[Snort-users] [ANNOUNCE] WinPcap 3.2 alpha1 has been released

Gianluca Varenni gianluca.varenni at ...11827...
Sun Dec 18 13:00:03 EST 2005


WinPcap 3.2 alpha1 is available from today in the download section of the
WinPcap website, http://www.winpcap.org/install/.

The most remarkable feature of this new version is the long-awaited support
for x86-64 platforms. Under 64bit platforms, the NPF driver is 64bit, and
the user level DLLs (packet.dll and wpcap.dll) are 32bit. As a consequence, it's
possible to run any 32bit WinPcap-based application without any
recompilation. Thanks to Ramiro Polla for doing pre-release testing on x86-64
platforms.

NOTE: on 32bit platforms, this build does not add any new feature to the
current stable version of WinPcap (3.1), apart from the update to libpcap
0.9.4, and some minor bugfixes in the code and the installer.


A new alpha/beta is expected to be available in a couple of months; it will
probably include support for JITted BPF filters on x86-64 and bugfixes
related to the problems reported by the users of this alpha version.
Therefore, if you test it, please give us feedback.

The complete change log is attached at the end of this message.
Enjoy!

Gianluca Varenni
WinPcap Team



Changelog
=========

- Added support for x86-64 (AMD64) under Windows XP/2003. Under 64bit
  platforms, the NPF driver is 64bit, and the user level DLLs (packet.dll
  and wpcap.dll) are 32bit. As a consequence, it's possible to run any
  32bit WinPcap-based application without any recompilation.
  The x86-64 NPF driver has the following limitations:
  * BPF filters are not JITted to x86-64 instructions (filters are
    interpreted).
  * The MONITOR_MODE (used mainly by Analyzer) is not supported.
  * It's not possible to change the timestamping mode using the registry key
      HKLM\System\CurrentControlSet\Services\NPF\TimestampMode
    Timestamps are always computed using KeQueryPerformanceCounter.

  Moreover, due to the lack of the NetMon COM component on the 64bit version
  of Windows, dialup adapters are not supported.

- wpcap.dll has been updated to libpcap 0.9.4 from http://www.tcpdump.org.

- Added a patch file containing the patches for remote capture against the
  vanilla libpcap sources.

- Better error handling in the installer.

- Applied some patches to the bpf_filter and verifier (from Guy Harris),
  adding checks for:
  + BPF programs with no instructions
  + BPF_STX and BPF_LDX|BPF_MEM instructions that have out-of-range offsets
    (which could be made to fetch or store into arbitrary memory locations)
  + BPF_DIV instructions with a constant 0 divisor (that's a check also done
    at run time)
  + In addition, it makes the "k" field in BPF instructions unsigned, as it
    is in other BPF interpreters

- Enabled PREFast (static code analysis tool from the Microsoft DDK) on the
  x86 build of the driver.

- Bug fixing:
  + Added a patch in PacketGetAdapterNames to set the last error to
    ERROR_INSUFFICIENT_BUFFER if the buffer passed to the function is too
    small. Modified pcap_findalldevs() so that it correctly handles this
    situation.
  + Fixed a bug in PacketGetAdapterNames(): the requested buffer size to
    correctly return all the adapter names was wrongly computed
    (overestimated by 3-4 bytes).
  + Fixed a problem while listing the adapters under Win9x: if the key
    HKLM\System\CurrentControlSet\Services\Class\Net\<number> did not
    contain an "NDIS" key, the code was going into an infinite loop.
  + Minor fixes to the documentation.
  + Fixed the prototype for the JITted BPF filter function under x86; thanks
    to this patch, we no longer need to manually fix the stack pointer after
    the JITted function returns.


=========
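
Added example, not part of the original announcement and not WinPcap or
libpcap source code: a load-time check in C for the three BPF verifier items
listed in the changelog. The names (check_program, struct insn, the V_*
verdicts) are hypothetical; the opcode values follow the classic BPF encoding.
It goes slightly beyond the changelog by also covering BPF_ST and
BPF_LD|BPF_MEM, which index the same scratch memory.

```c
#include <stddef.h>
#include <stdint.h>

/* Classic BPF encoding values, redefined here so the example is self-contained. */
#define MEMWORDS 16                 /* scratch memory slots M[0..15] */
#define CLASS(c) ((c) & 0x07)
#define MODE(c)  ((c) & 0xe0)
#define OP(c)    ((c) & 0xf0)
#define SRC(c)   ((c) & 0x08)
enum { C_LD = 0x00, C_LDX = 0x01, C_ST = 0x02, C_STX = 0x03, C_ALU = 0x04 };
enum { M_MEM = 0x60, OP_DIV = 0x30, SRC_K = 0x00 };

/* Hypothetical instruction layout; k is unsigned, as the changelog describes. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum verdict { V_OK, V_EMPTY, V_MEM_RANGE, V_DIV_ZERO };

/* Returns the first problem found, or V_OK if none of the checks fire. */
enum verdict check_program(const struct insn *p, size_t n)
{
    if (p == NULL || n == 0)
        return V_EMPTY;             /* program with no instructions */
    for (size_t i = 0; i < n; i++) {
        uint16_t c = p[i].code;
        switch (CLASS(c)) {
        case C_LD:
        case C_LDX:                 /* only the MEM mode indexes M[k] */
            if (MODE(c) == M_MEM && p[i].k >= MEMWORDS)
                return V_MEM_RANGE;
            break;
        case C_ST:
        case C_STX:                 /* stores always index M[k] */
            if (p[i].k >= MEMWORDS)
                return V_MEM_RANGE;
            break;
        case C_ALU:                 /* constant divisor is known at load time */
            if (OP(c) == OP_DIV && SRC(c) == SRC_K && p[i].k == 0)
                return V_DIV_ZERO;
            break;
        }
    }
    return V_OK;
}

/* Constructed sample programs (not captured from any real filter). */
const struct insn good[] = { {0x03,0,0,15}, {0x61,0,0,15}, {0x34,0,0,4}, {0x06,0,0,0} };
const struct insn bad_store[] = { {0x03, 0, 0, 16} };          /* STX M[16] */
const struct insn neg_load[]  = { {0x61, 0, 0, 0xFFFFFFFFu} }; /* LDX M[-1] if k were signed */
const struct insn div_zero[]  = { {0x34, 0, 0, 0} };           /* DIV #0 */
const struct insn div_by_x[]  = { {0x3c, 0, 0, 0} };           /* DIV X: left to the run-time check */
```

With an unsigned k, the single comparison k >= MEMWORDS also rejects the
neg_load case; a signed k of -1 would pass a naive "k < 16" test.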