On Jul 22, 2015, at 8:39 PM, Yang Luo <hslu...@gmail.com> wrote:

> If I am understanding right, what you asked is exactly what Npcap has
> implemented for "Admin-only Mode". If you install Npcap in "Admin-only Mode",
> the driver npf.sys will be protected with Admin rights. Software (like
> Wireshark) loading Npcap's packet.dll will start a daemon named
> "NPcapHelper.exe" in Admin privilege (here a UAC prompt shows for the user to
> decide). NPcapHelper.exe communicates with Wireshark using Named Pipes and
> will open adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles
> will be copied using DuplicateHandle and sent back to Wireshark using Named
> Pipes.
Yes, that's exactly what I'm referring to. Great!

Presumably you mean "NPcapHelper.exe communicates with the NPcap library", as...

> Currently this mechanism is all transparent to user softwares, and I have
> tested on Nmap and Wireshark.

...it sounds as if it works with *any* program using NPcap, not just Wireshark.

> One issue about this "Admin-only Mode" to Wireshark is, when opening
> Wireshark UI, UAC window will be prompted multiple times. As
> "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded,
> I guess this is because Wireshark has loaded and unloaded packet.dll multiple
> times.

My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.

If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we have Wireshark and TShark *directly* call pcap, that should fix the problem. Currently, NPcap is the only platform where that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should be all of them).

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
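The privileged-helper design described in this thread (an elevated helper opens the adapter, then hands the already-opened handle to the unprivileged client over a pipe, so the client never needs the rights to open the device itself) has a direct counterpart on the UN*X side that Guy says he would like libpcap to use everywhere: the helper passes an open file descriptor over a UNIX-domain socket with SCM_RIGHTS, which is the POSIX equivalent of DuplicateHandle plus a named pipe. The following is an added example written for this page; it is not code from Npcap, WinPcap or libpcap. The socketpair/fork layout, the "/tmp/npf_demo_" allowlist prefix and the stand-in "adapter" file are constructed for the demo; a real helper would open the actual capture device. The point to note from the defender's side is that the helper validates the requested name before opening anything, so the client receives exactly one handle it was entitled to, not the helper's privilege.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Constructed for the demo: the helper only opens "adapters" whose path
 * starts with this prefix (the analogue of \Device\NPF_ on Windows). */
static const char *ALLOWED_PREFIX = "/tmp/npf_demo_";

/* Pass one open descriptor to the peer; the kernel duplicates it into the
 * receiving process, much as DuplicateHandle does on Windows. */
static int send_fd(int sock, int fd) {
    char byte = 'F';                                /* one data byte must accompany the cmsg */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = {0};
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = cbuf;    msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; returns -1 if the helper sent a refusal (no cmsg). */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = {0};
    msg.msg_iov = &iov;        msg.msg_iovlen = 1;
    msg.msg_control = cbuf;    msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Helper side: read the requested device name, enforce the allowlist,
 * open it, and ship only the resulting descriptor back. */
static int helper_serve(int sock) {
    char req[256];
    ssize_t n = read(sock, req, sizeof req - 1);
    if (n <= 0) return -1;
    req[n] = '\0';
    char nak = 'N';
    if (strncmp(req, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) != 0 || strstr(req, "..") != NULL) {
        (void)write(sock, &nak, 1);                 /* refuse: not an adapter name */
        return -1;
    }
    int fd = open(req, O_RDONLY);
    if (fd < 0) { (void)write(sock, &nak, 1); return -1; }
    int rc = send_fd(sock, fd);
    close(fd);                                      /* helper keeps nothing open */
    return rc;
}

/* Client side: ask for a device, receive the handle, read from it. */
static int client_request(int sock, const char *device, char *buf, size_t len) {
    if (write(sock, device, strlen(device)) < 0) return -1;
    int fd = recv_fd(sock);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return (int)n;
}

/* Run helper (child) and client (parent) over a socketpair; returns the
 * number of bytes the client read through the passed descriptor, or -1. */
int demo_roundtrip(const char *device, char *buf, size_t len) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); helper_serve(sv[1]); _exit(0); }
    close(sv[1]);
    int n = client_request(sv[0], device, buf, len);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n;
}

/* Creates a constructed stand-in adapter file, then exercises one allowed
 * and one refused request. Returns 0 when both behave as expected. */
int demo(void) {
    char path[] = "/tmp/npf_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char *payload = "packet data";             /* 11 bytes, constructed */
    if (write(fd, payload, strlen(payload)) != (ssize_t)strlen(payload)) { close(fd); unlink(path); return -1; }
    close(fd);
    char buf[64];
    int got = demo_roundtrip(path, buf, sizeof buf);                /* 11 */
    int denied = demo_roundtrip("/tmp/not_an_adapter", buf, sizeof buf); /* -1 */
    unlink(path);
    return (got == 11 && denied == -1) ? 0 : -1;
}

int main(void) {
    printf("helper round trip: %s\n", demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Because the descriptor is duplicated by the kernel, the client can read from it even though it could not have opened the path under a stricter policy; the only privilege boundary that matters is the allowlist check inside the helper, which is why that check, not the transport, is what a reviewer should scrutinise.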