<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8"><title>WinPcap: WinPcap internals</title><link href="style.css" rel="stylesheet" type="text/css"><link href="tabs.css" rel="stylesheet" type="text/css"></head><body><!-- Generated by Doxygen 1.5.6 --><div class="navigation" id="top">  <div class="tabs">    <ul>      <li><a href="main.html"><span>Main&nbsp;Page</span></a></li>      <li><a href="pages.html"><span>Related&nbsp;Pages</span></a></li>      <li><a href="modules.html"><span>Modules</span></a></li>      <li><a href="annotated.html"><span>Data&nbsp;Structures</span></a></li>      <li><a href="files.html"><span>Files</span></a></li>    </ul>  </div></div><div class="contents"><h1>WinPcap internals</h1><table border="0" cellpadding="0" cellspacing="0"><tr><td></td></tr><tr><td colspan="2"><br><h2>Modules</h2></td></tr><tr><td class="memItemLeft" nowrap align="right" valign="top">&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__NPF.html">NPF driver internals manual</a></td></tr><tr><td class="memItemLeft" nowrap align="right" valign="top">&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__compilation.html">How to compile WinPcap</a></td></tr><tr><td class="memItemLeft" nowrap align="right" valign="top">&nbsp;</td><td class="memItemRight" valign="bottom"><a class="el" href="group__packetapi.html">Packet.dll -- Packet Driver API</a></td></tr></table><hr><a name="_details"></a><h2>Detailed Description</h2><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><meta name="GENERATOR" content="Microsoft FrontPage 6.0"><meta name="ProgId" content="FrontPage.Editor.Document"><title></title></head><body>This portion of the manual describes the internal structure and interfaces of WinPcap, starting from the lowest-level module. It is targeted at people that must extend or modify this software, or to the ones interested in how it works. Therefore, developers who just want to use WinPcap in their software don't need to read it.<h2>WinPcap structure</h2><p>Quoted from the home page of winpcap:</p><p><i>WinPcap is an architecture for packet capture and network analysis for theWin32 platforms. It includes a kernel-level packet filter, alow-level dynamic link library (packet.dll), and a high-level andsystem-independent library (wpcap.dll).</i></p><p>Why we use the term &quot;architecture&quot; rather than &quot;library&quot;? Because packet capture is a low level mechanismthat requires a strict interaction with the network adapter and with theoperating system, in particular with its networking implementation, so a simplelibrary is not sufficient.</p><p>The following figure shows the various components of WinPcap:</p><p align="center"><img src="internals-arch.gif" width="280" height="355"><p align="center"><b>Main components of WinPcap.</b><p>First, a capture system needs to bypass the operating systems's protocol stack in order to accessthe raw data transiting on the network. This requires a portionrunning inside the kernel of OS, interacting directly with the network interfacedrivers. This portion is very system dependent, and inour solution it is realized as a device driver, called Netgroup Packet Filter (NPF); we provide different versions of the driver for Windows 95, Windows 98, Windows ME,Windows NT 4,Windows 2000 and Windows XP. These drivers offer both basic features like packet captureand injection, as well as more advanced ones like a programmable filtering system and amonitoring engine. The first one can be used to restrict a capture session to asubset of the network traffic (e.g. it is possible to capture only the ftptraffic generated by a particular host), the second one provides a powerful butsimple to use mechanism to obtain statistics on the traffic (e.g. it is possibleto obtain the network load or the amount of data exchanged between two hosts).</p><p>Second, the capture system must export an interface that user-levelapplications will use to take advantage of the features provided by the kerneldriver. WinPcap provides two different libraries: <i>packet.dll</i> and <i>wpcap.dll</i>.&nbsp;</p><p>The first one offers a low-level API that can be used to directly access thefunctions of the driver, with a programming interface independent from theMicrosoft OS.&nbsp;</p><p> The second one exports a more powerful set of high level captureprimitives that are compatible with libpcap, the well known Unix capture library. These functions enable packet capture in a manner that is independent of theunderlying network hardware and operating system.</p><p>Throughout this documentation we will refer to the <b>Packet Driver API </b>or<b>packet.dll</b> as the first set of functions, whereas <b>wpcap</b>, <b>wpcap.dll</b> or <b>libpcap</b> will refer to the to the second one.</p></body></html> </div><hr><p align="right"><img border="0" src="winpcap_small.gif" align="absbottom" width="91" height="27">documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005-2008CACE Technologies. All rights reserved.</p>