Wireshark mailing list archives

Re: Npcap 0.01 call for test (2nd)


From: Guy Harris <guy () alum mit edu>
Date: Sat, 25 Jul 2015 18:47:06 -0700


On Jul 25, 2015, at 5:08 PM, Yang Luo <hsluoyb () gmail com> wrote:

> Hi Guy,
>
> On Sun, Jul 26, 2015 at 7:48 AM, Guy Harris <guy () alum mit edu> wrote:
>
>> On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb () gmail com> wrote:
>>
>>> One issue about this "Admin-only Mode" for Wireshark is that, when opening the Wireshark UI, the UAC window
>>> will be prompted multiple times. As the "NPcapHelper.exe" daemon only terminates itself when packet.dll is
>>> unloaded, I guess this is because Wireshark has loaded and unloaded packet.dll multiple times.
>>
>> My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs
>> dumpcap to do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.
>
> When I opened the Wireshark GUI, and before I did anything (like clicking a button), the UAC was prompted
> multiple times. Is dumpcap running multiple times in this short period of time?

Probably.  It's run to get a list of interfaces (which may happen more than once) and it's also run to get the
incoming packet statistics (that runs continuously until the capture is started).

>> If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we
>> have Wireshark and TShark *directly* call pcap, that should fix the problem.  Currently, NPcap is the only
>> platform where that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should
>> be all of them).
>
> Great. IMO, having the "NPcapHelper.exe" daemon only terminate itself when packet.dll is unloaded is a
> reasonable design. Maybe Wireshark can improve this part to reduce the number of Npcap library loads.

Getting dumpcap out of the way could also allow some TShark stuff to be cleaned up - if it's just capturing,
dissecting, and printing, there wouldn't need to be a capture file, nor would there need to be some scheme where
dumpcap pipes the packets to TShark.

> And it will be great work if this security feature can be implemented on other platforms like Unix and Linux

"Unix" isn't a platform, it's a family of platforms; I prefer the name "UN*X", myself, as it includes everybody
(Solaris, AIX, HP-UX, OS X, Linux, *BSD, etc.).

As far as I know, this can be done in *all* of the UN*Xes libpcap supports, as they all support passing file
descriptors over pipes.

(Think of the Windows scheme as sneaking into somebody's house in the middle of the night, putting a package in a
closet, and then sending them a notice in the mail saying where the package was put, and the UN*X scheme as just
mailing the package to them. :-))

> and supported by various user software.

As long as the user software can provide to libpcap, if necessary, some way of launching the helper with
sufficient privileges (this had better not require a GUI, as you might not have a GUI available if you're trying
to capture with, for example, tcpdump or TShark; it might involve running it through sudo), it should be supported
by any software (and might default to something like sudo, so that only GUI-based applications would need to
specify a mechanism - and they might just be able to specify "use the default GUI mechanism").

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
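The UN*X helper model Guy describes above (a privileged helper opens the capture source and passes the open file descriptor to the unprivileged process over a socket), as an added example that is not part of this thread nor code from libpcap or Npcap. It assumes a Linux/POSIX system; the "helper" is a forked child of the same process and a pipe holding constructed sample bytes stands in for the network interface, so it runs without privileges. The `helper_can_open` flag is a hypothetical switch used only to exercise the "helper could not open the device" path.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
/* Send one open descriptor to the peer over a UNIX-domain socket (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive the descriptor; the kernel installs a fresh fd here. -1 if none came. */
static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))]; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;          /* helper sent nothing */
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
static char demo_buf[32];   /* what the unprivileged side read through the passed fd */
/* Helper-model round trip: the forked "helper" (the part that would run privileged)
 * opens the capture source and hands the fd back; the unprivileged side reads it.
 * A pipe of constructed bytes stands in for the NIC. Returns bytes read, or -1. */
static int helper_roundtrip(int helper_can_open) {
    int sv[2], p[2], fd, got;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                      /* helper side */
        close(sv[0]);
        if (!helper_can_open || pipe(p) < 0) _exit(1);   /* "open" failed: send nothing */
        if (write(p[1], "pkt-bytes", 9) != 9) _exit(1);  /* constructed sample data */
        close(p[1]);
        _exit(send_fd(sv[1], p[0]) == 0 ? 0 : 1);
    }
    close(sv[1]);                                        /* unprivileged side */
    fd = recv_fd(sv[0]); close(sv[0]);
    waitpid(pid, NULL, 0);
    if (fd < 0) return -1;
    got = (int)read(fd, demo_buf, sizeof demo_buf);
    close(fd);
    return got;
}
```

Only the descriptor crosses the socket; the receiving side never needs the privileges that were required to open the source, and a helper that fails to open it simply sends nothing.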

