Merged
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -2,7 +2,7 @@

[PcapPlusPlus](https://pcapplusplus.github.io) is a multi-platform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use.

PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html) and [PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/).
PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [WinDivert](https://reqrypt.org/windivert.html), [DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html) and [PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/).

This repo contains the content for [PcapPlusPlus web-site](https://pcapplusplus.github.io).
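
Review bot: The changed sentence in README.md still omits Npcap from the engine list, while the same sentence in docs/quickstart.mdx lists `[Npcap](https://nmap.org/npcap/) (WinPcap's successor)` right before the new WinDivert link. Since the line is being touched anyway, add the Npcap entry here so the two introductions do not drift further apart.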

20 changes: 19 additions & 1 deletion docs/features.mdx
Expand Up @@ -14,14 +14,15 @@ import APIDocsLink from '@site/src/components/APIDocsLink';

Packet capture (A.K.A packet sniffing or network tapping) is the process of intercepting and logging traffic that passes over a digital network or part of a network (taken from [Wikipedia](https://en.wikipedia.org/wiki/Packet_analyzer)). It is one of the most important and popular features of PcapPlusPlus and it is what PcapPlusPlus is basically all about.

There are multiple packet capture engines out there, the most popular are [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/) (which is libpcap for Windows), [Npcap](https://nmap.org/npcap/) (WinPcap's successor), [Intel DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html), [ntop's PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/) and [raw sockets](https://en.wikipedia.org/wiki/Network_socket#Raw_socket). Each engine has different strengths, purposes and features, works on different platforms and obviously has different APIs and setup process. Most of them are written in C (to achieve the best performance) and don't expose a C++ interface.
There are multiple packet capture engines out there, the most popular are [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/) (which is libpcap for Windows), [Npcap](https://nmap.org/npcap/) (WinPcap's successor), [WinDivert](https://reqrypt.org/windivert.html), [Intel DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html), [ntop's PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/) and [raw sockets](https://en.wikipedia.org/wiki/Network_socket#Raw_socket). Each engine has different strengths, purposes and features, works on different platforms and obviously has different APIs and setup process. Most of them are written in C (to achieve the best performance) and don't expose a C++ interface.

PcapPlusPlus aims to create a consolidated and easy-to-use C++ API for all of these engines which simplifies their complexity and provides a common infrastructure for capturing, processing, analyzing and forging of network packets.

Here is a list of of the packet capture engines currently supported:

- [libpcap](https://www.tcpdump.org/) live capture (on Linux, MacOS, Android, FreeBSD)
- [WinPcap](https://www.winpcap.org/)/[Npcap](https://nmap.org/npcap/) live capture (on Windows)
- [WinDivert](https://reqrypt.org/windivert.html) live capture (on Windows)
- [Intel DPDK](https://www.dpdk.org/) (on Linux)
- [eBPF AF_XDP sockets](https://www.kernel.org/doc/html/next/networking/af_xdp.html) (on Linux)
- [ntop's Vanilla PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/) (on Linux)
Expand Down Expand Up @@ -227,6 +228,23 @@ In order to compile PcapPlusPlus with PF_RING you need to:
sudo insmod <PF_RING_LOCATION>/kernel/pf_ring.ko
```

## WinDivert support

Windows Packet Divert (WinDivert) is a user-mode packet capture-and-divert package for Windows. It allows user-mode applications to capture/modify/drop network packets sent to/from the Windows network stack (taken from [WinDivert documentation](https://reqrypt.org/windivert.html)).

PcapPlusPlus provides support for various features when using WinDivert, including:

- Opening a WinDivert handle with a filter
- Capturing inbound/outbound IPv4/IPv6 packets
- Sending batches of raw packets
- Inspecting and configuring queue parameters (length, time, size)

In order to use PcapPlusPlus with WinDivert support you need to:

- Download WinDivert from [WinDivert's GitHub Repo](https://github.com/basil00/WinDivert/releases)
- Once WinDivert is downloaded and extracted, you need to run PcapPlusPlus build and use the `-DPCAPPP_USE_WINDIVERT=ON` option
- Make sure the WinDivert DLLs are accessible to your application (e.g. in the same directory as your executable or in a directory included in your PATH environment variable)

## Packet reassembly

Network protocols often need to transport large chunks of data which are complete in themselves, e.g. when transferring a file. The underlying protocol might not be able to handle that chunk size (e.g. limitation of the network packet size), or is stream-based like TCP, which doesn’t know data chunks at all.
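
Review bot: The last bullet of the new "WinDivert support" section offers "a directory included in your PATH environment variable" as an equal alternative for locating the WinDivert DLLs, which leaves the choice of which DLL gets loaded to whatever directories happen to be on PATH. I would recommend the executable's own directory as the documented location and mention PATH only as a fallback, if at all. Separately, the build bullet names only `-DPCAPPP_USE_WINDIVERT=ON`; the install tables in this same PR say CMake looks under `C:\Program Files\WinDivert` or `C:\WinDivert` by default, so a reader who extracted the release elsewhere also needs `-DWinDivert_ROOT=<DIR>`. Please mention it here or link to the install pages.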
22 changes: 12 additions & 10 deletions docs/install/mingw.mdx
Expand Up @@ -58,16 +58,18 @@ This process will build the following artifacts:

The following configuration options are available (on top of CMake's built-in options):

| Option | Description |
| :-------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`-DPCAP_ROOT=<DIR>`** | Npcap SDK or WinPcap developer pack directory (mandatory option) |
| **`-DPCAPPP_BUILD_EXAMPLES=<ON/OFF>`** | Build PcapPlusPlus examples (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TESTS=<ON/OFF>`** | Build PcapPlusPlus tests (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TUTORIALS=<ON/OFF>`** | Build PcapPlusPlus tutorials. This option is only available if `DPCAPPP_BUILD_EXAMPLES=ON`. The tutorials binaries will be under `build\tutorials_bin` (default value is `OFF`) |
| **`-DPCAPPP_INSTALL=<ON/OFF>`** | Install PcapPlusPlus (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DBUILD_SHARED_LIBS=<ON/OFF>`** | Build shared libs (default value is `OFF`) |
| **`-DPCAPPP_BUILD_PCAPPP=<ON/OFF>`** | Build the Pcap++ library (default value is `ON`). Turning it off will only build Common++ and Packet++ and avoid third-party dependencies such as libpcap or WinPcap/Npcap |
| **`-DPCAPPP_LOG_LEVEL=<0/1/2/3>`** | Set compile time log level: Off (`0`), Error (`1`), Info (`2`), Debug (`1`) (Default value is `Debug`) |
| Option | Description |
| :-------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`-DPCAP_ROOT=<DIR>`** | Npcap SDK or WinPcap developer pack directory (mandatory option) |
| **`-DPCAPPP_BUILD_EXAMPLES=<ON/OFF>`** | Build PcapPlusPlus examples (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TESTS=<ON/OFF>`** | Build PcapPlusPlus tests (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TUTORIALS=<ON/OFF>`** | Build PcapPlusPlus tutorials. This option is only available if `DPCAPPP_BUILD_EXAMPLES=ON`. The tutorials binaries will be under `build\tutorials_bin` (default value is `OFF`) |
| **`-DPCAPPP_INSTALL=<ON/OFF>`** | Install PcapPlusPlus (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_USE_WINDIVERT=<ON/OFF>`** | Setup PcapPlusPlus with WinDivert (default value is `OFF`). When this option is used CMake will look for an installed version of WinDivert on the build machine (by default under `C:\Program Files\WinDivert` or `C:\WinDivert`). If WinDivert is installed in a different directory please use `-DWinDivert_ROOT` |
| **`-DWinDivert_ROOT=<DIR>`** | When setting up PcapPlusPlus with WinDivert and WinDivert is not installed in the default directory (under `C:\Program Files\WinDivert` or `C:\WinDivert`) use this option to indicate WinDivert installation directory |
| **`-DBUILD_SHARED_LIBS=<ON/OFF>`** | Build shared libs (default value is `OFF`) |
| **`-DPCAPPP_BUILD_PCAPPP=<ON/OFF>`** | Build the Pcap++ library (default value is `ON`). Turning it off will only build Common++ and Packet++ and avoid third-party dependencies such as libpcap or WinPcap/Npcap |
| **`-DPCAPPP_LOG_LEVEL=<0/1/2/3>`** | Set compile time log level: Off (`0`), Error (`1`), Info (`2`), Debug (`1`) (Default value is `Debug`) |

## Installation
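
Review bot: The re-emitted `-DPCAPPP_LOG_LEVEL=<0/1/2/3>` row at the bottom of the table maps both Error and Debug to `1` ("Error (`1`), Info (`2`), Debug (`1`)"), so the value `3` from the option's own range is never explained. The row is rewritten by this change for column width, so this is a good moment to correct the Debug value. In the same table, the `-DPCAPPP_USE_WINDIVERT` description refers to `-DWinDivert_ROOT` without the `=<DIR>` form used in the row directly below it.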

22 changes: 12 additions & 10 deletions docs/install/vs.mdx
Expand Up @@ -70,16 +70,18 @@ After a successful build the following artifacts will be created:

The following configuration options are available (on top of CMake's built-in options):

| Option | Description |
| :-------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`-DPCAP_ROOT=<DIR>`** | Npcap SDK or WinPcap developer pack directory (mandatory option) |
| **`-DPCAPPP_BUILD_EXAMPLES=<ON/OFF>`** | Build PcapPlusPlus examples (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TESTS=<ON/OFF>`** | Build PcapPlusPlus tests (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TUTORIALS=<ON/OFF>`** | Build PcapPlusPlus tutorials. This option is only available if `DPCAPPP_BUILD_EXAMPLES=ON`. The tutorials binaries will be under `build\tutorials_bin` (default value is `OFF`) |
| **`-DPCAPPP_INSTALL=<ON/OFF>`** | Install PcapPlusPlus (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DBUILD_SHARED_LIBS=<ON/OFF>`** | Build shared libs (default value is `OFF`) |
| **`-DPCAPPP_BUILD_PCAPPP=<ON/OFF>`** | Build the Pcap++ library (default value is `ON`). Turning it off will only build Common++ and Packet++ and avoid third-party dependencies such as libpcap or WinPcap/Npcap |
| **`-DPCAPPP_LOG_LEVEL=<0/1/2/3>`** | Set compile time log level: Off (`0`), Error (`1`), Info (`2`), Debug (`1`) (Default value is `Debug`) |
| Option | Description |
| :-------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **`-DPCAP_ROOT=<DIR>`** | Npcap SDK or WinPcap developer pack directory (mandatory option) |
| **`-DPCAPPP_BUILD_EXAMPLES=<ON/OFF>`** | Build PcapPlusPlus examples (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TESTS=<ON/OFF>`** | Build PcapPlusPlus tests (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_BUILD_TUTORIALS=<ON/OFF>`** | Build PcapPlusPlus tutorials. This option is only available if `DPCAPPP_BUILD_EXAMPLES=ON`. The tutorials binaries will be under `build\tutorials_bin` (default value is `OFF`) |
| **`-DPCAPPP_INSTALL=<ON/OFF>`** | Install PcapPlusPlus (default value is `ON` if building the project itself, otherwise `OFF`) |
| **`-DPCAPPP_USE_WINDIVERT=<ON/OFF>`** | Setup PcapPlusPlus with WinDivert (default value is `OFF`). When this option is used CMake will look for an installed version of WinDivert on the build machine (by default under `C:\Program Files\WinDivert` or `C:\WinDivert`). If WinDivert is installed in a different directory please use `-DWinDivert_ROOT` |
| **`-DWinDivert_ROOT=<DIR>`** | When setting up PcapPlusPlus with WinDivert and WinDivert is not installed in the default directory (under `C:\Program Files\WinDivert` or `C:\WinDivert`) use this option to indicate WinDivert installation directory |
| **`-DBUILD_SHARED_LIBS=<ON/OFF>`** | Build shared libs (default value is `OFF`) |
| **`-DPCAPPP_BUILD_PCAPPP=<ON/OFF>`** | Build the Pcap++ library (default value is `ON`). Turning it off will only build Common++ and Packet++ and avoid third-party dependencies such as libpcap or WinPcap/Npcap |
| **`-DPCAPPP_LOG_LEVEL=<0/1/2/3>`** | Set compile time log level: Off (`0`), Error (`1`), Info (`2`), Debug (`1`) (Default value is `Debug`) |

## Installation
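
Review bot: The new `-DPCAPPP_USE_WINDIVERT=<ON/OFF>` row says CMake "will look for an installed version of WinDivert" but not what happens when none is found under the two default directories or under `-DWinDivert_ROOT`. Please state whether configuration fails or the option is ignored, since a build that quietly lacks WinDivert support is hard to diagnose later. The tutorials row in this table also writes `DPCAPPP_BUILD_EXAMPLES=ON` without the leading `-`, and the whole table is a second copy of the one in docs/install/mingw.mdx, so any wording fix has to be made in both files.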

2 changes: 1 addition & 1 deletion docs/quickstart.mdx
Expand Up @@ -6,7 +6,7 @@ hide_table_of_contents: true

**PcapPlusPlus** is a multi-platform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use.

PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [Npcap](https://nmap.org/npcap/) (WinPcap's successor), [DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html) and [PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/).
PcapPlusPlus enables decoding and forging capabilities for a large variety of network protocols. It also provides easy to use C++ wrappers for the most popular packet processing engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [Npcap](https://nmap.org/npcap/) (WinPcap's successor), [WinDivert](https://reqrypt.org/windivert.html), [DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html) and [PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/).

import ReleaseButtonLink from '@site/src/components/ReleaseButtonLink';
