I'm using the same configuration, and Packetbeat works perfectly with the OEM version included with the MDI Sensor.
I'm not aware that Packetbeat also includes a PCAP library... However, I'm using the ZIP archive, not the MSI. I never used the MSI, so I can't figure out if the pcap lib is included with the MSI package.
Edit: I also experienced the same error you mentioned when manually updating npcap to another version. It appears every time you update/downgrade the npcap lib. Check your Packetbeat package to see if the MSI is providing npcap, or try the ZIP.
When we initially started bundling npcap with Packetbeat we didn't include an option to prevent npcap installation. This is actually the first time we're seeing an issue with another product bundling npcap too, so thanks for raising it.
We can certainly look at adding an option to Packetbeat, but I'm curious if our version of npcap is actually causing issues with Defender for Identity, or is it just throwing a warning message? I noticed the MS docs state "The recommended and officially supported version of Npcap is version 1.0. You can install a newer version of Npcap, but note that for troubleshooting, support will ask you to downgrade the Npcap version to validate that the issue is not related to the newer version installed."
Npcap 1.0 is over 2 years old, whereas we stay in line with npcap versions.
As far as we can see, there is no problem with Defender for Identity and the latest npcap version. But the monitoring and health services show that Defender for Identity is not working properly due to that version mismatch. This behaviour is really annoying and affects our daily business. So it would be great if you could include an option to disable the automatic update process.
Of course I know that version 1.0 is really old, and I will also raise a feature request with Microsoft. But we both know that this could take forever...
@jaegerschnitzel The change allowing users to block installation of the bundled Npcap library is merged in main and will be available in 8.7 when that is released.
Caveats around the use of this option obviously exist since we may make use of functionality that does not exist in the already installed version of Npcap; as far as I know this is not currently the case. If issues arise in packetbeat with the install block turned on, it will be necessary to demonstrate that the issue is also present with the bundled version of the library installed.