Wireshark-dev: Re: [Wireshark-dev] Favoring Npcap over WinPcap at runtime?

From: Graham Bloice <graham.bloice@xxxxxxxxxxxxx>
Date: Wed, 18 Oct 2017 11:18:17 +0100


On 18 October 2017 at 11:08, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:


2017-10-18 11:54 GMT+02:00 Graham Bloice <graham.bloice@xxxxxxxxxxxxx>:


On 18 October 2017 at 09:45, Pascal Quantin <pascal.quantin@xxxxxxxxx> wrote:
Hi list,

when we introduced Npcap support back in 2015/2016, we decided that the WinPcap driver should have higher precedence due to its known stability (and despite issues with newer Windows versions). At that time, you could get a BSoD with Npcap.

Time has elapsed since, and Npcap is now bundled with Nmap. The number of commits in the Npcap repository (https://github.com/nmap/npcap/) has also decreased, which hopefully means that the product is more mature (the list of open issues can be found here: https://github.com/nmap/nmap/issues?q=is%3Aissue+is%3Aopen+label%3ANpcap).

The Nmap team filed bug 14134 regarding a library loading issue they spotted. We are going to fix it, but it raises the question of which capture driver (WinPcap or Npcap) we should attempt to load first.
Note that for now I do not want to change the driver bundled with our Windows installers (the Npcap license restriction must be solved before even thinking about it). So this only concerns people having installed both WinPcap and Npcap. Moreover, if we agree on the change, I would suggest applying it only in the development branch.

Thoughts?

Regards,
Pascal.


I'm generally in agreement with all the above, but I'm torn on hard-coding a preference for one capture library over another. If a system has both, who are we to say which one will be used to the exclusion of the other?

I guess I'm implying we should expose a preference to allow the user to choose which is definitely more work but does give control back.

Unfortunately a Wireshark preference is not doable, as wpcap.dll is also loaded by dumpcap, which does not use our preferences module. A registry key might do the trick. Presumably tshark should also have a command flag allowing you to configure it.
I guess the underlying question is: what kind of power user would have both Npcap and WinPcap installed? Either it's a personal choice because Npcap features are required (and in that case it would make sense to favor it), or you have Nmap installed (or any other software that might rely on it). And if it works for Nmap, any reason it would fail for Wireshark?


Presumably dumpcap could also have a command flag to select which to use.
 
Note also that when both are installed but you are using WinPcap, you can see the Npcap loopback interface in the list, but if you select it no packets are captured at all. A bit confusing.

Thinking about my own workflow, when capturing "oddities" occur, and Npcap is installed, a remedial option is to uninstall it.  Having a switch in Wireshark would make life easier.

--
Graham Bloice
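The load-order policy the thread is arguing about (Npcap first by default, a user-settable override, fall back to whichever library is actually installed), as an added example that is not Wireshark's, dumpcap's or Npcap's own code. It assumes the default install layouts (Npcap's wpcap.dll in %SystemRoot%\System32\Npcap, WinPcap's in %SystemRoot%\System32), a hypothetical preference value "winpcap" that a caller would read from a registry key or a dumpcap/tshark flag, and a probe callback so the policy can be exercised offline; the probe names and the simulated installs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Which capture library ended up being selected. */
enum pcap_flavor { PCAP_NONE = 0, PCAP_NPCAP = 1, PCAP_WINPCAP = 2 };

/* Candidate install location for wpcap.dll. The directories are assumptions
 * about the default install layout: Npcap puts its wpcap.dll in
 * %SystemRoot%\System32\Npcap, WinPcap in %SystemRoot%\System32. */
struct candidate {
    enum pcap_flavor flavor;
    const char *dir;
};

/* A probe answers "can wpcap.dll be loaded from this directory?". It is
 * injected so the policy can be exercised without Windows or either driver. */
typedef int (*probe_fn)(const char *dir);

/* Build the search order. Default is Npcap first (the change proposed in the
 * thread); a preference of "winpcap" (hypothetical value, e.g. from a registry
 * key or a dumpcap/tshark flag) flips it. Returns the number of candidates. */
static int build_search_order(const char *pref, struct candidate out[2])
{
    const struct candidate npcap   = { PCAP_NPCAP,   "C:\\Windows\\System32\\Npcap" };
    const struct candidate winpcap = { PCAP_WINPCAP, "C:\\Windows\\System32" };

    if (pref != NULL && strcmp(pref, "winpcap") == 0) {
        out[0] = winpcap;
        out[1] = npcap;
    } else {
        out[0] = npcap;
        out[1] = winpcap;
    }
    return 2;
}

/* Walk the candidates in order and return the first one that loads, falling
 * back to the other if the preferred library is not installed. chosen_dir
 * (optional) receives the directory that won. */
static enum pcap_flavor select_wpcap(const char *pref, probe_fn probe,
                                     char *chosen_dir, size_t chosen_len)
{
    struct candidate order[2];
    int n = build_search_order(pref, order);

    for (int i = 0; i < n; i++) {
        if (probe(order[i].dir)) {
            if (chosen_dir != NULL)
                snprintf(chosen_dir, chosen_len, "%s", order[i].dir);
            return order[i].flavor;
        }
    }
    return PCAP_NONE;
}

/* Convenience for callers that only want the winning directory ("" if none). */
static const char *winning_dir(const char *pref, probe_fn probe)
{
    static char dir[128];
    return select_wpcap(pref, probe, dir, sizeof dir) == PCAP_NONE ? "" : dir;
}

#ifdef _WIN32
/* Real probe: load wpcap.dll by full path rather than by bare name, so the
 * normal DLL search order cannot silently hand us System32\wpcap.dll when
 * Npcap was wanted. LOAD_WITH_ALTERED_SEARCH_PATH makes the DLL's own
 * dependency (Packet.dll) resolve from the same directory. */
static int probe_load_library(const char *dir)
{
    char path[MAX_PATH];
    snprintf(path, sizeof path, "%s\\wpcap.dll", dir);
    HMODULE h = LoadLibraryExA(path, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
    if (h == NULL)
        return 0;
    FreeLibrary(h); /* only probing here; a real loader keeps the handle */
    return 1;
}
#endif

/* Simulated probes (constructed, not real installs) covering the layouts the
 * thread discusses: both installed, only one of them, or neither. */
static int probe_both(const char *dir)         { (void)dir; return 1; }
static int probe_only_winpcap(const char *dir) { return strstr(dir, "Npcap") == NULL; }
static int probe_only_npcap(const char *dir)   { return strstr(dir, "Npcap") != NULL; }
static int probe_neither(const char *dir)      { (void)dir; return 0; }

static const char *flavor_name(enum pcap_flavor f)
{
    return f == PCAP_NPCAP ? "Npcap" : f == PCAP_WINPCAP ? "WinPcap" : "none";
}

int main(void)
{
    printf("both installed, no preference -> %s\n", flavor_name(select_wpcap(NULL, probe_both, NULL, 0)));
    printf("both installed, pref winpcap  -> %s\n", flavor_name(select_wpcap("winpcap", probe_both, NULL, 0)));
    printf("only WinPcap installed        -> %s (%s)\n", flavor_name(select_wpcap(NULL, probe_only_winpcap, NULL, 0)), winning_dir(NULL, probe_only_winpcap));
    printf("pref winpcap, only Npcap      -> %s\n", flavor_name(select_wpcap("winpcap", probe_only_npcap, NULL, 0)));
    printf("neither installed             -> %s\n", flavor_name(select_wpcap(NULL, probe_neither, NULL, 0)));
    return 0;
}
```

One caveat when turning this into real loader code: the directory alone does not identify the vendor, because Npcap's optional "WinPcap API-compatible mode" also places a wpcap.dll in System32. If the distinction matters (for example to explain the loopback-interface confusion described above), call pcap_lib_version() on the loaded library; Npcap's copy reports itself as Npcap in that string.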