
For security reasons I was using Wireshark (it was v2.4.x) as follows:

1) Run WinPcap manually. From an admin console the command is: net start npf

2) Run the Wireshark GUI app from a dedicated restricted account. It's a normal user account, not an admin account, and this account is allowed to write only to Wireshark's profile in the filesystem via NTFS permissions. So, if a protocol dissector were affected by malicious packets, Wireshark would never change/infect the filesystem (or, at least, it becomes much harder). The command is: start runas /user:Wireshark "Wireshark.exe" Alternatively, Shift + Context menu -> Run as different user, followed by entering the account data, does the same.

3) After the working session, close the Wireshark GUI app.

4) Close WinPcap manually. From an admin console the command is: net stop npf

This scenario worked fine. But now with Wireshark v3.0.x in the same scenario, Wireshark sees no network interfaces with either Npcap or WinPcap, as if the capture driver were not started at all.

Notably, if I log in (at the Windows logon screen) with that dedicated account, everything works fine. So the problem is with the "runas" command (Shift + Context menu -> Run as different user has the same wrong behaviour).

Does someone know more about it?

Thanks in advance.

Matt Davis
Akon
  • When you say, "with Wireshark v3.0.x", which exact version do you mean? Note that Wireshark 3.0.1 was just recently released with an updated npcap installer. If you're not running the very latest, then you might want to try upgrading first. – Christopher Maynard Apr 10 '19 at 15:59
  • I tried both. They acted with no difference. – Akon Apr 10 '19 at 17:30
  • I found that Wireshark invoked with the runas command does not load wpcap.dll (Packet.dll is loaded successfully), so it sees no network interfaces. – Akon Apr 14 '19 at 11:04
  • And that's not the reason. It was a wrong DLL search path. Now wpcap.dll loads successfully, but the issue is still present. – Akon Apr 14 '19 at 11:08

0 Answers
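The setup in the question depends on the restricted account being able to write only to its own profile. The following is an added example, not part of the original post: a PowerShell audit that lists Allow ACEs granting write-type rights to that account or to the well-known groups every interactive standard user belongs to. The account name comes from the runas command in the question; the directory list is a hypothetical starting set, and the script ignores Deny ACEs and any other group memberships, so it over-reports rather than under-reports.

```powershell
# Added example: find directories where the restricted capture account may write.
# Assumptions: account "Wireshark" (from the runas command in the question);
# the default $Paths list is hypothetical and should be adapted to the machine.
param(
    [string]$Account = 'Wireshark',
    [string[]]$Paths = @(
        "$env:ProgramFiles\Wireshark",
        "$env:SystemRoot\System32",
        "$env:ProgramData",
        "$env:PUBLIC"
    )
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType).Value

# The account itself plus Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
# SIDs are used so the check also works on localized Windows installations.
$principals = @($accountSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Pure write-type bits only; Modify/FullControl are left out of the mask because
# they also contain read bits and would match read-only ACEs.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear in ACEs too.
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }      # Deny ACEs are not evaluated
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Any row for a path outside the account's own profile is a location a compromised dissector process running as that account could modify.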