Revision history

initial version
  1. What configurations does it touch/modify/change?

It may put the interface in promiscuous mode, which has, on occasion, been known to change some network behavior in ways that clear up networking problems; however, as you tried both with and without promiscuous mode, with no change, that's probably not what's happening here.

Npcap, which provides the capture mechanisms that Wireshark (and other programs) use, adds a "filter driver" to the networking stack. As far as I know, that driver is always in the stack, but when a capture is in progress, that might change the behavior of the networking stack. You'd have to ask the Npcap developers about that.

  2. Which services does it start? If any?

It doesn't directly start any services; if installed with Npcap, there's a service that's part of Npcap that I think is started when the machine is booted.

  3. Which processes does it use?

The Wireshark UI process and a subprocess, running the "dumpcap" utility that's part of Wireshark, which does the packet capturing and writes the packets to a file.

  4. Does it change any OS settings?

Nothing other than the stuff Npcap does.
