nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap 1.70 - "Restrict Npcap driver's access to Administrators only" --> no interfaces visible on Wireshark #606

Closed RonnyTNL closed 2 years ago

RonnyTNL commented 2 years ago

After upgrading from 1.60 to 1.70 I can no longer see network interfaces on Wireshark.

Reverting back to 1.60 and having all 3 boxes ticked on the installer (restrict/support raw/API compatible) works as expected. Installing 1.70 with "Restrict Npcap driver's access" disabled also works and shows interfaces in Wireshark.

There seems to be a permission issue introduced between 1.60 and 1.70.

RonnyTNL commented 2 years ago

Just reproduced on a different machine, also Win10 21H2/Wireshark 3.6.6 x64.

decopaper commented 2 years ago

I'm having the same issue with this combination:

Reverting to 1.60 also resolves the issue.

fyodor commented 2 years ago

Thanks for the reports. We've been able to reproduce this issue as well and are planning to resolve it in an Npcap 1.71 release that we hope to make soon.

dmiller-nmap commented 2 years ago

The issue only affects high-integrity processes (e.g. right-click and "Run as Administrator"). Ordinary processes (like running Nmap from an ordinary cmd.exe shell) will launch the NpcapHelper.exe process with UAC elevation, which then shares the Npcap device handle with the lower-integrity parent process. A workaround until the next release, therefore, is to avoid starting Npcap-using processes via the "Run as Administrator" dialog, but rather to let Npcap manage the elevation. This is also preferable generally, since it uses the least privilege necessary.

RonnyTNL commented 2 years ago

> The issue only affects high-integrity processes (e.g. right-click and "Run as Administrator"). Ordinary processes (like running Nmap from an ordinary cmd.exe shell) will launch the NpcapHelper.exe process with UAC elevation, which then shares the Npcap device handle with the lower-integrity parent process. A workaround until the next release, therefore, is to avoid starting Npcap-using processes via the "Run as Administrator" dialog, but rather to let Npcap manage the elevation. This is also preferable generally, since it uses the least privilege necessary.

That doesn't seem to work when using Wireshark, at least not on my setup. When I start Wireshark as a normal user, I get 3 prompts for the UAC admin credentials when trying to start/use the helper, and then Wireshark still doesn't show interfaces.