port used to connect to a cable or DSL modem, you
can at least sniff traffic between the machines on your network
and the Internet by plugging the Ethernet port on the router going
to the modem, the Ethernet port on the modem, and the machine on
which you're capturing into a hub (make sure it's not a switching
hub, and that, if it's a dual-speed hub, all three of those ports
are running at the same speed).
If your machine is not plugged into a switched network
or a dual-speed hub, or it is plugged into a switched network but
the port is set up to have all traffic replicated to it, the problem
might be that the network interface on which you're capturing
doesn't support "promiscuous" mode, or because your OS can't put the
interface into promiscuous mode. Normally, network interfaces supply
to the host only:
- packets sent to one of that host's link-layer addresses;
- broadcast packets;
- multicast packets sent to a multicast address that the host
has configured the interface to accept.
Most network interfaces can also be put in "promiscuous" mode, in
which they supply to the host all network packets they see. WinDump
(like tcpdump) will try to put the interface on which it's capturing
into promiscuous mode unless the -p option was specified.
However, some network interfaces don't support promiscuous mode, and
some OSes might not allow interfaces to be put into promiscuous
mode.
If the interface is not running in promiscuous mode, it won't see
any traffic that isn't intended to be seen by your machine. It
will see broadcast packets, and multicast packets
sent to a multicast MAC address the interface is set up to receive.
You should ask the vendor of your network interface whether it
supports promiscuous mode. If it does, you should ask whoever
supplied the driver for the interface (the vendor, or the supplier
of the OS you're running on your machine) whether it supports
promiscuous mode with that network interface.
In the case of token ring interfaces, the drivers for some of them,
on Windows, may require promiscuous mode to be enabled in the
driver's configuration before captures in promiscuous mode will
work. Ask the vendor of the card how to do this, or see, for
example, this information on promiscuous mode on some Madge token
ring adapters (note that those cards can have promiscuous mode
disabled permanently, in which case you can't enable it).
In the case of wireless LAN interfaces, it appears that, when
those interfaces are promiscuously sniffing, they're running in a
significantly different mode from the mode they run in when they're
just acting as network interfaces (to the extent that it would be a
significant effort for those drivers to support promiscuous sniffing
and acting as regular network interfaces at the same time), so it
may be that Windows drivers for those interfaces don't support
promiscuous mode.
For real wireless capture, see the AirPcap adapter described in
Q-16; at this time it is the only solution for capturing raw 802.11
traffic with WinPcap.
Q-23:
If I try to compile my application using the new pcap APIs provided in WinPcap 3.1beta, the compiler fails with
"warning C4013: 'pcap_???' undefined" or "error C2065: 'PCAP_OPENFLAG_????'
: undeclared identifier" . What's the problem?
A: The following new pcap APIs
provided in WinPcap 3.1beta work only if "HAVE_REMOTE" is
defined:
- pcap_open()
- pcap_findalldevs_ex()
- pcap_createsrcstr()
- pcap_parsesrcstr()
- pcap_setsampling()
- pcap_remoteact_accept()
- pcap_remoteact_list()
- pcap_remoteact_close()
- pcap_remoteact_cleanup()
You can define HAVE_REMOTE either:
- in your source/header files, with "#define HAVE_REMOTE" before
including pcap.h, or
- through a compiler/project option.
Q-24:
If I try compile wpcap.dll with the project configuration "wpcap
- Win32 Debug" or "wpcap - Win32 Release" some pcap APIs (like
pcap_open() ) are not exported. Is it normal?
A: Yes, this is normal. Some pcap APIs (the ones listed in FAQ Q-23)
are compiled and exported only in the "wpcap - Win32 ??? REMOTE ???"
configurations, because they depend on the remote capture code.
Q-25: I'm trying to capture from
my dialup(PPP) connection with WinPcap 3.1beta, but I cannot
(capture from)/see any
PPP adapter. What's the problem (this information applies to
2000/XP/2003 only)?
A: First of all, WinPcap 3.1 uses the Microsoft NetMon driver to
capture from dialup and VPN connections. This driver is installed
automatically by the WinPcap setup. You can see it by looking at the
properties of each network card or dialup connection (tab "General"
or "Networking", depending on the adapter); it's listed as "Network
Monitor Driver".
If you have accidentally removed this driver from your machine, you
can reinstall it by issuing the following command (with
administrator privileges) from the WinPcap installation folder, which is \Program
Files\WinPcap :
NetMonInstaller.exe i
Secondly, in order to capture, you must have "Power Users" or
"Administrators" privileges on Windows 2000 and XP, and "Power Users
+ Network Configuration Operations" or "Administrators" privileges
on Windows Server 2003. If you do not have such privileges, WinPcap
3.1beta will list such adapters, but you won't be able to open them
(with pcap_openXXX or PacketOpenAdapter).
