`agentbeat packetbeat` not installing wpcap.dll on first run

[strawgate]

The Agentbeat binary, when run as packetbeat via agentbeat.exe packetbeat ..., does not install the wpcap.dll required to capture network traffic on Windows. This also causes the Network Traffic Capture integration to not send traffic on Agents that weren't previously running a non-Agentbeat version.

Agentbeat 8.16.0 detects no npcap and exits

PS C:\Users\strawgate\Desktop\elastic-agent-8.16.0-windows-x86_64\data\elastic-agent-3f07f2\components> ./agentbeat.exe packetbeat run -c packetbeat.yml -v -e
...
{"log.level":"warn","@timestamp":"2024-11-21T03:16:13.825Z","log.logger":"npcap","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/beater.installNpcap.func1","file.name":"beater/install_npcap.go","file.line":54},"message":"no version available for npcap","service.name":"packetbeat","ecs.version":"1.6.0"}
...
{"log.level":"info","@timestamp":"2024-11-21T03:15:59.574Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":713},"message":"packetbeat stopped.","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-11-21T03:15:59.578Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1590},"message":"Exiting: failed to get device list: couldn't load wpcap.dll","service.name":"packetbeat","ecs.version":"1.6.0"}
Exiting: failed to get device list: couldn't load wpcap.dll

packetbeat 8.13.0 detects that npcap is missing, installs the npcap dll and runs

PS C:\Users\strawgate\Desktop\elastic-agent-8.13.0-windows-x86_64\data\elastic-agent-1eb18c\components> ./packetbeat.exe -v -e -d *
...
{"log.level":"info","@timestamp":"2024-11-21T03:33:52.146Z","log.logger":"npcap_install","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/npcap.install","file.name":"npcap/npcap.go","file.line":59},"message":"installing Npcap DLL","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-21T03:34:05.412Z","log.logger":"npcap","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/beater.installNpcap.func1","file.name":"beater/install_npcap.go","file.line":56},"message":"npcap version: Npcap version 1.79, based on libpcap version 1.10.4","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-21T03:34:05.413Z","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/procs.(*ProcessesWatcher).init","file.name":"procs/procs.go","file.line":114},"message":"Process watcher disabled","service.name":"packetbeat","ecs.version":"1.6.0"}

Unhealthy agent from network traffic capture

[pierrehilbert]

@blakerouse Do you know what would cause this issue? I thought Agentbeat was starting Packetbeat and therefore we would have the same behavior

[amitkanfer]

more interesting is how this floated around so long w/o us knowing about it... :/

[cmacknz]

FYI @nfritts @andrewkroh

[ycombinator]

packetbeat 8.13.0 detects that npcap is missing, installs the npcap dll and runs

I can further confirm that the same is true with Packetbeat 8.16.0:

c:\Users\Shaunak Kashyap\Downloads\packetbeat-8.16.0-windows-x86_64>packetbeat.exe -v -e -d *
{"log.level":"info","@timestamp":"2024-11-25T18:16:19.311-0800","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":1058},"message":"Home path: [c:\\Users\\Shaunak Kashyap\\Downloads\\packetbeat-8.16.0-windows-x86_64] Config path: [c:\\Users\\Shaunak Kashyap\\Downloads\\packetbeat-8.16.0-windows-x86_64] Data path: [c:\\Users\\Shaunak Kashyap\\Downloads\\packetbeat-8.16.0-windows-x86_64\\data] Logs path: [c:\\Users\\Shaunak Kashyap\\Downloads\\packetbeat-8.16.0-windows-x86_64\\logs]","service.name":"packetbeat","ecs.version":"1.6.0"}
...
{"log.level":"info","@timestamp":"2024-11-25T18:16:22.489-0800","log.logger":"npcap_install","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/npcap.install","file.name":"npcap/npcap.go","file.line":59},"message":"installing Npcap DLL","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-25T18:16:42.899-0800","log.logger":"npcap","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/beater.installNpcap.func1","file.name":"beater/install_npcap.go","file.line":56},"message":"npcap version: Npcap version 1.80, based on libpcap version 1.10.4","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-25T18:16:42.906-0800","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/procs.(*ProcessesWatcher).init","file.name":"procs/procs.go","file.line":114},"message":"Process watcher disabled","service.name":"packetbeat","ecs.version":"1.6.0"}

So it's definitely something to do with Agentbeat's running of Packetbeat and not Packetbeat by itself.

[ibollman]

I just wanted to say: We are also affected by this bug ☹️

{"log.level":"error","@timestamp":"2024-11-20T13:22:52.350Z","message":"Exiting: failed to get device list: couldn't load wpcap.dll","component":{"binary":"packetbeat","dataset":"elastic_agent.packetbeat","id":"packet-default","type":"packet"},"log":{"source":"packet-default"},"service.name":"packetbeat","ecs.version":"1.6.0","log.origin":{"file.line":1590,"file.name":"instance/beat.go","function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError"},"ecs.version":"1.6.0"}

[cmacknz]

It's not super obvious what is happening here, there is an init() in gopacket that we potentially aren't hitting. I recall we had many problems elsewhere with global init() calls in agentbeat.

https://github.com/elastic/gopacket/blob/3eaba08943250fd212520e5cff00ed808b8fc60a/pcap/pcap_windows.go#L157-L159

[cmacknz]

We are also pulling in the packetbeat specific linker arguments, perhaps the problem is in how they are applied https://github.com/elastic/beats/blob/367d94e1dc40a82713d651735eac7921bb584474/x-pack/agentbeat/magefile.go#L73-L79

[blakerouse]

I don't know exactly why this is not happening on agentbeat but it does happen on packetbeat.

It's not super obvious what is happening here, there is an init() in gopacket that we potentially aren't hitting. I recall we had many problems elsewhere with global init() calls in agentbeat.

I do know that this as an func init() is not something we want. This means that every time that agentbeat is started even if its started with agentbeat filebeat that it would result in that func init() being called. We would not want that. We want that to only be called when agentbeat packetbeat is being called.

Looking at the code it doesn't seem like that func init() is being called. There is a specific path to installing Npcap here: https://github.com/elastic/beats/blob/main/packetbeat/beater/processor.go#L139

Seems that a configured interface is required for this to be called.

[strawgate]

I just wanted to say: We are also affected by this bug ☹️

{"log.level":"error","@timestamp":"2024-11-20T13:22:52.350Z","message":"Exiting: failed to get device list: couldn't load wpcap.dll","component":{"binary":"packetbeat","dataset":"elastic_agent.packetbeat","id":"packet-default","type":"packet"},"log":{"source":"packet-default"},"service.name":"packetbeat","ecs.version":"1.6.0","log.origin":{"file.line":1590,"file.name":"instance/beat.go","function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError"},"ecs.version":"1.6.0"}

Just as a heads up -- I believe this bug should only occur on systems that have never run an 8.13 (or prior) agent. If you install the 8.13 agent, let the network monitoring integration start, and then upgrade to a newer version, you can workaround this issue while we work through resolution.