Deploying npcap with Network Packet Capture integration #2132
Description
Our Network Packet Capture integration (based on Packetbeat) requires a packet sniffing library on most platforms. This is a non-issue on most platforms as you can install libpcap, however Windows requires a library such as npcap, which implements the libpcap interfaces.
NPCAP licensing only allows installation on 5 nodes, after which a license is required. This was often a surprise to our users, who ended up having to pay a significant sum for a license, plus annual maintenance cost. NCPAP also has to be installed independently.
We now have an OEM NPCAP license which allows us to distribute npcap and deploy silently. This ensures our users no longer have to incur additional npcap licensing costs and can easily deploy npcap.
Requirements
- NPCAP will be be included with both Packetbeat + Network Packet Capture integration.
- NPCAP will be included in our Basic license.
- NPCAP will only be installed when the Network Packet Capture integration is enabled, and limited to Windows machines. Installation should be silent (command line arguments here). NPCAP installation should be optional via a setting within the integration - defaulting to true.
- We currently require WinPcap compatible mode. Is it worth changing to native mode, to avoid having to enable WinPcap mode? Any benefits to native mode?
- The NCP integration (i.e., for Windows hosts) will need to be governed by a more restrictive license that disallows modification or distribution by the end user, i.e. Elastic License v1.0. These terms should be presented in at least two ways: (1) shown in the integration description and (2) in a LICENSE.TXT (or similar) file accompanying the binary that is downloaded and run.
- Offline environments - how does a user access the installer and deploy the Network Packet Capture integration in an offline environment?