Packetbeat npac version and Defender for Identity

Hi all,

we are using Packetbeat for capturing DNS traffic from some of our Windows servers. Defender for Identity is also installed on these servers.


Defender for Identity uses npcap OEM 1.00. Packetbeat somehow updates npcap version to latest 1.71 and that's why the message occurs.

Is it somehow possible to disable the autoupdate or force Packetbeat to use the already installed npacp OEM 1.00 version?

Thanks for your help.


I'm using same configuration, and packetbeat works perfectly with the OEM version included with the MDI Sensor.
I'm not aware that Packetbeat includes as well a PCAP library ... I'm using however the ZIP archive, not the MSI... I never used the MSI, so I can't figure if the pcap lib is included with the MSI package.

Edit : I experienced as well the same error you mentioned when updating manually the npcap to an another version. It appears every time you update/downgrade the npcap lib. Check your package of Packetbeat to see if the MSI is providing the npcap - or have a try with the ZIP.

Thanks for your reply.

According to the docs npcap is always included in Packetbeat for Windows:

You probably do not need to install libpcap. The default distribution of Packetbeat for Windows comes bundled with the Npcap library.

According to this Github post the installation should be optional. But I couldn't figure out how to set this.

I think this is the cause of the mentioned behaviour: packetbeat/beater: don't attempt to install npcap when already installed by efd6 · Pull Request #30509 · elastic/beats · GitHub

Also I saw that the optional setting to prevent npcap installation has been removed.

Can somebody confirm that?

Hi @jaegerschnitzel,

When we initially started bundling npcap with Packetbeat we didn't include an option to prevent npcap installation. This is actually the first time we're seeing an issue with another product bundling npcap too, so thanks for raising it.

We can certainly look at adding an option to Packetbeat, but I'm curious if our version of npcap is actually causing issues with Defender for Identity, or is it just throwing a warning message? I noticed the MS docs state "The recommended and officially supported version of Npcap is version 1.0. You can install a newer version of Npcap, but note that for troubleshooting, support will ask you to downgrade the Npcap version to validate that the issue is not related to the newer version installed."

Npcap 1.0 is over 2 years old, whereas we stay inline with npcap versions.

cc @kortschak for visibility.

Hi @jamie.hynds ,

thanks for your reply :grinning:

As far as we can see there is no problem with Defender for Identity and the latest npcap version. But the monitoring and health services shows that Defender for Identity is not working properly due to that version mismatch. This behaviour is really annoying and affects our daily business. So it would be great if you could include an option to disable the automatic update process.

Of course I know that version 1.0 is really old and will raise also a feature request to Microsoft. But we both know that this could take forever...

Got it. Thanks for the additional insight @jaegerschnitzel

I've created an issue here where we'll discuss some options: [Packetbeat] Disable install/auto-update of npcap · Issue #34420 · elastic/beats · GitHub

@jaegerschnitzel The change allowing users to block installation of the bundled Npcap library is merged in main and will be available in 8.7 when that is released.

Caveats around the use of this option obviously exist since we may make use of functionality that does not exist in the already installed version of Npcap; as far as I know this is not currently the case. If issues arise in packetbeat with the install block turned on, it will be necessary to demonstrate that the issue is also present with the bundled version of the library installed.

1 Like

@efd6 @jamie.hynds
Thank you very much for your fast implementation of this feature! Really great work :smiley:

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.