WinPcap/Npcap isolation?

[Voljka1]

• [x ] Request for enhancement WinLLDPservice require winpcap or some alternative driver library to operate. Unfortunately, this presents security problem, since regular user now able to capture network traffic. Do you have any ideas, how to eliminate such risk, I mean - to allow access to capture driver only to WinLLDPservice? P.S. I tried npcap installed in Admin mode, but failed to see lldp packets going out from my laptop. May be problem with WinLLDPservice, or just me doing something wrong.

[raspi]

It's impossible to send ethernet frames with native .NET framework. There's no API for it. I would need to create custom NDIS driver for network cards with C or C++ using WDK. WinPcap and Npcap are doing just this and are battle-tested and well supported.

The other option would be re-writing WinLLDPService with C/C++ so that low-level network APIs such as winsock can be accessed to allow sending ethernet frames. I'm not a C/C++ programmer.

WinLLDPService opens network cards in promiscuous mode for a less than a second for sending and then closes it immediately after that.

Users can capture traffic with Microsoft's own tools such as Microsoft Message Analyzer and Microsoft Network Monitor. Is the network properly isolated with VLANs already?

For the sending issue open a new issue and fill up the questions that are asked there.

I'll look into this possible service isolation with the capture libraries.

[Voljka1]

So just to be sure: If I'll install npcap in Admin mode (admin rights are needed to use driver), then winlldpservice are able to run and use this driver (under localsystem account)?

[raspi]

Yes.

Installer handles the service installation with Account="[SERVICEACCOUNT]" Password="[SERVICEPASSWORD]" which is SYSTEM. WinLLDPService uses the Packet.Net and SharpPcap libraries to send the actual LLDP packet. All winpcap/npcap related stuff is handled by SharpPcap library.