      总的来说,winpcap主要有3个文件需要关注,wpcap.dll, parket.dll, npf.sys。其中wpcap和packet属于应用层的程序,npf属于内核层的程序,即npf就是一个Ndis的协议驱动。在本文中主要分析这几个文件和他们之间是怎么通信的,对于驱动的基础知识和Ndis驱动程序不在进行重点讲解,如果对本文的内容看不明白,大家可以在回过头学习驱动的知识,也可以和我交流。



1) 查找设备,也就是说查找网卡设备,调用的函数是pcap_findalldevs

2) 打开对应的网卡设备,调用的函数为pcap_open_live

3) 过滤数据包,在解析之前过滤数据包,可以减少解析的数据包数,增强数据包解析的能力,主要调用2个函数,pcap_compile编译过滤器,采用pcap_setfiter;

4) 获取数据包,主要的函数有pcap_loop,pcap_dispatch,pcap_next,pcap_next_ex这4个函数,这四个函数的区别可以参考winpcap的手册。

5) 关闭设备,pcap_freealldevs;











(1)Libcap在BPF中采用2个缓冲区,即store buffer和hold buffer,从网卡拷贝的数据首先放入到store buffer ,然后再复制到hold buffer,就是一个乒乓操作经过hold buffer拷贝到应用程序的user buffer 中,这两个缓冲区的大小一般为32k。而winpcap采用的是一个循环缓冲区,即内核缓冲区,kernel buffer,内核缓冲区的默认大小为1M,可以采用pcap_setbuff对内核缓冲区进行修改。




(5) winpcap提供了直接从内核缓冲区将数据写入文件的方法,这样减少了数据包的拷贝次数,提高了收包的速度。







(1)      pcap_findalldevs

intpcap_findalldevs(pcap_if_t **alldevsp,char *errbuf)


    pcap_if_t *devlist =NULL;

    int ret = 0;

    const char *desc;

    char *AdaptersName;

    ULONG NameLength;

    char *name;

    if (!PacketGetAdapterNames(NULL, &NameLength))


        DWORD last_error =GetLastError();

        if (last_error !=ERROR_INSUFFICIENT_BUFFER)



                  "PacketGetAdapterNames: %s",


             return (-1);



    if (NameLength > 0)

        AdaptersName = (char*)malloc(NameLength);



        *alldevsp = NULL;

        return 0;


    if (AdaptersName ==NULL)


        snprintf(errbuf,PCAP_ERRBUF_SIZE"Cannot allocate enough memory to list the adapters.");

        return (-1);


    if (!PacketGetAdapterNames(AdaptersName, &NameLength)) {


             "PacketGetAdapterNames: %s",



        return (-1);



     * "PacketGetAdapterNames()" returned a list of

     * null-terminated ASCII interface name strings,

     * terminated by a null string, followed by a list

     * of null-terminated ASCII interface description

     * strings, terminated by a null string.

     * This means there are two ASCII nulls at the end

     * of the first list.


     * Find the end of the first list; that's the

     * beginning of the second list.


    desc = &AdaptersName[0];

    while (*desc !='/0' || *(desc + 1) !='/0')



     * Found it - "desc" points to the first of the two

     * nulls at the end of the list of names, so the

     * first byte of the list of descriptions is two bytes

     * after it.


    desc += 2;



     * Loop over the elements in the first list.


    name = &AdaptersName[0];

    while (*name !='/0') {


         * Add an entry for this interface.


        if (pcap_add_if_win32(&devlist,namedescerrbuf) == -1) {


              * Failure.


             ret = -1;



        name += strlen(name) + 1;

        desc += strlen(desc) + 1;


    if (ret != -1) {


         * We haven't had any errors yet; do any platform-specific

         * operations to add devices.


        if (pcap_platform_finddevs(&devlist,errbuf) < 0)

             ret = -1;


    if (ret == -1) {


         * We had an error; free the list we've been constructing.


