Ask Your Question
0

Can Wireshark 3.x run with WinPCap 4.1.3?

asked 2019-11-04 18:09:38 +0000

npcap in its various versions has been causing trouble for me under Windows 10 ever since I first installed it about six months ago. I realize that Wireshark 3.x would prefer to use npcap, but if I have a WinPCap 4.1.3 installation and I do not install npcap during my Wireshark 3.x installation, will Wireshark 3.x run anyway using my WinPCap?

edit retag flag offensive close merge delete

Comments

npcap in its various versions has been causing trouble for me under Windows 10 ever since I first installed it about six months ago.

If you haven't reported the issues to the Npcap developers at the Nmap issue tracker (yes, Nmap, not Npcap, at least for now), please do so.

Guy Harris gravatar imageGuy Harris ( 2019-11-04 19:32:27 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-11-05 11:17:46 +0000

grahamb gravatar image

The answer from @bubbasnmp is almost correct but you need to look at the "Running on ..." section of the output rather than the "Compiled with ..." section to see what Wireshark has found and is using.

With npcap installed I get the following (I have emphasised the important part):

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9.

Running on 64-bit Windows 10 (1903), build 18362, with Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (with SSE4.2), with 16225 MB of physical memory, with locale English_United Kingdom.1252, with Npcap version 0.9983, based on libpcap version 1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, binary plugins supported (0 loaded).

With WinPcap installed I get the following:

Compiled (64-bit) with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9.

Running on 64-bit Windows 10 (1903), build 18362, with Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (with SSE4.2), with 16225 MB of physical memory, with locale English_United Kingdom.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, binary plugins supported (0 loaded).

Wireshark 3.x and later will first check for npcap and if found use that. If it doesn't find npcap then it will fall back to WinPcap. This only affects which user space DLL Wireshark loads, there is no change in functionality as currently Wireshark is compiled with the WinPcap SDK so can only use the API originally exposed by WinPcap that is also supported by npcap. This is why the "Compiled with ... " section does not change regardless of which capture driver is used.

Note that if you install npcap in WinPcap mode then Wireshark will correctly report (by querying the driver) that npcap is being used, i.e. the output of -v will be identical to the first item I've shown above.

edit flag offensive delete link more
0

answered 2019-11-04 18:37:03 +0000

bubbasnmp gravatar image

Yes.
- verify that output from "wireshark -v" or "dumpcap -v" includes "with WinPcap SDK (WpdPack) 4.1.2"
(the version string 4.1.2 is hard coded and doesn't relate to the WinPcap version displayed farther down)
- use the latest version 4.1.3 of WinPcap. There are bugs reported for 4.1.2 in some of the code comments.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-11-04 18:09:38 +0000

Seen: 37 times

Last updated: Nov 05