diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3302aa55978..ffe8147ca1d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -223,8 +223,9 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Add option to allow sniffing multiple interface devices. {issue}31905[31905] {pull}32933[32933]
 - Bump Windows Npcap version to v1.71. {issue}33164[33164] {pull}33172[33172]
 - Add fragmented IPv4 packet reassembly. {issue}33012[33012] {pull}33296[33296]
-- Reduce logging level for ENOENT to WARN when mapping sockets to processes. {issue}33793[33793] {pull}[]
+- Reduce logging level for ENOENT to WARN when mapping sockets to processes. {issue}33793[33793] {pull}33854[33854]
 - Add metrics for TCP and UDP packet processing. {pull}33833[33833] {pull}34353[34353]
+- Allow user to prevent Npcap library installation on Windows. {issue}34420[34420] {pull}34428[34428]
 *Packetbeat*
diff --git a/packetbeat/_meta/config/beat.reference.yml.tmpl b/packetbeat/_meta/config/beat.reference.yml.tmpl
index 55b64de36c5..06ca6a8f047 100644
--- a/packetbeat/_meta/config/beat.reference.yml.tmpl
+++ b/packetbeat/_meta/config/beat.reference.yml.tmpl
@@ -59,6 +59,8 @@ packetbeat.interfaces.internal_networks:
 # can stay enabled even after beat is shut down.
 #packetbeat.interfaces.auto_promisc_mode: true
+{{- template "windows_npcap.yml.tmpl" .}}
+
 {{header "Flows"}}
 packetbeat.flows:
diff --git a/packetbeat/_meta/config/beat.yml.tmpl b/packetbeat/_meta/config/beat.yml.tmpl
index 12a31129944..2708738e86c 100644
--- a/packetbeat/_meta/config/beat.yml.tmpl
+++ b/packetbeat/_meta/config/beat.yml.tmpl
@@ -42,6 +42,8 @@ packetbeat.interfaces.poll_default_route: 1m
 packetbeat.interfaces.internal_networks:
 - private
+{{- template "windows_npcap.yml.tmpl" .}}
+
 {{header "Flows"}}
 # Set `enabled: false` or comment out all options to disable flows reporting.
diff --git a/packetbeat/_meta/config/windows_npcap.yml.tmpl b/packetbeat/_meta/config/windows_npcap.yml.tmpl
new file mode 100644
index 00000000000..62605c20250
--- /dev/null
+++ b/packetbeat/_meta/config/windows_npcap.yml.tmpl
@@ -0,0 +1,13 @@
+{{if and (eq .BeatLicense "Elastic License") (eq .GOOS "windows")}}
+
+{{header "Windows Npcap installation settings"}}
+
+# Windows Npcap installation options. These options specify how the Npcap packet
+# capture library for Windows should be obtained and installed.
+#
+#packetbeat.npcap:
+# # If a specific local version of Npcap is required, installation by packetbeat
+# # can be blocked by setting never_install to true. No action is taken if this
+# # option is set to true.
+# never_install: false
+{{- end -}}
diff --git a/packetbeat/beater/install_npcap.go b/packetbeat/beater/install_npcap.go
index 78865085b80..e89e173239b 100644
--- a/packetbeat/beater/install_npcap.go
+++ b/packetbeat/beater/install_npcap.go
@@ -54,11 +54,23 @@ func installNpcap(b *beat.Beat) error {
 return nil
 }
+ log := logp.NewLogger("npcap_install")
+
+ var cfg struct {
+ NeverInstall bool `config:"npcap.never_install"`
+ }
+ err := b.BeatConfig.Unpack(&cfg)
+ if err != nil {
+ return fmt.Errorf("failed to unpack npcap config: %w", err)
+ }
+ if cfg.NeverInstall {
+ log.Warn("npcap installation/upgrade disabled by user")
+ return nil
+ }
+
 ctx, cancel := context.WithTimeout(context.Background(), installTimeout)
 defer cancel()
- log := logp.NewLogger("npcap_install")
-
 if npcap.Installer == nil {
 return nil
 }
diff --git a/packetbeat/docs/packetbeat-options.asciidoc b/packetbeat/docs/packetbeat-options.asciidoc
index e12706a545f..29441e4b029 100644
--- a/packetbeat/docs/packetbeat-options.asciidoc
+++ b/packetbeat/docs/packetbeat-options.asciidoc
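Review bot: In windows_npcap.yml.tmpl the sentence `No action is taken if this option is set to true.` does not say which action is skipped; read on its own it could mean the option itself has no effect. Since the Go side logs `installation/upgrade disabled`, the comment should state that neither installation nor upgrade of the bundled Npcap is attempted and that a usable Npcap must already be installed, for example `# When true, packetbeat neither installs nor upgrades Npcap; an existing installation is required.` That wording also makes it visible to operators that keeping the capture driver current becomes their task.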
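Review bot: In install_npcap.go, when `cfg.NeverInstall` is true the function returns before any of the install/upgrade logic below it, so the host keeps whatever Npcap is already present and the only trace is the fixed string `npcap installation/upgrade disabled by user`. For fleet monitoring it would help if that warning also carried the version of the locally loaded library, if the package can report it at this point, because an outdated capture driver is then the operator's patching responsibility. The early return also sits ahead of the `npcap.Installer == nil` guard, so the warning is presumably emitted on builds that bundle no installer as well; moving the `NeverInstall` check after that guard would keep the message meaningful. A comment on the branch would record the intent, e.g. `// never_install: operator manages Npcap; skip both install and upgrade`. installNpcap starts before this hunk and continues past it.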
@@ -54,6 +54,19 @@ packetbeat.interfaces.type: af_packet
 packetbeat.interfaces.buffer_size_mb: 100
 ------------------------------------------------------------------------------
+[float]
+=== Windows Npcap installation options
+
+On Windows {beatname} requires an Npcap DLL installation. This is provided by {beatname}
+for users of the Elastic Licenced version. In some cases users may wish to use
+their own installed version. In order to do this the `packetbeat.npcap.never_install`
+option can be used. Setting this option to `true` will not attempt to install the
+bundled Npcap library on start-up.
+
+[source,yaml]
+------------------------------------------------------------------------------
+packetbeat.npcap.never_install: true
+------------------------------------------------------------------------------
 [float]
 === Sniffing configuration options