elastic · efd6 · Feb 3, 2023 · Jan 30, 2023 · Feb 2, 2023
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -218,8 +218,9 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Add option to allow sniffing multiple interface devices. {issue}31905[31905] {pull}32933[32933]
 - Bump Windows Npcap version to v1.71. {issue}33164[33164] {pull}33172[33172]
 - Add fragmented IPv4 packet reassembly. {issue}33012[33012] {pull}33296[33296]
-- Reduce logging level for ENOENT to WARN when mapping sockets to processes. {issue}33793[33793] {pull}[]
+- Reduce logging level for ENOENT to WARN when mapping sockets to processes. {issue}33793[33793] {pull}33854[33854]
 - Add metrics for TCP and UDP packet processing. {pull}33833[33833] {pull}34353[34353]
+- Allow user to prevent Npcap library installation on Windows. {issue}34420[34420] {pull}34428[34428]
 
 *Packetbeat*
 

@@ -59,6 +59,8 @@ packetbeat.interfaces.internal_networks:
 # can stay enabled even after beat is shut down.
 #packetbeat.interfaces.auto_promisc_mode: true
 
+{{- template "windows_npcap.yml.tmpl" .}}
+
 {{header "Flows"}}
 
 packetbeat.flows:

@@ -42,6 +42,8 @@ packetbeat.interfaces.poll_default_route: 1m
 packetbeat.interfaces.internal_networks:
   - private
 
+{{- template "windows_npcap.yml.tmpl" .}}
+
 {{header "Flows"}}
 
 # Set `enabled: false` or comment out all options to disable flows reporting.

@@ -0,0 +1,13 @@
+{{if and (eq .BeatLicense "Elastic License") (eq .GOOS "windows")}}
+
+{{header "Windows Npcap installation settings"}}
+
+# Windows Npcap installation options. These options specify how the Npcap packet
+# capture library for Windows should be obtained and installed.
+#
+#packetbeat.npcap:
+#  # If a specific local version of Npcap is required, installation by packetbeat
+#  # can be blocked by setting never_install to true. No action is taken if this
+#  # option is set to true.
+#  never_install: false
+{{- end -}}
@@ -54,11 +54,23 @@ func installNpcap(b *beat.Beat) error {
 		return nil
 	}
 
+	log := logp.NewLogger("npcap_install")
+
+	var cfg struct {
+		NeverInstall bool `config:"npcap.never_install"`
+	}
+	err := b.BeatConfig.Unpack(&cfg)
+	if err != nil {
+		return fmt.Errorf("failed to unpack npcap config: %w", err)
+	}
+	if cfg.NeverInstall {
+		log.Warn("npcap installation/upgrade disabled by user")
+		return nil
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), installTimeout)
 	defer cancel()
 
-	log := logp.NewLogger("npcap_install")
-
 	if npcap.Installer == nil {
 		return nil
 	}

@@ -54,6 +54,19 @@ packetbeat.interfaces.type: af_packet
 packetbeat.interfaces.buffer_size_mb: 100
 ------------------------------------------------------------------------------
 
+[float]
+=== Windows Npcap installation options
+
+On Windows {beatname} requires an Npcap DLL installation. This is provided by {beatname}
+for users of the Elastic Licenced version. In some cases users may wish to use
+their own installed version. In order to do this the `packetbeat.npcap.never_install`
+option can be used. Setting this option to `true` will not attempt to install the
+bundled Npcap library on start-up.
+
+[source,yaml]
+------------------------------------------------------------------------------
+packetbeat.npcap.never_install: true
+------------------------------------------------------------------------------
 
 [float]
 === Sniffing configuration options