pcap_handler 回调仅在使用 npcap v0.9991 时包含空包

Question

I have some code that is supposed to capture data from an ethernet adapter. I am using the following steps to get the data (after determining the name of the device in the format: "rpcap://\Device\NPF_{0C5[...]C89}"):

deviceHandle = pcap_open(device_name, 65536, 1 /* promiscous */, 100, NULL, errbuf)

Then running a loop (until capture is supposed to be stopped) over:

pcap_dispatch(deviceHandle, -1, pcap_handler, userHandle /* unsigned char* to user handle */)

When running this with the npcap dll "wpcap.dll" loaded from Windows\System32\Npcap folder I get calls to the pcap_handler callback but all parameters in the callback are always zero:

header->caplen == 0
header->len == 0
header->ts.tv_sec == 0
header->ts.tv_usec == 0

The unsigned char* data is not NULL but the memory it points to is zeros only.

When I run the exact same code with just using Win10Pcap v10.2.5002 wpcap.dll from "Program Files (x86)\Win10Pcap\x64" (currently latest version) everything works fine and I get the captured data properly. The code was working about a year ago, so there might have been changes to npcap that cause a difference in the behavior, but I couldn't find why there is no data provided in the callback.

The npcap installation and dll is part of a Wireshark v3.2.4 64bit installation and when running Wireshark and capturing data on the same ethernet adapter the data is properly shown in Wireshark, so the npcap library is working properly in that scenario.

Can anyone give me a hint where the problem might be? I am running the code on 64bit Windows 10. As it was working before there probably has been a change in npcap v0.9991 that was changing the behavior or requirements to get the captured data that I'm not aware of which is causing the issue.

Best regards, Gunnar

Answer 1

This is probably Npcap issue #178 , which is fixed in Npcap 0.9992, so it should also be fixed in the current release (0.9994 as of the time I'm writing this). Upgrade your Npcap installation.