Understanding Npcap features

Npcap supports NDIS 6.0, a major version step up from the driver model WinPcap uses. This support overcomes the limitations of WinPcap and will most likely improve capture on Windows 7 and later machines.

A standard Wi-Fi card on a Windows machine can only be put into promiscuous mode, not monitor mode. As a result, you won't see raw 802.11 frames or their radiotap headers: the frames are wrapped so that they look like Ethernet packets, which is why they are sometimes called fake Ethernet packets. With Npcap, users can capture raw 802.11 packets when using an unsupported wireless adapter.

This is easily achieved by selecting the following option during the Npcap installation:

Support raw 802.11 traffic (and monitor mode) for wireless adapters

Npcap will then have two modes:

  • Managed mode: Captures Ethernet packets only
  • Monitor mode: Uses wlanhelper.exe to switch the adapter into monitor mode and gather all 802.11 traffic (data, control, and management frames), each prefixed with a radiotap header

Radiotap headers are useful when troubleshooting Wi-Fi, as they carry a lot of per-frame information such as antenna noise and channel frequency. To see an example of a radiotap header, go to https://www.cloudshark.org/captures/ca7828d13464?filter=frame%20and%20radiotap%20and%20wlan%20and%20wlan_aggregate.
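To make concrete what a radiotap header actually carries, here is a small parser for the header format described above. It is an added example, not code from the book or from the Npcap project: it decodes the fixed 8-byte preamble (version, length, present bitmap) and a subset of the standard fields (TSFT, flags, rate, channel frequency, antenna signal and antenna noise), honouring radiotap's natural-alignment rule, and then reads the frame control field of the 802.11 frame that follows to tell management, control and data frames apart. The sample bytes are constructed for the example and are not taken from the CloudShark capture.

```python
import struct

# Subset of the radiotap field registry used by this example:
# present-bit index -> (name, struct format, required alignment).
# Fields beyond this subset stop the parser, because their size is unknown here.
RADIOTAP_FIELDS = {
    0: ("tsft", "<Q", 8),            # TSF timestamp, microseconds
    1: ("flags", "<B", 1),           # e.g. 0x10 = frame includes FCS
    2: ("rate", "<B", 1),            # units of 500 kbps
    3: ("channel", "<HH", 2),        # frequency in MHz, channel flags
    5: ("dbm_antsignal", "<b", 1),   # RF signal power at antenna, dBm
    6: ("dbm_antnoise", "<b", 1),    # RF noise power at antenna, dBm
}

# 802.11 frame control "type" values (bits 2-3 of the first byte).
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def parse_radiotap(buf):
    """Parse a radiotap header; return (decoded fields, offset of the 802.11 frame)."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the minimal radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if length > len(buf):
        raise ValueError("radiotap length %d exceeds buffer size" % length)
    # Bit 31 of a present word means another present word follows it.
    # Extension words are skipped over; only the first (standard) word is decoded.
    offset = 8
    word = present
    while word & (1 << 31):
        (word,) = struct.unpack_from("<I", buf, offset)
        offset += 4
    fields = {"version": version, "length": length}
    for bit in range(29):  # bits 29-31 are namespace/extension markers, not data
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            fields["stopped_at_bit"] = bit  # unknown field: cannot know its size
            break
        name, fmt, align = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) & ~(align - 1)  # natural alignment
        size = struct.calcsize(fmt)
        if offset + size > length:
            raise ValueError("field %s runs past the radiotap length" % name)
        values = struct.unpack_from(fmt, buf, offset)
        if name == "channel":
            fields["channel_mhz"], fields["channel_flags"] = values
        elif name == "rate":
            fields["rate_mbps"] = values[0] * 0.5
        else:
            fields[name] = values[0]
        offset += size
    return fields, length


def signal_to_noise_db(fields):
    """SNR in dB from the antenna signal and noise fields, or None if either is absent."""
    if "dbm_antsignal" not in fields or "dbm_antnoise" not in fields:
        return None
    return fields["dbm_antsignal"] - fields["dbm_antnoise"]


def describe_80211(buf, start):
    """Return (frame type name, subtype number) from the 802.11 frame control byte."""
    fc = buf[start]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return FRAME_TYPES.get(ftype, "reserved"), subtype


# Constructed sample: a 24-byte radiotap header followed by the first bytes of an
# 802.11 beacon (management frame, subtype 8). Not a real capture.
SAMPLE = bytes.fromhex(
    "00 00 18 00 6f 00 00 00 "        # version 0, pad, length 24, present = bits 0,1,2,3,5,6
    "56 34 12 00 00 00 00 00 "        # TSFT = 0x123456 us
    "10 "                             # flags: FCS present at end of frame
    "0c "                             # rate = 12 * 500 kbps = 6 Mbps
    "85 09 a0 00 "                    # channel 2437 MHz, flags 2 GHz | CCK
    "c9 "                             # antenna signal = -55 dBm
    "a1 "                             # antenna noise  = -95 dBm
    "80 00 00 00 ff ff ff ff ff ff "  # 802.11: frame control 0x0080 (beacon), duration, dest
)

if __name__ == "__main__":
    hdr, frame_start = parse_radiotap(SAMPLE)
    print(hdr)
    print("SNR:", signal_to_noise_db(hdr), "dB")
    print("802.11 frame:", describe_80211(SAMPLE, frame_start))
```

Feeding the raw bytes of any monitor-mode frame into `parse_radiotap` gives the same kind of breakdown Wireshark shows when you expand the radiotap header; the alignment step matters because a field such as TSFT is padded to an 8-byte boundary regardless of what precedes it, and skipping it is a common cause of mis-decoded captures.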

Once you're on Cloudshark, select Export | Download File from the menu. This is found on the right-hand side of the screen, as shown here:

Download file from Cloudshark

When the Download window opens, select Download the original file and open it in Wireshark.

Select Frame 1 and expand the radiotap header to see the details, as shown in the following screenshot:

Radiotap header

Other Npcap features include loopback packet capture, which can be helpful during troubleshooting, along with support for the libpcap API. Npcap can also improve security: it can be configured to restrict packet capture to administrators on a Windows machine. If this option is set, the user must authorize use of the driver in the Windows User Account Control (UAC) dialog box.

Npcap is compatible with WinPcap and can run alongside it, or you can uninstall WinPcap and use the Npcap driver exclusively. The Wireshark documentation recommends Npcap if you are using Windows 10. You can compare the features of WinPcap and Npcap at https://nmap.org/npcap/vs-winpcap.html.

Now that we have learned about the different capture engines, let's explore the various options to choose from while installing Wireshark on a Windows OS.
