Posted on Leave a comment

Wireshark 3.0.0 and Npcap, (Mon, Mar 11th)

Starting with version 3.0.0, the Wireshark for Windows installation programs are distributed with Npcap in stead of WinPcap. Prior Wireshark Windows versions already supported Npcap, but the installer still came bundled with WinPcap.

Npcap is a library for packet capturing and sending on Windows, developed by the Nmap project, and is actively maintained, while WinPcap is no longer actively maintained (unless WinPcap’s community steps in).

If you have a prior version of Wireshark installed on Windows (like 2.6.7), and you perform an upgrade to 3.0.0, Npcap will be installed by default:

One feature offered by Npcap and lacking in WinPcap, is capturing traffic on the loopback adapter:

Wireshark with WinPcap:

Wireshark with Npcap:

You can also sniff WiFi if your driver supports it.

If you have WinPcap installed, and Npcap is installed with default options, then WinPcap remains installed:

WinPcap and Npcap can coexist. Unless you choose to have the Npcap installer install a WinPcap API compatible DLL. Then WinPcap will be uninstalled.

This WinPcap API compatible DLL allows other applications, depending on WinPcap and without support for Npcap, to run with Npcap only installed.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

What are your thoughts?