Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Sun, 26 Jul 2015 08:08:37 +0800
Hi Guy,

On Sun, Jul 26, 2015 at 7:48 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> If I am understanding right, what you asked is exactly what Npcap has implemented for "Admin-only Mode". If you install Npcap in "Admin-only Mode", the driver npf.sys will be protected with Admin rights. Softwares (like Wireshark) loading Npcap's packet.dll will start a daemon named "NPcapHelper.exe" in Admin privilege (here a UAC prompt shows for user to decide). NPcapHelper.exe communicate with Wireshark using Named Pipes and will open adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles will be copied using DuplicateHandle and sent back to Wireshark using Named Pipes.

Yes, that's exactly what I'm referring to.  Great!

Presumably you mean "NPcapHelper.exe communicates with the NPcap library", as...

Yes, as Wireshark and Npcap DLLs resides in the same process, there's no too many differences to say the user software or Npcap library.
 

> Currently this mechanism is all transparent to user softwares, and I have tested on Nmap and Wireshark.

...it sounds as if it works with *any* program using NPcap, not just Wireshark.

Yes.
 

> One issue about this "Admin-only Mode" to Wireshark is, when opening Wireshark UI, UAC window will be prompted multiple times. As "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded, I guess this is because Wireshark has loaded and unloaded packet.dll multiple times.

My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.

When I opened Wireshark GUI and before I do anything (like clicking a button), the UAC has been prompted multiple times. is dumpcap running multiple times in this short period of time? I don't know.
 

If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we have Wireshark and TShark *directly* call pcap, that should fix the problem.  Currently, NPcap is the only platform where that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should be all of them).

Great. IMO "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded is a reasonable design. Maybe Wireshark can improve this part to reduce Npcap library load times. And it will be a great work if this security feature can be implemented in other platforms like Unix and Linux and supported by various user softwares.


Cheers,
Yang