Merge branch 'nmap:master' into fix_nonadmin_npcaphelper

Author: conioh

CHANGELOG.md

@@ -1,3 +1,53 @@
+## Npcap 1.84 [2025-10-02]
+
+* Fixed a regression in #742 (previously fixed in Npcap 1.80). The fix changes
+  to libpcap had been overwritten in our local branch, causing the same
+  Application Verifier faults to recur.
+
+* Resolve an issue in the installer/uninstaller where x64-emulated processes on
+  ARM64 (and possibly 32-bit processes on both x64 and ARM64) that were using
+  Npcap were not correctly terminated, leading to failed installations.
+
+* New DriverQuery.exe diagnostic tool. This will be run as part of
+  [DiagReport](https://npcap.com/guide/npcap-users-guide.html#npcap-issues-diagreport)
+  on new installations, but can be run independently on older installations for
+  better diagnosis of connection issues.
+
+* Added performance metrics for time spent processing packets. These can be
+  queried with the DriverQuery diagnostic tool or via `PacketGetInfo()` using
+  the `NPF_GETINFO_STATS` query ID.
+
+* Added additional checks to ensure data structures allocated when injecting
+  packets are freed. No leaks were reported, but it is possible some packets
+  could have been leaked when using the SendToRx feature.
+
+* An experimental feature, adaptive buffer sizing, can be enabled in Packet.dll
+  by setting the `PACKET_EXPERIMENTAL_OPTIMIZATION` environment variable.
+  See ([#622](http://issues.npcap.org/622)).
+
+## Npcap 1.83 [2025-08-01]
+
+* \[SECURITY\] Rebuilt the Windows self-installer with NSIS 3.11, addressing
+  CVE-2025-43715--a race condition in earlier NSIS versions that could allow
+  local attackers to escalate to SYSTEM privileges when a vulnerable installer
+  is run as SYSTEM. The Npcap installer does not run as SYSTEM by default.
+
+* Added a check for malformed OID request objects. This should prevent the BSoD
+  crashes that have been reported when setting up a PPPoE connection ([#296](http://issues.npcap.org/296)).
+
+* Fixed an issue with SendToRx mode that resulted in packet injection calls
+  hanging. Fixes [#785](http://issues.npcap.org/785).
+
+* SendToRx mode, which causes injected packets to be indicated as receives
+  instead of sends, can now be enabled per capture handle using the
+  `pcap_setmode(handle, PACKET_MODE_SENDTORX)`. Since this feature was
+  previously enabled globally via the Registry, user code can now opt out of it
+  with `pcap_setmode(handle, PACKET_MODE_SENDTORX_CLEAR)`.
+
+* The Npcap driver now can deliver packet timestamps using nanosecond
+  precision. This feature will be made available via the portable libpcap API
+  in the next Npcap SDK.
+
 ## Npcap 1.82 [2025-04-21]
 
 * Fixed an issue where Npcap 1.81 would incorrectly reject packets as too large

Common/Packet32.h

@@ -141,7 +141,8 @@ typedef struct _AirpcapHandle* PAirpcapHandle;
 #define PACKET_DEPRECATED_INTERNAL_STRUCT_DEFINITION
 #endif
 
-// Working modes, a bitfield
+// Working modes, a 32-bit integer
+// 0x000000ff: WinPcap legacy modes (least-significant byte)
 // 0b00000000
 //      |  ||_ STAT or CAPT
 //      |  |__ MON (TME extensions, not supported)
@@ -153,6 +154,14 @@ typedef struct _AirpcapHandle* PAirpcapHandle;
 #define PACKET_MODE_MON 0x2 ///< Monitoring mode
 #define PACKET_MODE_DUMP 0x10 ///< Dump mode
 #define PACKET_MODE_STAT_DUMP PACKET_MODE_DUMP | PACKET_MODE_STAT ///< Statistical dump Mode
+// 0x0000ff00: Npcap extensions
+// 0b00000000
+//        |||_ SENDTORX
+//        ||__ SENDTORX_CLEAR
+//        |___ NANO
+#define PACKET_MODE_SENDTORX       (1 << 8)  /// SendToRx mode
+#define PACKET_MODE_SENDTORX_CLEAR (1 << 9)  /// Disable SendToRx, overriding Registry
+#define PACKET_MODE_NANO           (1 << 10) /// Nanosecond precision timestamps
 
