Wireshark mailing list archives

Re: Favoring Npcap over WinPcap at runtime?


From: Pascal Quantin <pascal.quantin () gmail com>
Date: Wed, 18 Oct 2017 12:08:02 +0200

2017-10-18 11:54 GMT+02:00 Graham Bloice <graham.bloice () trihedral com>:



On 18 October 2017 at 09:45, Pascal Quantin <pascal.quantin () gmail com>
wrote:

Hi list,

when we introduced Npcap support back in 2015/2016, we decided that
WinPcap driver should have higher precedence due to its known stability
(and despite issues with newer Windows versions).  By that time, you could
get a BSoD with Npcap.

Time has elapsed since, and Npcap is now bundled with Nmap. The number of
commits in Npcap repository (https://github.com/nmap/npcap/) has also
decreased, which hopefully means that the product is more mature (the list
of opened issues can be found here:
https://github.com/nmap/nmap/issues?q=is%3Aissue+is%3Aopen+label%3ANpcap).

Nmap team filed bug 14134 regarding a library loading issue they
spotted. We are gonna fix it, but it raises the question of which capture
driver (between WinPcap and Npcap) should be attempted to be loaded first.
Note that for now I do not want to change the driver bundled with our
Windows installers (the Npcap license restriction must be solved before
even thinking about it). So this only concerns people having installed both
WinPcap and Npcap. Moreover, if we agree on the change, I would suggest to
apply it only in development branch.

Thoughts?

Regards,
Pascal.


I'm generally in agreement with all the above, but I'm torn on hard-coding
a preference for one capture library over another.  If a system has both,
who are we to say which one will be used to the exclusion of the other.

I guess I'm implying we should expose a preference to allow the user to
choose which is definitely more work but does give control back.


Unfortunately a Wireshark preference is not doable, as wpcap.dll is also
loaded by dumpcap that does not use our preferences module. A registry key
might do the trick. Presumably tshark should also have a command flag
allowing you to configure it.
I guess the underlying question is: what kind of power users would have
both Npcap and WinPcap installed? Either it's a personal choice because
Npcap features are required (and in that case it would make sense to favor
it), or you have Nmap installed (or any other software that might rely on
it). And if it works for Nmap, any reason it would fail for Wireshark?

Note also that when both are installed but you are using WinPcap, you can
see Npcap loopback interface in the list but if you select it no packets
are captured at all. A bit confusing.




--
Graham Bloice

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
