github nmap/npcap v0.05-r11
Npcap 0.05 r11: Added firewall (Block-Rx) support

Now Npcap can BLOCK the traffic instead of just inspecting packets. The Block-Rx adapters will reject all incoming packets except the ones injected by Npcap itself.

Steps for a firewall application:

  1. Set the adapter you want to add the firewall to as both a Block-Rx and send-to-Rx adapter. Npcap driver needs to be restarted.
  2. Use pcap_next_ex to retrieve and parse all traffic on an adapter, make a decision (Pass or Drop) based on your own way.
  3. If the decision on a packet is Pass, call pcap_sendpacket to reinject the packet to the same adapter.
  4. If the decision on a packet is Drop, do nothing. This packet will be dropped.

A firewall example is provided here:
https://github.com/hsluoyz/UserBridge

How to specify a Block-Rx adapter:

Npcap driver service's registry key is usually in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npf

In this key, you need to manually create a REG_SZ value named BlockRx, the value is the name of the adapter you want to be Block-Rx adapter. The name is usually like format of \Device\{F5A00000-E19A-4D17-B6D9-A23FE1852573}. You can query this value using Nmap's nmap --iflist command, you will get a similar value like \Device\NPF_{F5A00000-E19A-4D17-B6D9-A23FE1852573}, but they are NOT THE SAME. You need to remove the NPF_ in this string and copy it to registry's BlockRx value. Then reboot the driver by net stop npf and net start npf.

Block-Rx adapters can be multiple. The string specified in registry's BlockRx value should be semicolon-separated.

How to specify a Send-To-Rx adapter:

See v0.05-r6 and v0.05-r7 for Send-to-Rx's details

latest releases: v1.55, v1.50, v1.40...
5 years ago