 
 /// Alignment macro. Defines the alignment size.
@@ -314,7 +323,7 @@ extern "C"
 	LPPACKET PacketAllocatePacket(void);
 	VOID PacketInitPacket(_Out_ LPPACKET lpPacket, _In_reads_bytes_(Length) PVOID  Buffer, _In_ UINT  Length);
 	VOID PacketFreePacket(_In_ _Post_invalid_ LPPACKET lpPacket);
-	_Success_(return) BOOLEAN PacketReceivePacket(_In_ LPADAPTER AdapterObject, _Out_ LPPACKET lpPacket, _In_ BOOLEAN Sync);
+	_Success_(return) BOOLEAN PacketReceivePacket(_In_ LPADAPTER AdapterObject, _Inout_updates_bytes_(lpPacket->Length) LPPACKET lpPacket, _In_ BOOLEAN Sync);
 	_Success_(return) BOOLEAN PacketSetHwFilter(_In_ LPADAPTER AdapterObject, _In_ ULONG Filter);
 	_Success_(return) BOOLEAN PacketGetAdapterNames(_Out_writes_opt_(_Old_(*BufferSize)) PCHAR pStr, _Inout_ PULONG  BufferSize);
 	_Success_(return) BOOLEAN PacketGetNetInfoEx(_In_ PCCH AdapterName, _Out_writes_to_(_Old_(*NEntries),*NEntries) npf_if_addr* buffer, _Inout_ PLONG NEntries);

Common/npcap-defs.h

@@ -148,5 +148,24 @@ C_ASSERT(sizeof(PACKET_OID_DATA) == 12);
 #define NPF_CONFIG_TESTMODE  0x40 /* TestMode */
 // BPF Extensions supported. Output is ULONG, max extension supported.
 #define NPF_GETINFO_BPFEXT 0x00000003
+// Supported mode bits for BIOCSMODE (PacketSetMode, pcap_setmode). Output is ULONG.
+#define NPF_GETINFO_MODES 0x00000004
+// Performance statistics for the filter module
+#define NPF_GETINFO_STATS 0x00000005
+// All of these are 2 USHORTs: average for last 10 and last 10K calls
+#define NPF_STATSINFO_RECVTIMES 0x00000001 /* ticks per recieve indication */
+#define NPF_STATSINFO_SENDTIMES 0x00000002 /* ticks per send indication */
+#define NPF_STATSINFO_DPCTIMES  0x00000003 /* ticks at DPC level, both dirs */
+// Internal debugging info unique to a filter module
+#define NPF_GETINFO_MODDBG 0x00000006
+// Subrequests of NPF_GETINFO_MODDBG
+#define NPF_MODDBG_PF_SUPPORTED 0x00000001
+#define NPF_MODDBG_PF_MY        0x00000002
+#define NPF_MODDBG_PF_HIGHER    0x00000003
+#define NPF_MODDBG_LA_MY        0x00000004
+#define NPF_MODDBG_LA_HIGHER    0x00000005
+#define NPF_MODDBG_BITS         0x00000006
+#define NPF_MODDBG_MAXFRAME     0x00000007
+#define NPF_MODDBG_NUMOPENS     0x00000008
 
 #endif /* NPCAP_DEFS_H */

docs/npcap-api.xml

@@ -18,8 +18,17 @@
   <para>The Npcap API is exported by <filename>wpcap.dll</filename> and is the
 	  Windows port of <ulink url="https://www.tcpdump.org/">libpcap</ulink>.
 	  The API and functions are described in
-	  <ulink url="wpcap/pcap.html">the pcap(1) man page</ulink>.
+          <ulink url="wpcap/pcap.html">the pcap(1) man page</ulink>.
+          This port varies from the standard Unix libpcap API in just a few ways.
+          First, the <literal>pcap_get_selectable_fd()</literal> and
+          <literal>pcap_get_required_select_timeout()</literal>
+          functions are not defined or exported. Second, as described in
+          <xref linkend="npcap-api-extensions"/>, Npcap extends the libpcap API with
+          a set of non-portable functions. Lastly, Npcap includes functions from the
+          remote capture API of libpcap, which is described in
+          <xref linkend="npcap-api-remote"/>.
   </para>
+
   <sect2 id="npcap-api-extensions">
     <title>Extensions to libpcap for Windows</title>
     <para>
@@ -278,4 +287,200 @@
 
