
Capturing outgoing packets with NPCAP

0

I asked a similar question a few months ago and after some additional information, I think the answer is the xPCAP being used. With WinPCAP, I don't see certain messages emanating from my computer. If I focus the capture to a particular host and ping that host, I only see the responses. The important information I was interested in seeing was the raw UDP traffic between my computer and the remote system (an embedded serial terminal server interface without the benefit of being able to do any captures). With WinPCAP, Wireshark did not report any UDP data transfers.

In looking through other Q&As, I saw notes to use NPCAP from the NMAP project. I downloaded NPCAP (latest version - 0.07), installed it and uninstalled WinPCAP. Using NPCAP, I was able to see all of the data - ping send/receive and UDP traffic to and from my computer. I have seen other responses saying that the lack of sent data was due to other applications (VPN, AV, etc.) interfering with the data transfer. Since NPCAP can capture and display the data, I don't believe that interference is the issue.

This was good until I rebooted my computer. After the reboot, none of my network connections were operational. I uninstalled NPCAP and the networks were operational again. In the event that the latest version of NPCAP had an issue, I removed it and installed the last version of the prior release (0.06r19). This had the same behavior.

So, why am I posting this here instead of on the NPCAP issues site (really the NMAP site)? That site appears to be oriented towards developers. I simply want to know if other users have experienced this and/or if others have suggestions about other capture drivers that might work better. Additionally, is there any information about whether or not WinPCAP is in active support and development? There don't appear to have been any version changes in the last 3 years.

Thanks,

Ed.

asked 09 May '16, 09:59

ejhellertc

WinPcap development is effectively dead. Npcap is likely to replace WinPcap in the Wireshark installer at some point in the future.

(09 May '16, 14:33) grahamb ♦

2 Answers:

0

Hi @ejhellertc,

I'm the author of Npcap. Thanks for using it!

This was good until I rebooted my computer. After the reboot, none of my network connections were operational. I uninstalled NPCAP and the networks were operational again. In the event that the latest version of NPCAP had an issue, I removed it and installed the last version of the prior release (0.06r19). This had the same behavior.

There are a few cases reporting that the network connection fails after installing Npcap. But this disconnection will be gone after 1) waiting for 90 seconds, 2) disabling and re-enabling the adapter icon in ncpa.cpl, or 3) rebooting.

You said your system won't connect to the network after a reboot. Have you tried 1) or 2)?

I suspect it's because you have installed some incompatible software. It can be VPN, anti-virus, firewall or other network-related software. We are maintaining an incompatible software list at the bottom of https://github.com/nmap/npcap. So you can uninstall all those potential packages one by one and see which one causes the issue, then report it to me.

So, why am I posting this here instead of on the NPCAP issues site (really the NMAP site)? That site appears to be oriented towards developers. I simply want to know if other users have experienced this and/or if others have suggestions about other capture drivers that might work better. Additionally, is there any information about whether or not WinPCAP is in active support and development? There don't appear to have been any version changes in the last 3 years.

The best place to file an issue about Npcap is at the GitHub Issues of Nmap: https://github.com/nmap/nmap/issues. You can also post the question here, but it may be slow to be handled because I won't be notified, as @sindy said.

answered 10 May '16, 03:46

Yang Luo

I retried Npcap. During the installation, I did not enable the start on boot option. This may have effectively performed the "Wait 90 seconds", as my other network connections come up now. WS runs and captures all the data I need. The delay to load the driver when WS starts (if it does) does not seem appreciable.

I also read somewhere that there is a limit on the number of hooks or filters that Win7 can handle. I had some duplicate MS VPN connections which I removed. I am not sure, but that may have helped as well.

Thanks, Ed.

(10 May '16, 08:53) ejhellertc

0

Since NPCAP can capture and display the data, I don't believe that interference is the issue.

Although it may be hard to believe, the interference really is the issue. The point is that WinPcap and Npcap hook as "filters" (actually filtering out no packets but only using the API intended for packet filters) into the software stack between the NIC driver and the higher protocol layers, but each of them hooks in at a different layer. The filters of those security software products hook into the same places too, sometimes "bridging over" WinPcap's "filter" in one or both directions. So if such a (carelessly implemented) security software driver hooks in at the same level as WinPcap does, Npcap may still see the frames (and probably vice versa; there's not much security software hooking in at NDIS 6 yet).

Npcap is a work in progress and more or less a one-man show. But that one man, @Yang Luo, is really responsive, so if you have an issue with Npcap, the best thing to do is to open an issue at that "developer-oriented" site and provide the information. Woes on loosely related sites are much less efficient (as it takes Yang Luo longer to notice them).

answered 09 May '16, 13:38

sindy

edited 09 May '16, 13:39
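Both answers above come down to the same check: which drivers are bound to the adapter between the NIC and the protocol stack (sindy's explanation), and which of those third-party bindings to remove one at a time or whether a disable/re-enable of the adapter clears the disconnection (Yang Luo's steps). The script below is an added example for that check, not code from the thread or from the Npcap project; it assumes Windows 8 / Server 2012 or later (the NetAdapter cmdlets do not exist on Windows 7), an elevated session, an adapter named "Ethernet", and that the Npcap binding's display name contains "Npcap".

```powershell
# Added example, not from the thread. Lists the NDIS bindings on one adapter so the
# lightweight filter drivers (Npcap, VPN, anti-virus, firewall) are visible, and
# optionally performs the "disable and re-enable the adapter" step from ncpa.cpl.
# Assumptions: Windows 8 / Server 2012+, elevated PowerShell, adapter named "Ethernet".
param(
    [string]$AdapterName = "Ethernet",
    [switch]$RestartAdapter
)

# -AllBindings includes the hidden components: protocols, clients and filter drivers.
$bindings = Get-NetAdapterBinding -Name $AdapterName -AllBindings

Write-Host "All bindings on '$AdapterName':"
$bindings |
    Sort-Object Enabled -Descending |
    Format-Table -AutoSize DisplayName, ComponentID, Enabled

# Assumption: the Npcap binding's display name contains "Npcap".
$capture = $bindings | Where-Object { $_.DisplayName -match 'Npcap' }

# Microsoft's own components carry ms_* component IDs (ms_tcpip, ms_pacer, ...).
# Every other enabled binding is a candidate for the one-at-a-time uninstall test
# against the incompatible-software list in the Npcap README.
$thirdParty = $bindings | Where-Object {
    $_.Enabled -and
    $_.ComponentID -notlike 'ms_*' -and
    $_.DisplayName -notmatch 'Npcap'
}

Write-Host "Capture driver binding(s):"
$capture | Format-Table -AutoSize DisplayName, ComponentID, Enabled

Write-Host "Other enabled third-party bindings (check against the Npcap incompatible list):"
$thirdParty | Format-Table -AutoSize DisplayName, ComponentID

if ($RestartAdapter) {
    # Same effect as disabling and re-enabling the adapter icon in ncpa.cpl.
    Restart-NetAdapter -Name $AdapterName
    Start-Sleep -Seconds 5
    Get-NetAdapter -Name $AdapterName | Format-Table -AutoSize Name, Status, LinkSpeed
}
```

Run it once before and once after installing Npcap and compare the third-party list; a binding that appears only alongside a connectivity loss is the one to report.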