Wireshark-dev: Re: [Wireshark-dev] Plan to make NPcap available for Wireshark
From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Tue, 7 Jul 2015 17:40:47 +0200
On Sat, Jul 04, 2015 at 10:26:13AM +0800, Yang Luo wrote:
> Given that current Wireshark can't make use of NPcap because of the DLL
> search path problem mentioned in
> https://www.wireshark.org/lists/wireshark-dev/201506/msg00030.html, I'd
> like to make a patch for Wireshark. It is a security consideration that
> Wireshark doesn't want to search for DLLs in the Windows way. My plan is to
> explicitly add the NPcap path to Wireshark's DLL search logic. NPcap uses
> "C:\Windows\System32\NPcap" and "C:\Windows\SysWow64\NPcap" to store
> its DLLs (WinPcap uses "C:\Windows\System32" and "C:\Windows\SysWow64"
> directly). As it is a subdirectory of the System32 folder, its access control
> policy is the same as System32's, and there should be no security problem, I
> think. The second question is: if WinPcap and NPcap are both available in a
> system, which will be loaded first? I'd like to hear your opinions :)

If I remember correctly (and I may easily be mistaken here), WinPcap doesn't
provide a mechanism to determine the library version at runtime. We need to
make sure we know which version of wpcap we are using (wireshark/tshark -v).

Thanks
    Joerg

-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
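
Added example, not part of the thread and not Wireshark's own code: a sketch of the explicit search logic the quoted plan describes, building absolute candidate paths for the capture DLL instead of relying on the Windows search order. The function names are hypothetical, and trying the NPcap subdirectory before the WinPcap location is an assumption, since the thread leaves that question open.

```c
#include <stdio.h>
#include <string.h>

#define WPCAP_PATH_MAX 260 /* Windows MAX_PATH */

/* Hypothetical helper: write "<sysdir>\[<subdir>\]<dll>" into out.
 * Returns 0 on success, -1 if an input is unsafe or the result is too long. */
static int build_dll_path(char *out, size_t outlen, const char *sysdir,
                          const char *subdir, const char *dll)
{
    int n;
    /* The DLL must be a bare file name: no separators, no drive colon. */
    if (dll[0] == '\0' || strpbrk(dll, "\\/:") != NULL)
        return -1;
    /* The base must be an absolute drive path such as C:\Windows\System32. */
    if (strlen(sysdir) < 3 || sysdir[1] != ':' || sysdir[2] != '\\')
        return -1;
    if (subdir[0] != '\0')
        n = snprintf(out, outlen, "%s\\%s\\%s", sysdir, subdir, dll);
    else
        n = snprintf(out, outlen, "%s\\%s", sysdir, dll);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Fill out[] with the full paths to try, in order; returns how many.
 * Assumption: NPcap's subdirectory is tried before the WinPcap location. */
int wpcap_candidates(const char *sysdir, const char *dll,
                     char out[2][WPCAP_PATH_MAX])
{
    int count = 0;
    if (build_dll_path(out[count], WPCAP_PATH_MAX, sysdir, "NPcap", dll) == 0)
        count++;
    if (build_dll_path(out[count], WPCAP_PATH_MAX, sysdir, "", dll) == 0)
        count++;
    return count;
}

int main(void)
{
    /* Constructed input; on Windows the caller would obtain the directory
     * from GetSystemDirectory() and pass each candidate to LoadLibrary(). */
    char paths[2][WPCAP_PATH_MAX];
    int i, n = wpcap_candidates("C:\\Windows\\System32", "wpcap.dll", paths);
    for (i = 0; i < n; i++)
        printf("%d: %s\n", i + 1, paths[i]);
    return 0;
}
```

Recording which candidate actually loaded gives the version output something to report about which library is in use.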