First time here? Check out the FAQ!

Ask Your Question
0

At what stage does Wireshark check which capture library (npf) is installed?
 
  
 
  
 
 
 
 
 
 
    
        
        asked Mar 19 '18  
 
 sindy gravatar image  
 
 
 
 
 
The thing is that I've uninstalled WinPcap and installed npcap in native (as in "not WinPcap-compatible") mode after installing Wireshark, and Wireshark works with it but continues to declare in the help that it uses WinPcap. So does Wireshark only check the library used once during installation, or during the very first start after installation, or not at all?
 
Preview: (hide)
 
 
 
 
          
 
Comments
Wireshark checks at start-up and is probably using npcap, just the reporting is less than helpful.
Please post the contents of your About Wireshark dialog (you can highlight the text and copy it).
grahamb gravatar imagegrahamb (
    
        Mar 19 '18
    )
Version 2.4.5 (v2.4.5-0-g153e867ef1)
Copyright 1998-2018 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.3, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 16299, with        Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141 ...
(more)
sindy gravatar imagesindy (
    
        Mar 19 '18
    )
add a comment
 
 
 
 
 
 1 Answer
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Mar 19 '18  
 
 grahamb gravatar image  
 
 
 
 
 
The line (packet.dll version 0.99-r2) tells me that it's using npcap.  Please raise an issue (if there isn't one already) on the Wireshark  Bugzilla to get the surrounding text fixed up.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Bug 14543 filed.
sindy gravatar imagesindy (
    
        Mar 19 '18
    )
...and the outcome is that if WinPcap had ever been installed on the machine before npcap has been installed, it is not enough to uninstall WinPcap but it is necessary to manually remove some files which the WinPcap uninstaller doesn't remove, as npcap doesn't rewrite these files and uses them instead of its own ones, or something similarly crazy. Maybe it is because the files are actually the same ones and so npcap unintentionally "switches" itself to WinPcap-compatible mode because use of those files is how the WinPcap-compatible mode is actually implemented? Regardless the background, if the remainders of WinPcap installation are not removed, not only the indication of used capture library is broken in Wireshark, but Wireshark also does not use npcap's additional features such as monitoring mode of wireless interfaces.
sindy gravatar imagesindy (
    
        Mar 20 '18
    )
add a comment
 
 
 
 
  
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 

        
        
            1 follower
        
    
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Mar 19 '18  
 
 
        Seen: 6,348 times 
 

        Last updated: Mar 19 '18 
 
 
 
Related questions
 
 
 when I open WS it does not show any interfaces, why? 
 
 Is WinPcap still being developed? 
 
 NPCAP 0.995 gives duplicate packets 
 
 Can Wireshark 3.x run with WinPCap 4.1.3? 
 
 Can we freely distribute customized wireshark windows installer with npcap? 
 
 WireShark just does not see my Wintun Userspace Tunnel vpn interface 
 
 No wireless interfaces appearing - Win 11 [closed] 
 
 How do I fix "WinPcap will not install" problem? 
 
 silent uninstall of WinPcap 
 
 "No interfaces found" on Windows 10 laptop