On Jul 22, 2015, at 8:39 PM, Yang Luo <hslu...@gmail.com> wrote:

> If I am understanding right, what you asked is exactly what Npcap has 
> implemented for "Admin-only Mode". If you install Npcap in "Admin-only Mode", 
> the driver npf.sys will be protected with Admin rights. Software (like 
> Wireshark) loading Npcap's packet.dll will start a daemon named 
> "NPcapHelper.exe" with Admin privilege (here a UAC prompt shows for the user to 
> decide). NPcapHelper.exe communicates with Wireshark using Named Pipes and 
> will open adapter devices (\Device\NPF_{XXX}) for Wireshark. Opened handles 
> will be copied using DuplicateHandle and sent back to Wireshark using Named 
> Pipes.

Yes, that's exactly what I'm referring to.  Great!

Presumably you mean "NPcapHelper.exe communicates with the NPcap library", as...

> Currently this mechanism is all transparent to user softwares, and I have 
> tested on Nmap and Wireshark.

...it sounds as if it works with *any* program using NPcap, not just Wireshark.

> One issue with this "Admin-only Mode" for Wireshark is that, when opening 
> the Wireshark UI, the UAC window is prompted multiple times. As the 
> "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded, 
> I guess this is because Wireshark has loaded and unloaded packet.dll multiple 
> times.

My *guess* is that the problem is that Wireshark *itself* rarely uses 
libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when 
dumpcap is finished doing what it was asked to do, it exits.

If, on all platforms that support the "pcap has a helper to do the stuff that 
requires privileges" model, we have Wireshark and TShark *directly* call pcap, 
that should fix the problem.  Currently, NPcap is the only platform where that 
happens, but I'd like to make libpcap use it on every UN*X it can (which I 
think should be all of them).
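Added example in C (not Npcap's or Wireshark's code) of two pieces of the broker design described in the quoted message: a check an elevated helper could apply to a requested \Device\NPF_{GUID} name before opening it on the client's behalf, and the DuplicateHandle step that hands the opened handle to the client. The validator and its placement are assumptions; the thread does not say how NPcapHelper checks requests.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Adapter names follow the pattern quoted in the thread, \Device\NPF_{GUID}.
 * An elevated helper that opens devices for an unprivileged client should
 * first confirm the request names one of these and nothing else, or it
 * becomes a confused deputy. This check is an assumption, not Npcap's code. */
static const char NPF_PREFIX[] = "\\Device\\NPF_{";

/* A GUID body is 8-4-4-4-12 hex digits separated by '-'; exactly len bytes. */
static bool is_guid_body(const char *s, size_t len)
{
    static const size_t groups[] = {8, 4, 4, 4, 12};
    size_t pos = 0;
    for (size_t g = 0; g < 5; g++) {
        if (g > 0 && (pos >= len || s[pos++] != '-')) return false;
        for (size_t i = 0; i < groups[g]; i++, pos++)
            if (pos >= len || !isxdigit((unsigned char)s[pos])) return false;
    }
    return pos == len;
}

/* Returns true only for a well-formed, exactly terminated \Device\NPF_{GUID}. */
bool npf_device_name_is_valid(const char *name)
{
    size_t plen = sizeof(NPF_PREFIX) - 1;
    if (name == NULL || strncmp(name, NPF_PREFIX, plen) != 0) return false;
    const char *body = name + plen;
    const char *end = strchr(body, '}');
    if (end == NULL || end[1] != '\0') return false;
    return is_guid_body(body, (size_t)(end - body));
}

#ifdef _WIN32
/* The handoff the thread describes: copy an opened device handle into the
 * client's handle table. The returned value only means something inside the
 * client process, so that number is what travels back over the named pipe.
 * client_process needs PROCESS_DUP_HANDLE access. */
bool duplicate_into_client(HANDLE dev, HANDLE client_process, HANDLE *out)
{
    return DuplicateHandle(GetCurrentProcess(), dev, client_process, out,
                           0, FALSE, DUPLICATE_SAME_ACCESS) != 0;
}
#endif
```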
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe