nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Time to drop WinPcap support and have NPCAP dlls in C:\WINDOWS\system32\ #754

Open AndersBroman opened 1 month ago

AndersBroman commented 1 month ago

Hi, I recently stumbled across https://github.com/the-tcpdump-group/libpcap/issues/1368
At the very least I think it's time to have NPCAP as the default in the dll path and possibly get rid of all code related to WinPcap, AirPcap and TurboPcap. WinPcap has not been supported for many years, AirPcap HW is no longer manufactured and I'm not sure how useful it would be with modern WiFi standards. I would guess turbopcap is outdated by now as well... So getting rid of all that outdated code would make sense I think.

guyharris commented 1 month ago

The only WinPcap-related code in Npcap is, as far as I know, the installation of Npcap's wpcap.dll and packet.dll in C:\Windows\System32\Npcap, with an on-by-default option to install them in C:\Windows\System32 as well. Presumably the choice not to install them there is offered in case some old program built with WinPcap is installed and might break if run with Npcap's versions.

The old AirPcap support in packet.dll is still in Npcap, in addition to the pcap-airpcap.c file in libpcap (which I did test, ages ago, with an AirPcap NX adapter, on one of my Windows VMs).

It appears that the TurboCap code in libpcap came from WinPcap, and was implemented as a pcap-tc.c module; I pulled that into libpcap back in 2015. So that one's a libpcap issue, not an Npcap issue, unless Npcap needs to offer it. The hardware was EOLed over 10 years ago, and the last software release was over 14 years ago.

guyharris commented 1 month ago

And AirPcap hardware was EOLed almost 7 years ago; the last software release was over 10 years ago.

ikeriri commented 1 month ago

I am one of the big resellers of both AirPcap/Turbocap in those days. I miss both, but there are many commercial and open source alternatives such as PF_RING and TamoSoft, Ekahau drivers...

dmiller-nmap commented 3 weeks ago

Npcap defaults to installing its DLLs into %SYSTEMROOT%\System32 (a.k.a. "WinPcap API-compatible mode"), uninstalling WinPcap if it is found already installed. The only situations where this is not done are:

  1. If the user chooses to disable this option by deselecting the WinPcap API-compatible mode checkbox or setting /winpcap_mode=no on the command-line.
  2. If the user has installed Win10Pcap, since we did not have a reasonable way to uninstall that product which places conflicting DLLs.

Note that since Npcap 0.9986, Nmap will install into System32 even if a previous Npcap install did not, making /winpcap_mode=no the only installation option that is not preserved on reinstall or upgrade.

dmiller-nmap commented 3 weeks ago

The remaining changes that could be made to address this issue are:

  1. Rename or remove the option in the installer. We could hide the selection unless WinPcap is detected, in which case the option would be "Replace existing WinPcap installation."
  2. Add uninstall code for Win10Pcap and handle it the same as we do WinPcap currently, since neither of these products are being maintained.

If we renamed the option, we would likely not change the command-line option name, so that existing deployment scripts would not need to be updated.

AndersBroman commented 3 weeks ago

I'm almost sure I did a default installation of Wireshark and ended up with the dlls in %SYSTEMROOT%\System32\npcap\

guyharris commented 3 weeks ago

> I'm almost sure I did a default installation of Wireshark and ended up with the dlls in %SYSTEMROOT%\System32\npcap\

A copy of the DLLs is always installed in %SYSTEMROOT%\System32\npcap. The option controls whether another copy is installed in %SYSTEMROOT%\System32\
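The two install locations described above can be compared directly. This is an added example, not part of the original thread or the Npcap project's own tooling; the function name `Get-PcapDllLayout` is hypothetical, and reading matching hashes as "the System32 copy is Npcap's" assumes the installer places byte-identical copies in both directories.

```powershell
# Added example (not from the Npcap project): compare the always-installed
# copy in System32\Npcap with the optional copy in System32.
# Run from a 64-bit PowerShell; a 32-bit process has System32 redirected to SysWOW64.
function Get-PcapDllLayout {
    param([string]$SystemRoot = $env:SystemRoot)

    $sys32    = Join-Path $SystemRoot 'System32'
    $npcapDir = Join-Path $sys32 'Npcap'

    foreach ($name in 'wpcap.dll', 'Packet.dll') {
        $npcapCopy = Join-Path $npcapDir $name
        $sys32Copy = Join-Path $sys32 $name
        $npcapHash = $null; $sys32Hash = $null
        $version = $null; $sigStatus = $null; $signer = $null

        if (Test-Path -LiteralPath $npcapCopy -PathType Leaf) {
            $npcapHash = (Get-FileHash -LiteralPath $npcapCopy -Algorithm SHA256).Hash
        }
        if (Test-Path -LiteralPath $sys32Copy -PathType Leaf) {
            $sys32Hash = (Get-FileHash -LiteralPath $sys32Copy -Algorithm SHA256).Hash
            $version   = (Get-Item -LiteralPath $sys32Copy).VersionInfo.FileVersion
            $sig       = Get-AuthenticodeSignature -LiteralPath $sys32Copy
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Interpretation (assumption: both Npcap copies are byte-identical).
        $finding = if (-not $sys32Hash) {
            'No copy in System32: software that loads from System32 only will not find it'
        } elseif (-not $npcapHash) {
            'Copy in System32 but none in System32\Npcap: not installed by Npcap'
        } elseif ($sys32Hash -eq $npcapHash) {
            'System32 copy matches the Npcap copy'
        } else {
            'System32 copy differs from the Npcap copy: other provider or stale version'
        }

        [pscustomobject]@{
            Dll             = $name
            InNpcapDir      = [bool]$npcapHash
            InSystem32      = [bool]$sys32Hash
            System32Version = $version
            SignatureStatus = $sigStatus
            Signer          = $signer
            Finding         = $finding
        }
    }
}

Get-PcapDllLayout | Format-List
```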

AndersBroman commented 3 weeks ago

```
C:\Windows\System32>dir wpcap*
 Volume in drive C is Windows
 Volume Serial Number is D2D9-B628

 Directory of C:\Windows\System32

2024-05-27  17:09           344 064 WpcApi.dll
               1 File(s)        344 064 bytes
               0 Dir(s)  181 737 840 640 bytes free

C:\Windows\System32>cd Npcap

C:\Windows\System32\Npcap>dir
 Volume in drive C is Windows
 Volume Serial Number is D2D9-B628

 Directory of C:\Windows\System32\Npcap

2024-09-24  18:23    <DIR>          .
2024-10-14  22:23    <DIR>          ..
2024-01-18  23:15           156 544 NpcapHelper.exe
2024-01-18  23:14           220 032 Packet.dll
2024-01-18  23:15           266 624 WlanHelper.exe
2024-01-18  23:15           491 392 wpcap.dll
               4 File(s)      1 134 592 bytes
               2 Dir(s)  181 667 393 536 bytes free
```

dmiller-nmap commented 3 weeks ago

@AndersBroman Please provide the output of DiagReport and your installation logs as described in the Npcap Guide. This will show what installation options were used and what files are present or missing in your installation.

AndersBroman commented 3 weeks ago

install.log NPFInstall.log

AndersBroman commented 3 weeks ago

DiagReport-20241021-203230.txt