I am using Windows 7 64bit edition; when i first installed Wireshark it worked, but after restart its constantly telling me NPF driver is not running error and therefore I cannot see any of my network cards. Please help

asked 07 Dec '10, 23:42

Engr%20Mansoor%20Habib's gravatar image

Engr Mansoor...
accept rate: 0%

edited 20 Jan '11, 12:11

Jaap's gravatar image

Jaap ♦

Hi all, I have the exact same symptoms but without the NPF driver error and also I get the proper output from the SC command. Any ideas?

(16 Dec '11, 14:07) Jim Willows


I am using Wireshark on the 64-bit edition of Windows 7 without problem.

The npf driver is not visible in your regular "Computer Management" WMI-interface. The npf status is best checked with the command line.

Run a cmd.exe as administrator and run the command sc qc npf.

You should get some output like this:

C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :

If your driver is not properly started, activate it with the command sc start npf

Finally, to start the service automatically, use the command sc config npf start=auto

Remember to run your cmd.exe as administrator when issuing these command.


answered 08 Dec '10, 01:26

packethunter's gravatar image

accept rate: 5%

I am running Windows 7 and I have the same issue with the NPF file not running. I tried your command line stuff. I am set as the administrator on this machine and I get an Access Denied error when I try the sc start npf. Any suggestions?

(19 Jan '11, 21:11) Joshua

I have also activated NPF fow windows 7. And wireshark 1.4.3 still says it is not active. And also says there are no interfaces that a capture can be done. I'm running an HP Desktop and Windows 7 Home Premium.

(20 Jan '11, 17:39) yate4899

try to run cmd.exe as an administrator (i mean right click it then choose run as administrator) and then use the command sc start npf

(09 Feb '11, 13:23) EssAm

There must be a space after equal sign, i.e.

sc config npf start= auto

The rest is perfect:

sc qc npf
Run as Administrator:
sc start npf

(02 Aug '11, 22:54) Champion

Thank you packethunter, your answer enabled me to get working with Wireshark. One thing though, I can't find the npf service - whose DISPLAY_NAME is given as "NetGroup Packet Filter Driver" listed in the Windows Services. Can anyone enlighten me please?

(17 Oct '11, 16:56) pcwizard

You can find the NPF driver under Non-Plug and Play Drivers
To open the Computer Management console go to:
Start | Run
type: compmgmt.msc and hit OK
Computer Management (Local) | System tools | Device Manager
Pull-down menu View | Show Hidden Devices
Non-Plug and Play Drivers | NetGroup Packet Filter Driver

(17 Oct '11, 21:14) joke

Great!! it is working...BIG THANKS to you. Back to business!

(12 Jan '12, 07:35) deo

Sorry: I meant for the above "Great ..." to have been converted to a comment under answer #1 (not this answer).

(12 Jan '12, 08:05) Bill Meier ♦♦

I had to go into the non-plug and play how do I get it to start once I get there?

(10 May '12, 20:01) angelar

right-click NetGroup Packet Filter Driver
select Properties
select tab Driver
Current status: hit Start
Here you can read more about Startup - Type

(10 May '12, 21:18) joke

This solution also works for Windows 8.

(09 Oct '12, 13:41) SamsonSF

Tanx alot, was really helpfull.

(02 Mar '13, 13:28) s_atayi379

You need to add a space between "start=" and "auto".

(14 Jun '13, 03:10) Mladen B

run as administrator, sc config npf start= auto is the exact command. Space is required after "=".

(13 Jul, 05:09) Utkal Barik
showing 5 of 14 show 9 more comments

Just run the shark under administrator and it will work as well.


answered 04 Aug '11, 00:44

projek7r's gravatar image

accept rate: 0%


While this may well "work" it isn't really recommended.

There is a huge amount of code in Wireshark that attempts to interpret network data, and allowing that code to run as administrator does open a window (albeit quite small) to "bad stuff" gaining access to the host system as the administrator.

(04 Aug '11, 01:18) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 07 Dec '10, 23:42

Seen: 170,301 times

Last updated: 13 Jul, 05:54

powered by OSQA