Q-26: How does WinPcap interface with Windows Networking? Does it
slow down the TCP/IP stack and applications?
A: Inside the Windows kernel, WinPcap runs as a protocol driver. It
sits at the same level as tcpip.sys, and like the TCP/IP stack it
receives the packets from the underlying NIC driver, but only while
at least one WinPcap-based tool is capturing. This means that when
WinPcap is installed but not capturing, the impact on the system is
nonexistent.
Note in particular that the WinPcap driver is loaded into the
kernel only when the first capture application opens an adapter
after a machine boot.
When WinPcap runs, it doesn't directly interact with TCP/IP.
However, especially under high network loads, the WinPcap activity
(in particular the part running at software interrupt level) will
affect TCP/IP responsiveness.
Note: To unload the WinPcap driver (under Windows NT4, 2000, XP
and 2003), the following command can be used:
net stop npf
Q-27:
My antivirus / antispyware program reports WinPcap as a virus /
trojan/ spyware! Are you hackers trying to infect my computer?
A: WinPcap is not a virus. WinPcap
is an industry standard library used by
many tools,
several of which commercial, and developed by a respected team of
people. However, since it's free and since it's an easy and powerful
way to receive and transmit low-level network traffic, it seems that
some virus writers used it too. As a result, at least once a month
somebody complains that their antivirus program reports WinPcap as a
virus. Your antivirus program should detect the virus itself, not
the libraries it uses. It's like saying that MS Winsock is a virus
because some trojans use sockets to send or receive data on the
network.
So, please contact your antivirus company and tell them to fix the
problem.
Q-28: Does WinPcap work on Windows
Vista?
A:
WinPcap 3.1: The installer is
able to correctly detect and install the product on Microsoft
Windows Vista Beta1 (x86). However WinPcap has not been fully
tested on this newly released operating system, since Windows Vista
Beta1 was released less than two weeks before WinPcap 3.1. No other
builds of Vista have been tested.
Additionally, the support for this operating system is limited. In
particular, these are the known limitations:
- Capturing from dialup/VPN adapters is disabled.
- No support for IPv6 (IPv6 support was added in WinPcap 4.0 beta3).
- WinPcap can fail listing the adapters if the TCP/IP protocol
stack is not enabled.
WinPcap 4.0 beta2: The installer is able to
correctly detect and install the product on Microsoft
Windows Vista Beta2 (x86). No other builds of Vista (RC1,
RC2) have been tested.
Additionally, the support for this operating system is limited. In
particular, these are the known limitations:
- Capturing from dialup/VPN adapters is disabled.
- No support for IPv6 (IPv6 support was added in WinPcap 4.0 beta3).
- WinPcap can fail listing the adapters if the TCP/IP protocol
stack is not enabled.
WinPcap 4.0 beta3: The installer is able to
correctly detect and install the product on Microsoft
Windows Vista RTM (x86). No other builds of Vista (BETA1,
BETA2, RC1, RC2) have been
tested. Moreover, capturing from dialup/VPN adapters is not
supported.
WinPcap 4.0 or newer: The installer is able to
correctly detect and install the product on Microsoft
Windows Vista RTM (x86 and x64). No other builds of Vista (BETA1,
BETA2, RC1, RC2) have been
tested. Moreover, capturing from dialup/VPN adapters is not
supported.
Previous WinPcap versions: No support for Vista.
Windows Vista (x64): WinPcap 4.0 or newer is
required.
Q-29: Whenever I try to create a WinPcap-based application
with Visual Studio.NET 2002 or later, I get the error "TypeLoadException, Could not load type pcap" .
A: You are using Managed C++ (i.e. your executable targets the .NET
CLR, Common Language Runtime).
The problem is that the standard WinPcap include file "pcap.h"
contains only a forward declaration of "struct pcap", not its actual
definition. As a consequence, the Managed C++ compiler does not emit
any metadata for that type, since there's no definition for it.
There are two solutions to the problem:
- Include "pcap-int.h" instead of "pcap.h". This header contains the
actual definition of "struct pcap".
- Add a fake definition of "struct pcap". The simplest one is
"struct pcap {};".
Q-30:
The WinPcap installation fails with the error message "An
error occurred while installing the NPF driver ( -1 ). Please
contact the WinPcap team".
A: This error is usually caused by antivirus or antimalware software
that incorrectly detects the WinPcap kernel driver (NPF) as malware,
because in the past some malware tools have been built on the WinPcap
library (see Q-27).
The workaround is to temporarily disable such antivirus/antimalware
programs while installing WinPcap and re-enable them immediately
afterwards. Before doing so, make sure the installer you are running
was downloaded from the WinPcap site and not bundled with something
else.