        if (devlist !=NULL) {


             devlist = NULL;



    *alldevsp = devlist;


    return (ret);




BOOLEANPacketGetAdapterNames(PTSTRpStr,PULONG  BufferSize)



    ULONG    SizeNeeded = 0;

    ULONG    SizeNames = 0;

    ULONG    SizeDesc;

    ULONG    OffDescriptions;



    TRACE_PRINT2("Packet DLL version %s, Driver version %s",PacketLibraryVersionPacketDriverVersion);

    TRACE_PRINT1("PacketGetAdapterNames: BufferSize=%u", *BufferSize);


    // Check the presence on some libraries we rely on, and load them if we found them




    // Create the adapter information list


    TRACE_PRINT("Populating the adapter list...");






        *BufferSize = 0;

        TRACE_PRINT("No adapters found in the system. Failing.");



        return FALSE;     // No adapters to return



    // First scan of the list to calculate the offsets and check the sizes


    for(TAdInfo =g_AdaptersInfoListTAdInfo !=NULLTAdInfo =TAdInfo->Next)


        if(TAdInfo->Flags !=INFO_FLAG_DONT_EXPORT)


             // Update the size variables

             SizeNeeded += (ULONG)strlen(TAdInfo->Name) + (ULONG)strlen(TAdInfo->Description) + 2;

             SizeNames += (ULONG)strlen(TAdInfo->Name) + 1;




    // Check that we don't overflow the buffer.

    // Note: 2 is the number of additional separators needed inside the list

    if(SizeNeeded + 2 > *BufferSize ||pStr == NULL)



        TRACE_PRINT1("PacketGetAdapterNames: input buffer too small, we need %u bytes", *BufferSize);

        *BufferSize = SizeNeeded + 2; // Report the required size



        return FALSE;


    OffDescriptions = SizeNames + 1;



    // Second scan of the list to copy the information


    for(TAdInfo =g_AdaptersInfoListSizeNames = 0,SizeDesc = 0; TAdInfo !=NULLTAdInfo =TAdInfo->Next)


        if(TAdInfo->Flags !=INFO_FLAG_DONT_EXPORT)


             // Copy the data


                  ((PCHAR)pStr) +SizeNames,

                  *BufferSize - SizeNames,



                  ((PCHAR)pStr) +OffDescriptions + SizeDesc,

                  *BufferSize - OffDescriptions -SizeDesc,



             // Update the size variables

             SizeNames += (ULONG)strlen(TAdInfo->Name) + 1;

             SizeDesc += (ULONG)strlen(TAdInfo->Description) + 1;



    // Separate the two lists

    ((PCHAR)pStr)[SizeNames] = 0;

    // End the list with a further /0

    ((PCHAR)pStr)[SizeNeeded + 1] = 0;



    return TRUE;





    Result=(BOOLEAN)DeviceIoControl(AdapterObject->hFile,(DWORD)Set ? (DWORD)BIOCSETOID : (DWORD)BIOCQUERYOID,OidData,sizeof(PACKET_OID_DATA)-1+OidData->Length,OidData,





(2)      pcap_open_live

pcap_t *

pcap_open_live(constchar *sourceint snaplenintpromiscint to_mschar *errbuf)


    pcap_t *p;

    int status;

    p = pcap_create(source,errbuf);

    if (p == NULL)

        return (NULL);

    status = pcap_set_snaplen(p,snaplen);         //设置最大包长

    if (status < 0)

        goto fail;

    status = pcap_set_promisc(p,promisc);         //是否混杂模式

    if (status < 0)

        goto fail;

    status = pcap_set_timeout(p,to_ms);           //设置超时

    if (status < 0)

        goto fail;


