Can Packetbeat be configured to use Npcap by default?


#1

In this part of Packetbeat's FAQ section, Npcap is mentioned to be an alternative to WinPcap. I tried running Packetbeat after installing Npcap, but still hit the error "The program can't start because wpcap.dll is missing from your computer"

Npcap has a "WinPCap compatibility mode" that should do the trick, but I'm having a little trouble determining how to use that setting during a silent install process.

It'd be much easier if Packetbeat would be able to use Npcap directly. Given Npcap is mentioned as an alternative in the FAQ, is there a way to have Packetbeat use it directly that I'm not aware of?


(Andrew Kroh) #2

I have used npcap with Packetbeat in the past. All I recall needing to do was uninstall winpcap, install npcap, and restart the box.


#3

Hey @andrewkroh, I tried that, it doesn't seem to work for me. It only runs if I check off "Install Ncap in WinPcap API-Compatible mode" in the Npcap GUI installer, or install via the commandline with:
npcap-0.86.exe /S /winpcap_mode=yes


(Andrew Kroh) #4

Good to know about the winpcap_mode=yes. Thanks


(Andrew Kroh) #5

I opened an issue to add this info to the docs. https://github.com/elastic/beats/issues/4364


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.