I have been playing around with v3.1 beta on a dialup line. Using Win2K Pro.
The new FAQ #25 just posted says that you need "Power User" or "Admin" rights to use it. But I want to be able to capture with just User rights. I found two partial workarounds for that, in order to allow someone with just "User" rights to capture with WinPCap on my machine.

1) I first logged on one time and started the capture program from an account with Admin rights. Then switched to an account with just User rights, and it worked.

2) That is not a great option in many situations, so I looked further. The PPP capture uses the netmon driver. So I went into the registry and changed the Start setting for netmon. I changed it so that it starts at system startup, that is, at every bootup, before any user logs on. To do that, using regedit32 go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NM\Start, and change it from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START). I used 0x2. This solved the problem. With netmon set to start at bootup, anyone with User privileges can capture on PPP with WinPCap. I only tested this on Win2K, but imagine that it will work on later operating systems.

(But depending on the security settings on the computer that you are capturing on, you may need admin privileges to change that registry setting. And if doing a remote installation, editing the registry could be complicated. Also, keep in mind that changing that registry setting will make Network Monitor run at bootup every time, which probably poses some security risks theoretically.)

So, though it is workable, I'm still not totally satisfied with this setup. I was thinking that some security settings related to netmon could be changed to allow PPP capture without starting netmon at startup.
On WinPCap itself, in order to capture with it, I remember that previously you had to either 1) have admin rights, or 2) first log on with an account that has admin rights and start WinPCap, and then you could switch to an account with lower rights, or 3) start WinPCap at startup. But now WinPCap can be used just fine, with the only change being, "The driver is now started by the SCM with GENERIC_READ privileges rather than ALL_ACCESS. This allows not-administrator users to start and run WinPcap," according to the change log for 3.1 beta.

I wonder if something similar could be done regarding the netmon driver as well, thereby allowing someone with just User rights to be able to access it. I don't know if that is something that could just be done on the security settings of a file or files, or if something else would need to be done. I did try this. I right-clicked on nmnt.sys and changed security settings for all of the groups to Read-only access. Then rebooted and tried to capture on PPP. But it did not work. So it seems that some other security setting is blocking it - something that I don't understand or know about. Maybe someone who knows more about analyzing security logs could figure out what security settings need to be changed.

Also, the FAQ says that 3.1 beta will not do PPP capture on NT4. Do you have advice about capturing PPP on NT4, with any version of WinPcap?

Stan
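The following is an added example, not part of the original message or of WinPcap: a small audit that reads a registry export and reports driver services whose Start value differs from a baseline, which is how the netmon change described above would show up on a machine. It assumes the export has already been decoded to text in the regedit `[key]` / `"name"=dword:` layout; the sample export and the `ExampleDrv` service are constructed for illustration.

```python
import re
# Start values of a service key; 1-3 are named in the message, 0 and 4 are the remaining ones.
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

def parse_start_values(reg_text):
    """Return {service_name: Start value} from decoded .reg export text."""
    starts, service = {}, None
    for line in reg_text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            # Only the service's own key counts, not subkeys such as \Parameters.
            key = m.group("key")
            rest = key[len(SERVICES):] if key.upper().startswith(SERVICES.upper()) else ""
            service = rest if rest and "\\" not in rest else None
            continue
        m = DWORD.match(line.strip())
        if m and service and m.group("name").lower() == "start":
            starts[service] = int(m.group("hex"), 16)
    return starts

def audit(reg_text, expected):
    """List (service, found, wanted) for each service whose Start differs from the baseline."""
    found = parse_start_values(reg_text)
    report = []
    for svc, want in expected.items():
        got = found.get(svc)
        if got != want:
            report.append((svc, START_TYPES.get(got, "missing"), START_TYPES[want]))
    return report

# Constructed sample export: NM switched to auto start, hypothetical ExampleDrv left on demand.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NM]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NM\Parameters]
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv]
"Start"=dword:00000003
'''
if __name__ == "__main__":
    print(audit(SAMPLE, {"NM": 3, "ExampleDrv": 3}))
```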