     * Mark this as opened with pcap_open_live(), so that, for

     * example, we show the full list of DLT_ values, rather

     * than just the ones that are compatible with capturing

     * when not in monitor mode.  That allows existing applications

     * to work the way they used to work, but allows new applications

     * that know about the new open API to, for example, find out the

     * DLT_ values that they can select without changing whether

     * the adapter is in monitor mode or not.


    p->oldstyle = 1;

    status = pcap_activate(p);                            

    if (status < 0)

        goto fail;

    return (p);


    if (status ==PCAP_ERROR || status ==PCAP_ERROR_NO_SUCH_DEVICE ||

        status == PCAP_ERROR_PERM_DENIED)



        snprintf(errbuf,PCAP_ERRBUF_SIZE"%s: %s",source,



    return (NULL);



Intpcap_activate(pcap_t *p)


    int status;

    status = p->activate_op(p);

    if (status >= 0)

        p->activated = 1;

    return (status);


Pcap_activate调用activate_op,该函数是回调函数, p->activate_op = pcap_activate_win32;即pcap_activate调用pcap_activate_win32函数,pcap_activate_win32函数调用PacketOpenAdapter,同时函数设置PacketSetBuff和if(PacketSetMinToCopy(p->adapter,16000)==FALSE),设置设置最小copysize=16k。PacketOpenAdapter中调用使用NPF device driver打开网卡(adapter),同样调用PacketRequest,调用DeviceIoControl,即对应驱动中的NPF_IoControl。



(3) pcap_setfilter

Intpcap_setfilter(pcap_t *p,struct bpf_program *fp)


    return p->setfilter_op(p,fp);


p->setfilter_op =pcap_setfilter_win32_npf;




pcap_setfilter_win32_npf(pcap_t *pstruct bpf_program *fp)




         * Kernel filter not installed.

         * XXX - fall back on userland filtering, as is done

         * on other platforms?


        snprintf(p->errbuf,PCAP_ERRBUF_SIZE"Driver error: cannot set bpf filter: %s",pcap_win32strerror());

        return (-1);




     * Discard any previously-received packets, as they might have

     * passed whatever filter was formerly in effect, but might

     * not pass this filter (BIOCSETF discards packets buffered

     * in the kernel, so you can lose packets in any case).


    p->cc = 0;

    return (0);



BOOLEANPacketSetBpf(LPADAPTERAdapterObjectstructbpf_program *fp)


    DWORD BytesReturned;

    BOOLEAN Result;



    if (AdapterObject->Flags ==INFO_FLAG_NDISWAN_ADAPTER)


        Result = WanPacketSetBpfFilter(AdapterObject->pWanAdapter, (PUCHAR)fp->bf_insns,fp->bf_len * sizeof(structbpf_insn));


        return Result;




    if(AdapterObject->Flags ==INFO_FLAG_AIRPCAP_CARD)


        Result = (BOOLEAN)g_PAirpcapSetFilter(AdapterObject->AirpcapAd,


             fp->bf_len *sizeof(struct bpf_insn));


        return Result;




    if(AdapterObject->Flags == INFO_FLAG_NPFIM_DEVICE)


        Result = (BOOLEAN)g_NpfImHandlers.NpfImSetBpfFilter(AdapterObject->NpfImHandle,


             fp->bf_len * sizeof(struct bpf_insn));


        return TRUE;





    if(AdapterObject->Flags & INFO_FLAG_DAG_CARD)


        // Delegate the filtering to higher layers since it's too expensive here


        return TRUE;


#endif// HAVE_DAG_API


    if (AdapterObject->Flags ==INFO_FLAG_NDIS_ADAPTER)



        Result = (BOOLEAN)DeviceIoControl(AdapterObject->hFile,BIOCSETF,(char*)fp->bf_insns,fp->bf_len*sizeof(structbpf_insn),NULL,0,&BytesReturned,NULL);




        TRACE_PRINT1("Request to set BPF filter on an unknown device type (%u)",AdapterObject->Flags);

        Result = FALSE;



    return Result;



