[Snort-users] [ANNOUNCE] WinPcap 3.2 alpha1 has been released
gianluca.varenni at ...11827...
Sun Dec 18 13:00:03 EST 2005
WinPcap 3.2 alpha1 is available from today in the download section of the
WinPcap website, http://www.winpcap.org/install/.

The most remarkable feature of this new version is the long-awaited support
for x86-64 platforms. Under 64bit platforms, the NPF driver is 64bit, and
user level DLLs (packet.dll and wpcap.dll) are 32bit. As a consequence, it's
possible to run any 32bit WinPcap-based application without any
recompilation. Thanks to Ramiro Polla doing pre-release testing on x86-64

NOTE: on 32bit platforms, this build does not add any new feature to the
current stable version of WinPcap (3.1), apart from the update to libpcap
0.9.4, and some minor bugfixes in the code and the installer.

A new alpha/beta is expected to be available in a couple of months; it will
probably include support for JITted BPF filters on x86-64 and bugfixes
related to the problems reported by the users of this alpha version.
Therefore, if you test it, please give us feedback.

The complete change log is attached at the end of this message.

- Added support for x86-64 (AMD64) under Windows XP/2003. Under 64bit
  platforms, the NPF driver is 64bit, and the user level DLLs (packet.dll
  and wpcap.dll) are 32bit. As a consequence, it's possible to run any
  32bit WinPcap-based application without any recompilation.
  The x86-64 NPF driver has the following limitations:
  * BPF filters are not JITted to x86-64 instructions (filters are
  * The MONITOR_MODE (used mainly by Analyzer) is not supported.
  * It's not possible to change the timestamping mode using the registry key
    Timestamps are always computed using KeQueryPerformanceCounter.
  Moreover, due to the lack of the NetMon COM component on the 64bit version
  of Windows, dialup adapters are not supported.
- wpcap.dll has been updated to libpcap 0.9.4 from http://www.tcpdump.org.
- Added a patch file containing the patches for remote capture against the
  vanilla libpcap sources.
- Better error handling in the installer.
- Applied some patches to the bpf_filter and verifier (from Guy Harris):
  + BPF programs with no instructions
  + BPF_STX and BPF_LDX|BPF_MEM instructions that have out-of-range offsets
    (which could be made to fetch or store into arbitrary memory locations)
  + BPF_DIV instructions with a constant 0 divisor (that's a check also done
    at run time)
  + In addition, it makes the "k" field in BPF instructions unsigned, as it
    is in other BPF interpreters
- Enabled PREFast (static code analysis tool from the Microsoft DDK) on the
  x86 build of the driver.
- Bug fixing:
  + Added a patch in PacketGetAdapterNames to set the last error to
    ERROR_INSUFFICIENT_BUFFER if the buffer passed to the function is too
    small. Modified pcap_findalldevs() so that it correctly handles this
  + Fixed a bug in PacketGetAdapterNames(): the requested buffer size to
    correctly return all the adapter names was wrongly computed
    (overestimated by 3-4 bytes)
  + Fixed a problem while listing the adapters under Win9x: if the key
    HKLM\System\CurrentControlSet\Services\Class\Net\<number> did not
    contain an "NDIS" key, the code was going into an infinite loop.
  + Minor fixes to the documentation.
  + Fixed the prototype for the JITted BPF filter function under x86; thanks
    to this patch, we no longer need to manually fix the stack pointer after
    the JITted function returns.
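
The BPF verifier checks listed in the change log, sketched as an added example that is not part of the original announcement and is not the WinPcap or libpcap code. The names check_filter and struct insn and the sample programs are hypothetical; the sketch also covers BPF_ST and BPF_LD|BPF_MEM, which use the same scratch memory as the two instructions named above.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcode encoding as in the classic BSD <net/bpf.h>. */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD  0x00
#define BPF_LDX 0x01
#define BPF_ST  0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_RET 0x06
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_MEM 0x60
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_DIV 0x30
#define BPF_SRC(c) ((c) & 0x08)
#define BPF_K 0x00
#define BPF_MEMWORDS 16   /* scratch memory slots M[0..15] */

/* Hypothetical instruction layout; k is unsigned, so an offset such as
 * 0xFFFFFFFF fails the single upper-bound test instead of looking like -1. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Returns 1 if the program passes the checks, 0 if it must be rejected. */
int check_filter(const struct insn *f, unsigned len)
{
    if (len < 1) return 0;                        /* program with no instructions */
    for (unsigned i = 0; i < len; i++) {
        uint16_t c = f[i].code;
        switch (BPF_CLASS(c)) {
        case BPF_LD: case BPF_LDX:                /* fetch from M[k] */
            if (BPF_MODE(c) == BPF_MEM && f[i].k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ST: case BPF_STX:                /* store into M[k] */
            if (f[i].k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ALU:                             /* constant zero divisor */
            if (BPF_OP(c) == BPF_DIV && BPF_SRC(c) == BPF_K && f[i].k == 0) return 0;
            break;
        }
    }
    return 1;
}

/* Constructed sample programs. */
const struct insn ok_prog[]   = { {BPF_LDX|BPF_MEM, 0, 0, 3}, {BPF_RET, 0, 0, 96} };
const struct insn bad_store[] = { {BPF_STX, 0, 0, 0xFFFFFFFFu}, {BPF_RET, 0, 0, 0} };
const struct insn bad_div[]   = { {BPF_ALU|BPF_DIV|BPF_K, 0, 0, 0}, {BPF_RET, 0, 0, 0} };

int main(void)
{
    printf("%d %d %d %d\n", check_filter(ok_prog, 2), check_filter(bad_store, 2),
           check_filter(bad_div, 2), check_filter(ok_prog, 0));
    return 0;
}
```

A division by the X register cannot be checked statically, which is why the change log notes that the zero-divisor test is also done at run time.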