CBFS Connect
CBFS Filter
CBFS Encrypt
PCAP Filter
CBFS Sync
CBFS Vault
CBFS Shell
SFTP Drive
AES Drive
DAV Drive
S3 Drive
NFS Drive
Azure Drive
Replacing Npcap with PCAP Filter in Wireshark
Introduction
PCAP Filter is a cross-platform packet-capture library that lets developers monitor and filter network traffic in real time without writing low-level driver code.
One of PCAP Filter's core components is NetFilter, which provides the kernel-level driver responsible for intercepting packets on Windows systems. This driver, packaged as netfilter.cab, handles all low-level capture operations that traditional tools such as Npcap typically manage.
In this article, we'll use the NetFilter driver and the accompanying wpcap.dll and packet.dll from PCAP Filter to replace Npcap as the capture backend for Wireshark. This allows Wireshark to operate entirely through PCAP Filter's driver and libraries rather than relying on Npcap.
Install the NetFilter Driver (Windows)
Before Wireshark can use PCAP Filter, the NetFilter driver must be installed on the system.
To do this, assuming PCAP Filter 2024 is installed, you can call the Install method from the NetFilter component in your application:
// Example: Installing the NetFilter driver
private const int ALTITUDE_FAKE_VALUE_FOR_DEMO = 777;
filter.Install("C:\path\to\netfilter.cab", // cab file path
"{01F21D1E-6E39-4205-BC76-E9748FFA78B2}", // driver guid
ALTITUDE_FAKE_VALUE_FOR_DEMO, // driver altitude
0x10, // installation options
null
);
Once installed successfully, the NetFilter driver will be nearly ready for use by Wireshark.
Please note that, for use with the provided packet.dll and wpcap.dll libraries (more on this below), the driver must be installed with the GUID {01F21D1E-6E39-4205-BC76-E9748FFA78B2}. The provided DLLs expect the NetFilter driver to have this GUID.
Replacing Npcap DLLs
After installing the driver, please navigate to the PCAP Filter 2024 installation directory (e.g., %USERPROFILE%\Documents\PCAP Filter 2024 .NET Edition). Here, the PcapLibs directory will contain the DLLs packet.dll and wpcap.dll. These DLLs are utilized by Wireshark to communicate with an underlying capture filter driver.
Typically, when installing Wireshark, the Npcap capture filter driver will be installed. The packet.dll and wpcap.dll will then be installed in C:\Windows\System32\Npcap, and these DLLs are then utilized by Wireshark afterwards.
To make Wireshark use PCAP Filter instead of Npcap, you must copy packet.dll and wpcap.dll to the C:\Windows\System32 directory. That said, if Npcap is currently installed, Wireshark will still default to using it. To ensure this works correctly, you may:
- Uninstall Npcap to ensure Wireshark automatically uses the PCAP Filter libraries (recommended).
- Replace the DLLs in C:\Windows\System32\Npcap with the PCAP Filter versions.
Afterwards, please start (or restart) Wireshark, and confirm the local interfaces are visible and packets are being captured.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.