Wireshark-dev: Re: [Wireshark-dev] Npcap 0.01 call for test (2nd)
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 25 Jul 2015 18:47:06 -0700
On Jul 25, 2015, at 5:08 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:

> Hi Guy,
> 
> On Sun, Jul 26, 2015 at 7:48 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> 
>> On Jul 22, 2015, at 8:39 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:
>>  
>>> One issue about this "Admin-only Mode" to Wireshark is, when opening Wireshark UI, UAC window will be prompted multiple times. As "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded, I guess this is because Wireshark has loaded and unloaded packet.dll multiple times.
>> 
>> My *guess* is that the problem is that Wireshark *itself* rarely uses libpcap/WinPcap/NPcap; it mostly runs dumpcap to do pcap stuff, and when dumpcap is finished doing what it was asked to do, it exits.
> 
> When I opened Wireshark GUI and before I do anything (like clicking a button), the UAC has been prompted multiple times. is dumpcap running multiple times in this short period of time?

Probably.  It's run to get a list of interfaces (which may happen more than once) and it's also run to get the incoming packet statistics (that runs continuously until the capture is started).
>  
>> If, on all platforms that support the "pcap has a helper to do the stuff that requires privileges" model, we have Wireshark and TShark *directly* call pcap, that should fix the problem.  Currently, NPcap is the only platform where that happens, but I'd like to make libpcap use it on every UN*X it can (which I think should be all of them).
> 
> Great. IMO "NPcapHelper.exe" daemon only terminates itself when packet.dll is unloaded is a reasonable design. Maybe Wireshark can improve this part to reduce Npcap library load times.

Getting dumpcap out of the way could also allow some TShark stuff to be cleaned up - if it's just capturing, dissecting, and printing, there wouldn't need to be a capture file, nor would there need to be some scheme where dumpcap pipes the packets to TShark.

> And it will be a great work if this security feature can be implemented in other platforms like Unix and Linux

"Unix" isn't a platform, it's a family of platforms; I prefer the name "UN*X", myself, as it includes everybody (Solaris, AIX, HP-UX, OS X, Linux, *BSD, etc.).

As far as I know, this can be done in *all* of the UN*Xes libpcap supports, as they all support passing file descriptors over pipes.

(Think of the Windows scheme as sneaking into somebody's house in the middle of the night, putting a package in a closet, and then sending them a notice in the mail saying where the package was put, and the UN*X scheme as just mailing the package to them. :-))

> and supported by various user softwares.

As long as the user software can provide to libpcap, if necessary, some way of launching the helper with sufficient privileges (this had better not require a GUI, as you might not have a GUI available if you're trying to capture with, for example, tcpdump or TShark; it might involve running it through sudo), it should be supported by any software (and might default to something like sudo, so that only GUI-based applications would need to specify a mechanism - and they might just be able to specify "use the default GUI mechanism").