Winpcap, THE open-source library for packet capture and network analysis

Written by Joseph MICACCIA, certified network expert - -

Libpcap allows the capture of network packets under linux, in particular. Winpcap is the equivalent for the Windows system. Winpcap was developed by programmers from the Polytechnic University of Turin.

WinPcap is an open source library for packet capture and network analysis for Win32 platforms.


Most network applications access the network through the operating system, such as sockets. This approach facilitates access to data over the network because the operating system handles low-level details (protocol processing, packet reassembly, etc.) and provides a familiar interface similar to that used for reading and writing. writing files.

However, sometimes the "easy-to-use" solution is not adequate because some applications require direct access to the packets on the network, in order to have access to "raw" data, without interposition of protocol processing by the system. exploitation.

WinPcap allows to provide this type of access to Win32 applications and it allows, in particular:

    the capture of all packages, raw, those intended for the machine on which it runs and as well as those exchanged by other hosts connected to it by computer;
    filtering packets based on rules specified by the user before sending them to the application;
    the transmission of raw packets to the network:
    collection of statistical information on network traffic;



This is made possible by a device driver, installed in the network part of Win32 kernels, as well as two DLLs (Dynamic Link Library).

To develop an application that relies on Winpcap, one must and simply use the functions that are in the WinpCap DLLs.

That's how I developed NetworkAnalyser, a small tool that displays network frames with intuitive views. It is configurable and one of the options allows to listen without being detected, even more discreetly than a submarine of the Navy ;-)

It was developed in Delphi and exploits the functions of WinpCap, like Wireshark. Portability to C language is possible, easily.



At launch, we have the possibility to choose the network card ...



... The "passive analyzes" mode allows you to listen without being detected by the other machines on the network ...


... The views are intuitive enough to see at a glance who communicates with whom, and how. In particular, this tool makes it possible to identify the MAC addresses, the IP addresses of the different machines, the name of the manufacturer of each of the network cards, etc.

There is a host of other WinpCap-based software, network tools for analysis, troubleshooting, security, or monitoring, including:

    network and protocol analyzers;
    network monitors;
    traffic recorders;
    traffic generators;
    bridges and routers at the user level;
    network intrusion detection systems (NIDS);
    network scanners;
    security tools;

The best-known networking tool that relies on WinpCap is WireShark, the world's most widely used network protocol analyzer. It allows you to see what is happening on a network at a microscopic level and is the norm in many business, commercial or non-profit organizations, government agencies or educational institutions. The development of Wireshark is based on the voluntary contributions of network experts from around the world, a continuation of the project launched by Gerald Combs in 1998.



It seems that WinpCap is no longer maintained, but there are several forks including NpCap, the best known of all forks and it is currently maintained by members of Nmap.


Sources :




Comments are closed.