     </variablelist>
   </sect2>
+
+  <sect2 id="npcap-api-remote">
+    <title>The libpcap remote capture API</title>
+    <para>
+      WinPcap introduced several additional functions to the libpcap API in
+      order to support remote capture. While the upstream libpcap project has
+      absorbed these functions, they have not yet published documentation on
+      them. Here is a brief overview.
+    </para>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <code>pcap_open</code>
+        </term>
+        <listitem>
+          <para>
+            Opens a remote or local capture handle.
+          </para>
+	  <code>pcap_t* pcap_open(const char * source, int snaplen, int flags, int read_timeout, struct pcap_rmtauth *auth, char *errbuf);</code>
+          <para>
+            This routine can open a savefile, a local device, or a device on
+            a remote machine running an RPCAP server.
+          </para>
+          <variablelist>
+            <varlistentry>
+              <term><code>source</code></term>
+              <listitem>
+                <para>
+                  Zero-terminated string containing the source name to open.
+                  The source name must be in one of the following formats:
+                </para>
+                <itemizedlist>
+                  <listitem><para><literal>file://path/to/file.pcap</literal></para></listitem>
+                  <listitem><para>
+                      <literal>rpcap://devicename</literal> (or the equivalent,
+                      <literal>devicename</literal>)
+                  </para></listitem>
+                  <listitem><para><literal>rpcap://host/devicename</literal></para></listitem>
+                  <listitem><para><literal>rpcap://host:port/devicename</literal></para></listitem>
+                </itemizedlist>
+                <para>
+                  Adapter names returned by <literal>pcap_findalldevs_ex()</literal>
+                  are already in this format. For convenience, compatible source
+                  strings can be built with the helper function,
+                  <literal>int pcap_createsrcstr(char *source, int type, const char *host, const char *port, const char *name, char *errbuf)</literal>,
+                  where <literal>type</literal> is one of
+                  <literal>PCAP_SRC_FILE</literal>,
+                  <literal>PCAP_SRC_IFLOCAL</literal>, or
+                  <literal>PCAP_SRC_IFREMOTE</literal>,
+                  and <literal>source</literal> is a user-allocated buffer of
+                  at least <literal>PCAP_BUF_SIZE</literal> bytes.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>snaplen</code></term>
+              <listitem>
+                <para>
+                  See the documentation for
+                  <ulink url="wpcap/pcap_open_live.html">pcap_open_live()</ulink>.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>flags</code></term>
+              <listitem>
+                <para>
+                  Keeps several flags that can be needed for capturing packets.
+                  The allowed flags are defined in the pcap_open() flags .
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>read_timeout></code></term>
+              <listitem>
+                <para>
+                  See the documentation for
+                  <ulink url="wpcap/pcap_open_live.html">pcap_open_live()</ulink>.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>auth</code></term>
+              <listitem>
+                <para>
+                  A pointer to a 'struct pcap_rmtauth' that keeps the
+                  information required to authenticate the user on a remote
+                  machine. In case this is not a remote capture, this pointer
+                  can be set to NULL.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>errbuf</code></term>
+              <listitem>
+                <para>
+                <para>
+                  See the documentation for
+                  <ulink url="wpcap/pcap_open_live.html">pcap_open_live()</ulink>.
+                </para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+ 
+          <para>
+            <emphasis>Portability notes:</emphasis> For opening a savefile, the
+            <ulink url="wpcap/pcap_open_offline.html">pcap_open_offline</ulink>
+            routines can be used, and will work just as well; code using them
+            will work on more platforms than code using <literal>pcap_open()</literal>
+            to open savefiles.
+          </para>
+ 
+          <para>
+            For opening a local device,
+            <ulink url="wpcap/pcap_open_live.html">pcap_open_live()</ulink>
+            can be used; it supports most of the capabilities than
+            <literal>pcap_open()</literal> supports, and code using it will work
+            on more platforms than code using <literal>pcap_open()</literal>.
+            <ulink url="wpcap/pcap_create.html">pcap_create()</ulink> and
+            <ulink url="wpcap/pcap_activate.html">pcap_activate()</literal>
+            can also be used; they support all capabilities that
+            <literal>pcap_open()</literal> supports, except for the Windows-only
+            <literal>PCAP_OPENFLAG_NOCAPTURE_LOCAL</literal>,
+            and they support additional capabilities.
+          </para>
+ 
+          <para>
+            For opening a remote capture, <literal>pcap_open()</literal> is
+            currently the only API available.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <code>pcap_findalldevs_ex</code>
+        </term>
+        <listitem>
+          <para>
+            Lists local and remote capture sources.
+          </para>
+          <code>int pcap_findalldevs_ex(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf);</code>
+          <variablelist>
+            <varlistentry>
+              <term><code>source</code></term>
+              <listitem>
+                <para>
+                  Zero-terminated string containing the source name to list.
+                  The source name must be in one of the following formats:
+                </para>
+                <itemizedlist>
+                  <listitem><para>
+                      <literal>file://path/to/directory</literal>
+                      - lists capture files in a directory
+                  </para></listitem>
+                  <listitem><para>
+                      <literal>rpcap://</literal> - lists local adapters
+                  </para></listitem>
+                  <listitem><para>
+                      <literal>rpcap://host[:port]</literal>
+                        - lists remote adapters
+                  </para></listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>auth</code></term>
+              <listitem>
+                <para>See <literal>pcap_open()</literal>.</para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>alldevs</code></term>
+              <listitem>
+                <para>
+                  See <ulink href="wpcap/pcap_findalldevs.html">pcap_findalldevs()</ulink>.
+                </para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term><code>errbuf</code></term>
+              <listitem>
+                <para>
+                  See <ulink href="wpcap/pcap_findalldevs.html">pcap_findalldevs()</ulink>.
+                </para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <para>
+            As with <literal> pcap_findalldevs()</literal>, the buffer returned in
+            <literal>alldevs</literal> must be freed using
+            <ulink href="wpcap/pcap_freealldevs.html">pcap_freealldevs()</ulink>.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </sect2>
 </sect1>