Npcap: Add "read only" option to disable packet sending #1593
We have received several requests from people for an option to disable all packet sending functionality from Npcap, so users can sniff the network but not inject raw frames. At least three companies requesting this are coming from WinPcap, where they had modified that driver to include this read-only functionality.
One important note is that Npcap does offer an "admin-only" security mode which WinPcap lacks. If you enable admin-only mode at install time, packet reading and writing can only be done with Administrator privileges. This prevents normal unprivileged users or malware that gets in on a browser or similar from accessing any of the functionality. If someone does have Admin rights on Windows, it will be very hard to keep them from writing to the network (using Npcap or otherwise). But maybe people who want this feature can lock the systems down sufficiently so that even admins can't install other packet writing drivers, etc.
Or maybe it is important to some companies that normal unprivileged users be allowed to sniff the network (using Wireshark, etc.) but they just don't want those users sending any packets. In this case, the read-only mode would be more easily effective.
We haven't decided whether to add this feature yet, so we're interested in feedback from folks who want it. Is admin-only mode enough? If not, would you be trying to lock down normal users (e.g. not using admin-only mode) or are you interested in having admin-only mode AND preventing those admins from writing packets?
If we added this feature and we wanted it to improve the chances of it actually protecting against admin users, we would probably have to compile special versions of the drivers with #ifdef guards on the ioctl processing part that handles write requests. Because if we just check a registry key or file for whether this option was specified at install time, admin users could usually change those.
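The trade-off in the last paragraph, as an added user-space C example (not Npcap's driver code; every name in it is hypothetical): one dispatch routine gates writes on a mutable setting that stands in for a registry value, the other has its write case removed by the preprocessor.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical names throughout; a user-space model, not Npcap's driver. */
#define READ_ONLY_BUILD 1  /* assumed to come from the build, e.g. -DREAD_ONLY_BUILD */

enum op { OP_READ, OP_WRITE };
enum status { ST_OK = 0, ST_DENIED = -1, ST_NOT_SUPPORTED = -2 };
struct runtime_config { bool read_only; };  /* stand-in for an install-time registry value */

static int frames_sent;  /* frames that reached the simulated wire */

static enum status do_read(void) { return ST_OK; }
static enum status send_frame(const void *frame, size_t len) {
    if (frame == NULL || len == 0) return ST_DENIED;
    frames_sent++;
    return ST_OK;
}
int frames_sent_count(void) { return frames_sent; }

/* Variant A: the write path is compiled in and gated by a setting an admin can edit. */
enum status dispatch_runtime_check(const struct runtime_config *cfg, enum op op,
                                   const void *frame, size_t len) {
    switch (op) {
    case OP_READ:  return do_read();
    case OP_WRITE: return cfg->read_only ? ST_DENIED : send_frame(frame, len);
    }
    return ST_NOT_SUPPORTED;
}

/* Variant B: the write case is not in the binary, so no setting can re-enable it. */
enum status dispatch_compile_guard(enum op op, const void *frame, size_t len) {
    (void)frame; (void)len;  /* unused when the write case is compiled out */
    switch (op) {
    case OP_READ:  return do_read();
#ifndef READ_ONLY_BUILD
    case OP_WRITE: return send_frame(frame, len);
#endif
    default:       break;
    }
    return ST_NOT_SUPPORTED;
}

int main(void) {
    unsigned char frame[14] = {0};         /* constructed sample frame */
    struct runtime_config cfg = { true };
    dispatch_runtime_check(&cfg, OP_WRITE, frame, sizeof frame);  /* denied */
    cfg.read_only = false;                 /* the setting is edited after install */
    dispatch_runtime_check(&cfg, OP_WRITE, frame, sizeof frame);  /* now sent */
    dispatch_compile_guard(OP_WRITE, frame, sizeof frame);        /* not supported */
    return frames_sent_count() == 1 ? 0 : 1;
}
```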