Ask Your Question
0

At what stage does Wireshark check which capture library (npf) is installed?

asked 2018-03-19 14:53:06 +0000

sindy gravatar image

The thing is that I've uninstalled WinPcap and installed npcap in native (as in "not WinPcap-compatible") mode after installing Wireshark, and Wireshark works with it but continues to declare in the help that it uses WinPcap. So does Wireshark only check the library used once during installation, or during the very first start after installation, or not at all?

edit retag flag offensive close merge delete

Comments

Wireshark checks at start-up and is probably using npcap, just the reporting is less than helpful.

Please post the contents of your About Wireshark dialog (you can highlight the text and copy it).

grahamb gravatar imagegrahamb ( 2018-03-19 15:18:45 +0000 )edit

Version 2.4.5 (v2.4.5-0-g153e867ef1)

Copyright 1998-2018 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.3, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 16299, with        Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141 ...
(more)
sindy gravatar imagesindy ( 2018-03-19 15:39:49 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-03-19 16:13:59 +0000

grahamb gravatar image

The line (packet.dll version 0.99-r2) tells me that it's using npcap. Please raise an issue (if there isn't one already) on the Wireshark Bugzilla to get the surrounding text fixed up.

edit flag offensive delete link more

Comments

Bug 14543 filed.

sindy gravatar imagesindy ( 2018-03-19 19:11:47 +0000 )edit

...and the outcome is that if WinPcap had ever been installed on the machine before npcap has been installed, it is not enough to uninstall WinPcap but it is necessary to manually remove some files which the WinPcap uninstaller doesn't remove, as npcap doesn't rewrite these files and uses them instead of its own ones, or something similarly crazy. Maybe it is because the files are actually the same ones and so npcap unintentionally "switches" itself to WinPcap-compatible mode because use of those files is how the WinPcap-compatible mode is actually implemented? Regardless the background, if the remainders of WinPcap installation are not removed, not only the indication of used capture library is broken in Wireshark, but Wireshark also does not use npcap's additional features such as monitoring mode of wireless interfaces.

sindy gravatar imagesindy ( 2018-03-20 12:08:48 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-03-19 14:53:06 +0000

Seen: 6,363 times

Last updated: Mar 19 '18

Related questions

when I open WS it does not show any interfaces, why?

Is WinPcap still being developed?

NPCAP 0.995 gives duplicate packets

Can Wireshark 3.x run with WinPCap 4.1.3?

Can we freely distribute customized wireshark windows installer with npcap?

WireShark just does not see my Wintun Userspace Tunnel vpn interface

No wireless interfaces appearing - Win 11 [closed]

How do I fix "WinPcap will not install" problem?

silent uninstall of WinPcap

"No interfaces found" on Windows 10 laptop