nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap generates obsolete BPFs? #398

Closed Peterdoo closed 3 years ago

Peterdoo commented 6 years ago

I have installed Npcap 0.96 under Windows. Wireshark uses Npcap's packet.dll located in \Windows\System32\Npcap.

When using capture filter icmp6, Wireshark gets an obsolete version of BPF which drops some IPv6 packets. This has been corrected in libpcap about 6 years ago: https://github.com/the-tcpdump-group/libpcap/commit/58275c05a5cf9c3512bcbb1192ff351d32ccccbd

Is Npcap really based on an 8-year-old version of libpcap without all the patches that have been included in the meantime? Wireshark displays: "(packet.dll version 0.96), based on libpcap version 1.0 branch 1_0_rel0b (20091008)".

hsluoyz commented 6 years ago

Npcap uses the latest libpcap 1.8.0+. It seems that you were mixing WinPcap's wpcap.dll with Npcap's packet.dll. I recommend that you uninstall any versions of WinPcap (and its \Windows\System32\wpcap.dll) and try again.

Peterdoo commented 6 years ago

Sorry for the confusion. I had already uninstalled WinPcap 4.1.3 using its uninstaller. Obviously it only removed npf.sys from the registry, so it was not started anymore. However, the files C:\windows\System32\packet.dll, C:\windows\System32\wpcap.dll and C:\windows\System32\drivers\npf.sys were still there. In such a case it seems that Wireshark uses these WinPcap DLLs, which obviously can access npcap.sys somehow to capture. The user thinks that Npcap is being used, which is not really true.

After removing the three files, Npcap works correctly as expected, generating an updated version of BPF.

Maybe it would be a good idea if the Npcap installer checked whether any of the three WinPcap files are still there and warned, or even offered to remove them, before the installation of Npcap.
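A check an administrator can run for the leftover files described in this thread, as an added example (PowerShell; not Npcap project code). It assumes the Npcap copies live in System32\Npcap as mentioned above, and that the driver services are registered as npf (WinPcap) and npcap (Npcap); adjust those names if your install differs.

```powershell
# Added example, not part of the Npcap project: report WinPcap leftovers in
# System32 that tools may pick up instead of Npcap, per the issue above.
# Assumptions: Npcap's own copies sit in System32\Npcap; driver services are
# named "npf" (WinPcap) and "npcap" (Npcap).
$sys32 = Join-Path $env:SystemRoot 'System32'

# The three WinPcap files named in the issue.
$winpcapFiles = @(
    (Join-Path $sys32 'packet.dll'),
    (Join-Path $sys32 'wpcap.dll'),
    (Join-Path $sys32 'drivers\npf.sys')
)
# Npcap's counterparts (assumed location from this thread).
$npcapFiles = @(
    (Join-Path $sys32 'Npcap\packet.dll'),
    (Join-Path $sys32 'Npcap\wpcap.dll')
)

function Get-CaptureLibraryState {
    # Emit one record per path with presence and embedded version metadata,
    # so stale WinPcap binaries can be told apart from Npcap's by ProductName.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $info = (Get-Item -LiteralPath $p).VersionInfo
            [pscustomobject]@{
                Path = $p; Present = $true
                FileVersion = $info.FileVersion; Product = $info.ProductName
            }
        } else {
            [pscustomobject]@{ Path = $p; Present = $false; FileVersion = $null; Product = $null }
        }
    }
}

Write-Host '== WinPcap files in System32 (leftovers after an uninstall) =='
Get-CaptureLibraryState -Paths $winpcapFiles | Format-Table -AutoSize
Write-Host '== Npcap files in System32\Npcap =='
Get-CaptureLibraryState -Paths $npcapFiles | Format-Table -AutoSize

# Driver services (assumed names): a registered npf alongside npcap is a sign
# of an incomplete WinPcap removal.
foreach ($svc in 'npf', 'npcap') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { Write-Host ("service {0}: {1}" -f $svc, $s.Status) }
    else    { Write-Host ("service {0}: not registered" -f $svc) }
}

if (Get-CaptureLibraryState -Paths $winpcapFiles | Where-Object Present) {
    Write-Warning 'Stale WinPcap files found; tools may load them instead of Npcap.'
}
```

Run it from an elevated prompt if System32 listing is restricted; the Product column shows which vendor built each DLL, which is what the reported libpcap version string in Wireshark reflects.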

cldrn commented 6 years ago

I agree that this would be a good check for the installer. I've been told by people about issues that I suspect could have been caused by old remnant files.

dmiller-nmap commented 6 years ago

Npcap installers since 0.97 will detect WinPcap via the System32\wpcap.dll file and default to installing in WinPcap API-compatible mode, which uninstalls and overwrites any old installations. You will still get this problematic behavior if you do not install in WinPcap mode, but we don't want to go deleting files that don't belong to us. As a side effect, installing in WinPcap mode and then reinstalling without it will also clear out any problem files.