SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2019-03-11

Wireshark 3.0.0 and Npcap

Published: 2019-03-11
Last Updated: 2019-03-11 08:22:02 UTC
by Didier Stevens (Version: 1)

Starting with version 3.0.0, the Wireshark for Windows installation programs are distributed with Npcap instead of WinPcap. Prior Wireshark Windows versions already supported Npcap, but the installer still came bundled with WinPcap.

Npcap is a library for packet capturing and sending on Windows, developed by the Nmap project, and is actively maintained, while WinPcap is no longer actively maintained (unless WinPcap's community steps in).

If you have a prior version of Wireshark installed on Windows (like 2.6.7), and you perform an upgrade to 3.0.0, Npcap will be installed by default:

One feature offered by Npcap and lacking in WinPcap is capturing traffic on the loopback adapter:

Wireshark with WinPcap:

Wireshark with Npcap:

You can also sniff WiFi if your driver supports it.

If you have WinPcap installed, and Npcap is installed with default options, then WinPcap remains installed:

WinPcap and Npcap can coexist, unless you choose to have the Npcap installer install a WinPcap API-compatible DLL. In that case, WinPcap will be uninstalled.

This WinPcap API-compatible DLL allows other applications that depend on WinPcap and do not support Npcap to run when only Npcap is installed.
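
When inventorying hosts after an upgrade, the install states described above (WinPcap only, Npcap only, both side by side, Npcap with the WinPcap API-compatible DLL) can be told apart by inspecting the installed `wpcap.dll` files. The following PowerShell is an added example, not part of the original diary; the file locations and the use of the DLL's `ProductName` version field are assumptions about default installs, and the function names are hypothetical.

```powershell
# Added example: classify the packet-capture library state of a Windows host.
# Assumed default locations (not stated in the diary):
#   %SystemRoot%\System32\wpcap.dll        WinPcap, or Npcap's WinPcap API-compatible DLL
#   %SystemRoot%\System32\Npcap\wpcap.dll  Npcap's native DLL

function Get-PcapDllInfo {
    # Returns product and version metadata for a DLL, or $null if it is absent.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path    = $Path
        Product = $v.ProductName   # assumed to name either WinPcap or Npcap
        Version = $v.FileVersion
    }
}

function Get-PcapState {
    # Maps the two DLL observations onto the install states from the diary.
    param($LegacyDll, $NpcapDll)
    # A System32\wpcap.dll that identifies itself as Npcap is the compatibility DLL.
    $legacyIsNpcap = $LegacyDll -and ($LegacyDll.Product -match 'Npcap')
    if ($legacyIsNpcap)             { return 'Npcap with WinPcap API-compatible DLL' }
    if ($NpcapDll -and $LegacyDll)  { return 'WinPcap and Npcap coexist' }
    if ($NpcapDll)                  { return 'Npcap only' }
    if ($LegacyDll)                 { return 'WinPcap only' }
    'No capture library found'
}

# Run from a 64-bit PowerShell so System32 is not redirected to SysWOW64.
$sys32  = Join-Path $env:SystemRoot 'System32'
$legacy = Get-PcapDllInfo (Join-Path $sys32 'wpcap.dll')
$npcap  = Get-PcapDllInfo (Join-Path $sys32 'Npcap\wpcap.dll')

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    State     = Get-PcapState -LegacyDll $legacy -NpcapDll $npcap
    LegacyDll = $legacy
    NpcapDll  = $npcap
}
```

A host reporting "WinPcap only" or "WinPcap and Npcap coexist" still carries the library that is no longer actively maintained.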


Didier Stevens
Senior handler
Microsoft MVP

Keywords: Npcap Wireshark