What is WinPcap
WinPcap is an open source library for packet capture and network analysis for the Win32 platforms.
Most networking applications access the network through widely used operating system primitives such as sockets. It is easy to access data on the network with this approach since the operating system copes with the low level details (protocol handling, packet reassembly, etc.) and provides a familiar interface that is similar to the one used to read and write files.
Sometimes, however, the 'easy way' is not up to the task, since some applications require direct access to packets on the network. That is, they need access to the "raw" data on the network without the interposition of protocol processing by the operating system.
The purpose of WinPcap is to give this kind of access to Win32 applications; it provides facilities to:
- capture raw packets, both the ones destined to the machine where it's running and the ones exchanged by other hosts (on shared media)
- filter the packets according to user-specified rules before dispatching them to the application
- transmit raw packets to the network
- gather statistical information on the network traffic
This set of capabilities is obtained by means of a device driver, that is installed inside the networking portion of Win32 kernels, plus a couple of DLLs.
All these features are exported through a powerful programming interface, easily exploitable by the applications and available on different OSes. The main goal of this manual is to document this interface, with the help of several examples. If you are interested in starting your exploration right away you can go directly to the WinPcap user's manual.
What kind of programs use WinPcap
The WinPcap programming interface can be used by many types of network tools for analysis, troubleshooting, security and monitoring. In particular, classical tools that rely on WinPcap are:
- network and protocol analyzers
- network monitors
- traffic loggers
- traffic generators
- user-level bridges and routers
- network intrusion detection systems (NIDS)
- network scanners
- security tools
What WinPcap can't do
WinPcap receives and sends the packets independently from the host protocols, like TCP-IP. This means that it isn't able to block, filter or manipulate the traffic generated by other programs on the same machine: it simply "sniffs" the packets that transit on the wire. Therefore, it does not provide the appropriate support for applications like traffic shapers, QoS schedulers and personal firewalls.