forked from nmap/npcap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
internals.htm
56 lines (51 loc) · 2.98 KB
/
internals.htm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title></title>
</head>
<body>
This portion of the manual describes the internal structure and interfaces of Npcap,
starting from the lowest-level module. It is targeted at people that must extend
or modify this software, or to the ones interested in how it works. Therefore,
developers who just want to use Npcap in their software don't need to read it.
<h2>Npcap structure</h2>
<p>Npcap is an architecture for packet capture and network analysis for the
Win32 platforms. It includes a kernel-level packet filter, a
low-level dynamic link library (packet.dll), and a high-level and
system-independent library (wpcap.dll).</p>
<p>Why do we use the term "architecture" rather than "library"? Because packet capture is a low level mechanism
that requires a strict interaction with the network adapter and with the
operating system, in particular with its networking implementation, so a simple
library is not sufficient.</p>
<p>The following figure shows the various components of Npcap:</p>
<p align="center">
<img src="internals-arch.gif" width="280" height="355">
<p align="center">
<b>Main components of Npcap.</b>
<p>First, a capture system needs to bypass the operating systems's protocol stack in order to access
the raw data transiting on the network. This requires a portion
running inside the kernel of OS, interacting directly with the network interface
drivers. This portion is very system dependent, and in
our solution it is realized as a device driver, called Netgroup Packet Filter (NPF);
This driver offers basic features like packet capture
and injection, as well as more advanced ones like a programmable filtering system and a
monitoring engine. The filtering system can be used to restrict a capture session to a
subset of the network traffic (e.g. it is possible to capture only the ftp
traffic generated by a particular host); the monitoring engine provides a powerful but
simple to use mechanism to obtain statistics on the traffic (e.g. it is possible
to obtain the network load or the amount of data exchanged between two hosts).</p>
<p>Second, the capture system must export an interface that user-level
applications will use to take advantage of the features provided by the kernel
driver. Npcap provides two different libraries: <i>packet.dll</i> and <i>wpcap.dll</i>.</p>
<p>
Packet.dll offers a low-level API that can be used to directly access the
functions of the driver, with a programming interface independent from the
Microsoft OS.</p>
<!-- TODO: Should we acknowledge libpcap more significantly here? Wpcap.dll *IS* libpcap, not just compatible. -->
<p>Wpcap.dll exports a more powerful set of high level capture
primitives that are compatible with libpcap, the well known Unix capture
library. These functions enable packet capture in a manner that is independent
of the
underlying network hardware and operating system.</p>
</body>
</html>