the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

Clarification of using npcap vs. libpcap when using MinGW/MSYS #1377

Open eabase opened 4 days ago

eabase commented 4 days ago

I'm using Cygwin and MinGW64/MSYS for compiling a ping-like app, which depends on libpcap.

But I am confused whether I have to use this repo, or the Windows specific npcap one from here:

https://github.com/nmap/npcap

Which one should I use? What are the differences?

Would be great if you could update your README with this as well.

guyharris commented 3 days ago

> Which one should I use?

You will need Npcap.

This project provides source code to a library that uses various mechanisms to perform packet capture and injection ("injection" because if the app is ping-like, it needs to inject packets, not just capture them.)

It does not provide binary packages.

On various UN*Xes, those mechanisms are provided by the operating system; there are several different mechanisms, and libpcap provides a common API, so that programs can work on multiple UN*X platforms without having to have their own code to use those mechanisms.

The providers of those operating systems usually provide their own binary packages for libpcap, as part of the operating system. In the past, they didn't, and people would have to download the source code and compile it in order to use it.

Windows, however, does not have a packet capture mechanism of the sort that UN*Xes have, so a group at the Politecnico di Torino wrote a driver that hooks into the Windows networking stack, and a library that uses that driver, and then added code to libpcap that uses that library. They released that as WinPcap.

However, WinPcap development and support largely stopped; @hsluoyz took the code, wrote a new driver for newer versions of Windows, updated the libpcap code to the current version of libpcap, and that became Npcap.

Npcap is now actively being developed and supported, primarily by @dmiller-nmap. The libpcap code they use is kept up-to-date with the released version of libpcap.

It is possible to take Npcap's driver and library, install its SDK, and compile libpcap from this repository. The only reason to do so would be if either 1) you wanted to use code that hasn't been released yet, to get a bug fix or feature (note that features that are in the main branch but not in any release are subject to changes, including incompatible changes), or 2) you want to make your own modifications to libpcap.

What you need to do is:

  1. install Npcap using its installer - that's at https://npcap.com, not in the Npcap repository (install it with WinPcap API compatibility checked in the installer check box);
  2. install the Npcap SDK, which is also at https://npcap.com;
  3. build the app using the headers and import library from the Npcap SDK.

See the Npcap Developer's Guide for more information.

infrastation commented 3 days ago

In case it helps, at least some implementations of ping do the job using two layer 3 sockets, which may be possible on Windows, in which case you would not have to capture packets:

```c
int ssend = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* raw ICMP socket for sending echo requests */
int srecv = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);  /* raw ICMP socket for receiving echo replies */
```
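Both answers above lead to the same requirement for a ping-like app: the program has to build an ICMP echo request itself and hand it either to `pcap_inject()` on top of Npcap or to a raw `IPPROTO_ICMP` socket. The block below is an added example, not code from libpcap, Npcap or either commenter, showing the part that is identical on both paths: serialising the ICMP echo header, computing the RFC 1071 checksum, and verifying it on a received reply. The function and constant names are my own; it uses only the C standard library so it compiles on MinGW, Cygwin or any UN*X, and it deliberately stays clear of the Npcap SDK and the socket API.

```c
/* Added example (not from libpcap, Npcap or the thread): build and verify an
 * ICMPv4 echo request, the packet a ping-like app sends. Layout, all in
 * network byte order:
 *   type(1) code(1) checksum(2) identifier(2) sequence(2) payload(n)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_ECHO_REQUEST 8   /* ICMP type for echo request (RFC 792) */

/* RFC 1071 Internet checksum: ones' complement of the ones' complement sum
 * of the 16-bit big-endian words, computed directly over raw bytes so the
 * result does not depend on host byte order. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                          /* odd trailing byte, padded with zero */
        sum += (uint32_t)(data[len - 1] << 8);
    while (sum >> 16)                     /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Serialize an ICMP echo request into out. Returns the packet length, or 0
 * if out is too small to hold the 8-byte header plus the payload. */
size_t build_icmp_echo(uint8_t *out, size_t out_len,
                       uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t payload_len)
{
    size_t pkt_len = 8 + payload_len;
    uint16_t csum;
    if (out_len < pkt_len)
        return 0;
    out[0] = ICMP_ECHO_REQUEST;
    out[1] = 0;                           /* code is always 0 for echo */
    out[2] = out[3] = 0;                  /* checksum field is zero while summing */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    memcpy(out + 8, payload, payload_len);
    csum = inet_checksum(out, pkt_len);
    out[2] = (uint8_t)(csum >> 8);
    out[3] = (uint8_t)csum;
    return pkt_len;
}

/* Receive-side check: over a well-formed ICMP message, checksum field
 * included, the ones' complement sum is 0xFFFF, so inet_checksum() returns 0. */
int icmp_checksum_ok(const uint8_t *pkt, size_t len)
{
    return len >= 8 && inet_checksum(pkt, len) == 0;
}

/* Self-check: build a fixed request (id 0x1234, seq 1, payload "abcd") and
 * return its checksum field, or 0xFFFFFFFF if building or verifying fails. */
uint32_t demo_echo_checksum(void)
{
    uint8_t buf[64];
    const uint8_t payload[4] = { 'a', 'b', 'c', 'd' };
    size_t n = build_icmp_echo(buf, sizeof buf, 0x1234, 1, payload, 4);
    if (n != 12 || !icmp_checksum_ok(buf, n))
        return 0xFFFFFFFFu;
    return ((uint32_t)buf[2] << 8) | buf[3];
}

/* Self-check: a single flipped payload bit must make verification fail.
 * Returns 1 when the corruption is detected, 0 otherwise. */
int demo_corruption_detected(void)
{
    uint8_t buf[64];
    const uint8_t payload[4] = { 'a', 'b', 'c', 'd' };
    size_t n = build_icmp_echo(buf, sizeof buf, 0x1234, 1, payload, 4);
    if (n == 0 || !icmp_checksum_ok(buf, n))
        return 0;
    buf[8] ^= 0x01;                       /* simulate one bit damaged in transit */
    return icmp_checksum_ok(buf, n) == 0;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t payload[4] = { 'a', 'b', 'c', 'd' };
    size_t n = build_icmp_echo(buf, sizeof buf, 0x1234, 1, payload, 4), i;
    for (i = 0; i < n; i++)
        printf("%02x%c", buf[i], i + 1 == n ? '\n' : ' ');
    printf("checksum ok: %d, corruption detected: %d\n",
           icmp_checksum_ok(buf, n), demo_corruption_detected());
    return 0;
}
```

With the raw `IPPROTO_ICMP` socket from the comment above, the buffer returned by `build_icmp_echo()` is exactly what goes to `sendto()`; the kernel prepends the IPv4 header. With `pcap_inject()` the caller is writing link-layer frames, so Ethernet and IPv4 headers (the latter with its own checksum) have to be prepended first. `icmp_checksum_ok()` is the receive-side half: a ping-like tool should discard replies that fail it rather than parse their fields.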