elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

use netsh trace / pktmon instead of npcap on windows #28900

Closed agowa closed 2 years ago

agowa commented 2 years ago

Describe the enhancement: Because of the license issues with npcap (which this project has just chosen to ignore so far, https://github.com/elastic/beats/issues/21801), it would be nice if this project would move to just using the native commands from Windows instead, i.e., "netsh trace" and "pktmon" instead of npcap. With "pktmon etl2pcap", it also provides the same data format as npcap generates.

Describe a specific use case for the enhancement or feature:

Companies that want to deploy Packetbeat widely on a large number of devices that would otherwise exceed the npcap license limit of 5 computers. As well as highly regulated environments where every additional piece of software causes a bunch of bureaucracy and compliance overhead, as npcap will fall out of the risk assessment. Also, many security-aware people already consider the presence of the npcap driver as a sign of compromise, so using the native tools here would allow keeping that "indicator" alive.

botelastic[bot] commented 2 years ago

This issue doesn't have a Team:<team> label.

jamiehynds commented 2 years ago

@agowa338 we have recently procured an NPCAP redistributable license to address the 5 node limit you mentioned above. We plan on bundling this license with the new Network Packet Capture agent integration (which leverages Packetbeat under the hood) - relevant issue here. Closing this issue as we don't plan on using netsh or pktmon, now that we have an NPCAP license.