How to interpret pcap_stats() returned values in case of npcap #644

Open
pstavirs opened this issue Oct 30, 2022 · 2 comments

pstavirs commented Oct 30, 2022

The libpcap pcap_stats man page says the values returned are platform dependent.

I was hoping the npcap pcap_stats man page would specify what the values mean in case of npcap - but this looks to be the same as the libpcap page.

Is there any information available on how to interpret these values? Also the extra values returned by pcap_stats_ex().

@pstavirs pstavirs changed the title How to interpret pcap_stats returned values in case of npcap How to interpret pcap_stats() returned values in case of npcap Oct 30, 2022
@pstavirs
Author

From my testing, it seems pcap_stats_ex() returns -

  • ps_recv counts all packets received irrespective of whether they pass the capture filter or not
  • ps_capt counts packets passing the capture filter

Will update this comment as and when I get more info

@dmiller-nmap
Contributor

Thanks for this suggestion. We will look into ways to improve our documentation. In the meantime, here is the definitive answer:

  • pcap_stats() returns a struct pcap_stat with the following members set:
    • ps_recv is a count of all packets on the interface that the Npcap driver has seen while this handle was open.
    • ps_drop is a count of all packets that passed the capture filter but could not be delivered because the kernel buffer was full. Additionally, this count may show packets that could not be delivered because a memory allocation failed, which may happen before the capture filter is applied. This is a rare situation, and the system would be generally unstable if resources dropped that low.
  • pcap_stats_ex() returns a struct pcap_stat with the same info as pcap_stats(), plus the following members:
    • ps_ifdrop is set if the driver returns it. Npcap and WinPcap before it set this to 0. The difference here is that pcap_stats() sets this to 0 in wpcap.dll, but pcap_stats_ex() passes through the value from the driver.
    • ps_capt is a count of packets passing the capture filter and not dropped.
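
The following added example (not part of the thread and not Npcap project code) turns the counter definitions above into a per-interval capture-loss check, the kind a sensor would run to notice that it is missing traffic. The type and function names are hypothetical, the struct is a stand-in for the `struct pcap_stat` members named above so it builds without the Npcap SDK, and treating `ps_capt + ps_drop` as "packets that passed the filter" is a derivation from those definitions.

```c
#include <stdio.h>

/* Stand-in for the struct pcap_stat members named in this thread, so the
 * example builds without the Npcap SDK (hypothetical type name). */
struct npcap_counters {
    unsigned int ps_recv;   /* all packets the driver saw on the interface */
    unsigned int ps_drop;   /* passed the filter, lost to a full kernel buffer */
    unsigned int ps_ifdrop; /* set to 0 by Npcap, per the answer above */
    unsigned int ps_capt;   /* passed the filter and not dropped */
};

struct capture_health {
    unsigned int seen;         /* packets on the interface in the interval */
    unsigned int matched;      /* packets that passed the capture filter */
    unsigned int delivered;    /* matched packets that were not dropped */
    unsigned int lost;         /* matched packets that were dropped */
    unsigned int filtered_out; /* packets the filter rejected */
    double loss_pct;           /* lost / matched, in percent */
};

/* Compare two snapshots taken from the same handle. Unsigned subtraction
 * still gives the right delta if a 32-bit counter wrapped once in between. */
struct capture_health interpret_interval(struct npcap_counters prev,
                                         struct npcap_counters cur)
{
    struct capture_health h;
    h.seen      = cur.ps_recv - prev.ps_recv;
    h.delivered = cur.ps_capt - prev.ps_capt;
    h.lost      = cur.ps_drop - prev.ps_drop;
    h.matched   = h.delivered + h.lost;
    /* ps_drop can include rare pre-filter allocation failures (see the
     * answer above), so clamp rather than let the subtraction underflow. */
    h.filtered_out = h.seen > h.matched ? h.seen - h.matched : 0;
    h.loss_pct = h.matched ? 100.0 * h.lost / h.matched : 0.0;
    return h;
}

int main(void)
{
    /* Constructed sample values, not measurements; ps_recv wraps here. */
    struct npcap_counters t0 = { 4294967000u, 10u, 0u, 500u };
    struct npcap_counters t1 = { 704u, 60u, 0u, 950u };
    struct capture_health h = interpret_interval(t0, t1);
    printf("seen=%u matched=%u delivered=%u lost=%u filtered_out=%u loss=%.1f%%\n",
           h.seen, h.matched, h.delivered, h.lost, h.filtered_out, h.loss_pct);
    return 0;
}
```

With the SDK, fill the snapshots from the struct that `pcap_stats_ex()` returns; `pcap_stats()` alone does not provide `ps_capt`, so only `seen` and `lost` can be computed from it.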
