Fixes to support the Npcap library on Windows

- Ignore conan libpcap if PCAP_ROOT_DIR is passed
- Update the cmake submodule to pick up changes for finding the right
  paths to npcap
- Add lazy-loading of npcap so the library path gets set correctly
  at startup

CMakeLists.txt

@@ -71,10 +71,13 @@ if ( MSVC )
     endif()
 
     # Set LibPCAP to point to libpcap binaries.
-    find_package(libpcap)
+    if ( NOT PCAP_ROOT_DIR )
-    set(PCAP_ROOT_DIR "${libpcap_LIB_DIRS}/../")
+        find_package(libpcap)
-    set(PCAP_INCLUDE_DIR ${libpcap_INCLUDES})
+        set(PCAP_ROOT_DIR "${libpcap_LIB_DIRS}/../")
-    set(PCAP_LIBRARY ${libpcap_LIBS})
+        set(PCAP_INCLUDE_DIR ${libpcap_INCLUDES})
+        set(PCAP_LIBRARY ${libpcap_LIBS})
+    endif()
+
     set(LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER false)
 
     # Set ZLib to point at the right variable.

cmake

@@ -1 +1 @@
-Subproject commit 99ee0e757df66d81d78e59a32f61101058bc00fc
+Subproject commit f69e08247ed4d7e36258157df6328bad3c81269d

src/CMakeLists.txt

@@ -543,6 +543,15 @@ if (ZEEK_STANDALONE)
                 ${bro_SUBDIR_LIBS}
                 ${bro_PLUGIN_LIBS}
     )
+
+    # npcap/winpcap need to be loaded in delayed mode so that we can set the load path
+    # correctly at runtime. See https://npcap.com/guide/npcap-devguide.html#npcap-feature-native
+    # for why this is necessary.
+    if ( MSVC AND HAVE_WPCAP )
+        set(zeekdeps ${zeekdeps} delayimp.lib)
+        set_target_properties(zeek PROPERTIES LINK_FLAGS "/DELAYLOAD:wpcap.dll")
+    endif()
+
     target_link_libraries(zeek ${bro_PLUGIN_LINK_LIBS} ${zeekdeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS})
 
     # Export symbols from zeek executable for use by plugins

src/main.cc

@@ -11,6 +11,37 @@
 
 #ifdef _MSC_VER
 #include <fcntl.h> // For _O_BINARY.
+
+// By default, Windows only looks in the System32 directory for dlls. Npcap installs
+// into System32\Npcap, so we have to add that path to the search path for DLLs or
+// the process won't find it. This is annoying, but it's how the Npcap project
+// recommends we do it. See https://npcap.com/guide/npcap-devguide.html#npcap-feature-native
+// for further info.
+static void init_npcap_dll_path()
+	{
+#ifdef HAVE_WPCAP
+	BOOL(WINAPI * SetDllDirectory)(LPCTSTR);
+	char sysdir_name[512];
+	int len;
+
+	SetDllDirectory = (BOOL(WINAPI*)(LPCTSTR))GetProcAddress(GetModuleHandle("kernel32.dll"),
+	                                                         "SetDllDirectoryA");
+	if ( SetDllDirectory == NULL )
+		{
+		fprintf(stderr, "Error in SetDllDirectory");
+		}
+	else
+		{
+		len = GetSystemDirectory(sysdir_name, 480); //	be safe
+		if ( ! len )
+			fprintf(stderr, "Error in GetSystemDirectory (%d)", GetLastError());
+		strcat(sysdir_name, "\\Npcap");
+		if ( SetDllDirectory(sysdir_name) == 0 )
+			fprintf(stderr, "Error in SetDllDirectory(\"System32\\Npcap\")");
+		}
+#endif
+	}
+
 #endif
 
 int main(int argc, char** argv)
@@ -18,7 +49,10 @@ int main(int argc, char** argv)
 #ifdef _MSC_VER
 	_setmode(_fileno(stdout), _O_BINARY);
 	_setmode(_fileno(stderr), _O_BINARY);
+
+	init_npcap_dll_path();
 #endif
+
 	auto time_start = zeek::util::current_time(true);
 	auto setup_result = zeek::detail::setup(argc, argv);
 

zeek-config.h.in

@@ -54,6 +54,9 @@
 /* Define if libpcap supports pcap_dump_open_append(). */
 #cmakedefine HAVE_PCAP_DUMP_OPEN_APPEND
 
+/* Define if the pcap library is winpcap or npcap */
+#cmakedefine HAVE_WPCAP
+
 /* line editing & history powers */
 #cmakedefine HAVE_READLINE