Hi Guy,

On Sun, Jul 26, 2015 at 7:48 AM, Guy Harris <[email protected]> wrote:

> > On Jul 22, 2015, at 8:39 PM, Yang Luo <[email protected]> wrote:
> >
> > If I am understanding right, what you asked is exactly what Npcap has
> > implemented for "Admin-only Mode". If you install Npcap in "Admin-only
> > Mode", the driver npf.sys will be protected with Admin rights. Software
> > (like Wireshark) loading Npcap's packet.dll will start a daemon named
> > "NPcapHelper.exe" with Admin privilege (here a UAC prompt shows for the user to
> > decide). NPcapHelper.exe communicates with Wireshark using Named Pipes and
> > will open adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles
> > will be copied using DuplicateHandle and sent back to Wireshark using Named
> > Pipes.
>
> Yes, that's exactly what I'm referring to.

Great!

> Presumably you mean "NPcapHelper.exe communicates with the NPcap library",
> as...

Yes. As Wireshark and the Npcap DLLs reside in the same process, there is not much difference between saying the user software or the Npcap library.

> > Currently this mechanism is all transparent to user software, and I
> > have tested on Nmap and Wireshark.
>
> ...it sounds as if it works with *any* program using NPcap, not just
> Wireshark.

Yes.

> > One issue about this "Admin-only Mode" with Wireshark is, when opening
> > the Wireshark UI, the UAC window will be prompted multiple times. As
> > the "NPcapHelper.exe" daemon only terminates itself when packet.dll is
> > unloaded, I guess this is because Wireshark has loaded and unloaded
> > packet.dll multiple times.
>
> My *guess* is that the problem is that Wireshark *itself* rarely uses
> libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when
> dumpcap is finished doing what it was asked to do, it exits.

When I opened the Wireshark GUI, and before I did anything (like clicking a button), the UAC prompt had already appeared multiple times. Is dumpcap running multiple times in this short period of time? I don't know.

> If, on all platforms that support the "pcap has a helper to do the stuff
> that requires privileges" model, we have Wireshark and TShark *directly*
> call pcap, that should fix the problem. Currently, NPcap is the only
> platform where that happens, but I'd like to make libpcap use it on every
> UN*X it can (which I think should be all of them).

Great. IMO, having the "NPcapHelper.exe" daemon terminate itself only when packet.dll is unloaded is a reasonable design. Maybe Wireshark can improve this part to reduce the number of times the Npcap library is loaded. And it will be great work if this security feature can be implemented on other platforms like Unix and Linux and supported by various user software.

Cheers,
Yang
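The helper model described in this thread (a privileged helper opens the device and hands the unprivileged client a duplicated handle over a named pipe, so the client gets the handle but never the privilege) has a direct POSIX counterpart that Guy's "every UN*X" remark points at: pass the open descriptor over an AF_UNIX socket as SCM_RIGHTS ancillary data. The following is an added example written for this page, not code from Npcap, libpcap or Wireshark. It assumes a hypothetical allow-list prefix "/tmp/npf_demo_" standing in for the \Device\NPF_{...} names, forks the "helper" in-process instead of running it elevated, and uses a constructed plain file as the "device"; the function names (send_fd, recv_fd, serve_one_request, fetch_via_helper, make_sample) are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Assumption for this example: the helper opens only names under this prefix,
   which stands in for the \Device\NPF_{...} names NPcapHelper.exe serves. */
#define ALLOWED_PREFIX "/tmp/npf_demo_"

/* Send an open descriptor as SCM_RIGHTS ancillary data: the peer gets its own handle
   to the same open file description, the POSIX counterpart of DuplicateHandle. */
int send_fd(int sock, int fd)
{
    char tag = 'H';
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov = { &tag, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    memset(&u, 0, sizeof u);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; -1 on error or when the peer sent a bare byte (a refusal). */
int recv_fd(int sock)
{
    char tag;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov = { &tag, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    int fd;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);   /* NULL when nothing was attached */
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Helper side (the part that would run with the privilege): take one request, open the
   name only if it is allow-listed, and hand back the descriptor, never the privilege. */
int serve_one_request(int sock)
{
    char name[256], deny = 'D';
    ssize_t n = read(sock, name, sizeof name - 1);   /* SEQPACKET: one read, one request */
    int fd = -1, rc;
    if (n <= 0)
        return -1;
    name[n] = '\0';
    if (!strncmp(name, ALLOWED_PREFIX, sizeof ALLOWED_PREFIX - 1) && !strstr(name, ".."))
        fd = open(name, O_RDONLY);                /* the helper, not the client, picks the access mode */
    if (fd < 0)                                   /* refuse with a bare byte, nothing attached */
        return write(sock, &deny, 1) == 1 ? 0 : -1;
    rc = send_fd(sock, fd);
    close(fd);                                    /* the copy queued for the peer survives this */
    return rc;
}

/* Client side (unprivileged): fork a helper over a socketpair, ask it for `name`, and
   read from whatever comes back. Returns bytes read, or -1 if the helper refused. */
ssize_t fetch_via_helper(const char *name, char *out, size_t outlen)
{
    int sv[2], fd = -1;
    ssize_t got = -1, len = (ssize_t)strlen(name);
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                               /* helper process */
        close(sv[0]);
        serve_one_request(sv[1]);
        _exit(0);
    }
    close(sv[1]);                                 /* client process */
    if (write(sv[0], name, len) == len)
        fd = recv_fd(sv[0]);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    if (fd >= 0 && (got = read(fd, out, outlen - 1)) >= 0)
        out[got] = '\0';
    if (fd >= 0)
        close(fd);
    return got;
}

/* Constructed sample "device" (a plain file) under the allow-listed prefix, plus a
   buffer for what the client reads back through the passed descriptor. */
static char sample_path[] = ALLOWED_PREFIX "XXXXXX";
char fetched[64];

int make_sample(void)
{
    const char payload[] = "constructed capture data";
    int fd = mkstemp(sample_path);
    ssize_t w = fd < 0 ? -1 : write(fd, payload, sizeof payload - 1);
    if (fd >= 0)
        close(fd);
    return w == (ssize_t)(sizeof payload - 1) ? 0 : -1;
}
```

Two points carry over from the Windows design. First, the security boundary is the helper's allow-list and the access mode it opens with: the client receives a descriptor for one permitted device, opened read-only here, and nothing it sends can widen that. Second, in this demo both processes run as the same user because the point is the handle-passing protocol; a real deployment runs the helper elevated on a well-known socket and should check who is connecting (SO_PEERCRED on Linux) before serving anything, the same role the UAC prompt plays for NPcapHelper.exe.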
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
