0

AirPcap and Wireshark 3.03

asked 2019-08-09 14:28:23 +0000

me

updated 2019-08-09 14:47:07 +0000

grahamb

I cannot get Wireshark to recognize either my AirPcap Classic or TX. To troubleshoot I have:

  1. validated that they are recognized in Cain and Abel and in the AirPcap Control panel
  2. Installed Wireshark with:
    1. both WinPcap 4.1.3 and NPcap 0.9982 (NPcap both in compatibility mode and NOT in compatibility mode)
    2. Installed only NPcap and removed WinPcap
    3. Installed only WinPcap and removed NPcap
  3. done a Google search for the problem and noted the prior question and answer here, plus a few other places, all to no avail.
  4. Completely disabled any virus protection. This is validated because Cain and Abel were able to install and work.
  5. When AirPcap first came out, I was also unable to make it work in Wireshark

I am running Windows 7, with the latest patches as a domain member


Comments

Help About:

Version 3.0.3 (v3.0.3-0-g6130b92b0ec6) 

Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz (with SSE4.2), with 4006 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS ...
me ( 2019-08-12 22:05:51 +0000 )

2 Answers

0

answered 2019-08-13 13:30:10 +0000

cmaynard

From your Wireshark Help -> About Wireshark information:

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz (with SSE4.2), with 4006 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.16, build 27030).

Note "without AirPcap".

Compare to the relevant information from my system:

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) CPU E3-1505M v5 @ 2.80GHz (with SSE4.2), with 16225 MB of physical memory, with locale English_United States.1252, with light display mode, without HiDPI, with Npcap version 0.996, based on libpcap version 1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, with AirPcap 4.1.0 build 1622, binary plugins supported (19 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.15, build 26730). 

You may want to try to reinstall the AirPcap drivers or contact Riverbed for support. Until Wireshark sees "with AirPcap 4.1.0 build 1622" or equivalent, it's not going to recognize your AirPcap adapter.


Comments

FYI, I installed the latest AirPcap 4.1.3 drivers from Riverbed, here and my Wireshark help shows:

with AirPcap 4.1.3 build 3348
grahamb ( 2019-08-13 13:40:10 +0000 )

It appears that it takes a complete uninstall of Wireshark, WinPcap and the AirPcap drivers, followed by install of the AirPcap drivers, WinPcap and then Wireshark for it to work.

me ( 2019-08-13 17:51:41 +0000 )
0

answered 2019-08-09 15:47:38 +0000

grahamb

You need to use WinPcap. Any installation of npcap will have to be removed so that Wireshark will use the WinPcap driver.

I tested with Win 10, Wireshark 3.1.1 (shouldn't be any change from the current release 3.0.3 w.r.t. AirPcap), WinPcap 4.1.3 and an AirPcap Nx.


Comments

I had tried that. In fact I did a total uninstall of WinPcap, Npcap and Wireshark, followed by a reboot, prior to posting the question.

To confirm that I had done the proper steps, I have repeated the above, and further, I disabled the anti-virus in case there was some weird interaction. Wireshark will detect my USB Wireless card and Cain and Abel will detect the AirPcap card. Wireshark will still not detect the AirPcap card, however.

me ( 2019-08-10 04:01:06 +0000 )

Can you verify that WinPcap is being used by Wireshark by posting your "Help -> About Wireshark" details? Perhaps when npcap was uninstalled, something went awry and some "breadcrumbs" were left behind and Wireshark is still picking it up; that had happened to me once with an older version of npcap and I had to manually delete it (i.e., C:\Windows\System32\Npcap or possibly in another location if it was installed in WinPcap-compatibility mode).

Does dumpcap.exe -D list the AirPcap adapter as one of the interfaces?

Can you verify from the command-line that WinPcap driver is running using sc qc npf? If not, you can start it manually with sc start npf, or if it is you could try sc stop npf followed by sc start npf to try restarting it.

Have you tried uninstalling Cain and Abel temporarily in case that tool installed something possibly causing ...

cmaynard ( 2019-08-10 14:51:39 +0000 )

Note that you will need an elevated prompt to run the sc start and sc stop commands.

grahamb ( 2019-08-11 12:24:15 +0000 )

Dumpcap -D:

1. \Device\NPF_{B4BCF253-3859-49AE-B888-581CAB7EAC19} (Bluetooth Network Connection)
2. \Device\NPF_{DD23F56C-59C4-4291-9934-FE7C3AEEED93} (Local Area Connection 5)
3. \Device\NPF_{8565A170-B127-4E78-BC25-B950C99CDD1F} (Local Area Connection)
(no AirPcap device is listed)

SC qc npf:

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       : 
        SERVICE_START_NAME :

Help About:

(I cannot post a screen capture, but the "help about" section includes "...with Gcrypt 1.8.3, without AirPcap, binary plugins supported...")

Note

An inventory of the system drive identified several npf.sys files in various driver directories, but only the npf install log in the npf directory.

me ( 2019-08-11 16:32:37 +0000 )

The text in the Help => About dialog can be highlighted using the mouse and Ctrl + C copied to the clipboard and then pasted in a comment here.

grahamb ( 2019-08-11 18:12:17 +0000 )
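
The thread's two checks, reading the run-time part of the About text and looking for an AirPcap entry in the dumpcap -D listing, as an added Python example (not code from the posters or from Wireshark). The sample strings are shortened copies of text quoted above, and matching an AirPcap interface by the substring "airpcap" is an assumption.

```python
import re

# Constructed sample input: shortened copies of the About text and the
# `dumpcap -D` listing quoted in this thread.
ASKER_ABOUT = (
    "Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, with AirPcap, with SBC. "
    "Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version 4.1.3 "
    "(packet.dll version 4.1.0.2980), with Gcrypt 1.8.3, without AirPcap, "
    "binary plugins supported (14 loaded).")
ANSWERER_ABOUT = (
    "Running on 64-bit Windows 10 (1809), build 17763, with Npcap version 0.996, "
    "with Gcrypt 1.8.3, with AirPcap 4.1.0 build 1622, binary plugins supported (19 loaded).")
ASKER_DUMPCAP = r"""
1. \Device\NPF_{B4BCF253-3859-49AE-B888-581CAB7EAC19} (Bluetooth Network Connection)
2. \Device\NPF_{DD23F56C-59C4-4291-9934-FE7C3AEEED93} (Local Area Connection 5)
3. \Device\NPF_{8565A170-B127-4E78-BC25-B950C99CDD1F} (Local Area Connection)
"""

def parse_about(text):
    """Report capture library and AirPcap state from pasted About text."""
    compiled, sep, runtime = text.partition("Running on")
    if not sep:                       # no "Running on" marker: treat it all as run-time text
        compiled, runtime = "", text
    lib = re.search(r"with (WinPcap|Npcap) version ([\w.]+)", runtime)
    air = re.search(r"\b(without|with) AirPcap(?: ([\d.]+ build \d+))?", runtime)
    return {
        "capture_lib": lib.group(1) if lib else None,
        "capture_lib_version": lib.group(2) if lib else None,
        # None means the "Compiled ..." paragraph was not pasted.
        "compiled_with_airpcap": bool(re.search(r"\bwith AirPcap\b", compiled)) if compiled else None,
        "airpcap_loaded": bool(air) and air.group(1) == "with",
        "airpcap_version": air.group(2) if air else None,
    }

def airpcap_interfaces(listing):
    """Lines of `dumpcap -D` output that name an AirPcap device (assumed to contain 'airpcap')."""
    return [ln.strip() for ln in listing.splitlines() if "airpcap" in ln.lower()]

def diagnose(about, listing):
    info = parse_about(about)
    if not info["airpcap_loaded"]:
        return "AirPcap library not loaded at run time"
    if not airpcap_interfaces(listing):
        return "AirPcap library loaded, but dumpcap lists no AirPcap interface"
    return "AirPcap library loaded and interface listed"

if __name__ == "__main__":
    print(parse_about(ASKER_ABOUT))
    print(diagnose(ASKER_ABOUT, ASKER_DUMPCAP))
```

For the asker's text this separates the "Compiled ... with AirPcap" build option from the run-time "without AirPcap" state, which is the distinction the first answer turns on.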


Stats

Asked: 2019-08-09 14:28:23 +0000

Seen: 4,160 times

Last updated: Aug 13 '19