
Npcap support in TCadmin (updated Winpcap, with better performance and security)


gijs007

As some of you might know, TCadmin relies on the Winpcap library for bandwidth monitoring.


Unfortunately Winpcap hasn't been in active development for a while; however, there is an open-source alternative called Npcap.


Npcap is the Nmap Project's packet sniffing library for Windows. It is based on the wonderful WinPcap / Libpcap libraries, but with improved speed, portability, security, and efficiency. In particular, Npcap offers:


WinPcap for Windows 10: Npcap works on Windows 7 and later by making use of the new NDIS 6 Light-Weight Filter (LWF) API. It's faster than the deprecated NDIS 5 API, which Microsoft could remove at any time. Also, the driver is signed with our EV certificate and countersigned by Microsoft, so it works even with the stricter driver signing requirements in Windows 10 1607.

Extra Security: Npcap can be restricted so that only Administrators can sniff packets. If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets. We've also enabled the Windows ASLR and DEP security features and signed the driver, DLLs, and executables to prevent tampering.

Loopback Packet Capture: Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP). After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like "ping 127.0.0.1" (IPv4) or "ping ::1" (IPv6).

Loopback Packet Injection: Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack.

WinPcap compatibility: For applications that don't yet make use of Npcap's advanced features, Npcap can be installed in "WinPcap Compatible Mode." This will replace any existing WinPcap installation. If compatibility mode is not selected, Npcap can coexist alongside WinPcap; applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.


I haven't tested the "Winpcap compatible mode" with TCadmin, and it's unclear to me if there are any advantages to natively supporting Npcap instead of relying on this compatibility mode.

I can imagine there would be issues with the security features, such as the restrictions to make Npcap require administrator credentials or that the performance isn't as good as in native mode.


Either way I think it's important to update TCadmin to support the Npcap library, since it's opensource, but most importantly offers better security and performance than Winpcap and is still actively developed and compatible with Windows 10.


Npcap binaries and source code can be downloaded for free at:

https://nmap.org/npcap/
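As an added example (not part of the original post, and not code from the Npcap or TCadmin projects), the following PowerShell check answers the question raised above: which wpcap.dll a WinPcap-only application such as TCadmin would actually load, and whether Npcap is present in "WinPcap Compatible Mode", alongside WinPcap, or not at all. It assumes that WinPcap-API applications load wpcap.dll from System32 and that a default Npcap install keeps its own copy under System32\Npcap; the "Npcap" product-string match used to tell the two DLLs apart is an assumption, not a documented vendor value.

```powershell
# Added example; not the original post's or the vendors' code.
# Assumptions: WinPcap-only apps load %SystemRoot%\System32\wpcap.dll;
# Npcap's own copy lives in %SystemRoot%\System32\Npcap\wpcap.dll;
# matching 'Npcap' in the version strings is an assumed heuristic.

function Get-CaptureDllInfo {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $vi = (Get-Item $Path).VersionInfo
    [pscustomobject]@{
        Path           = $Path
        Version        = $vi.ProductVersion
        Product        = $vi.ProductName
        # The quoted feature list says Npcap signs its DLLs; record the Authenticode status.
        Signature      = (Get-AuthenticodeSignature $Path).Status
        LooksLikeNpcap = ($vi.ProductName -match 'Npcap') -or ($vi.FileDescription -match 'Npcap')
    }
}

$sys32  = Join-Path $env:SystemRoot 'System32'
$compat = Get-CaptureDllInfo (Join-Path $sys32 'wpcap.dll')        # what WinPcap-only apps load
$native = Get-CaptureDllInfo (Join-Path $sys32 'Npcap\wpcap.dll')  # Npcap's own copy

switch ($true) {
    { $native -and $compat -and $compat.LooksLikeNpcap } {
        'Npcap in WinPcap Compatible Mode: WinPcap-only apps (e.g. TCadmin) load the Npcap DLL.'
        break
    }
    { $native -and $compat } {
        'Npcap and WinPcap coexist: WinPcap-only apps still load the old WinPcap DLL.'
        break
    }
    { $native } {
        'Npcap installed without compatibility mode and no WinPcap present: WinPcap-only apps find no wpcap.dll.'
        break
    }
    { $compat } { 'Only WinPcap is installed.'; break }
    default     { 'No packet-capture library found.' }
}

# Show version and signature details for whichever DLLs exist.
$compat, $native | Where-Object { $_ } | Format-List
```

Run it in an elevated PowerShell on the TCadmin host before and after switching Npcap's compatibility-mode setting to see which library the monitor ends up using.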
