Andre V. asked ·

Install OneAgent without WinPcap component

Is it possible to install OneAgent without installing the WinPcap component? Alternatively, is there a way to silently remove WinPcap after OneAgent installation?

I understand the impact of not having WinPcap installed, so not looking to debate that ;-)

Sebastian K. answered ·

I don't think that impacting any dependency of OneAgent is actually a good idea. OneAgent possibly will crash and not start at all.

Sebastian

OneAgent runs fine without WinPcap, however, you lose out on network quality and connectivity metrics, which will impact the AI's ability to detect the network as the root cause of problems.

Julius L. answered ·

No, there is not. But you can turn off the functionality by disabling network monitoring for the agent. You, however, lose some metrics and functionality.

Unfortunately, turning off network monitoring for the agent doesn't remove the npf.sys driver, which is the real cause of concern. Hence the questions about removing it completely.

Joe H. answered ·
Can you clarify the reason or concern regarding having WinPcap installed? Is there a technical conflict you're having, or is it a security concern, or ??

Both, actually.

We've had BSOD at two clients in SA, both due to WinPcap. Once the agent is installed, they experienced blue screens. Support was involved and it was pinned down to WinPcap driver causing the issue.

The other reason is security: WinPcap has not been maintained since 2013 and doesn't have the functionality to prevent non-administrative users from gaining access to the npf.sys driver used by WinPcap. Npcap is a safer option and I've been informed that Dynatrace is looking at replacing WinPcap with Npcap, but this is not 100% confirmed, nor do I have a 'cast in stone' release version or date yet. Dave also mentions this in his reply :-)

Have any security tools been running on the host when BSOD happened?

The typical McAfee, but it is also running on hosts where they didn't experience BSOD. We ruled it out anyway, by turning McAfee off: issue persisted. Logs and crash dumps indicated npf.sys as the culprit, so we got support involved and turning off network monitoring plus removing WinPcap resolved the BSOD issue.

Dave M. answered ·

I found these internal notes that might help:

"first disable network traffic monitoring (Settings->Monitoring->Monitored technologies->Network traffic switch off), disable autoupdates (because winpcap will be installed again) and then uninstall winpcap (Control Panel -> uninstall section -> OneAgent Winpcap 4.1.3 entry)"

"Smartscape connections should still be visible. They will lose network metrics - traffic per process, responsiveness, connectivity"

Also, we are actively working to replace winpcap with a better solution and it appears that npcap is the most likely: https://nmap.org/npcap/. But there is no ETA or anything for this AFAIK.

HTH,

dave

@Dave M. thanks for the info and steps; I've actually tested that about a week or two ago already and that is what we've advised our client to do too. One thing: you'd have to stop the OneAgent service prior to uninstalling WinPcap, since it locks a dll. Removal takes about 5 seconds, after which the agent starts up just fine and works as expected.

The reason for my question today, was to see if anyone knows of a way to remove only the OneAgent WinPcap component, via script or another non-GUI way, but I couldn't find any - it seems WinPcap never supported silent installations, which means no way to silently remove it either...and I've been trying everything the past few days to figure that out, until I found this earlier today: https://www.winpcap.org/pipermail/winpcap-bugs/2011-January/001344.html

You're correct, the only things affected by the removal of WinPcap are network quality and network connectivity metrics, both of which unfortunately drive the AI's ability to detect the network as a possible root cause. It is the client's decision whether they can live without this, until such time WinPcap is replaced. Smartscape is not affected as far as I can tell, although I always thought the network agent was the main driving force for that.

I've been given a non-committal ETA, so hoping it will be firmed up in the not too distant future.

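A post-removal check for the procedure discussed in the answer and comment above, as an added example that is not part of the original thread or Dynatrace's own tooling: it reports whether the npf driver is still registered, whether npf.sys is still on disk, and whether a WinPcap uninstall entry has reappeared (for instance after an agent auto-update). The driver service name `npf`, the default driver path and the `*WinPcap*` display-name match are assumptions, as is the function name `Get-WinPcapRemnant`.

```powershell
# Added example (not from the thread): audit a host for WinPcap remnants.
# Assumptions: the driver is registered as service "npf", its binary is at
# %SystemRoot%\System32\drivers\npf.sys, and the uninstall entry's
# DisplayName contains "WinPcap". Run from a 64-bit PowerShell so that
# System32 is not redirected.
function Get-WinPcapRemnant {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'npf',
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\npf.sys')
    )

    # Kernel driver registration; present even while the driver is stopped.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    # Driver binary on disk.
    $file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue

    # Uninstall entries (64-bit and 32-bit views) that mention WinPcap.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WinPcap*' } |
        Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DriverRegistered  = [bool]$driver
        DriverState       = if ($driver) { $driver.State } else { 'NotRegistered' }
        DriverStartMode   = if ($driver) { $driver.StartMode } else { $null }
        DriverFileOnDisk  = [bool]$file
        DriverFileVersion = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        UninstallEntries  = $entries -join '; '
        Clean             = (-not $driver) -and (-not $file) -and ($entries.Count -eq 0)
    }
}

$result = Get-WinPcapRemnant
$result | Format-List
if (-not $result.Clean) {
    Write-Warning 'WinPcap remnants found; npf.sys may still be loadable on this host.'
    exit 1
}
```

Running this on a schedule shows when an agent update has put the component back, since the thread notes that auto-updates reinstall WinPcap.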
Joe H. answered ·

If you're experiencing BSOD, there is a known workaround to this issue. Contact support. This can happen when the swap file is disabled (one case).

As mentioned we will be replacing WinPCap.
