Information on WinPCAP and WinDUMP

Home pages: WinPcap WinDump
Release notes: winpcap, windump
Mail: (also used for WinDump) 

Relationship of WPCAP.DLL and PACKET.DLL

From: Guy Harris <>
Subject: Re: [tcpdump-workers] libpcap

On Thu, Nov 23, 2000 at 04:39:45PM -0700, Mark Reimer wrote:
> In the sample programs from netgroup..., I have tried to translate a couple
> of them to VB using Declares. The one that I think would be the easiest to
> use has the following functions: This is from testapp.c
> PacketGetAdapterNames

Perhaps that would be easier to use; it depends on what you're doing.

Some history on libpcap might make the relationship between packet.dll and wpcap.dll a bit clearer.

libpcap was originally the code in tcpdump that hid from the bulk of tcpdump the differences between the mechanisms provided by various flavors of UNIX to allow raw link-layer packets to be transmitted and received; tcpdump merely receives link-layer packets, and doesn't send them, so libpcap doesn't have any routines to transmit packets. (There's no reason why it couldn't have those routines; it just doesn't happen to have them.)

wpcap.dll implements the libpcap API (plus some extensions) for Win32 systems; packet.dll, and the drivers for various Win32 operating systems, provide a Win32-specific raw link-layer packet access mechanism.

I.e., wpcap.dll provides an API that should work on BSD, Linux, Solaris, HP-UX, Irix, AIX, Windows 9x, Windows NT, etc., allowing applications to capture packets on a network without themselves having to do that capture differently on different OSes. (Well, there are some minor glitches that require some slightly different behavior on some OSes, but the latest version of libpcap should handle at least one of those.)

packet.dll provides a Win32-specific API for capturing and sending packets, just as the BPF driver on BSD, PF_PACKET sockets on Linux, DLPI on Solaris and HP-UX and some other flavors of UNIX, etc. provide APIs that are somewhat OS-specific for capturing and sending packets on those OSes.

The routines with names beginning with Packet are the packet.dll routines; that's the packet.dll API.

The routines with names beginning with pcap_ are the wpcap.dll routines; that's the libpcap API.

The libpcap API is a somewhat "higher-level" API, hiding, as it does, various low-level details of BPF or PF_PACKET sockets or DLPI or packet.dll or… That might make it easier to use; however, it also might mean that it wouldn't allow you to do some things you could do by directly using the packet.dll API.

The page at describes that thus:

WinPcap is an architecture for packet capture and network analysis for the Win32 platforms, based on the model of BPF and libpcap for UNIX. It includes a kernel-level packet filter driver, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll).

The packet capture driver is a device driver that adds to Windows 95, Windows 98, Windows NT and Windows 2000 the ability to capture and send raw packets in a way similar to the Berkeley Packet Filter of UNIX kernels.

packet.dll is an API that can be used to access directly the functions of the capture driver.

WinPcap exports a set of functions fully compatible with libpcap 0.5.2. It allows capturing packets in a way independent from the underlying network hardware and operating system.

> Also I would need to come up with proper types (structures) for LPADAPTER
> and LPPACKET. These use packet.dll.
> The other is from pktdump.c and uses the following:
> pcap_open_live
> pcap_loop
> For this one, it uses structure of pcap (which I haven't found defined
> anywhere). I assume because wpcap.dll is loaded as needed, it is defined in
> there, and not anywhere else.

No, it's because the pcap_t structure's layout is relevant only if you're trying to write programs that use libpcap…

…just as LPADAPTER and LPPACKET are relevant only if you're trying to write programs that use packet.dll.

Given that you're planning on writing programs that use libpcap and/or packet.dll, they are relevant.

LPADAPTER is just a pointer to an ADAPTER structure; ADAPTER is defined in PACKET32.H, which comes as part of the WinPcap 2.1 beta developer's pack. LPPACKET is just a pointer to a PACKET structure; PACKET is also defined in PACKET32.H.

pcap_t is a handle returned when you open a capture device with libpcap; it's defined in pcap.h, which also comes as part of the WinPcap 2.1 beta developer's pack.

> I'm trying to write an update to a packet capture program that runs in DOS
> (yes, pre-Windows), so I just need to capture the packets, then I know what
> I'm doing.

I assume the update is to make it run on Win32 operating systems (Windows 95/98 and Windows NT/2000), as WinPcap won't work on plain DOS.

If it's just a packet capture program, the libpcap API, rather than the raw packet.dll API, may be easier. (If you download the WinPcap 2.1 beta source, and look at pcap-win32.c in the WPCAP\LIBPCAP directory, that shows you the stuff that the libpcap library hides; it's not that complicated—take a look, for example, at pcap-dlpi.c in that directory, which shows you the stuff libpcap has to hide from you on a platform using DLPI, although pcap-bpf.c is a bit simpler, which is perhaps not surprising given that BPF was designed by the same folks who designed libpcap and tcpdump…)