Deploying npcap with Network Packet Capture integration #2132

Closed
jamiehynds opened this issue Nov 4, 2021 · 4 comments

jamiehynds commented Nov 4, 2021

Our Network Packet Capture integration (based on Packetbeat) requires a packet sniffing library on most platforms. This is a non-issue on most platforms as you can install libpcap; however, Windows requires a library such as npcap, which implements the libpcap interfaces.

NPCAP licensing only allows installation on 5 nodes, after which a license is required. This was often a surprise to our users, who ended up having to pay a significant sum for a license, plus annual maintenance cost. NPCAP also has to be installed independently.

We now have an OEM NPCAP license which allows us to distribute npcap and deploy silently. This ensures our users no longer have to incur additional npcap licensing costs and can easily deploy npcap.

Requirements

  1. NPCAP will be included with both Packetbeat + Network Packet Capture integration.
  2. NPCAP will be included in our Basic license.
  3. NPCAP will only be installed when the Network Packet Capture integration is enabled, and limited to Windows machines. Installation should be silent (command line arguments here). NPCAP installation should be optional via a setting within the integration - defaulting to true.
  4. We currently require WinPcap compatible mode. Is it worth changing to native mode, to avoid having to enable WinPcap mode? Any benefits to native mode?
  5. The NCP integration (i.e., for Windows hosts) will need to be governed by a more restrictive license that disallows modification or distribution by the end user, i.e. Elastic License v1.0. These terms should be presented in at least two ways: (1) shown in the integration description and (2) in a LICENSE.TXT (or similar) file accompanying the binary that is downloaded and run.
  6. Offline environments - how does a user access the installer and deploy the Network Packet Capture integration in an offline environment?

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds
Author

@efd6 are we ok to close this one or any loose ends remaining?

@efd6
Contributor

efd6 commented Mar 1, 2022

I think we can close this.

@jamiehynds
Author

Closing as all the development effort is now complete to include npcap with both Packetbeat and the Network Packet Capture integration. Targeting 8.1 for release.
