Nmap Development mailing list archives

Limit WinPcap use by unprivileged users


From: David Fifield <david () bamsoftware com>
Date: Fri, 24 Sep 2010 16:22:27 -0700

I looked at this TODO item:

o Investigate ways to limit Winpcap privileges so that only
  administrative users or certain accounts can sniff.  Maybe there
  is a solution people use for Wireshark or does it always cause this
  issue (allowing any user to sniff the network) when it is installed?

There's a page about it:

http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

        "It might not be desirable that any local user can also capture
        from the network while the driver is loaded, but this can't be
        currently circumvented. Please note that this is not a
        limitation of the Wireshark implementation, but of the
        underlying WinPcap driver; see this note in the WinPcap FAQ
        (http://www.winpcap.org/misc/faq.htm#Q-7)."

The best solution I can currently think of is to completely stop the NPF
driver when Nmap finishes. We already run "net start npf" if necessary
at startup; we could add a "net stop npf" at the end. But there are
problems with that idea. If you're running two Nmaps at once, you don't
want to stop the driver when the first of them finishes. The same goes
for any other program using WinPcap concurrently.

I guess that there's no way in WinPcap to limit it to only certain
users, but I haven't found in the source what makes that so.

Does someone have another idea? Does anyone regularly use a batch file
or something to "net stop npf" when the driver is no longer needed?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
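The "net start npf" / "net stop npf" wrapper discussed above, written out as an added PowerShell example (this is not code from Nmap or from the post's author). It starts the NPF driver only if it is not already running, runs Nmap, and afterwards stops the driver only if this wrapper was the one that started it and no other capture-capable process is still alive. The process-name list and the choice of checking "sc.exe query" output are assumptions for illustration; on a real system the set of programs that depend on WinPcap may be larger.

```powershell
# Assumed wrapper: run Nmap, keep the NPF capture driver loaded only as long as needed.
# Must be run from an elevated (Administrator) prompt, since net start/stop npf requires it.
param(
    [Parameter(Mandatory = $true, ValueFromRemainingArguments = $true)]
    [string[]]$NmapArgs
)

# Assumed list of other WinPcap consumers; stopping the driver under them would break them.
$captureTools = @('nmap', 'dumpcap', 'wireshark', 'tshark', 'windump')

function Test-NpfRunning {
    # sc.exe works for kernel drivers, which Get-Service (PS 5.1) does not list.
    $state = sc.exe query npf | Select-String 'STATE'
    return ($state -ne $null) -and ($state.Line -match 'RUNNING')
}

function Get-OtherCaptureProcesses {
    # Returns any process whose image name matches a known capture tool.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $captureTools -contains $_.ProcessName.ToLower()
    }
}

$weStartedIt = $false
if (-not (Test-NpfRunning)) {
    Write-Host 'NPF driver not running; starting it for this scan.'
    net start npf | Out-Null
    $weStartedIt = $true
}

try {
    # Run Nmap synchronously so we know exactly when our own use of the driver ends.
    $proc = Start-Process -FilePath 'nmap.exe' -ArgumentList $NmapArgs -NoNewWindow -Wait -PassThru
    $exitCode = $proc.ExitCode
}
finally {
    $others = @(Get-OtherCaptureProcesses)
    if ($weStartedIt -and $others.Count -eq 0) {
        # Nobody else is sniffing: close the window in which any local user could capture.
        Write-Host 'No other capture tools running; stopping NPF driver.'
        net stop npf | Out-Null
    }
    elseif ($weStartedIt) {
        # Leave the driver alone rather than break a concurrent Nmap or Wireshark session.
        Write-Host ('Leaving NPF running; still in use by: ' + (($others | ForEach-Object ProcessName) -join ', '))
    }
}

exit $exitCode
```

The wrapper only ever stops the driver it started itself, so a system where NPF is configured to start at boot is left unchanged, and the concurrent-Nmap case from the post is handled by the process check rather than by a bare "net stop npf" at the end. It narrows the exposure window but does not change the underlying WinPcap limitation that any local user can capture while the driver is loaded.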