I may be seeing something similar when trying 0.9991 with Suricata. By default it captures nothing. But it works when I specify a BPF. Can you try this as well?

I may be seeing something similar when trying 0.9991 with Suricata. By default it captures nothing. But it works when I specify a BPF. Can you try this as well?

I tried to run https://github.com/nmap/npcap/tree/master/Examples-pcap/basic_dump
Could you point where specify a BPF in it?

Quick glance suggests that you can't. Sorry, first time I looked at the examples.

Can you reproduce your issue with https://github.com/nmap/npcap/blob/master/Examples-pcap/pcap_filter/pcap_filter.c as well? That one does allow you to specify a BPF.

Thanks for this bug report. This is a bug in Npcap 0.9991 due to the amount of free space in the kernel buffer not being updated after a call to PacketSetBuff(). The free space is updated as part of several other functions, so available workarounds are:

• Set a BPF filter with pcap_setfilter() or PacketSetBpf()
• Set the loopback behavior of a capture handle with PacketSetLoopbackBehavior() or the PCAP_OPENFLAG_NOCAPTURE_LOCAL flag via pcap_open() (WinPcap extension).
• Set the timestamp mode with PacketSetTimestampMode() (currently not exposed via libpcap API).

This will be corrected in the next release.