@Sven: you need something called - Inverted Call Model
The Inverted Call Model in KMDF - OSR



 

    On Thursday, February 4, 2016 12:49 PM, Sven Kerschbaum <[email protected]> 
wrote:
 

 @Yang: It is not possible to get notifications of media state changes by the 
API which you proposed in your previous post. It provides only notifications 
about IP table changes.

On 04.02.2016 16:31, "Sven Kerschbaum" <[email protected]> wrote:

Hi Yang,
thanks for providing me the detailed information about Npcap. I will 
definitely have a look at it and try it.
Cheers,
SK

2016-02-04 13:04 GMT+01:00 食肉大灰兔V5 <[email protected]>:

Hi Sven,
Npcap (https://github.com/nmap/npcap) has better performance because of NDIS 6. 
It also has several new features:
   
   - NDIS 6 Support: Npcap makes use of the new LWF driver in Windows Vista and 
later (the legacy driver is used on XP). It's faster than the legacy NDIS 5 
Intermediate technique. One reason is that the packet data structure has changed 
(from NDIS_PACKET to NET_BUFFER_LIST) since Vista and NDIS 5 needs to handle 
extra packet structure conversion.
   - "Admin-only Mode" Support: Npcap supports restricting its use to 
Administrators for safety purposes. If Npcap is installed with the option 
Restrict Npcap driver's access to Administrators only checked, when a non-Admin 
user tries to start user software (Nmap, Wireshark, etc.), the User Account 
Control (UAC) dialog will prompt asking for Administrator privilege. Only when 
the end user chooses Yes can the driver be accessed. This is similar to UNIX 
where you need root access to capture packets.
   - "WinPcap Compatible Mode" Support: "WinPcap Compatible Mode" is used to 
decide whether Npcap should coexist with WinPcap or be compatible with WinPcap. 
With "WinPcap Compatible Mode" OFF, Npcap can coexist with WinPcap and share 
the DLL binary interface with WinPcap. So the applications unaware of Npcap 
SHOULD be able to use Npcap automatically if WinPcap is unavailable. The 
applications that know of Npcap's existence can choose to use Npcap or WinPcap 
first. The key to which is loaded first is the DLL Search Path. With "WinPcap 
Compatible Mode" OFF, Npcap installs its DLLs into C:\Windows\System32\Npcap\ 
instead of WinPcap's C:\Windows\System32\. So applications that want to load 
Npcap first must make C:\Windows\System32\Npcap\ precede other paths in 
ways such as calling SetDllDirectory, etc. Another point is that Npcap uses the 
service name npcap instead of WinPcap's npf with "WinPcap Compatible Mode" OFF. 
So applications using net start npf for starting the service must use net start 
npcap instead. If you want 100% compatibility with WinPcap, you should install 
Npcap choosing "WinPcap Compatible Mode" (Install Npcap in WinPcap 
API-compatible Mode). In this mode, Npcap will install its DLLs in WinPcap's 
C:\Windows\System32\ and use the npf service name. It's notable that before 
installing in this mode, you must uninstall WinPcap first (the installer wizard 
will prompt you to do that).
   - Loopback Packets Capture Support: Now Npcap is able to see Windows 
loopback packets using the Windows Filtering Platform (WFP) technique. After 
installation, Npcap will create an adapter named Npcap Loopback Adapter for 
you. If you are a Wireshark user, choose this adapter to capture, and you will 
see all loopback traffic the same way as on other non-loopback adapters. Try it 
by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
   - Loopback Packets Send Support: Besides loopback packet capturing, Npcap 
can also send out loopback packets based on the Winsock Kernel (WSK) technique. 
User software (e.g. Nmap) can just send packets out using Npcap Loopback 
Adapter like other adapters. Npcap Loopback Adapter will automatically remove 
the packet's Ethernet header and inject the payload into the Windows TCP/IP 
stack, so this kind of loopback packet never goes out of the machine.

I actually didn't add a function for making user software get notified 
about media state changes. From my knowledge, I don't know of any support 
for such a function in libpcap. libpcap is an interface standard followed by 
WinPcap/Npcap. However, I think you can do it using native Windows APIs (like 
Receiving Notification of Network Events in 
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366334(v=vs.85).aspx).
And if you have any improvement advice about Npcap, I will consider it :)

Cheers,
Yang
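
The DLL search path arrangement described in the message above, as an added example that is not part of the original mail or of Npcap's own code. The helper names are hypothetical, and the system directory is queried with GetSystemDirectoryA rather than hard-coding C:\Windows\System32\, which is an assumption of this sketch; the Windows-only part is compiled only under _WIN32.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: write "<system_dir>\Npcap" into out. Returns 0, or -1
   if the path is empty or would be truncated (never load from a cut path). */
int npcap_dll_dir(const char *system_dir, char *out, size_t outlen)
{
    size_t n = strlen(system_dir);
    while (n > 0 && system_dir[n - 1] == '\\')
        n--;                      /* drop trailing backslashes first */
    if (n == 0)
        return -1;
    int w = snprintf(out, outlen, "%.*s\\Npcap", (int)n, system_dir);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Service name per the message: npf in compatible mode, npcap otherwise. */
const char *capture_service_name(int winpcap_compatible_mode)
{
    return winpcap_compatible_mode ? "npf" : "npcap";
}

#ifdef _WIN32
/* Put the Npcap directory ahead of System32 in the DLL search order, then
   load wpcap.dll by name so its Packet.dll dependency resolves from the same
   place. If the directory is absent, the loader falls back to System32. */
HMODULE load_wpcap_preferring_npcap(void)
{
    char sysdir[MAX_PATH], npcap[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (len == 0 || len >= sizeof sysdir)
        return NULL;
    if (npcap_dll_dir(sysdir, npcap, sizeof npcap) == 0)
        SetDllDirectoryA(npcap);
    return LoadLibraryA("wpcap.dll");
}
#endif

int main(void)
{
    char dir[260];
    /* Constructed sample path; on Windows it comes from GetSystemDirectoryA. */
    if (npcap_dll_dir("C:\\Windows\\System32\\", dir, sizeof dir) == 0)
        printf("%s (service: %s)\n", dir, capture_service_name(0));
    return 0;
}
```

Because the search directory is a subdirectory of the protected system directory, the application still loads only from locations that require Administrator rights to modify.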

On Thu, Feb 4, 2016 at 7:18 PM, Sven Kerschbaum <[email protected]> wrote:

Oh, I have to admit that I did not try it on an up-to-date Windows 10 
system... Thanks for the hint that this was only an issue in early Windows 10 
versions.
I was also not aware of Npcap. Thanks for pointing me to this fork! How 
does Npcap differ from WinPcap with respect to performance and features? At 
least I am missing the possibility to get notified about media state changes 
(connected, disconnected) in WinPcap. Does Npcap offer such a functionality?
Furthermore: Is WinPcap still under active development? Its last release was in 
2013. Or am I better advised to rely on Npcap?
Thank you!
Best regards,
SK



2016-02-04 11:08 GMT+01:00 Gisle Vanem <[email protected]>:

Sven Kerschbaum wrote:

> is there already effort for getting WinPcap ready for Windows 10? As Pascal 
> Quantin already pointed out WinPcap does not
> run on Windows 10 due to the fact that the WinPcap driver is not an NDIS 6 
> driver. Please find more information here:
> http://www.winpcap.org/pipermail/winpcap-users/2015-March/004936.html

Really? All my WinPcap-based programs work fine here.
From 'sigcheck c:\WINDOWS\sysnative\drivers\npf.sys':

        Verified:       Signed
        Signing date:   02.49 01.03.2013
        Publisher:      Riverbed Technology
        Company:        Riverbed Technology, Inc.
        Description:    npf.sys (NT5/6 AMD64) Kernel Driver
        Product:        WinPcap
        Prod version:   4.1.0.2980
        File version:   4.1.0.2980
        MachineType:    64-bit


The version and 'Signing date' are in accordance with what's on winpcap.org.
And also:

F:\> windump -Dv
1. \Device\NPF_{E069AC87-4219-4F7E-9CA5-DE3FBA031CEF}    Descr: Microsoft
    Addr 0: 10.0.0.11 (mask 255.255.255.0)
    MAC-addr: 00:18:4D:00:DE:17, MTU 1514, link-type 802.3 over Native802_11, DOWN, 54Mb/s (NDIS)

2. \Device\NPF_{990D25A5-6071-4C67-AC14-A5380B0FFDEC}    Descr: Microsoft
    Addr 0: fe80::8089:b86f:1ef6:347e (mask ::)
    Addr 1: fe80::8089:b86f:1ef6:347e (mask ::)
    MAC-addr: 00:15:83:12:37:2F, MTU 1514, link-type 802.3 over Bluetooth, DOWN, 3Mb/s (NDIS)

3. \Device\NPF_{7BA27187-146B-4FB6-B4BA-DC5D218FB607}    Descr: Realtek Ethernet Controller
    Addr 0: 10.0.0.10 (mask 255.255.255.0)
    MAC-addr: E0:3F:49:81:2E:EA, MTU 1514, link-type 802.3, UP, 100Mb/s (NDIS)

--------------

I'm on Win 10. Version 1511 (OS-Build 10586.71).
Windows 10 build 10041 (as mentioned in that mail) is pretty old.



--
--gv
_______________________________________________
Winpcap-users mailing list
[email protected]
https://www.winpcap.org/mailman/listinfo/winpcap-users


