At what stage does Wireshark check which capture library (npf) is installed?

asked Mar 19 '18

sindy

The thing is that I've uninstalled WinPcap and installed npcap in native (as in "not WinPcap-compatible") mode after installing Wireshark, and Wireshark works with it but continues to declare in the help that it uses WinPcap. So does Wireshark only check the library used once during installation, or during the very first start after installation, or not at all?


Comments

Wireshark checks at start-up and is probably using npcap, just the reporting is less than helpful.

Please post the contents of your About Wireshark dialog (you can highlight the text and copy it).

grahamb ( Mar 19 '18 )

Version 2.4.5 (v2.4.5-0-g153e867ef1)

Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.3, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 16299, with        Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141 ...
sindy ( Mar 19 '18 )

1 Answer


answered Mar 19 '18

grahamb

The line (packet.dll version 0.99-r2) tells me that it's using npcap. Please raise an issue (if there isn't one already) on the Wireshark Bugzilla to get the surrounding text fixed up.


Comments

Bug 14543 filed.

sindy ( Mar 19 '18 )

...and the outcome is that if WinPcap had ever been installed on the machine before npcap was installed, it is not enough to uninstall WinPcap; it is also necessary to manually remove some files which the WinPcap uninstaller doesn't remove, as npcap doesn't rewrite these files and uses them instead of its own ones, or something similarly crazy. Maybe it is because the files are actually the same ones and so npcap unintentionally "switches" itself to WinPcap-compatible mode because use of those files is how the WinPcap-compatible mode is actually implemented? Regardless of the background, if the remainders of the WinPcap installation are not removed, not only is the indication of the used capture library broken in Wireshark, but Wireshark also does not use npcap's additional features such as monitoring mode of wireless interfaces.

sindy ( Mar 20 '18 )

Stats

Asked: Mar 19 '18

Seen: 6,348 times

Last updated: Mar 19 '18