Wireshark mailing list archives

Re: Npcap 0.01 call for test (2nd)


From: Yang Luo <hsluoyb () gmail com>
Date: Sun, 26 Jul 2015 08:08:37 +0800

Hi Guy,

On Sun, Jul 26, 2015 at 7:48 AM, Guy Harris <guy () alum mit edu> wrote:

> On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb () gmail com> wrote:
>
>> If I am understanding right, what you asked is exactly what Npcap has
>> implemented for "Admin-only Mode". If you install Npcap in "Admin-only
>> Mode", the driver npf.sys will be protected with Admin rights. Software
>> (like Wireshark) loading Npcap's packet.dll will start a daemon named
>> "NPcapHelper.exe" with Admin privilege (here a UAC prompt shows for the
>> user to decide). NPcapHelper.exe communicates with Wireshark using Named
>> Pipes and will open adapter devices (\Device\NPF_{XXX}) for Wireshark.
>> Opened handles will be copied using DuplicateHandle and sent back to
>> Wireshark using Named Pipes.
>
> Yes, that's exactly what I'm referring to. Great!
>
> Presumably you mean "NPcapHelper.exe communicates with the NPcap library",
> as...

Yes, as Wireshark and the Npcap DLLs reside in the same process, there's
not much difference between saying the user software or the Npcap library.

>> Currently this mechanism is all transparent to user software, and I
>> have tested it on Nmap and Wireshark.
>
> ...it sounds as if it works with *any* program using NPcap, not just
> Wireshark.

Yes.

>> One issue about this "Admin-only Mode" for Wireshark is that, when opening
>> the Wireshark UI, the UAC prompt will appear multiple times. As the
>> "NPcapHelper.exe" daemon only terminates itself when packet.dll is
>> unloaded, I guess this is because Wireshark has loaded and unloaded
>> packet.dll multiple times.
>
> My *guess* is that the problem is that Wireshark *itself* rarely uses
> libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when
> dumpcap is finished doing what it was asked to do, it exits.

When I opened the Wireshark GUI, and before I did anything (like clicking a
button), the UAC prompt had already appeared multiple times. Is dumpcap
running multiple times in this short period of time? I don't know.

> If, on all platforms that support the "pcap has a helper to do the stuff
> that requires privileges" model, we have Wireshark and TShark *directly*
> call pcap, that should fix the problem. Currently, NPcap is the only
> platform where that happens, but I'd like to make libpcap use it on every
> UN*X it can (which I think should be all of them).

Great. IMO, having the "NPcapHelper.exe" daemon terminate itself only when
packet.dll is unloaded is a reasonable design. Maybe Wireshark can improve
this part to reduce the number of Npcap library loads. And it would be great
work if this security feature could be implemented on other platforms like
Unix and Linux and supported by various user software.


Cheers,
Yang
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
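The thread describes Npcap's Admin-only mode as an elevated helper that opens the adapter device and hands the open handle back to the unprivileged client (DuplicateHandle over a named pipe), and Guy wants libpcap to use the same helper model on every UN*X. The following is an added example, not Npcap or Wireshark code, showing the UN*X form of that hand-over: the helper runs in a forked process, validates the request, opens the device, and passes the open descriptor to the client as SCM_RIGHTS ancillary data via Python's socket.send_fds/recv_fds (3.9+). The "devices" directory, the NPF_demo file and the allow-list check are constructed stand-ins for \Device\NPF_{XXX}; the helper is the privilege boundary, so the point of the example is that it refuses anything that is not an adapter device, including path-traversal and symlink attempts.

```python
"""Privilege-separated helper, UN*X form (added example, not Npcap or
Wireshark code).

An elevated helper opens the adapter device and hands the open
descriptor to an unprivileged client; on POSIX the hand-over is
SCM_RIGHTS descriptor passing over a Unix-domain socket, exposed in
Python as socket.send_fds/recv_fds.  The "devices" directory, file
names and allow-list below are constructed stand-ins for the Windows
\\Device\\NPF_{...} namespace (an assumption of this example)."""
import os
import socket
import tempfile
from typing import Optional, Tuple

MAX_MSG = 4096


def helper_serve_one(conn: socket.socket, allowed_dir: str) -> bool:
    """Helper side: serve one open request; return True if a descriptor was sent.

    The helper is the privilege boundary, so it decides what may be opened:
    only an entry directly inside allowed_dir (symlinks resolved first), and
    only read-only.  Anything else gets an ERR reply and no descriptor."""
    request = conn.recv(MAX_MSG)
    if not request:
        return False
    wanted = os.path.realpath(request.decode("utf-8", "strict"))
    if os.path.dirname(wanted) != os.path.realpath(allowed_dir):
        conn.sendall(b"ERR not an allowed device")
        return False
    try:
        fd = os.open(wanted, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        conn.sendall(("ERR open failed: %d" % exc.errno).encode())
        return False
    try:
        # The kernel duplicates fd into the receiver's table (the POSIX
        # counterpart of DuplicateHandle); the helper's own copy can go.
        socket.send_fds(conn, [b"OK"], [fd])
    finally:
        os.close(fd)
    return True


def client_open_via_helper(conn: socket.socket, device_path: str) -> int:
    """Client side: ask the helper for device_path, return the received fd."""
    conn.sendall(device_path.encode("utf-8"))
    reply, fds, _flags, _addr = socket.recv_fds(conn, MAX_MSG, 1)
    if not reply.startswith(b"OK") or not fds:
        raise PermissionError(reply.decode("utf-8", "replace") or "no reply")
    return fds[0]


def read_via_helper(allowed_dir: str, device_path: str) -> Optional[bytes]:
    """Fork a helper, request device_path through it, and return what the
    client reads from the handed-over descriptor (None if refused)."""
    client_end, helper_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # helper process (the elevated side in the real design)
        try:
            client_end.close()
            helper_serve_one(helper_end, allowed_dir)
        finally:
            helper_end.close()
            os._exit(0)
    helper_end.close()
    try:
        try:
            fd = client_open_via_helper(client_end, device_path)
        except PermissionError:
            return None
        with os.fdopen(fd, "rb") as handed_over:
            return handed_over.read()
    finally:
        client_end.close()
        os.waitpid(pid, 0)


def constructed_environment() -> Tuple[str, str, str]:
    """Build the constructed sample: an allowed 'devices' directory with one
    fake adapter, plus a file outside it that the helper must refuse."""
    root = tempfile.mkdtemp(prefix="npf-helper-demo-")
    devices = os.path.join(root, "devices")
    os.mkdir(devices)
    adapter = os.path.join(devices, "NPF_demo")
    with open(adapter, "wb") as fh:
        fh.write(b"constructed capture bytes")
    outside = os.path.join(root, "not-a-device")
    with open(outside, "wb") as fh:
        fh.write(b"helper must never hand this out")
    return devices, adapter, outside


if __name__ == "__main__":
    devices, adapter, outside = constructed_environment()
    print("allowed device :", read_via_helper(devices, adapter))
    print("outside path   :", read_via_helper(devices, outside))
    print("traversal      :", read_via_helper(devices, devices + "/../not-a-device"))
```

The helper's only job is to open and hand over; it never proxies reads, which is why the UAC prompt in the thread appears once per helper start rather than once per packet. Because the client ends up holding a real descriptor, whatever the helper agrees to open is permanently available to the client, so the allow-list check is the whole security argument of the design, and it has to be done on the resolved path, not the string the client sent.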
