Ask Your Question
0

Is It Possible to Lock an Installed Npcap From Being Used, For Data Security Reasons?

asked 2023-04-24 12:33:22 +0000

spaceman gravatar image

updated 2023-04-24 12:41:56 +0000

Hi all

If you install Wireshark on a Windows 10 computer,
you will also have NPcap installed, as a Windows Driver,
in order to do the actual capturing of data, for Wireshark to process and display.

Now as long as you yourself run Wireshark, and use it,
then it's great that Npcap is installed on the computer, and running on it.

The problem is that after you finish using Wireshark (for that day),
Npcap remains installed, and remains enabled as a Driver.
This means that any other software can access it and use it, and very easily capture your data, since you yourself so nicely installed it and enabled it to work on your computer.

Now generally programs don't do that,
but a malicious one can use that to its advantage.

So my question:
Is there a way to have Npcap installed, yet Locked most of the time,
so eventho it's installed, no-one (or no program) can use it to capture data on that computer,
and then, only when you, the person who installed it (and locked it) want to use it,
you will temporarily unlock it (or enable it), which means it will now capture data and Wireshark will get it,
and then once done for that day, Lock it back.

Does such a feature exist?
Or if not, is there anything similar that can be used to achieve the same goal?

Thank you

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by » oldest newest most voted
0

answered 2023-04-24 12:44:34 +0000

grahamb gravatar image

updated 2023-04-24 13:43:37 +0000

Npcap can be installed in "Admin required" mode but unfortunately that is almost unusable with Wireshark as it then requires multiple elevation requests as all the interfaces are enumerated.

Given the above, currently there is no simple solution to your request.

Are you also aware that modern Windows installations (Win 10 or later) have a built-in capture mechanism that I don't think can be disabled. See here for more info.

edit flag offensive delete link more

Comments

Thank you grahamb for your reply.

Regarding the first solution ("Admin required") - you are right, that's not going to help.
Maybe the addition of a password protection, for enabling the use of Npcap, can be considered?

 

Regarding:

Are you also aware that modern Windows installations (Win 10 or later) have a built-in capture mechanism that I don't think can be disabled. (Packet Monitor)

That's horrible :)
No-one thinks that it's such a tool to make hackers' life so much more easier and comfortable, in hacking users?

spaceman gravatar imagespaceman ( 2023-04-24 13:22:09 +0000 )edit

Maybe the addition of a password protection, for enabling the use of Npcap, can be considered?

It could be considered, but the developers of Wireshark wouldn't be the ones to implement it - the developers of Npcap would. You should file an issue on the Npcap issues list for that.

Guy Harris gravatar imageGuy Harris ( 2023-04-24 17:51:28 +0000 )edit

Thank you Guy

I now sumbitted this to Npcap's Issue List:
https://github.com/nmap/npcap/issues/669

Hopefully, it will be considered.

spaceman gravatar imagespaceman ( 2023-04-24 18:35:50 +0000 )edit
add a comment
0

answered 2023-04-24 16:52:21 +0000

spaceman gravatar image

updated 2023-04-24 17:07:33 +0000

I would like to propose here several solutions that I thought about,
that can be effective in solving the security problem raised.

  1. A way to Password Protect any usage of the existing Driver.
    But this is a new feature, that does not exist currently,
    and only if the developers of Wireshark (Npcap) decide that it's good, then it will exist..
  2. Installing Wireshark ona Virtual Machine
    This is actually a great solution, since the VM is running only when you run it,
    and the Npcap Driver is installed there, and not on your actual machine.
     
    It does have one disadvantage tho:
    It means that the program that you want to inspect its traffic, also has to run on the VM.
    Generally, this is not a problem, simply install the program on the VM, and then run it there,
    together with Wireshark.
    But sometimes you may want the program to have real access to the Ethernet or Wi-Fi NICs.
    And in this way, a VM is a disadvantage, because the VM application acts like a Router.
    There is a way to set the VM's NIC in Bridge Mode,
    If it works well, then this might solve the problem I just mentioned..
     
    Will it work 100% identical to the program+Wireshark running on the real host,
    I don't know, but this is a solution to explore.

If anyone has more ideas, please write.

edit flag offensive delete link more

Comments

A way to Password Protect any usage of the existing Driver. But this is a new feature, that does not exist currently, and only if the developers of Wireshark (Npcap) decide that it's good, then it will exist.

Npcap can be installed in a mode that requires that you enter the password for an account with administrator privileges in order to use it; will that work?

Guy Harris gravatar imageGuy Harris ( 2023-04-24 17:48:17 +0000 )edit

You are talking about the "Admin required" mode that grahamb mentioned, I assume.
It can work If the user of the computer usually uses a non-admin User in Windows.
But like many people, I prefer to be on an admin User,
so unfortunately this will not work.

Password protection, that is not dependent on Windows User Accounts,
will work..

spaceman gravatar imagespaceman ( 2023-04-24 18:32:19 +0000 )edit
add a comment
0

answered 2023-04-24 14:10:37 +0000

cmaynard gravatar image

Perhaps wrapping Wireshark in a batch file like the following would help?

@echo off
net start npcap
"C:\Program Files\Wireshark\Wireshark.exe"
net stop npcap

You might have to run the batch file as an Administrator though.

edit flag offensive delete link more

Comments

Thank you very much cmaynard.

This is interesting,
the problem is, that because it's not password protected,
then a malicious program can also, byitself,
do net start npcap (when needed),
so this only added 1 step for the malicious program,
but did not block it in any way..

spaceman gravatar imagespaceman ( 2023-04-24 14:41:24 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-04-24 12:33:22 +0000

Seen: 440 times

Last updated: Apr 24 '23

Related questions

At what stage does Wireshark check which capture library (npf) is installed?

disable interface discovery

Steps to setup radiotap captures with Netgear A6210?

Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

when I open WS it does not show any interfaces, why?

After upgrade to 3.0.0 & install Npcap, no traffic seen

Is WinPcap still being developed?

npcap loopback driver Locks up Win 10 [closed]

TCP traffic is not captured over npcap loopback.

Npcap Loopback Adapter Packet Capture

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2