We've had BSODs at two clients in SA, both due to WinPcap. Once the agent was installed, they experienced blue screens. Support was involved and it was pinned down to the WinPcap driver causing the issue.
The other reason is security: WinPcap has not been maintained since 2013 and doesn't have the functionality to prevent non-administrative users from gaining access to the npf.sys driver used by WinPcap. Npcap is a safer option and I've been informed that Dynatrace is looking at replacing WinPcap with Npcap, but this is not 100% confirmed, nor do I have a 'cast in stone' release version or date yet. Dave also mentions this in his reply 🙂
The typical McAfee, but it is also running on hosts where they didn't experience BSOD. We ruled it out anyway, by turning McAfee off: issue persisted. Logs and crash dumps indicated npf.sys as the culprit, so we got support involved and turning off network monitoring plus removing WinPcap resolved the BSOD issue.
I found these internal notes that might help:
"first disable network traffic monitoring (Settings->Monitoring->Monitored technologies->Network traffic switch off), disable autoupdates (because winpcap will be installed again) and then uninstall winpcap (Control Panel -> uninstall section -> OneAgent Winpcap 4.1.3 entry)"
"Smartscape connections should still be visible. They will lose network metrics - traffic per process, responsiveness, connectivity"
Also, we are actively working to replace WinPcap with a better solution and it appears that Npcap is the most likely: https://nmap.org/npcap/. But there is no ETA or anything for this AFAIK.
@Dave M. thanks for the info and steps; I actually tested that about a week or two ago already and that is what we've advised our client to do too. One thing: you'd have to stop the OneAgent service prior to uninstalling WinPcap, since it locks a DLL. Removal takes about 5 seconds, after which the agent starts up just fine and works as expected.
The reason for my question today was to see if anyone knows of a way to remove only the OneAgent WinPcap component, via script or another non-GUI way, but I couldn't find any - it seems WinPcap never supported silent installations, which means no way to silently remove it either... and I've been trying everything the past few days to figure that out, until I found this earlier today: https://www.winpcap.org/pipermail/winpcap-bugs/2011-January/001344.html
You're correct, the only things affected by the removal of WinPcap are network quality and network connectivity metrics, both of which unfortunately drive the AI's ability to detect the network as a possible root cause. It is the client's decision whether they can live without this, until such time as WinPcap is replaced. Smartscape is not affected as far as I can tell, although I always thought the network agent was the main driving force for that.
I've been given a non-committal ETA, so hoping it will be firmed up in the not too distant future.
Almost two years later, have we made any progress with OneAgent running solely on Npcap instead of relying on WinPcap?
We have performance issues at the moment with the latest OneAgent using version 0.999 of Npcap creating too many network handles and making our server performance poor.
Any update on a new version of OneAgent fully supporting npcap with no such issues is very much appreciated.