
[Npcap] Multiple UAC requests when starting/using Wireshark

Open aircrack-ng opened this issue 9 years ago • 15 comments

I updated to the latest available release (Npcap 0.07 r17) and checked the option to only allow admin users to use it. When starting Wireshark, I had about 10 requests one after the other from UAC for NPcapHelper. Every time capture is started, it also pops up.

It would be great if there was no more than a single request.

aircrack-ng • Jun 22 '16 01:06

Hi @aircrack-ng,

Thanks for the report! This is more of a Wireshark issue, because Npcap prompts a UAC window every time Npcap's DLLs are loaded, and Wireshark invokes dumpcap.exe multiple times, each of which loads Npcap's DLLs (wpcap.dll, Packet.dll). I will discuss this issue with the Wireshark community later.

Cheers, Yang

hsluoyz • Jun 22 '16 04:06

The Wireshark dev list has replied in http://seclists.org/wireshark/2016/Jun/103. The solution proposed in that reply is not ideal, because that group approach bypasses UAC, and our admin-only restriction will lose most of its meaning if we use this solution.

hsluoyz • Jul 21 '16 11:07

sudo, and, I think, at least one of Apple's GUI equivalents (I don't know about other UN*X GUI equivalents), have a timer that's started after you successfully provide a password for a sufficiently-privileged account; if another attempt is made before the timer expires, you aren't prompted again for the password. Could something such as that be implemented (either programmatically or via an existing Windows setting for UAC)?

guyharris • May 02 '18 19:05

I don't think that's how UAC works, but you could achieve the same result by elevating once, then using the elevated process to launch other elevated processes.


ghost • May 03 '18 08:05

Same issue here, every time I start Wireshark I have 7-8 UAC Windows (because of several adapters, some of which seem useless -- "NdisWan Adapter"). Extremely annoying, especially that UAC (unlike sudo) has no timer. Sometimes I want to quickly capture some traffic (because something is happening) and I have to wait lots of time to pass all these UAC Windows one by one, even with keyboard shortcuts it takes time as Windows takes time to display them... Every elevation request is a prompt. I think the solution is to start a single elevated process that can then spawn many as required. But indeed, this change should probably be done in Wireshark rather than npcap.

hb9tst • May 20 '19 11:05

Add my vote for a solution, I have lots of adapters (real and virtual) and launching Wireshark is a PITA. The solution to have a specific group access the driver and no UAC involved would be very fine, no UAC loops and more flexibility in shared environments.

LoZio • Aug 01 '19 10:08

> Same issue here, every time I start Wireshark I have 7-8 UAC Windows (because of several adapters, some of which seem useless -- "NdisWan Adapter").

Useless adapters is a way of life with libpcap:

$ tcpdump -D
1.en0 [Up, Running]
2.p2p0 [Up, Running]
3.awdl0 [Up, Running]
4.llw0 [Up, Running]
5.utun0 [Up, Running]
6.utun1 [Up, Running]
7.vmnet1 [Up, Running]
8.vmnet8 [Up, Running]
9.lo0 [Up, Running, Loopback]
10.bridge0 [Up, Running]
11.en4 [Up, Running]
12.en6 [Up, Running]
13.en7 [Up, Running]
14.en8 [Up, Running]
15.gif0 [none]
16.stf0 [none]
17.ap1 [none]

(macOS).

> Extremely annoying, especially that UAC (unlike sudo) has no timer. Sometimes I want to quickly capture some traffic (because something is happening) and I have to wait lots of time to pass all these UAC Windows one by one, even with keyboard shortcuts it takes time as Windows takes time to display them... Every elevation request is a prompt. I think the solution is to start a single elevated process that can then spawn many as required. But indeed, this change should probably be done in Wireshark rather than npcap.

Yes, at least some of this is a Wireshark issue, not an Npcap issue, as per Wireshark issue 15082. I presume that a single process that opens multiple adapters won't get a UAC prompt for every adapter; if so, then, if dumpcap were to have a mode where it opened multiple adapters when running in "sparkline mode" - the mode where it's capturing on an interface and supplying packet counts so that the Wireshark main window can draw sparklines for each adapter - rather than, as per that bug, having multiple dumpcaps, one per interface - that would at least reduce the number of UAC prompts.

guyharris • May 21 '20 20:05

I just uninstalled Npcap and installed WinPcap. Did I make a mistake?

Prasannakumar-kumta • Oct 09 '20 19:10

This would be great - better to have it admin-only, but man is the string of UAC prompts annoying.

JonLevin25 • Nov 21 '20 23:11

TBH I'm not entirely sure what the use of the admin-only restriction is. So, I'm not positive if this resolves the issue or not. But I found that if I just launch Wireshark with "Run as administrator", the UAC prompt does not occur, other than the original one to authorize launching as administrator.

clearlinkit • Aug 01 '23 23:08
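The "elevate once, then launch from the elevated process" approach suggested earlier in the thread, as an added example that is not code from any commenter or from the Npcap or Wireshark projects. It assumes dumpcap.exe sits in Wireshark's default install directory and that interface numbers come from `dumpcap -D`; the parameter names and output path are placeholders.

```powershell
# Added example (not from the thread): one UAC prompt, then one dumpcap
# process that opens every requested adapter.
param(
    [string[]]$Interface = @('1'),          # interface numbers from `dumpcap -D`
    [int]$Seconds = 30,                     # capture duration
    [string]$OutFile = "$env:TEMP\capture.pcapng"   # placeholder output path
)

# Assumption: default Wireshark install location.
$dumpcap = Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'

function Test-Elevated {
    # True when the current token is an elevated Administrators token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    # The only UAC prompt: relaunch this script elevated with the same arguments.
    $argList = @('-NoProfile', '-File', "`"$PSCommandPath`"",
                 '-Interface', ($Interface -join ','),
                 '-Seconds', $Seconds,
                 '-OutFile', "`"$OutFile`"")
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -ArgumentList $argList -Wait
    return
}

# Elevated from here on. With -File the interface list arrives as one
# comma-joined string, so split it back into individual entries.
$ifaces = $Interface | ForEach-Object { $_ -split ',' } | Where-Object { $_ }

# Build one dumpcap command line with a -i option per adapter, so a single
# process (started from the already elevated shell) handles all of them.
$dumpArgs = @()
foreach ($i in $ifaces) { $dumpArgs += @('-i', $i) }
$dumpArgs += @('-a', "duration:$Seconds", '-w', $OutFile)

& $dumpcap @dumpArgs
Write-Output "Capture written to $OutFile"
```

Only dumpcap runs elevated here; the resulting file can be opened in an unelevated Wireshark, which keeps the dissectors out of the administrator context.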

I did update Wireshark (but this won't come out until 4.4.0) to reduce the number of UAC pop-ups by getting all the interface capability information at once, along with a few other changes to reduce the pop-ups. There can still be pop-ups for:

  1. Retrieving the entire list.
  2. Retrieving the capabilities of selected interfaces in the list (this could be folded into the first request, but there's a little bit to work around for possibly querying twice interfaces that can be put into monitor-mode, which may support different link-layer types with and without monitor mode enabled).
  3. And of course actually capturing.

There's also a preference (which can be set at the command line with -o capture.no_interface_load:TRUE) that avoids loading the entire list of interfaces at startup.

johnthacker • Nov 25 '23 17:11

>   3. And of course actually capturing.

And to make things clearer, that means:

3a. The sparklines on the main screen and the Capture Options dialog.
3b. Actually capturing.

guyharris • Nov 25 '23 19:11

> And to make things clearer, that means:
>
> 3a. The sparklines on the main screen and the Capture Options dialog.
> 3b. Actually capturing.

Yes. The sparklines don't appear if the list isn't loaded, so right now it's possible to get the number of UAC prompts to two, with

Wireshark -k -o capture_no_interface.load:TRUE and either having previously specified a default device, or passing -i N where N is the number of an interface, or -i <name> where <name> can be the friendly name or UUID based name of a device. That's once for the capabilities of the interface, and once to start capturing.

johnthacker • Nov 26 '23 22:11

(Turning dumpcap into a long-running subprocess of Wireshark, running as a "capture server" process, would, I think, reduce the number of UAC prompts to {capture requested at any point in the session} ? 1 : 0.)

guyharris • Nov 26 '23 22:11

Still an issue.

Getting like 15-18 UAC prompts every time I launch it is really annoying, especially as I run UAC in password mode, not 'click a button' mode.

NastyFlytrap • Dec 03 '23 11:12