Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Npcap: Add "read only" option to disable packet sending #1593

fyodor opened this issue May 12, 2019 · 0 comments


None yet
1 participant
Copy link

commented May 12, 2019

We have received several requests from people for an option to disable all packet sending functionality from Npcap, so users can sniff the network but not inject raw frames. At least three companies requesting this are coming from WinPcap, where they had modified that driver to include this read-only functionality.

One important note is that Npcap does offer an "admin-only" security mode which WinPcap lacks. If you enable admin-only mode at install time, packet reading and writing can only be done with Administrator privileges. This prevents normal unprivileged users or malware that gets in on a browser or similar from accessing any of the functionality. If someone does have Admin rights on Windows, it will be very hard to keep them from writing to the network (using Npcap or otherwise). But maybe people who want this feature can lock the systems down sufficiently so that even admins can't install other packet writing drivers, etc.

Or maybe it is important to some companies that normal unprivileged users be allowed to sniff the network (using Wireshark, etc.) but they just don't want those users sending any packets. In this case, the read-only mode would be more easily effective.

We haven't decided whether to add this feature yet, so we're interested in feedback from folks who want it. Is admin-only mode enough? If not, would you be trying to lock down normal users (e.g. not using admin-only mode) or are you interested in having admin-only mode AND preventing those admins from writing packets?

If we added this feature and we wanted it to improve the chances of it actually protecting against admin users, we would probably have to compile special versions of the drivers with #ifdef guards on the ioctl processing part that handles write requests. Because if we just check a registry key or file for whether this options was specified at install time, admin users could usually change those.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.