Is it possible to install OneAgent without installing the WinPcap component? Alternatively, is there a way to silently remove WinPcap after OneAgent installation?
I understand the impact of not having WinPcap installed, so not looking to debate that 😉
I don't think that impacting any dependency of OneAgent is actually a good idea. OneAgent possibly will crash and not start at all.
OneAgent runs fine without WinPcap, however, you lose out on network quality and connectivity metrics, which will impact the AI's ability to detect the network as the root cause of problems.
No, there is not. But you can turn off the functionality by disabling network monitoring for the agent. You, however, lose some metrics and functionality.
Unfortunately, turning off network monitoring for the agent doesn't remove the npf.sys driver, which is the real cause of concern. Hence the questions about removing it completely.
We've had BSOD at two clients in SA, both due to WinPcap. Once the agent is installed, they experienced blue screens. Support was involved and it was pinned down to WinPcap driver causing the issue.
The other reason is security: WinPcap has not been maintained since 2013 and doesn't have the functionality to prevent non-administrative users from gaining access to the npf.sys driver used by WinPcap. Npcap is a safer option and I've been informed that Dynatrace is looking at replacing WinPcap with Npcap, but this is not 100% confirmed, nor do I have a 'cast in stone' release version or date yet. Dave also mentions this in his reply 🙂
Have any security tools been running on the host when BSOD happened?
The typical McAfee, but it is also running on hosts where they didn't experience BSOD. We ruled it out anyway, by turning McAfee off: issue persisted. Logs and crash dumps indicated npf.sys as the culprit, so we got support involved and turning off network monitoring plus removing WinPcap resolved the BSOD issue.
I found these internal notes that might help:
"first disable network traffic monitoring (Settings->Monitoring->Monitored technologies->Network traffic switch off), disable autoupdates (because winpcap will be installed again) and then uninstall winpcap (Control Panel -> uninstall section -> OneAgent Winpcap 4.1.3 entry)"
"Smartscape connections should still be visible. They will lose network metrics - traffic per process, responsiveness, connectivity"
Also, we are actively working to replace winpcap with a better solution and it appears that npcap is the most likely: https://nmap.org/npcap/. But there is no ETA or anything for this AFAIK.
@Dave M. thanks for the info and steps; I've actually tested that about a week or two ago already and that is what we've advised our client to do too. One thing: you'd have to stop the OneAgent service prior to uninstalling WinPcap, since it locks a dll. Removal takes about 5 seconds, after which the agent starts up just fine and works as expected.
The reason for my question today was to see if anyone knows of a way to remove only the OneAgent WinPcap component, via script or another non-GUI way, but I couldn't find any - it seems WinPcap never supported silent installations, which means no way to silently remove it either... and I've been trying everything the past few days to figure that out, until I found this earlier today: https://www.winpcap.org/pipermail/winpcap-bugs/2011-January/001344.html
You're correct, the only things affected by the removal of WinPcap are network quality and network connectivity metrics, both of which unfortunately drive the AI's ability to detect the network as a possible root cause. It is the client's decision whether they can live without this, until such time as WinPcap is replaced. Smartscape is not affected as far as I can tell, although I always thought the network agent was the main driving force for that.
I've been given a non-committal ETA, so hoping it will be firmed up in the not too distant future.
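A read-only check for confirming, before and after the removal steps discussed above, whether the WinPcap npf.sys driver is still on a host. This is an added example, not part of any post in this thread and not Dynatrace code; the `npf` driver service name, the default driver path and the function name `Get-WinPcapFootprint` are assumptions.

```powershell
# Added example: read-only check, changes nothing on the host.
# Assumptions: driver service name 'npf', default driver path, and a 64-bit
# PowerShell session (a 32-bit session redirects System32 and can miss the file).
function Get-WinPcapFootprint {
    $sys  = Join-Path $env:SystemRoot 'System32\drivers\npf.sys'
    $file = Get-Item -LiteralPath $sys -ErrorAction SilentlyContinue

    # Win32_SystemDriver also returns stopped and disabled kernel drivers.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'" `
        -ErrorAction SilentlyContinue

    # Control Panel uninstall entries, 64-bit and 32-bit registry views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WinPcap*' } |
        ForEach-Object { $_.DisplayName })

    # Classify what is left: a loaded driver is the case that matters most.
    $finding = if ($drv -and $drv.State -eq 'Running') {
        'driver loaded'
    } elseif ($drv -or $file) {
        'driver present, not loaded'
    } elseif ($entries) {
        'uninstall entry only'
    } else {
        'not found'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Finding          = $finding
        DriverFile       = if ($file) { $file.FullName } else { $null }
        FileVersion      = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        FileCompany      = if ($file) { $file.VersionInfo.CompanyName } else { $null }
        DriverState      = if ($drv) { $drv.State } else { $null }
        DriverStartMode  = if ($drv) { $drv.StartMode } else { $null }
        UninstallEntries = $entries -join '; '
    }
}

Get-WinPcapFootprint | Format-List
```

The file version and company fields are reported so that a reviewer can tell which product a remaining npf.sys belongs to.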
Almost two years later, have we made any progress with OneAgent running solely on npcap instead of relying on Winpcap?
We have performance issues at the moment with latest OneAgent using version 0.999 of npcap creating too many network handles and making our server performances poor.
Any update on a new version of OneAgent fully supporting npcap with no such issues is very much appreciated.
I see this https://community.dynatrace.com/t5/Dynatrace-Open-Q-A/Replacing-Winpcap-with-npcap/td-p/117827
We have recently been questioned by the auditing unit because of the issue of "winpcap". Is there any progress?
According to the documentation, Npcap installation of OneAgent is already available:
Uninstall WinPcap driver to allow Npcap installation
If you're experiencing BSOD, there is a known workaround to this issue. Contact support. This can happen when swap file is disabled (one case).
As mentioned we will be replacing WinPCap.
I couldn't find any solid work about replacing winPcap with npcap yet. So, I will have another question about it.
Is there any chance to use this application as someone else except Dynatrace agent? If I can prove that no one can use it except Dynatrace, it will be enough. Otherwise, it's a security issue to keep winPcap installed on servers anyway.