
npcap是什么软件

npcap是一个网络数据包抓包工具,是winpcap的改进版;它支持ndis 6技术、“只允许管理员administrator”访问npcap、与winpcap兼容或并存两种模式;支持windows平台的回环数据包采集和发送。
本教程操作环境:windows10系统、dell g3电脑、npcap 0.9994。
npcap是什么软件
npcap是一款著名网络数据包抓包工具winpcap的改进版。本软件致力于采用microsoft light-weight filter (ndis 6 lwf)技术和windows filtering platform (ndis 6 wfp)技术对当前最流行的winpcap工具包进行改进。比之前代拥有更好的抓包性能,并且稳定性优异。
软件特点:
1、支持ndis 6技术;
2、支持“只允许管理员administrator”访问npcap;
3、支持与winpcap兼容或并存两种模式;
4、支持windows平台的回环(loopback)数据包采集;
5、支持windows平台的回环(loopback)数据包发送;
npcap 原理
npcap 实现了 win10 驱动程序,叫做 npf(netgroup packet filter),该驱动从 win10 miniport 驱动获取网卡数据实现监控网络数据包的功能(win10 使用 miniport 驱动控制网卡)。
npcap 使用
npcap sdk 使用起来很简单,一共分为三步。
1、安装 visual studio
我使用的是 visual studio 2019。
2、安装 npcap 到 win10
安装 npcap 1.71 installer 到 win10 系统中,主要是安装了 npf 驱动和 dll 文件(packet.dll 和 wpcap.dll)。
下载地址:https://npcap.com/#download
3、下载 npcap sdk
npcap sdk 中提供了 lib 和头文件,我们编写抓包程序时需要用到这些。
4、例程
这里,我以 npcap sdk 中的 npcap-sdk-1.13\examples-pcap\udpdump 为例进行说明,udpdump 用于监控收到的 udp 数据包。
udpdump.c
在原有文件的基础上我添加了 #pragma comment(lib,"ws2_32.lib") 语句,否则 ntohs() 会因找不到 ws2_32 库而链接失败。
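/*
 * copyright (c) 1999 - 2005 netgroup, politecnico di torino (italy)
 * copyright (c) 2005 - 2006 cace technologies, davis (california)
 * all rights reserved.
 *
 * redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. neither the name of the politecnico di torino, cace technologies
 * nor the names of its contributors may be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * this software is provided by the copyright holders and contributors
 * "as is" and any express or implied warranties, including, but not
 * limited to, the implied warranties of merchantability and fitness for
 * a particular purpose are disclaimed. in no event shall the copyright
 * owner or contributors be liable for any direct, indirect, incidental,
 * special, exemplary, or consequential damages (including, but not
 * limited to, procurement of substitute goods or services; loss of use,
 * data, or profits; or business interruption) however caused and on any
 * theory of liability, whether in contract, strict liability, or tort
 * (including negligence or otherwise) arising in any way out of the use
 * of this software, even if advised of the possibility of such damage.
 *
 */

/*
 * udpdump: print a one-line summary (time, length, source/destination
 * ipv4 address and udp port) for every udp packet received on an
 * ethernet interface chosen interactively by the user.
 */

#ifdef _MSC_VER
/*
 * we do not want the warnings about the old deprecated and unsecure crt functions
 * since these examples can be compiled under *nix as well
 */
#define _CRT_SECURE_NO_WARNINGS
#endif

#include <pcap.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef _WIN32
/* ntohs() lives in ws2_32 on windows; pcap.h already pulled winsock2.h in,
 * so the winsock.h include below is guarded out and only kept for parity
 * with the original sdk example. */
#include <winsock.h>
#include <tchar.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif

/* sizes used when walking a captured frame and when opening the adapter */
enum {
    ETH_HDR_LEN     = 14,    /* ethernet ii header, the only link type we accept (DLT_EN10MB) */
    IP_MIN_HDR_LEN  = 20,    /* ipv4 header without options; ihl < 5 is malformed */
    SNAPLEN         = 65536, /* portion of the packet to capture: whole packet on all macs */
    READ_TIMEOUT_MS = 1000   /* pcap_open_live read timeout */
};

#ifdef _WIN32
/*
 * Point the dll loader at <SystemDirectory>\npcap so the npcap copies of
 * packet.dll / wpcap.dll are found before any winpcap copies on the path.
 *
 * Returns TRUE on success. On failure an error (GetLastError() in hex) is
 * written to stderr and FALSE is returned.
 */
BOOL LoadNpcapDlls(void)
{
    _TCHAR npcap_dir[512];
    /* ask for 480 of the 512 characters so "\\npcap" always fits afterwards */
    UINT len = GetSystemDirectory(npcap_dir, 480);
    if (!len) {
        fprintf(stderr, "error in getsystemdirectory: %lx", (unsigned long)GetLastError());
        return FALSE;
    }
    _tcscat_s(npcap_dir, 512, _T("\\npcap"));
    if (SetDllDirectory(npcap_dir) == 0) {
        fprintf(stderr, "error in setdlldirectory: %lx", (unsigned long)GetLastError());
        return FALSE;
    }
    return TRUE;
}
#endif

/* 4 bytes ip address */
typedef struct ip_address {
    u_char byte1;
    u_char byte2;
    u_char byte3;
    u_char byte4;
} ip_address;

/* ipv4 header (wire layout, network byte order; first 20 bytes are fixed) */
typedef struct ip_header {
    u_char     ver_ihl;        // version (4 bits) + internet header length (4 bits)
    u_char     tos;            // type of service
    u_short    tlen;           // total length
    u_short    identification; // identification
    u_short    flags_fo;       // flags (3 bits) + fragment offset (13 bits)
    u_char     ttl;            // time to live
    u_char     proto;          // protocol
    u_short    crc;            // header checksum
    ip_address saddr;          // source address
    ip_address daddr;          // destination address
    u_int      op_pad;         // option + padding
} ip_header;

/* udp header (wire layout, network byte order) */
typedef struct udp_header {
    u_short sport; // source port
    u_short dport; // destination port
    u_short len;   // datagram length
    u_short crc;   // checksum
} udp_header;

/* prototype of the packet handler */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data);

/*
 * Entry point: list the capture devices, let the user pick one, install the
 * "ip and udp" filter and hand every matching packet to packet_handler().
 *
 * Returns 0 when the capture loop ends normally, -1 on any setup error
 * (the device list and the adapter handle are released on every path);
 * exit(1) is used when the device list itself cannot be obtained.
 */
int main(void)
{
    pcap_if_t *alldevs = NULL;
    pcap_if_t *d;
    int inum;
    int i = 0;
    pcap_t *adhandle;
    char errbuf[PCAP_ERRBUF_SIZE];
    u_int netmask;
    char packet_filter[] = "ip and udp";
    struct bpf_program fcode;

#ifdef _WIN32
    /* load npcap and its functions. */
    if (!LoadNpcapDlls()) {
        fprintf(stderr, "couldn't load npcap\n");
        exit(1);
    }
#endif

    /* retrieve the device list */
    if (pcap_findalldevs(&alldevs, errbuf) == -1) {
        fprintf(stderr, "error in pcap_findalldevs: %s\n", errbuf);
        exit(1);
    }

    /* print the list */
    for (d = alldevs; d; d = d->next) {
        printf("%d. %s", ++i, d->name);
        if (d->description) {
            printf(" (%s)\n", d->description);
        } else {
            printf(" (no description available)\n");
        }
    }

    if (i == 0) {
        printf("\nno interfaces found! make sure npcap is installed.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }

    printf("enter the interface number (1-%d):", i);
    /* an unchecked scanf would leave inum uninitialized on bad input */
    if (scanf("%d", &inum) != 1) {
        printf("\nadapter number must be an integer.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* check if the user specified a valid adapter */
    if (inum < 1 || inum > i) {
        printf("\nadapter number out of range.\n");
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* jump to the selected adapter (inum is 1-based and already range-checked) */
    d = alldevs;
    for (i = 1; i < inum; i++) {
        d = d->next;
    }

    /* open the adapter: promiscuous mode on, whole packet captured */
    adhandle = pcap_open_live(d->name, SNAPLEN, 1, READ_TIMEOUT_MS, errbuf);
    if (adhandle == NULL) {
        fprintf(stderr, "\nunable to open the adapter: %s\n", errbuf);
        pcap_freealldevs(alldevs);
        return -1;
    }

    /* check the link layer. we support only ethernet for simplicity. */
    if (pcap_datalink(adhandle) != DLT_EN10MB) {
        fprintf(stderr, "\nthis program works only on ethernet networks.\n");
        goto fail_close;
    }

    /*
     * retrieve the mask of the first address of the interface; the netmask
     * pointer may be NULL and the first address need not be ipv4, so fall
     * back to a class c mask in those cases as well as when there is no address
     */
    if (d->addresses != NULL && d->addresses->netmask != NULL
        && d->addresses->netmask->sa_family == AF_INET) {
        netmask = ((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.s_addr;
    } else {
        netmask = 0xffffff;
    }

    /* compile the filter */
    if (pcap_compile(adhandle, &fcode, packet_filter, 1, netmask) < 0) {
        fprintf(stderr, "\nunable to compile the packet filter. check the syntax.\n");
        goto fail_close;
    }

    /* set the filter; the handle keeps its own copy, so the program can be freed */
    if (pcap_setfilter(adhandle, &fcode) < 0) {
        fprintf(stderr, "\nerror setting the filter.\n");
        pcap_freecode(&fcode);
        goto fail_close;
    }
    pcap_freecode(&fcode);

    /* description may be NULL (see the listing above); never hand NULL to %s */
    printf("\nlistening on %s...\n", d->description ? d->description : d->name);

    /* at this point, we don't need any more the device list. free it */
    pcap_freealldevs(alldevs);
    alldevs = NULL;
    d = NULL; /* d pointed into the freed list */

    /* start the capture */
    if (pcap_loop(adhandle, 0, packet_handler, NULL) == -1) {
        fprintf(stderr, "\nerror in pcap_loop: %s\n", pcap_geterr(adhandle));
        pcap_close(adhandle);
        return -1;
    }

    pcap_close(adhandle);
    return 0;

fail_close:
    pcap_close(adhandle);
    pcap_freealldevs(alldevs);
    return -1;
}

/*
 * Callback function invoked by libpcap for every incoming packet.
 *
 * param:    unused (the user pointer given to pcap_loop).
 * header:   capture metadata; only header->caplen bytes of pkt_data are valid,
 *           which may be fewer than header->len.
 * pkt_data: the captured frame, starting at the ethernet header.
 *
 * The bpf filter guarantees "ip and udp", not a sane size, so every header
 * field is bounds-checked against caplen before it is read. Headers are
 * copied out with memcpy rather than read through casted pointers: pkt_data
 * + 14 is not 4-byte aligned and the cast would also violate strict aliasing.
 */
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
    struct tm *ltime;
    char timestr[16];
    ip_header iph;
    udp_header udph;
    u_int ip_len;
    u_short sport, dport;
    time_t local_tv_sec;

    /* unused parameter */
    (void)param;

    /* convert the timestamp to readable format */
    local_tv_sec = header->ts.tv_sec;
    ltime = localtime(&local_tv_sec);
    if (ltime == NULL || strftime(timestr, sizeof timestr, "%H:%M:%S", ltime) == 0) {
        snprintf(timestr, sizeof timestr, "??:??:??");
    }

    /* print timestamp and length of the packet (tv_usec is long, len is unsigned) */
    printf("%s.%.6ld len:%u ", timestr, (long)header->ts.tv_usec, (unsigned)header->len);

    /* the fixed part of the ipv4 header must be inside the captured bytes */
    if (header->caplen < ETH_HDR_LEN + IP_MIN_HDR_LEN) {
        printf("truncated frame (caplen %u)\n", (unsigned)header->caplen);
        return;
    }

    /* retrieve the ip header: only the 20 fixed bytes are copied, op_pad is never read */
    memcpy(&iph, pkt_data + ETH_HDR_LEN, IP_MIN_HDR_LEN);

    /* retrieve the position of the udp header from the ihl field */
    ip_len = (iph.ver_ihl & 0xf) * 4;
    if ((iph.ver_ihl >> 4) != 4 || ip_len < IP_MIN_HDR_LEN
        || header->caplen < ETH_HDR_LEN + ip_len + sizeof udph) {
        printf("malformed or truncated ip/udp header\n");
        return;
    }
    memcpy(&udph, pkt_data + ETH_HDR_LEN + ip_len, sizeof udph);

    /* convert from network byte order to host byte order */
    sport = ntohs(udph.sport);
    dport = ntohs(udph.dport);

    /* print ip addresses and udp ports */
    printf("%d.%d.%d.%d.%d -> %d.%d.%d.%d.%d\n",
           iph.saddr.byte1, iph.saddr.byte2, iph.saddr.byte3, iph.saddr.byte4, sport,
           iph.daddr.byte1, iph.daddr.byte2, iph.daddr.byte3, iph.daddr.byte4, dport);
}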
5、执行
比如监控无线网卡收到的数据。
