npcap.exeとは?npcapとは?nmapとは? win10pcapとどちらが推奨なのか?に回答します
Wirsharkのインストール時に求められるnpcap.exeそして、その関連プロジェクトである nmapについて解説します。
先ずはnpcap.exeを説明する前に、nmapとは?を説明します。nmap.orgのこちらのURIに以下の説明があります。
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
https://nmap.org/
つまり、「Nmap(Network Mapperの略)は、フリーでOSSなネットワーク探索、セキュリティ認証に特化したユーティリティです。ネットワークのインベントリ、ホストやシステムの起動、各種サービスの最適化に利用できます!」といったところです。
トラフィックの解析を職業としない方は、「広い世の中にはそんな便利なユーティリティがフリーであるんだ~」くらいの理解で良いかと思います。
そして、npcap.exeですがこちらも引用すると以下の説明となります。
Npcap is the Nmap Project’s packet sniffing (and sending) library for Windows. It is based on the discontinued WinPcap library, but with improved speed, portability, security, and efficiency. In particular, Npcap offers:
WinPcap for Windows 10: Npcap works on Windows 7 and later by making use of the new NDIS 6 Light-Weight Filter (LWF) API. It’s faster than the deprecated NDIS 5 API, which Microsoft could remove at any time. Also, the driver is signed with our EV certificate and countersigned by Microsoft, so it works even with the stricter driver signing requirements in Windows 10 1607.
https://nmap.org/npcap/
Extra Security: Npcap can (optionally) be restricted so that only Administrators can sniff packets. If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets. We’ve also enabled the Windows ASLR and DEP security features and signed the driver, DLLs, and executables to prevent tampering.
Loopback Packet Capture: Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP). After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like “ping 127.0.0.1” (IPv4) or “ping ::1” (IPv6).
Loopback Packet Injection: Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet’s Ethernet header and injecting the payload into the Windows TCP/IP stack.
Libpcap API: Npcap uses the excellent Libpcap library, enabling Windows applications to use a portable packet capturing API that is also supported on Linux and Mac OS X. While WinPcap was based on LibPcap 1.0.0 from 2009, Npcap includes the latest Libpcap release along with improvements that we also contribute back upstream to Libpcap.
WinPcap compatibility: For applications that don’t yet make use of Npcap’s advanced features, Npcap can be installed in “WinPcap Compatible Mode.” This will replace any existing WinPcap installation. If compatibility mode is not selected, Npcap can coexist alongside WinPcap; applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.
Unsure whether to use WinPcap or Npcap? Check out our feature comparison and decide for yourself.
長いですが、重要な点だけご紹介します。
npcapの特徴
- Windowsシステム向けのパケットスニファー、送信ライブラリである
- 開発が停止されているWinpcapベースで開発されているが、スピード、ポータビリティ、セキュリティ、効果的なライブラリとなるように強化されている
- セキュリティ強化されたWindows10 1607以降でも動作する
- administrator権限でしか実行できない
- loopbackパケットのキャプチャも可能
- Libpcapライブラリを活用している
- WinPcapと互換性がある
つまり、開発が停止しているWinpcapの代わりのライブラリで、機能やセキュリティを強化したパケットスニファーライブラリがnpcap.exeです。
本ブログにWin10pcapどちらを選択すれば良いの?
と記載しましたが、npcap.exeの選択が正しいです。
最新記事 by 伊集院 (全て見る)
- 【暗号化通信(TLS)を復元できる】WIRESHARK達人への道 第二十五歩 暗号化通信(TLS)を復号する方法 - 1月 1, 2023
- 【詳細版】NSM(ネットワークセキュリティモニタ)、Zeekとは? - 9月 1, 2022
- 【簡易版】OSSネットワークセキュリティモニタZeekとは? - 8月 26, 2022