Compilation Instructions and Examples
1. How to compile an application that directly uses PACKET.DLL
Creating an application that uses the capture driver
through PACKET.DLL requires the following operations:
- Include the file packet32.h at the beginning of every
source file that uses the functions exported by the DLL. Packet32.h
is distributed both with the PACKET.DLL source code and the
developer's pack and it is platform-independent.
- Set the options of the linker to include the packet.lib
file. Packet.lib is generated when compiling the packet driver
and can be found in the developer's pack.
Once this is done, the application will be able to use the functions
exported by the DLL and to use the driver to capture packets.
2. How to compile an application that uses wpcap.dll
The following things must be done to compile an application that
uses wpcap.dll:
- Include the file pcap.h at the beginning of every
source file that uses the functions exported by the library.
- Set the options of the linker to include the wpcap.lib
library file. wpcap.lib is generated when compiling the wpcap source code and can be found in the developer's pack.
- Set the options of the linker to include the winsock library
file (for example wsock32.lib). This file is distributed
with the C compiler and contains the socket functions for
Windows. It is needed by some libpcap functions.
Once this is done, the application will be able to use the functions
exported by libpcap and use the NDIS packet capture driver to
capture packets.
Remember that:
- To add a new library to the project with Microsoft Visual C++
6.0, you must select Settings from the Project
menu, then select Link from the tab control, and then
add the name of the new library in the Object/library
modules edit box.
- To add a new path where Microsoft Visual C++ 6.0 will look for
the libraries, you must select Options from the Tools
menu, then Link from the tab control, library files
from the show directories for combobox, and then add the
path in the directories box.
- To add a new path where Microsoft Visual C++ 6.0 will look for
the include files, you must select Options from the Tools
menu, then Link from the tab control, include files
from the show directories for combobox, and then add the
path in the directories box.
Note:
- It is not necessary to include the packet32.h and packet.lib
files when compiling a program using wpcap: wpcap.lib also includes the code present in packet.lib.
The wpcap library, in fact, uses the PACKET.DLL API, but hides
it from the programmer, giving a higher level of abstraction and
a more powerful interface.
- Problems can be encountered when compiling applications
with Borland C++ compiler. We do not have the Borland compilers,
therefore we cannot do anything about that.
2.a How to port a UNIX application that uses libpcap to Windows
Assuming that you are able to compile the application in Windows
(this operation can be very difficult and cannot be explained
here), the only thing you have to do is to link it with libpcap for
Windows, following the steps of the previous Section.
Simple examples for programmers
The following are examples that show how to write programs that
capture packets from the network using the NDIS packet capture
driver. All the examples, once compiled, can run both on Windows 95
and on Windows NT. The source code of the examples, along with all
the files needed to compile and run them, can be found in the Developer's
Pack.
1. TestApp
This is a very simple capture program that shows the use of the packet
capture driver through the PACKET.DLL API. It is a console
application that, once compiled, can be executed under Windows 95, 98,
ME, NT and 2000. Testapp.exe, when executed, lets the user
choose one of the adapters installed on the machine,
then it captures packets from the specified network adapter until a
key is pressed, dumping the content of each packet on the screen.
2. PktDump
This example shows how to write and compile under the Win32
environment an application that
uses libpcap. It reads the packets from a file or a network adapter, printing
the timestamp, the length and the data of the packets.
It was originally written for UNIX (the UNIX makefile is provided),
and was compiled in Windows without being modified. PktDump can run,
once compiled, in Windows 95, 98, ME, NT and 2000. Notice that this
program is very similar in behavior to the previous one and the
output is not too different, but the code is noticeably shorter and simpler, because libpcap
offers a higher-level programming interface.
3. Pcap_Filter
This is another example of the use of libpcap. It is more complex
than PktDump, and shows, among other things, how to create and set
filters and how to save a capture to disk. It can be compiled under
Win32 or under UNIX (makefile is provided). Pcap_filter (pf.exe) is
a general-purpose packet filter: it receives as input parameters a
source of packets (it can be a physical interface or a file), a filter and
an output file. It takes packets from the source until CTRL+C is
pressed, applies the filter to the incoming packets, and saves them in the
output file if they satisfy the filter. Pcap_filter can be used to
capture packets from the network according to a particular filter, but
also to extract a set of packets from a previously saved file. The
format of input and output files is the same as that of WinDump and tcpdump.
4. NetMeter
NetMeter draws in a window the scrolling
diagram of the network's load in bytes per second and in packets per
second using the statistics mode of the packet driver. The application is written in C++ with MFC and uses libpcap
to interact with the network. Since the statistics mode is used, the application is quite simple and very fast. It
can run in Windows 95, 98, ME, NT and 2000.
5. Traffic Generator
This example shows how to use the packet capture driver through
PACKET.DLL to send packets to the network. It takes as input
parameters the interface that will be used, the number of packets to
send and their size. The generated packets will have 1:1:1:1:1:1 as
source MAC address, and 2:2:2:2:2:2 as destination address. The
'multiple write' feature of the driver is used to obtain a higher
transmit rate, therefore the write performance is better if traffic
generator is used in Windows NT or Windows 2000.
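Pcap_filter writes captures in the WinDump/tcpdump file format, and Traffic Generator's frames carry fixed MAC addresses, so test traffic can be picked out of a saved capture. The following is an added example, not part of the Developer's Pack: it reads the classic libpcap savefile layout directly (no wpcap.lib needed) and counts frames with the generator's addresses. The names count_frames, rd32 and SAMPLE are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit field in the byte order announced by the file's magic number. */
static uint32_t rd32(const uint8_t *p, int be) {
    uint32_t le = p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    uint32_t sw = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return be ? sw : le;
}

/* Count Ethernet frames with the given source/destination MACs; -1 if malformed. */
int count_frames(const uint8_t *buf, size_t len, const uint8_t *src, const uint8_t *dst) {
    if (len < 24) return -1;                       /* global header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    int be = (magic == 0xd4c3b2a1u);               /* file written on a big-endian host */
    if (!be && magic != 0xa1b2c3d4u) return -1;    /* not a classic savefile */
    if (rd32(buf + 20, be) != 1) return -1;        /* link type 1 = Ethernet */
    int hits = 0;
    size_t off = 24;
    while (off < len) {
        if (len - off < 16) return -1;             /* truncated record header */
        uint32_t caplen = rd32(buf + off + 8, be); /* bytes actually stored */
        off += 16;
        if (caplen > len - off) return -1;         /* length field points past the data */
        /* An Ethernet frame starts with destination MAC, then source MAC. */
        if (caplen >= 14 && !memcmp(buf + off, dst, 6) && !memcmp(buf + off + 6, src, 6))
            hits++;
        off += caplen;
    }
    return hits;
}

/* Constructed sample: little-endian header, one generator frame, one unrelated frame. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    1,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,
    2,2,2,2,2,2, 1,1,1,1,1,1, 0x08,0x00,
    2,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
};
static const uint8_t GEN_SRC[6] = {1,1,1,1,1,1}, GEN_DST[6] = {2,2,2,2,2,2};

int main(void) {
    printf("generator frames: %d\n", count_frames(SAMPLE, sizeof SAMPLE, GEN_SRC, GEN_DST));
    return 0;
}
```

The bounds checks on the record header and the captured length make a truncated or corrupted capture file return -1 instead of reading past the buffer.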