Re: Limit WinPcap use by unprivileged users

["DePriest, Jason R." <jrdepriest () gmail com>]

Wouldn't stopping npf would also prevent regular users from using
anything else that uses winpcap like Wireshark / tshark / windump.

On Fri, Sep 24, 2010 at 6:22 PM, David Fifield <> wrote:
> I looked at this TODO item:
>
> o Investigate ways to limit Winpcap privileges so that only
>  administrative users or a certain accounts can sniff.  Maybe there
>  is a solution people use for Wireshark or does it always cause this
>  issue (allowing any user to sniff the network) when it is installed?
>
> There's a page about it:
>
> http://wiki.wireshark.org/CaptureSetup/CapturePrivileges
>
>        "It might not be desirable that any local user can also capture
>        from the network while the driver is loaded, but this can't be
>        currently circumvented. Please note that this is not a
>        limitation of the Wireshark implementation, but of the
>        underlying WinPcap driver; see this note in the WinPcap FAQ
>        (http://www.winpcap.org/misc/faq.htm#Q-7)."
>
> The best solution I can currently think of is to completely stop the NPF
> driver when Nmap finishes. We already run "net start npf" if necessary
> at startup; we could add a "net stop npf" at the end. But there are
> problems with that idea. If you're running two Nmaps at once, you don't
> want to stop the driver when then first of them finishes. The same goes
> for any other program using WinPcap concurrently.
>
> I guess that there's no way in WinPcap to limit it to only certain
> users, but I haven't found in the source what makes that so.
>
> Does someone have another idea? Does anyone regularly use a batch file
> or something to "net stop npf" when the driver is no longer needed?
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/