Releases: nmap/npcap

Npcap 0.9986

17 Dec 17:45

Installer and debug symbols available at https://npcap.org/#download

  • Fix a driver signing issue that made Npcap 0.9985 uninstallable on Windows
    versions other than Windows 10. Fixes #1856.

Npcap 0.9985

14 Dec 16:43

NOTE: An issue was found with the Npcap 0.9985 installer that prevents it from installing on Windows 8.1 or earlier. Npcap 0.9986 resolves this issue.

Installer and debug symbols available from https://npcap.org/#download

  • The Nmap Project's (Insecure.Com LLC) code signing certificate has been
    renewed, and no longer exists as a SHA-1 certificate. Windows Vista and
    Server 2008 may therefore not recognize the digital signatures on the
    filter driver so a warning may be presented upon install. Please note
    that Microsoft is ending support for these operating systems in January 2020.

  • WinPcap API-compatible mode no longer installs a separate filter driver.
    Packet.DLL will translate NPF device names so that they are all serviced by
    the npcap.sys driver. The npf.sys driver has been removed. See
    #1812.

  • Improve the speed of pcap_findalldevs by reducing the number of calls to
    GetAdaptersAddresses, removing a redundant function call, and improving
    buffer reallocation. Patch by Tomasz Moń
    (#20).

  • Temporary DLLs unpacked during installation are now signed with our code
    signing certificate.

  • Fixed a bug in the uninstaller preventing downgrades to prior versions of
    Npcap. On 64-bit Windows, the driver file npcap.sys was not properly
    removed, and Windows would not replace it with any older version. Fixes
    #1686.

Npcap 0.9984

05 Nov 20:24

Installer and debug symbols available at https://npcap.org/#download

  • Update libpcap to 1.9.1. See the libpcap CHANGES file for this release. This update addresses several CVE-identified vulnerabilities.

  • Address several code quality issues identified by Charles E. Smith of Tangible Security using Coverity source code analysis.

  • Fixed processing of the "enforced" value for several command-line installer options. Fixes #1719.

  • The DisplayName value in the Uninstall registry key for Npcap no longer includes the version number, which has always been available in the DisplayVersion value. Instead, it will include the product name and edition, e.g. "Npcap" or "Npcap OEM". This value will also be recorded in the Edition value under the npcap service's Parameters registry key.

  • Fixed a couple of issues with the DiagReport tool used for bug report diagnostics: remove extraneous partial output lines (#1760), and avoid relying on the Server service to determine privilege level (#1757).

Npcap 0.9983

04 Sep 22:08

Installer and debug symbols available from https://npcap.org/#download

  • Npcap can now detect newly-added network adapters without restarting the
    driver. Fixes #664.

  • Loopback capture and injection no longer requires the Npcap Loopback Adapter
    to be installed. This is a minor API change, so Nmap 7.80 and earlier will
    still require the adapter to do localhost scans, but Wireshark and most other
    software will not require changes. Loopback capture uses the device name
    NPF_Loopback instead of NPF_{GUID}, where GUID has to be looked up in
    the Registry. The Npcap Loopback Adapter can still be installed by selecting
    "Legacy loopback support" in the installer or using the
    /loopback_support=yes command-line option. The LoopbackSupport Registry
    value will always be 0x00000001.

  • The DltNull Registry setting and the /dlt_null installer option are no
    longer supported. Loopback capture will use the DLT_NULL link type as
    described in the tcpdump documentation. Loopback packet
    injection will also use this link type instead of requiring a dummy Ethernet
    header to be constructed. The DltNull Registry value will still be present
    and set to 1 for software that consults this value.

  • Some operations like pcap_stats() can now be completed even after the
    adapter that was in use is removed. See #1650.

  • Fixed a crash that could happen when stopping the driver during a loopback
    traffic capture. Fixes #1678.

Npcap 0.9982

30 Jul 22:40

Installer, SDK, and debug symbols available at https://npcap.org/#download

  • Fix the packet statistics functionality used by pcap_stats(), which was
    broken in 0.9981. Fixes #1668.

  • Rework the flow of packets through the WFP callout driver that implements
    loopback traffic capture. This should prevent clobbering of redirect context
    data reported in #1529.

  • Restore the /dlt_null installer option to default to "yes" since it has
    been defaulting to "no" since Npcap 0.992. Using DLT_NULL for loopback
    capture is slightly more efficient than creating a dummy Ethernet header,
    which was the default before.
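
How a consumer reads the DLT_NULL loopback framing referred to in this release and in the 0.9983 notes above, as an added example that is not Npcap or libpcap code. The 4-byte family word and its values follow the tcpdump LINKTYPE_NULL description; the function and enum names are hypothetical and the frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum dlt_null_proto { DLT_NULL_BAD = -1, DLT_NULL_OTHER = 0,
                      DLT_NULL_IPV4 = 4, DLT_NULL_IPV6 = 6 };

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Classify a DLT_NULL frame; on success *l3 and *l3_len describe the packet
 * that follows the 4-byte header. */
enum dlt_null_proto dlt_null_parse(const uint8_t *pkt, size_t caplen,
                                   const uint8_t **l3, size_t *l3_len) {
    uint32_t family;
    if (pkt == NULL || caplen < 4) return DLT_NULL_BAD;  /* truncated capture */
    memcpy(&family, pkt, 4);        /* written in the capturing host's byte order */
    if (family & 0xffff0000u)       /* capture file came from an opposite-endian host */
        family = swap32(family);
    *l3 = pkt + 4;
    *l3_len = caplen - 4;
    unsigned ver = *l3_len ? (unsigned)((*l3)[0] >> 4) : 0;  /* IP version nibble */
    /* Family values as listed for LINKTYPE_NULL in the tcpdump documentation. */
    if (family == 2)
        return ver == 4 ? DLT_NULL_IPV4 : DLT_NULL_BAD;
    if (family == 24 || family == 28 || family == 30)
        return ver == 6 ? DLT_NULL_IPV6 : DLT_NULL_BAD;
    return DLT_NULL_OTHER;
}

/* Build a constructed frame (family word + one payload byte) and classify it. */
int demo_classify(uint32_t family_as_stored, uint8_t first_l3_byte) {
    uint8_t frame[5];
    const uint8_t *l3; size_t l3_len;
    memcpy(frame, &family_as_stored, 4);
    frame[4] = first_l3_byte;
    return dlt_null_parse(frame, sizeof frame, &l3, &l3_len);
}

int main(void) {
    printf("IPv4 frame: %d\n", demo_classify(2, 0x45));
    printf("IPv6 frame: %d\n", demo_classify(24, 0x60));
    printf("family/version mismatch: %d\n", demo_classify(2, 0x60));
    return 0;
}
```

Compared with a dummy Ethernet header, the capture consumer skips 4 bytes instead of 14 and has no MAC addresses to ignore; checking the family word against the IP version nibble catches frames that were parsed with the wrong link type.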

Npcap 0.9981

24 Jul 04:44

Installer and debug symbols available from https://npcap.org/#download . Npcap 0.997 was never publicly released; these are the changes since Npcap 0.996:

  • When upgrading Npcap, do not uninstall the existing Npcap until the user
    clicks the Install button. Previously, the existing Npcap was uninstalled
    prior to the first options screen, so that canceling the upgrade left no
    working Npcap on the system.

  • Redefine the I/O control codes used by Npcap using the CTL_CODE macro to
    ensure proper access control and consistent parameter passing. This is not a
    published API, but the change will require that Packet.DLL and the npcap
    driver are the same version.

  • Fix a 1-byte overrun in NPFInstall.exe when killing processes with Npcap DLLs
    in use.

  • In cases where PacketOpenAdapter is given an adapter name in UTF-16LE,
    translate it to ASCII before doing string operations on it. See
    #1575.

  • Significant reorganization of internal data structures to reduce memory use
    and initialization overhead.
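
How the CTL_CODE bit layout carries the access-control and parameter-passing settings mentioned in the I/O control code item above, as an added example rather than Npcap's code. The EX_ and AUDIT_ names are hypothetical, and both sample codes are constructed, not Npcap's actual values.

```c
#include <stdint.h>
#include <stdio.h>

/* Same bit layout as the WDK CTL_CODE macro; EX_ names are local to this example. */
#define EX_CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))
enum { EX_METHOD_BUFFERED = 0, EX_METHOD_NEITHER = 3 };
enum { EX_ANY_ACCESS = 0, EX_READ_ACCESS = 1, EX_WRITE_ACCESS = 2 };

struct ioctl_fields { uint32_t device, access, function, method; };

struct ioctl_fields ioctl_decode(uint32_t code) {
    struct ioctl_fields f;
    f.device   = code >> 16;           /* bits 31..16 */
    f.access   = (code >> 14) & 0x3;   /* bits 15..14: access required on the handle */
    f.function = (code >> 2) & 0xfff;  /* bits 13..2 */
    f.method   = code & 0x3;           /* bits 1..0: buffer passing method */
    return f;
}

/* Review flags a driver auditor might raise for one control code. */
enum { AUDIT_ANY_ACCESS = 1, AUDIT_METHOD_NEITHER = 2,
       AUDIT_RESERVED_FN = 4, AUDIT_NO_DEVICE_TYPE = 8 };

unsigned ioctl_audit(uint32_t code) {
    struct ioctl_fields f = ioctl_decode(code);
    unsigned flags = 0;
    if (f.access == EX_ANY_ACCESS)     flags |= AUDIT_ANY_ACCESS;     /* no access check */
    if (f.method == EX_METHOD_NEITHER) flags |= AUDIT_METHOD_NEITHER; /* raw user pointers */
    if (f.function < 0x800)            flags |= AUDIT_RESERVED_FN;    /* Microsoft range */
    if (f.device == 0)                 flags |= AUDIT_NO_DEVICE_TYPE;
    return flags;
}

/* Constructed samples, not Npcap's real codes. */
#define SAMPLE_PLAIN_INT 1003u
#define SAMPLE_CTL_CODE  EX_CTL_CODE(0x8000, 0x801, EX_METHOD_BUFFERED, \
                                     EX_READ_ACCESS | EX_WRITE_ACCESS)

int main(void) {
    printf("plain 1003      -> flags 0x%x\n", ioctl_audit(SAMPLE_PLAIN_INT));
    printf("CTL_CODE sample -> flags 0x%x\n", ioctl_audit(SAMPLE_CTL_CODE));
    return 0;
}
```

A control code chosen as an arbitrary integer still decodes into these four fields, so its access and method bits are whatever the number happens to contain; the constructed value 1003 lands on METHOD_NEITHER with no access requirement.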

Npcap 0.996

15 Jun 18:54

Installer and debug symbols may be downloaded from https://npcap.org/#download

  • Fix a crash (DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_DetachAdapter) when
    stopping the npcap driver service, such as when upgrading Npcap. Since Npcap
    0.994 and 0.995 may crash when upgrading, the installer will offer to disable
    the npcap driver service if it is running, allowing the user to reboot and
    attempt the install again, avoiding a crash. Fixes #1626.

  • Ensure the uninstaller for the previous version of Nmap is called when
    upgrading. Npcap 0.95 through 0.995 erroneously skipped this step in simple
    non-silent upgrades, which could cause multiple Npcap Loopback Adapters to be
    installed.

Npcap 0.995

11 May 02:07

Installer and debug symbols may be downloaded from https://npcap.org/#download

  • Fix a crash reported via Microsoft crash telemetry (DRIVER_IRQL_NOT_LESS_OR_EQUAL in NPF_NetworkClassify), introduced in Npcap 0.994. Fixes #1591.

Npcap 0.994

08 May 04:08

Executable installer and debug symbols available at https://npcap.org/#download .

  • Fix the installer options screen, which would immediately proceed to
    installation when you clicked on the "Support loopback traffic" option. Fixes
    #1577.

  • Use the /F option to SCHTASKS.EXE in the installer so that the
    npcapwatchdog task can be successfully overwritten if it is present, though
    newer uninstallers also remove the task. Fixes #1580.

  • Fix the CheckStatus.bat script run by the npcapwatchdog scheduled task to
    correctly match output of reg.exe on non-English systems. Fixes
    #1582.

  • Improve synchronization between WFP (Loopback) and NDIS (control) functions
    within the driver, which ought to improve stability during system
    sleep/suspend events, particularly an access violation in
    NPF_NetworkClassify observed via Microsoft crash telemetry.

Npcap 0.993

28 Apr 05:32

Installer, SDK, and debug symbols available from https://npcap.org/#download

  • Complete the fix for #1398 that was only
    partially applied in Npcap 0.992. Due to this partial fix, the user-provided
    buffer was double-freed, resulting in a BAD_POOL_CALLER BSoD. This issue
    was separately reported as #1568, and has been
    issued the identifier CVE-2019-11490.

  • Fix output of pcap_lib_version to again report "Npcap version 0.993, based
    on libpcap version 1.9.0" instead of "libpcap version 1.9.0 (packet.dll
    version 0.992)". Npcap 0.992 was the only version affected. Fixes
    #1566.

  • Fix a regression in loopback capture that was causing the loopback adapter to
    be missing from pcap_findalldevs until the driver was manually stopped and
    restarted. Fixes #1570.

  • Remove installer interface option "Automatically start the Npcap driver at
    boot time." Command-line and registry settings are still respected, but
    automatic start will be the default for all new installations, since manual
    start results in delays in network connectivity at boot. See
    #1502.

  • Avoid interpreting null or uninitialized memory as out-of-band media-specific
    information for purposes of constructing the Radiotap header when capturing
    in raw 802.11 monitor mode. Fixes #1528.

  • Ensure the uninstaller removes the npcapwatchdog scheduled task.

  • Avoid an uninstaller failure if DLLs and executables are in use during
    uninstall by causing them to be deleted at reboot. See
    #1555.