Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 25 Jul 2015 16:48:46 -0700
On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> If I am understanding right, what you asked is exactly what Npcap has implemented for "Admin-only Mode". If you install Npcap in "Admin-only Mode", the driver npf.sys will be protected with Admin rights. Software (like Wireshark) loading Npcap's packet.dll will start a daemon named "NPcapHelper.exe" with Admin privilege (here a UAC prompt shows for the user to decide). NPcapHelper.exe communicates with Wireshark using Named Pipes and will open adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles will be copied using DuplicateHandle and sent back to Wireshark using Named Pipes.

Yes, that's exactly what I'm referring to.  Great!

Presumably you mean "NPcapHelper.exe communicates with the NPcap library", as...

> Currently this mechanism is all transparent to user softwares, and I have tested on Nmap and Wireshark.

...it sounds as if it works with *any* program using NPcap, not just Wireshark.

> One issue about this "Admin-only Mode" for Wireshark is that, when opening the Wireshark UI, the UAC window will be prompted multiple times. As the "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded, I guess this is because Wireshark has loaded and unloaded packet.dll multiple times.

My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.

If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we have Wireshark and TShark *directly* call pcap, that should fix the problem.  Currently, NPcap is the only platform where that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should be all of them).