WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
WinPcap consists of a driver that extends the operating system to provide low-level network access, and a library that makes it easy to reach those low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API.
Thanks to its set of features, WinPcap is the packet capture and filtering engine of many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these tools, such as Wireshark, Nmap, Snort and ntop, are known and used throughout the networking community.
Winpcap.org is also the home of WinDump, the Windows version of the popular tcpdump tool. WinDump can be used to watch, diagnose and save to disk network traffic according to various complex rules.
Free. WinPcap is released under the BSD open source licence. This means that you have total freedom to modify and use it with your application, even if it’s commercial. The binary and source code are available here.
High performance. WinPcap implements all of the classic optimizations described in the packet capture literature (e.g., kernel-level filtering and buffering, context switch mitigation, partial packet copy), plus some original ones, like JIT filter compilation and kernel-level statistics processing. For these reasons, WinPcap outperforms other comparable approaches.
Popular. WinPcap is used as the network interface by many tools, both free and commercial, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators, network testers, etc. Some of these tools, like Wireshark, Nmap, Snort, WinDump and ntop, are very well known in the networking community. WinPcap is downloaded thousands of times every day.
Tested and Reliable. Many users have contributed over the years in testing WinPcap on a wide range of platforms, and in finding the most subtle bugs. WinPcap developers are experienced Windows driver writers, and their approach to software development emphasizes rock-solid stability. Remember: a buggy driver means blue screens.
Easy to use for the final user. WinPcap is distributed as a single small executable that runs on every supported operating system. You launch the executable, and from that moment Windows is able to capture and send raw network traffic. It couldn’t be easier.
Easy to use for the programmer. Every version of WinPcap comes with a developer’s pack that includes the documentation, libraries and include files needed to start immediately on your own new application. The developer’s pack contains a set of sample programs, ready to be compiled with both Visual Studio and Cygnus, that serve as excellent starting points.
Multi-platform. WinPcap is actively maintained on Windows NT, Windows 2000, Windows XP and Windows Server 2003. WinPcap can also work on Windows 95, Windows 98 and Windows ME, but these OSes are not maintained any longer. Windows Vista has preliminary support, with some features disabled.
Portable. WinPcap is completely compatible with libpcap. This means that you can use it to port your existing Unix or Linux tools to Windows. This also means that your Windows applications will be easily portable to Unix.
Well documented. The WinPcap manual documents the API and the internals in an easy-to-follow hyperlinked manner. The documentation includes a tutorial that takes you step-by-step through all of the features of WinPcap.