Wireshark and proxy not playing well together?

asked 2019-09-30 16:12:24 +0000

herby

Here at work we use a proxy system. Works OK. I light up Wireshark, and it all breaks. Nothing connects, and I get nasty messages "can't find web page, etc...". I then try to quit wireshark, and it still is "crashed". Nothing but a reboot will cure anything. I read in the old place that someone was having problems like this, but saw no resolution.

Some info: Windows 10. Any browser (I tried all 4 of them, Chrome, Firefox, Edge, and Explorer), all with the same results. I don't even need to connect to an interface. The tasks relate to using Wireshark to analyze streams piped into it (from another machine), and just opening up Wireshark to its first window is enough for it all to come falling down. I really don't want to lose connectivity while doing analysis. I do note that EXISTING connections seem to be OK. I was on a WebEx and talking nicely when this first started. After the start of Wireshark, it all went down. I just downloaded this, so I should have the most recent version (3.x). I'd check the version, but I suspect I couldn't finish this online report if I did.

Thanks.


Comments

A few ideas:

Do you have some anti-virus or host-based IDS that is colliding with NPCAP?

Do you find any useful information in your event logs? Application and System Event log would be my first, but certainly not the last stop. Running the Sysinternals Process Monitor while launching Wireshark could reveal return codes from system calls that are otherwise hidden.

Another (more gruesome) thought: We have seen some malware that reacts to Wireshark. It would rather break the network connection than allow a sniff. The same class of malware would also cause strange reactions when investigative tools like Sysinternals Process Monitor or Autoruns are launched.

Good Luck!

Eddi (2019-10-01 08:33:44 +0000)

I will run the event logs. I (strongly) doubt that it is some malware, but it could be an IDS (we're pretty locked down here) that is not happy with NPCAP. After I look at some of the logs as suggested, I will try to report back here.

"Film at 11"

herby (2019-10-02 19:39:51 +0000)

I have the same problem. Start Wireshark and Chrome and Edge lose connectivity. The only way to recover is a reboot. Firefox, for whatever reason, is not affected. However, I believe Firefox uses a different proxy method, so I don't know whether that is connected. Like the original submitter, we have a lot of anti-spying software here, so it could be connected, but it is irritating.

hammarbytp (2019-10-10 08:55:56 +0000)

On our system there seems to be a conflict with a program called Digital Guardian, which is installed to stop us stealing company secrets (Hah!). If we kill the npcap services

sc stop npcap
sc stop npf

it recovers.

hammarbytp (2019-10-10 11:01:10 +0000)
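An added example from the editor, not posted by anyone in this thread: a PowerShell script that combines Eddi's suggestion of checking the Application and System event logs with hammarbytp's workaround of stopping the npcap/npf driver services. The service names npcap and npf come from the thread; the parameter names and the event-log search keywords are assumptions.

```powershell
# Added example, not from the thread: inventory the Npcap/NPF capture driver
# services, list recent Application/System event-log entries that mention
# them (Eddi's suggestion), and optionally stop or start the drivers, which
# is the workaround hammarbytp describes. Run from an elevated PowerShell prompt.
param(
    [switch]$Stop,      # stop the drivers: same effect as `sc stop npcap` / `sc stop npf`
    [switch]$Start,     # start them again before the next capture session
    [int]$Hours = 24    # how far back to search the event logs
)

# Service names from the thread: Npcap, plus the legacy WinPcap NPF driver.
$driverNames = @('npcap', 'npf')

# 1. Driver state. Capture drivers are kernel services, so query
#    Win32_SystemDriver (Get-Service only lists Win32 services on PowerShell 5.1).
foreach ($name in $driverNames) {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
    if ($null -eq $drv) {
        "{0,-6} not installed" -f $name
    } else {
        "{0,-6} State={1,-8} StartMode={2,-7} {3}" -f $name, $drv.State, $drv.StartMode, $drv.PathName
    }
}

# 2. Recent Application/System events whose provider or message mentions the
#    drivers or Wireshark. Keywords are an assumption; widen them if nothing shows.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { ($_.ProviderName + ' ' + $_.Message) -match 'npcap|\bnpf\b|wireshark|dumpcap' } |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                  @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Stop or start the drivers on request. sc.exe talks to the Service Control
#    Manager and can stop/start kernel driver services; the .exe suffix matters
#    because plain `sc` is a PowerShell alias for Set-Content.
foreach ($name in $driverNames) {
    if ($Stop)  { "Stopping $name";  & sc.exe stop  $name }
    if ($Start) { "Starting $name";  & sc.exe start $name }
}
```

Run it with no switches first to see the driver state and any matching events; `-Stop` reproduces the thread's workaround and `-Start` restores capture before the next Wireshark session.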

I don't know whether this has anything to do with it https://github.com/nmap/nmap/issues/1529

hammarbytp (2019-10-11 07:26:17 +0000)