Wireshark mailing list archives

Re: Npcap 0.01 call for test (2nd)


From: Guy Harris <guy () alum mit edu>
Date: Sat, 25 Jul 2015 16:48:46 -0700


On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb () gmail com> wrote:

If I am understanding right, what you asked is exactly what Npcap has implemented for "Admin-only Mode". If you 
install Npcap in "Admin-only Mode", the driver npf.sys will be protected with Admin rights. Software (like 
Wireshark) loading Npcap's packet.dll will start a daemon named "NPcapHelper.exe" with Admin privileges (here a UAC 
prompt shows for the user to decide). NPcapHelper.exe communicates with Wireshark using Named Pipes and will open 
adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles will be copied using DuplicateHandle and sent back 
to Wireshark using Named Pipes.

Yes, that's exactly what I'm referring to.  Great!

Presumably you mean "NPcapHelper.exe communicates with the NPcap library", as...

Currently this mechanism is all transparent to user software, and I have tested it on Nmap and Wireshark.

...it sounds as if it works with *any* program using NPcap, not just Wireshark.

One issue about this "Admin-only Mode" for Wireshark is that, when opening the Wireshark UI, the UAC window will be 
prompted multiple times. As the "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded, I guess 
this is because Wireshark has loaded and unloaded packet.dll multiple times.

My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs dumpcap to 
do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.

If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we have 
Wireshark and TShark *directly* call pcap, that should fix the problem.  Currently, NPcap is the only platform where 
that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should be all of them).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
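The helper model discussed in this thread (a privileged helper opens the capture device and hands a duplicated handle back to the unprivileged client over a pipe), shown for the UN*X side with SCM_RIGHTS descriptor passing over a socketpair. This is an added example, not Npcap's or libpcap's code; the helper is a forked child, the "device" is a constructed temp file under /tmp, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Control-message buffer aligned for struct cmsghdr, sized for exactly one descriptor. */
typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } cmsgbuf;
/* Send one descriptor over a UNIX socket; SCM_RIGHTS installs a copy in the receiver (cf. DuplicateHandle + pipe). */
static int send_fd(int sock, int fd) {
    char tag = 'F'; cmsgbuf u = {{0}};
    struct iovec iov = { &tag, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Receive it, accepting exactly one SCM_RIGHTS message carrying one int and nothing else. */
static int recv_fd(int sock) {
    char tag; cmsgbuf u; struct cmsghdr *c; int fd;
    struct iovec iov = { &tag, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &m, 0) != 1 || !(c = CMSG_FIRSTHDR(&m)) || c->cmsg_level != SOL_SOCKET ||
        c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Forked child = privileged helper: it opens `path` (stand-in for the capture device) and hands the fd back.
 * The caller never opens the path itself. Returns the received descriptor, or -1 if the helper sent nothing. */
int helper_open(const char *path) {
    int sv[2], fd; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                                   /* helper side */
        if ((fd = open(path, O_RDONLY)) >= 0) send_fd(sv[1], fd);
        _exit(0);
    }
    close(sv[1]);                                     /* client side: closing our copy avoids a hang if the helper fails */
    fd = recv_fd(sv[0]); close(sv[0]); waitpid(pid, NULL, 0);
    return fd;
}
/* Self-check: a constructed 16-byte "capture" file, opened via the helper and read back by the client. 1 on success. */
int demo_roundtrip(void) {
    const char *path = "/tmp/npcap_helper_demo.txt", *payload = "constructed-data";
    char buf[32]; int w = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (w < 0 || write(w, payload, 16) != 16 || close(w) != 0) return 0;
    int fd = helper_open(path), n = fd < 0 ? -1 : (int)read(fd, buf, sizeof buf);
    if (fd >= 0) close(fd);
    unlink(path);
    return n == 16 && memcmp(buf, payload, 16) == 0;
}
```

In the real design the helper would additionally check who is asking and which device they may open before handing anything back; this block only shows the hand-off itself.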

