Disable Npcap packet driver

Updated: 07.07.2024

A guide to Npcap, a packet capture and network analysis framework for Windows, for users and software developers. Npcap is a modern, safe, and compatible update to WinPcap.

Introduction

This Manual describes the programming interface and the source code of Npcap. It provides detailed descriptions of the functions and structures exported to programmers, along with complete documentation of the Npcap internals. Several tutorials and examples are provided as well.

What is Npcap?

Npcap is an architecture for packet capture and network analysis for Windows operating systems, consisting of a software library and a network driver.

Most networking applications access the network through widely-used operating system primitives such as sockets. It is easy to access data on the network with this approach since the operating system copes with the low level details (protocol handling, packet reassembly, etc.) and provides a familiar interface that is similar to the one used to read and write files.

Sometimes, however, the “easy way” is not up to the task, since some applications require direct access to packets on the network. That is, they need access to the “raw” data on the network without the interposition of protocol processing by the operating system.

The purpose of Npcap is to give this kind of access to Windows applications. It provides facilities to:

  • capture raw packets, both the ones destined to the machine where it's running and the ones exchanged by other hosts (on shared media)
  • filter the packets according to user-specified rules before dispatching them to the application
  • transmit raw packets to the network
  • gather statistical information on the network traffic

This set of capabilities is obtained by means of a device driver, which is installed inside the networking portion of the Windows kernel, plus a couple of DLLs.

All of these features are exported through a powerful programming interface, easily usable by applications. The main goal of this manual is to document this interface, with the help of several examples.

What kind of programs use Npcap?

  • network and protocol analyzers
  • network monitors
  • traffic loggers
  • traffic generators
  • user-level bridges and routers
  • network intrusion detection systems (NIDS)
  • network scanners
  • security tools

What Npcap can't do

Npcap receives and sends the packets independently from the host protocols, like TCP/IP. This means that it isn't able to block, filter or manipulate the traffic generated by other programs on the same machine: it simply “sniffs” the packets that transit on the wire. Therefore, it does not provide the appropriate support for applications like traffic shapers, QoS schedulers and personal firewalls.

Npcap Features

Npcap has many exciting features that set it above other packet capture solutions:

Built for modern Windows: Npcap is written for Windows 10, Windows 8.1, Windows 8, and Windows 7. Using up-to-date NDIS versions, it allows you to capture traffic without slowing down the network stack. Npcap is implemented as a NDIS 6 Lightweight Filter driver, faster and with less overhead than the legacy NDIS 5 Protocol Driver used by WinPcap.

WinPcap compatibility: Npcap is a drop-in replacement for WinPcap in most applications.

Updated cross-platform libpcap API: The libpcap API allows cross-platform packet capture applications to target Linux, Windows, macOS, BSD, Solaris and others. Npcap includes the latest version of libpcap, providing the best solution for compatibility, performance, functionality, and security.

Loopback packet capture and injection: Npcap is able to see Windows loopback packets using the Windows Filtering Platform (WFP). Npcap supplies an interface named “NPF_Loopback”, with the description “Adapter for loopback capture.” Wireshark users can choose this adapter to capture all loopback traffic the same way as other non-loopback adapters. Packet injection works as well with pcap_inject().

Raw 802.11 Packet Capture Support: Npcap is able to see 802.11 frames instead of emulated Ethernet frames on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in “Monitor Mode”, Npcap will supply all 802.11 data + control + management packets with Radiotap headers. When your adapter is in “Managed Mode”, Npcap will only supply Ethernet packets. Npcap directly supports using Wireshark to capture in “Monitor Mode”. Npcap also provides the WlanHelper.exe tool to manually configure WiFi PHY parameters. See more details about this feature in the section called “For software that uses Npcap raw 802.11 feature”.

“Admin-only Mode” Support: Npcap supports restricting its use to Administrators for safety purposes. If Npcap is installed with the option “Restrict Npcap driver's access to Administrators only” checked, only Built-in Administrators may access its features via user software (Nmap, Wireshark, etc). This provides a level of restriction similar to requiring root access for packet capture on Linux/UNIX.

Purpose of this manual

The purpose of this manual is to provide a comprehensive and easy way to browse the documentation of the Npcap architecture. You will find three main sections:

the section called “Npcap Users' Guide” is for end users of Npcap, and primarily concerns installation options, hardware compatibility, and bug reporting procedures.

the section called “Developing software with Npcap” is for programmers who need to use Npcap from an application: it contains information about functions and data structures exported by the Npcap API, a manual for writing packet filters, and information on how to include it in an application. A tutorial with several code samples is provided as well; it can be used to learn the basics of the Npcap API using a step-by-step approach, but it also offers code snippets that demonstrate advanced features.

the section called “Npcap internals” is intended for Npcap developers and maintainers, or for people who are curious about how this system works: it provides a general description of the Npcap architecture and explains how it works. Additionally, it documents the complete device driver structure, the source code, the Packet.dll interface and the low-level Npcap API. If you want to understand what happens inside Npcap or if you need to extend it, this is the section you will want to read.

Terminology

We call Npcap an architecture rather than a library because packet capture is a low-level mechanism that requires close interaction with the network adapter and with the operating system, in particular with its networking implementation, so a simple library is not sufficient.

For consistency with the literature, we will use the term packet even though frame is more accurate since the capture process is done at the data-link layer and the data-link header is included in the captured data.

Npcap License

Even though Npcap source code is publicly available for review, it is not open source software and may not be redistributed without special permission from the Nmap Project. The Npcap Free License allows end users to download, install, and use up to 5 copies of Npcap from our site for free. Copies which are only used with Nmap, Wireshark, and/or Microsoft Defender for Identity don't count toward this 5-install limit.

We fund the Npcap project by selling the Npcap OEM Edition. This special version of Npcap includes enterprise features such as the silent installer and commercial support as well as special license rights allowing customers to redistribute Npcap with their products or to install it on more systems within their organization with easy enterprise deployment. We offer two commercial license types:

The Npcap OEM Redistribution License is for companies that wish to distribute Npcap OEM within their products (the free Npcap edition does not allow this). Licensees generally use the Npcap OEM silent installer, ensuring a seamless experience for end users. Licensees may choose between a perpetual unlimited license or an annual term license, along with options for commercial support and updates.

The Npcap OEM Internal-Use License is for organizations that wish to use Npcap OEM internally without redistribution outside their organization. This allows them to bypass the 5-system usage cap of the Npcap free edition. It includes commercial support and update options, and provides the extra Npcap OEM features such as the silent installer for enterprise-wide deployment.

Obtaining Npcap

The latest Npcap release can always be found on the Npcap website as an executable installer and as a source code archive.

When I uninstalled npcap, the loopback adapter remained installed. I had to manually remove the adapter from 'Computer Management -> Device Manager'. After that, my wifi network connection was gone, and I had to uninstall and reinstall my wifi device driver to get it back.

Running Windows 10 Home 'Anniversary Update' (version 1607 [build 14393.447]). Npcap version 0.10-r18, installed in winpcap compatibility mode.

I have also the same issue.

lbalbalba commented Jan 16, 2017

dmiller-nmap commented Jan 18, 2017

@binbjz Please try the latest Npcap release which should resolve this issue.

Would you mind adding an uninstaller for the adapter to the installer? It's a bit much to have to reinstall npcap just to uninstall the adapter.

EDIT: nevermind, 0.82 uninstaller doesn't remove the adapter either. Please reopen issue.

Kyefer commented Feb 27, 2017

Just installed 0.82 and uninstalled it. It did not remove the adapter

ghost commented Feb 28, 2017

Please reopen this issue. I believe the orphaned loopback interface is causing networking problems on my machine.

PaulBags commented Feb 28, 2017

I went in to adapter properties > driver and uninstalled the driver from there. I can't be sure it's clean, but it's cleaner than the Npcap uninstaller's failure to uninstall.

dmiller-nmap commented Feb 28, 2017

@PaulBags @sphaugh @Kyefer Thanks for the reports. I'm working through some mixups in the installer code right now, but I'm not sure they're directly related. Can you tell me whether running (in an Administrator cmd.exe) "\Program Files\Npcap\NPFInstall.exe" -ul correctly removes the interface? This is how the uninstaller is supposed to do it, but I'd like to see if anything is going wrong. It still seems to work for me here.

dmiller-nmap commented Mar 1, 2017

Ok, it looks like I can produce loopback interfaces that NPFInstall -ul will not remove, if I run NPFInstall -il multiple times. This could have happened naturally if previous versions of Npcap were installed and upgraded so that some instance of Npcap Loopback Adapter already existed at the time that the fixed (>0.78r4) Npcap was installed. So the changelog is correct: the uninstaller now successfully removes one loopback adapter: namely, the last one installed. But something is wrong causing the older ones to be unremovable with NPFInstall . I'll look into this and see if we can fix it. Not exactly sure the best mechanism: always pop the most recent one off, or remove the oldest one first, or prevent installing more than one at all? Ideas welcome.

dmiller-nmap commented Mar 5, 2017

It appears that NPFInstall has no problem removing the extra loopback adapters if it can find them. We keep the index number of the latest one installed in Npcap's installation directory in the loopback.ini file. So here's the procedure to manually clean them up:

  1. Open the Npcap installation directory (usually C:\Program Files\Npcap\ )
  2. Run DiagReport.bat , which produces DiagReport-<some numbers>.txt
  3. In the resulting text file, find the section "Network Adapter(s) Info:"
  4. Note the PNPDeviceID for each of the problem adapters, which looks like "ROOT\NET\0001"
  5. For each of the device IDs, extract the number from the end ("1" in the example case) and edit loopback.ini to contain just that number.
  6. Run NPFInstall -ul to remove the selected adapter.
  7. Repeat steps 5 and 6 until all the adapters are removed.

I hope to have a better solution in the future, but at least this will clean up your system. And the issue is not likely to happen again unless you manually run NPFInstall -il repeatedly.
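
Steps 3 to 7 of the cleanup procedure above, as an added PowerShell example that is not part of the original comment or of Npcap's own tooling. NPFInstall.exe -ul, loopback.ini and the ROOT\NET\NNNN device IDs come from the comment; the report layout in the constructed sample (blank-line-separated records with Name and PNPDeviceID fields), the function names and the ASCII encoding of loopback.ini are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: each adapter in the "Network Adapter(s) Info:" section is a
# blank-line-separated record holding "Name" and "PNPDeviceID" fields.

function Get-NpcapLoopbackIndex {
    # Returns the numeric suffix of every ROOT\NET\NNNN device ID that belongs
    # to a record naming "Npcap Loopback Adapter" (step 3 to step 5).
    param([string[]]$ReportLines)

    $inSection = $false
    $record    = New-Object System.Collections.Generic.List[string]
    $indexes   = New-Object System.Collections.Generic.List[int]

    # A trailing empty line is appended so the last record is flushed too.
    foreach ($line in (@($ReportLines) + '')) {
        if (-not $inSection) {
            if ($line -match 'Network Adapter\(s\) Info:') { $inSection = $true }
            continue
        }
        if ($line.Trim() -ne '') { $record.Add($line); continue }

        # Blank line: one adapter record is complete, inspect it as a whole
        # so the field order inside the record does not matter.
        $text = $record -join "`n"
        if ($text -match 'Npcap Loopback Adapter' -and
            $text -match 'PNPDeviceID\s*:\s*ROOT\\NET\\(\d+)') {
            $indexes.Add([int]$Matches[1])   # "0001" -> 1, "0000" -> 0
        }
        $record.Clear()
    }
    return $indexes | Sort-Object -Unique
}

function Remove-NpcapLoopbackAdapter {
    # Steps 5 to 7: for each index, put just that number in loopback.ini and
    # run NPFInstall -ul. Without -Apply the function only prints the plan.
    param(
        [int[]]$Index,
        [string]$NpcapDir = 'C:\Program Files\Npcap',
        [switch]$Apply
    )
    $ini       = Join-Path $NpcapDir 'loopback.ini'
    $installer = Join-Path $NpcapDir 'NPFInstall.exe'

    foreach ($i in $Index) {
        if (-not $Apply) {
            Write-Output "Would write '$i' to $ini, then run `"$installer`" -ul"
            continue
        }
        # Assumption: a plain ASCII file containing only the number is accepted.
        Set-Content -Path $ini -Value $i -Encoding ASCII -NoNewline
        & $installer -ul
    }
}

# Constructed sample report excerpt (not real DiagReport output).
$sampleReport = @'
Some earlier section (constructed)

Network Adapter(s) Info:

Name        : Example Wi-Fi Adapter (constructed)
PNPDeviceID : PCI\EXAMPLE\0001

Name        : Npcap Loopback Adapter
PNPDeviceID : ROOT\NET\0001

PNPDeviceID : ROOT\NET\0000
Name        : Npcap Loopback Adapter
'@ -split "`r?`n"

$indexes = Get-NpcapLoopbackIndex -ReportLines $sampleReport
Remove-NpcapLoopbackAdapter -Index $indexes      # dry run; add -Apply to act
```

To use it on a real system, pass the lines of the DiagReport-<some numbers>.txt file produced in step 2 (for example via Get-Content) instead of $sampleReport, and review the dry-run output before adding -Apply.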

I have this same problem. I uninstalled npcap to discover that the adapter was still there. Upon reading your instructions, I reinstalled npcap but unchecked the loopback option so it would not install another adapter. However, I have found the index to be 0 but my installation directory does not have a loopback.ini file. What should I do?

Thanks for your help.

Edit: I misread the instructions. I did not realize you meant create a loopback.ini file with just the index in it. I did this and ran NPFInstall -ul in an admin command prompt and it uninstalled successfully!

Hey, I did all the instructions that dmiller put, but the loopback adapter keeps showing in my Network Connections. Anything to do to erase it completely? BTW, don't know if there is a problem, but my adapter showed "ROOT\NET\0000" as its ID

Press the Windows/Start key and press x at the same time. Alternatively right click on the start button in the task bar.

Click on Device Manager.

Expand Network Adapters by clicking on the ">" (without quotes) arrow.

Find the Network Adapter which you wish to uninstall. In this case it is called "Npcap Loopback Adapter" (without the quotes).

Right click and select "Uninstall" (without the quotes).

Click "OK" (without the quotes) in the alert box to start the uninstall process.

This should fix your issue.

fyodor commented Jun 13, 2017

For months I've seen an "unidentified network" everywhere in my Win10 GUI. I found
https://github.com/nmap/nmap/issues/653
https://github.com/nmap/npcap/commit/a9b7f9e
Which seemed to say the new Npcap version should not appear in my Wi-Fi selector or Network Settings as an unidentified network (where it says "npcap loopback adapter doesn't have a valid ip configuration").

--> With default install of new npcap-0.93.exe version - it still appears.
--> Install with support loopback unchecked - it still appears. Even after a restart.
With "Npcap Loopback Adapter" disabled in Network Connections, it doesn't appear all over, just there.

Trying the uninstall procedure shown above here, there is one "Npcap Loopback Adapter", but inside that it is all Microsoft, version 10.0.14393.0 (rs1_release.160715-1616), \raspptp.sys - is that Npcap?

The only "events" are from 8/8/2016 10:22:33 AM (the Anniversary Update), device configured (netrasa.inf), device started (Pptp Miniport). No sign of all the installs and supposed uninstalls of Npcap since then! Cycling through all the "Details", the only hints of Npcap are the "Display Name" and "Friendly Name".

I'm a bit afraid to uninstall this - it doesn't look to me like Npcap. But how can it have your name? Clues would be very welcome!

LorenAmelang commented Aug 20, 2017

This gets weirder. In Device Manager there are now "Microsoft KM-TEST Loopback Adapter" which is Disabled, and "Npcap Loopback Adapter" which is Enabled. The KM_TEST driver shows Events from today and from old installs of Nmap 7.40 and 7.31. Its Details, like the other version all look to be from Microsoft.

In Control Panel - Network Connections, there is only one entry:
Npcap Loopback Adapter
Disabled
Microsoft KM-TEST Loopback Adapter

Does this make any sense?

MaxFun commented Sep 13, 2017

I have tried all the above but can not get rid of the Loopback Adapter.
Also Npcap 0.91 will not uninstall from windows App & feature remove program.
Can you provide a list of register changes to kill this beast?
I am running windows 10

FollowSteph commented Oct 10, 2018

Just to report I had the same issue as well on Windows 10.

dmiller-nmap commented Oct 12, 2018

This should leave you with a correctly-installed Npcap with no extra Loopback Adapters. When Npcap is upgraded or uninstalled, the Loopback Adapter will be removed as well.

EmpireFall commented May 24, 2019

if attempting to disable or uninstall 'npcap loopback adapter' or if installing any other network related driver onto the system is causing it to bluescreen with the error code 'RQTL_NOT_LESS_OR_EQUAL' on Windows 10, I cannot guarantee this will work but you might want to try the following:-

put the computer into safe mode > right-click the start button (the Windows icon) in the bottom left-hand corner of the screen > click run in the pop-up menu that appears > type in 'msconfig' and hit enter > in the system configuration window, click the 'boot' tab > on the boot tab, in the 'boot options' section, tick 'Safe boot' and select 'minimal' (do NOT select safe mode with 'network' because attempting to remove npcap loopback adapter with that enabled will cause bluescreen) > click 'apply' in the lower right-hand side of the window and the system will then prompt to restart the computer so that the selected settings can take effect (there are many other ways to boot into safe mode, such as holding the power button and forcing the computer to turn off as it is booting up, doing that 3 times in succession will lead into the 'automatic repair' screen where safe mode can be accessed, for further details on how to do that, please look it up via a search engine)

once you have booted into safe mode > right-click the start button (Windows icon) in the lower left-hand corner of the screen > click 'device manager' > in device manager expand 'Network adapters' > right-click 'npcap loopback adapter' and click uninstall driver (if all goes well, it should remove the driver from 'Device Manager' without causing bluescreen) > now, right-click the start button (Windows icon) in the lower left-hand corner of the screen > click 'Settings' in the pop-up menu > click 'Network & Internet' > this should take you directly to the 'Status' menu where at the very bottom you should find 'Network Reset', in the menu that appears click 'reset', a notification window should show up and inform that in 5 minutes the computer will be restarted, the network adapters will then be removed and network settings reset

after booting back into safe mode > right-click the start button (Windows icon) in the lower left-hand side > click 'run' > type in 'msconfig' > when the System Configuration window appears click 'boot' tab > in the 'Boot options' section, untick 'Safe boot' then click apply in the bottom right-hand corner of the window, the computer will prompt the system to restart and this will boot Windows back into the normal operating environment

if you were unable to install any network related drivers before, try doing so again now, to see if bluescreen still occurs, again, I cannot guarantee that this will work, it seems to have helped me get rid of that pesky npcap loopback adapter and allowed me to install network drivers without getting that annoying bluescreen with RQTL_NOT_LESS_OR_EQUAL error code, knowing all too well of the frustration that this causes, I hope that this works

have a nice day

LorenAmelang commented May 24, 2019

Yesterday I added an additional USB Wi-Fi adapter, and re-installed the latest Npcap to work with it. Pretty sure PerfMon was still working after that. But today it shows no net activity and "0 interfaces". In Settings it shows tons of interfaces - all of them virtual miniport or loopback adapters.

After about 40 of them repeating in the dropdown, it gets to:
Software Loopback Interface 1
Software Loopback Interface
Software Loopback Interface
Software Loopback Interfac
Software Loopback Interfa
Software Loopback Interf
Software Loopback Inter
Software Loopback Inte
and so on until the line has only the first 'S'. Never finds my actual Wi-Fi, though I'm obviously using it to type this.

I've uninstalled PerfMon, deleted its registry keys, reinstalled the latest Performance Monitor 4.1.3, and it just keeps doing this. The order of interfaces in the list changed, but the content didn't.

Windows finds a few of the listed interfaces, but not nearly all of them.

Today when I checked in Windows there were 3 Npcap Loopback Adapters, 3, 4, 5, the ones that fill the system log with "no DHCP" errors, and clutter the PerfMon4 adapter list. I eventually deleted them from devmgr.

PS C:\Program Files\Npcap> ./CheckStatus.bat
Npcap Loopback Adapter Ethernet 3
Npcap Loopback Adapter Ethernet 5
Npcap Loopback Adapter Ethernet 4

PS C:\Program Files\Npcap> ./FixInstall.bat
Dot11Support = 0x1
LoopbackSupport = 0x1
WinPcapCompatible = 0x0
NPCAP_DIR = "C:\Program Files\Npcap"

The Npcap Packet Driver (NPCAP) service was stopped successfully.

[SC] ChangeServiceConfig SUCCESS
The Npcap Packet Driver (NPCAP) (Wi-Fi) service is not started.

More help is available by typing NET HELPMSG 3521.

[SC] ChangeServiceConfig SUCCESS
ROOT\NET\0002 : Removed
Npcap Loopback adapter has been successfully uninstalled!
Npcap Loopback adapter has been successfully installed!
[SC] OpenService FAILED 5:

Access is denied.

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

The Npcap Packet Driver (NPCAP) service was started successfully.

The bindings of Npcap driver (with Wi-Fi support) have been successfully restarted!

PS C:\Program Files\Npcap> ./CheckStatus.bat
Npcap Loopback Adapter Ethernet 3
Npcap Loopback Adapter Ethernet 5
Npcap Loopback Adapter Ethernet 4

PS C:\Program Files\Npcap> ncpa.cpl
[Deleted three adapters]

PS C:\Program Files\Npcap> ./CheckStatus.bat
Dot11Support = 0x1
LoopbackSupport = 0x1
WinPcapCompatible = 0x0
NPCAP_DIR = "C:\Program Files\Npcap"

The Npcap Packet Driver (NPCAP) service was stopped successfully.

[SC] ChangeServiceConfig SUCCESS
The Npcap Packet Driver (NPCAP) (Wi-Fi) service is not started.

More help is available by typing NET HELPMSG 3521.

[SC] ChangeServiceConfig SUCCESS
Npcap Loopback adapter has been successfully uninstalled!
Npcap Loopback adapter has been successfully installed!
[SC] OpenService FAILED 5:

Access is denied.

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

The Npcap Packet Driver (NPCAP) service was started successfully.

The bindings of Npcap driver (with Wi-Fi support) have been successfully restarted!
PS C:\Program Files\Npcap>

PerfMon4 is now working! Shows "62 interfaces". The list shows all the previous Npcap Loopback Adapters plus more variations of them, and still shows the final name losing one char from the end until it is just an 'S' - but the display works!

My Surface Book has no ethernet at all, one internal Wi-Fi adapter, and traces of a USB Wi-Fi adapter that has been connected in the past. Why do these "Npcap Loopback Adapter Ethernet 3/4/5/? adapters keep appearing?

If they have some purpose, is there a way to keep them from filling my Windows System log with hundreds of DHCP errors per day?

Any idea why deleting them would make PerfMon4 work again?

snmnrlld commented May 25, 2019

THIS DID WORK FOR ME, THANK YOU!

dmiller-nmap commented Jun 11, 2019

This issue is only relevant to Npcap 0.10. We are locking this issue to avoid confusion. Please open a new issue if Npcap 0.996 or newer is affected.

I am running the latest version of Wireshark under Windows 10 64bit Home Edition
I am getting an Error whenever running the Capture Interface:
Adapter for Loopback Traffic Capture.

Error = The capture session could not be initiated on interface '\Device\NPF_Loopback' (Error opening adapter: A device which does not exist was specified. (433)).
I uninstalled NPCAP, Wireshark and re-installed them with the latest versions.

  • npcap version 0.9987
  • USBPCAP 1.5.3
  • Wireshark version Wireshark-win64-3.2.2

However, I am still getting the same above error.
Under Windows PowerShell, prompt I typed: Get-Service npcap.
Status   Name   DisplayName
Stopped  npcap  Npcap Packet Driver (NPCAP)

I also ran the following steps:
Step 1: Run the command prompt as administrator (right click -> run as administrator)
Step 2: type the following in the cmd: net start npcap
Error = System error 2 has occurred. The system cannot find the file specified.

What ncap file extension is it looking for and which directory should it be located?

The Users' Guide covers the basics of installing and removing Npcap, interactions with WinPcap, frequently asked questions, and how to report bugs.

Because Npcap is a packet capture architecture, not merely a software library, some aspects of installation and configuration may fall to the end user. This Users' Guide covers the basics of installing, configuring, and removing Npcap, as well as how to report bugs.

Installation

The Npcap installer and uninstaller are easy to use in “Graphical Mode” (direct run) and “Silent Mode” (run with /S parameter, available only with Npcap OEM).

Installer options

The installer accepts several command-line options that correspond to the options presented in the graphical interface (GUI). The options can be set by command-line flags taking the form /<name>=<value>.

The values for these options must be one of:

yes: select the option

no: unselect the option

enforced: select the option and make it unchangeable in the GUI

disabled: unselect the option and make it unchangeable in the GUI

Graphical installer options

The following options are presented as checkboxes in the installer, but can be set or locked via command-line flags. Unless otherwise noted, the default for these options is no.

Legacy loopback support for Nmap 7.80 and older. Not needed for Wireshark. Older versions of Npcap required a Microsoft KM-TEST loopback adapter to be installed in order to capture and inject loopback traffic. This is no longer needed, but some software won't be able to do loopback injection unless the adapter is installed. Use this option to install the legacy loopback adapter if needed.

Restrict Npcap driver's access to Administrators only. When this option is chosen, the devices created by the Npcap driver for capture and injection on each network adapter will be created with a restrictive ACL that only allows access to the device by the SYSTEM and built-in Administrators. Because this level of access requires UAC elevation, a helper binary, NpcapHelper.exe, is used to request elevation for each process that opens a capture handle.

Support raw 802.11 traffic (and monitor mode) for wireless adapters. This option installs a second Lightweight Filter Driver that uses the Native WiFi API to capture raw 802.11 WiFi frames on devices that are put into network monitor mode. Captured frames are given a Radiotap header. Not all hardware or network drivers support the Native WiFi API.

Install Npcap in WinPcap API-compatible Mode. The default for this option is yes in Npcap 0.9985 and later. Npcap's DLLs have always been installed into a separate Npcap subdirectory of the system directory to avoid conflicting with existing WinPcap installations. This option also installs the DLLs to the system directory, replacing WinPcap. Any existing WinPcap installation will be removed.

Install older driver. Microsoft continues to tighten their policy on what types of certificates and authorities may sign drivers. In cases where the current driver may not strictly meet these requirements, the /prior_driver option may be used to install the last version of the driver that meets these requirements. In cases where no such driver exists, this option is ignored.

Command-line installation options

Some advanced or deprecated options are only available on the command-line. Options marked (deprecated) are subject to removal in future versions.

Installs Npcap without showing any graphical windows or prompts. Silent install is available only for Npcap OEM.

The default for this option is yes, so the installer will not set a system restore point. Windows may still create a restore point on its own because of the driver installation, regardless of this option. To ensure a restore point is made, specify /disable_restore_point=no.

Control termination of processes using Npcap during upgrades or WinPcap when /winpcap_mode=yes is chosen. See the section called “Uninstaller options” for more detailed discussion.

Uninstall and replace an existing Npcap installation even if it is newer than this version of the installer. By default, the Npcap installer will not remove and replace a version of Npcap that is newer than its own. In GUI mode, this hides the message box asking the user how to proceed.

Uninstall and replace an existing Npcap installation of any version if it does not provide the same features as the other command-line options specify. Features are the /winpcap_mode, /dot11_support, /loopback_support, and /admin_only options.

Uninstall and replace an existing Npcap installation regardless of version or whether the installation would be modified. By default, the Npcap installer will not remove and replace a Npcap installation of the same version unless the install options would be modified. In GUI mode, this hides the message box asking the user how to proceed.

/D (destination directory)

The destination directory for installation can be overridden by the /D option, with a few restrictions. First, it will only affect where Npcap keeps its installation logs and helper utilities. The driver and DLLs will always be installed into the appropriate directories below %SYSTEMROOT%\System32\. Second, the /D must be the last option in the command, and the path must not contain quotes. For example, to change the installation directory to C:\Path With Spaces\, the invocation would be: npcap-<version>.exe /D=C:\Path With Spaces

Automatically start the Npcap driver at boot time. This option defaults to yes, because Windows expects NDIS filter drivers to be available at boot time. If you choose to disable this, Windows may not start networking for up to 90 seconds after boot.

/vlan_support (deprecated, ignored)

Support 802.1Q VLAN tag when capturing and sending data (currently unsupported). This feature was disabled in 2016 to prevent a crash and has not been re-enabled.

Uninstaller options

The uninstaller provided with Npcap also accepts some command-line options.

Uninstalls Npcap without showing any graphical windows or prompts. Silent uninstall is available in all editions of Npcap, not just Npcap OEM. If Npcap OEM installer in silent mode needs to uninstall an older Npcap installation, it passes the /S option to the existing uninstaller.

/Q (Quick uninstall)

Skips the confirmation page and finish page in the uninstall wizard. This option does not have any meaning for silent uninstalls.

/no_kill = <yes|no> (do not kill processes)

Controls how the uninstaller handles processes that are still using Npcap at the time of uninstall. The default value is no, which allows the uninstaller to terminate processes that would block Npcap from being uninstalled. If /no_kill=yes is specified, then Npcap uninstaller will fail if there are still applications using Npcap driver or DLLs.

In the default case, /no_kill=no, the graphical uninstaller will give the user the choice to manually close the offending programs, have the uninstaller terminate them, or abort the uninstallation. In silent mode, Npcap uninstaller will immediately terminate any command-line processes that are using Npcap (like a Nmap process that is still scanning), and wait for at most 15 seconds to gracefully terminate any GUI processes that are using Npcap (like Wireshark UI that is still capturing). “Gracefully” means that if you are still capturing via Wireshark, Wireshark UI will prompt the user about whether to save the current capture before closing. The user will have 15 seconds to save his session. Note: although Npcap uninstaller won't terminate Wireshark UI processes immediately, the live capture stops immediately. This is because Wireshark UI uses command-line processes named dumpcap.exe to capture, and that command-line process will be terminated immediately.

If this option is provided on the installer command line, it will be passed to the Npcap uninstaller when doing an upgrade or replacement.
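An unattended removal that never terminates a running capture or scan, shown as an added example (not part of the Npcap guide or its tooling). The uninstaller path and the wpcap.dll module name are assumptions, and the function names are hypothetical; /S, /no_kill=yes, Packet.dll and the npcap service name come from the text above.

```powershell
# Added example. Values marked "assumed" do not come from the guide.
# Run from an elevated PowerShell prompt.
$Uninstaller = Join-Path $env:ProgramFiles 'Npcap\Uninstall.exe'  # assumed default path
$NpcapDlls   = 'Packet.dll', 'wpcap.dll'                          # wpcap.dll is assumed

function Get-NpcapUser {
    # Best-effort list of processes with an Npcap DLL loaded.
    # Processes whose module list cannot be read are skipped.
    foreach ($proc in Get-Process) {
        try   { $mods = @($proc.Modules | Where-Object { $NpcapDlls -contains $_.ModuleName }) }
        catch { continue }
        if ($mods.Count -gt 0) {
            [pscustomobject]@{
                Id   = $proc.Id
                Name = $proc.ProcessName
                Dll  = ($mods.ModuleName | Sort-Object -Unique) -join ', '
            }
        }
    }
}

function Uninstall-NpcapSafely {
    $users = @(Get-NpcapUser)
    if ($users.Count -gt 0) {
        Write-Warning ($users | Format-Table -AutoSize | Out-String)
        throw 'Npcap is in use. Stop these captures or scans, then rerun.'
    }
    if (-not (Test-Path $Uninstaller)) { throw "Uninstaller not found: $Uninstaller" }

    # /S: silent. /no_kill=yes: fail instead of terminating anything that
    # started using Npcap after the check above.
    $p = Start-Process -FilePath $Uninstaller -ArgumentList '/S', '/no_kill=yes' -Wait -PassThru

    # Confirm the outcome from system state rather than from the exit code alone.
    if (Get-Service -Name npcap -ErrorAction SilentlyContinue) {
        throw "Npcap driver service still present (uninstaller exit code $($p.ExitCode))."
    }
    'Npcap removed without terminating any process.'
}

Uninstall-NpcapSafely
```

The process listing is only a pre-check; the /no_kill=yes switch is what actually keeps the silent uninstaller from terminating a sensor, scan or capture that is still running.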

Disabled and enforced options for GUI Mode

We may disable or enforce certain options in the installer GUI to make them unselectable. This usually means that those options can easily cause compatibility issues and are considered not suitable for most users, or we think we need to enforce some rules for the Npcap API. Advanced users can still change their states via command-line parameters, which are described in the following sections.

Fortunately, a distributor who wants to start the Npcap installer GUI with certain options disabled or enforced, for reasons like compatibility, can also use the four-value mechanism by setting the command-line parameters to disabled or enforced. For example, the following command will start an installer GUI with the loopback_support option disabled and unselected:

npcap-<version>.exe /loopback_support=disabled

Windows platforms supported

Npcap supports all Windows versions currently supported by Microsoft. Depending on Windows version, the driver may support a different NDIS version, which corresponds to a set of network stack features.

On Windows 10, Windows Server 2016, and Windows Server 2019, Npcap installs a NDIS 6.50 driver.

On Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012, Npcap installs a NDIS 6.30 driver.

On Windows 7 and Windows Server 2008 R2, Npcap installs a NDIS 6.20 driver.

Microsoft will end Extended support for Windows versions prior to Windows 10 on January 10, 2023. After that time, new Npcap releases may omit support for these operating systems.

Npcap can be installed on x86, x86-64, and ARM64. DLLs for the native architecture will be installed, as well as x86 DLLs for applications running in 32-bit emulation.

How to use Wireshark to capture raw 802.11 traffic in “Monitor Mode”

Install the latest version of Wireshark and the latest version of Npcap with the Support raw 802.11 traffic option checked.

Launch the Wireshark QT UI (the GTK version is similar) and go to “Capture options”. Then toggle the checkbox in the “Monitor Mode” column of your wireless adapter's row. Click the “Start” button. If you see a horizontal line instead of the checkbox, then it probably means that your adapter doesn't support monitor mode. You can use the WlanHelper tool to double-check this fact.

To decrypt encrypted 802.11 data packets, you need to specify the decipher key in Wireshark, otherwise you will only see 802.11 data packets.

Stop the capture in the Wireshark UI when you finish capturing; the monitor mode will be turned off automatically by Npcap.

Installation fails with error code 0x8004a029: The cause is that you have “reached the maximum number of network filter drivers”, see solution here.

Npcap Loopback Adapter is missing (legacy loopback support): The legacy Npcap Loopback Adapter is actually a wrapper of Microsoft Loopback Adapter. Such adapters won't show up in Wireshark if the Basic Filtering Engine (BFE) service is not running. To fix this issue, you should start this service at services.msc manually and restart the Npcap service by running net stop npcap and net start npcap. See details about this issue here.

Reporting Bugs

Please report any bugs or issues about Npcap on the Nmap Project's Issues tracker. In your report, please provide your DiagReport output, user software version (e.g. Nmap, Wireshark), steps to reproduce the problem, and other information you think necessary. If your issue occurs only on a particular OS version (e.g. Win10 1511, 1607), please mention it in the report.

Diagnostic report

Npcap provides a diagnostic utility called DiagReport. It provides a lot of information including OS metadata, Npcap related files, install options, registry values, services, etc. You can simply click the C:\Program Files\Npcap\DiagReport.bat file to run DiagReport. It will pop up a text report via Notepad (it's stored in: C:\Program Files\Npcap\DiagReport.txt). Please always submit it to us if you encounter any issues.

General installation log

Npcap keeps track of the installation in a log file: C:\Program Files\Npcap\install.log. Please submit it together with your report if you encounter issues during the installation (e.g. the installer halts).

Driver installation log

Npcap keeps track of the driver installation (aka commands run by NPFInstall.exe) in a log file: C:\Program Files\Npcap\NPFInstall.log. Please submit it together with your report if you encounter issues during the driver installation or problems with the “Npcap Loopback Adapter”.

There's another system-provided driver installation log in: C:\Windows\INF\setupapi.dev.log. If you encounter errors during the driver/service installation, please copy the Npcap-related lines out and send them together with your report.

Dynamic link library (DLL) log

For problems with Npcap's regular operation, you may need to obtain a debug log from Packet.dll. To do this, you will need a debug build of Npcap. If you are an Npcap developer, you can build the Packet.sln project with the _DEBUG_TO_FILE macro defined. If you are an end user, you can contact the Npcap development team for the latest Npcap debug build. The debugging process will continue to append to the debug log (C:\Program Files\Npcap\Packet.log), so you may want to delete it after an amount of time, or save your output to another place before it gets too large.

Driver log

If there is an issue with the Npcap driver, you can open an Administrator command prompt, enter sc query npcap to query the driver status and net start npcap to start the driver (replace npcap with npf if you installed Npcap in “WinPcap Compatible Mode”). The command output will inform you whether there's an error. If the driver is running well, but the issue still exists, then you may need to check the driver's log. Normal Npcap releases don't switch on the driver log function, for performance reasons. Contact the Npcap development team to obtain a driver-debug version of the Npcap installer. When you have an appropriate driver-debug version of Npcap, you need to use DbgView to read the Windows kernel log (which contains our driver log). You may need to turn on DbgView before installing Npcap, if the error occurs when the driver loads. When done, save the DbgView output to a file and submit it in your report.
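The log collection described in the sections above, gathered into one bundle, shown as an added example (not part of the Npcap guide or DiagReport). The bundle location, output file names and function name are hypothetical, and the extractor assumes that each section of setupapi.dev.log opens with a line beginning ">>>  [".

```powershell
# Added example. Run from an elevated PowerShell prompt.
function Get-NpcapSetupApiSection {
    # Returns every whole setupapi.dev.log section in which any line matches $Pattern.
    # Assumption: each section is opened by a line starting with ">>>  [".
    param([string[]]$Lines, [string]$Pattern = 'npcap')
    $section = New-Object 'System.Collections.Generic.List[string]'
    $keep    = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in @($Lines) + '>>>  [sentinel]') {   # sentinel flushes the last section
        if ($line -match '^>>>\s+\[') {
            if (@($section -match $Pattern).Count -gt 0) { $keep.AddRange($section) }
            $section.Clear()
        }
        $section.Add($line)
    }
    $keep
}

$npcapDir = 'C:\Program Files\Npcap'                     # path used in the guide
$bundle   = Join-Path $env:TEMP ('npcap-report-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $bundle | Out-Null

# Log files named in the guide; Packet.log exists only with a debug build.
foreach ($name in 'DiagReport.txt', 'install.log', 'NPFInstall.log', 'Packet.log') {
    $src = Join-Path $npcapDir $name
    if (Test-Path $src) { Copy-Item $src $bundle }
}

$setupApi = 'C:\Windows\INF\setupapi.dev.log'
if (Test-Path $setupApi) {
    Get-NpcapSetupApiSection -Lines (Get-Content $setupApi) |
        Set-Content (Join-Path $bundle 'setupapi-npcap.log')
}

# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
sc.exe query npcap | Out-File (Join-Path $bundle 'services.txt')
sc.exe query BFE   | Out-File (Join-Path $bundle 'services.txt') -Append

Compress-Archive -Path (Join-Path $bundle '*') -DestinationPath "$bundle.zip"
"Report bundle written to $bundle.zip"
```

The DiagReport output includes OS metadata and registry values, so read through the bundle before attaching it to a public issue.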
