Libpcap API Improvements

Npcap includes the latest libpcap version for even better compatibility and performance. The powerful cross-platform libpcap API makes writing packet-capturing code easy, and the latest versions introduced new features not available in WinPcap.

Enhanced pcap-filter Language

The filter expression language used by libpcap has been enhanced with additional keywords and operators:

• New protocol keyword support: carp, hfisu, hlssu, hmsu, hsio, hopc, hdpc, hsls, geneve, vxlan.
• New EtherType names: ether proto lldp, ether proto slow.
• ICMPv6 type keywords (icmp6-*) for control and error messages.
• New expression operators: modulo (%) and bitwise XOR (^).
• New TCP flag names: tcp-ece and tcp-cwr.

pcap_compile() Improvements

• Compiler internals are now thread-safe, allowing concurrent filter compilation in multithreaded applications.
• pcap_compile() now accepts PCAP_NETMASK_UNKNOWN to indicate that no applicable netmask is available when compiling filters that depend on network prefixes.

New Interface Flags from pcap_findalldevs()

pcap_if_t entries from pcap_findalldevs() now include additional capability and status flags:

• PCAP_IF_UP: The interface is administratively up.
• PCAP_IF_RUNNING: The interface is operational (carrier present or equivalent).
• PCAP_IF_WIRELESS: The interface is known to be wireless.
• PCAP_IF_CONNECTION_STATUS: Encodes finer-grained connectivity state (e.g. connected or disconnected).

Timestamp Types

New functions allow choosing between different timestamp types:

• pcap_list_tstamp_types(): Enumerate timestamp types supported by a capture device.
• pcap_set_tstamp_type(): Select the desired timestamp type before activation.
• pcap_tstamp_type_name_to_val(), pcap_tstamp_type_val_to_name(): Convert between type names and numeric values.
• pcap_tstamp_type_val_to_description(): Retrieve a human-readable description of a timestamp type.

Timestamp Precision

Npcap can provide timestamps with nanosecond precision:

• pcap_get_tstamp_precision(), pcap_set_tstamp_precision(): Query or request timestamp precision.
• pcap_open_dead_with_tstamp_precision(), pcap_open_offline_with_tstamp_precision(), pcap_fopen_offline_with_tstamp_precision(): Precision-aware versions of pcap_open_dead(), pcap_open_offline(), and pcap_fopen_offline().

Additional API Functions

• pcap_init(): Global initialization with optional configuration flags; must be called before most other libpcap functions in some environments.
• pcap_set_immediate_mode(): Request delivery of packets to user space as soon as they are captured, bypassing buffering delays on supported platforms.
• pcap_datalink_val_to_description_or_dlt(): Return a description for a DLT value, falling back to link-layer type names for unknown values.
• pcap_dump_ftell64(): 64-bit version of pcap_dump_ftell() for large output files.
• pcap_dump_open_append(): Open an existing capture file and append new packets to it.