At what stage does Wireshark check which capture library (npf) is installed?

asked 2018-03-19 14:53:06 +0000

sindy

The thing is that I've uninstalled WinPcap and installed npcap in native (as in "not WinPcap-compatible") mode after installing Wireshark, and Wireshark works with it but continues to declare in the help that it uses WinPcap. So does Wireshark only check the library used once during installation, or during the very first start after installation, or not at all?

Wireshark checks at start-up and is probably using npcap, just the reporting is less than helpful.

Please post the contents of your About Wireshark dialog (you can highlight the text and copy it).

grahamb ( 2018-03-19 15:18:45 +0000 )

Version 2.4.5 (v2.4.5-0-g153e867ef1)

Copyright 1998-2018 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <>
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.6.3, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 16299, with        Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141 ...
sindy ( 2018-03-19 15:39:49 +0000 )

answered 2018-03-19 16:13:59 +0000

grahamb

The line (packet.dll version 0.99-r2) tells me that it's using npcap. Please raise an issue (if there isn't one already) on the Wireshark Bugzilla to get the surrounding text fixed up.

Bug 14543 filed.

sindy ( 2018-03-19 19:11:47 +0000 )

...and the outcome is that if WinPcap had ever been installed on the machine before npcap was installed, it is not enough to uninstall WinPcap, but it is necessary to manually remove some files which the WinPcap uninstaller doesn't remove, as npcap doesn't rewrite these files and uses them instead of its own ones, or something similarly crazy. Maybe it is because the files are actually the same ones and so npcap unintentionally "switches" itself to WinPcap-compatible mode because use of those files is how the WinPcap-compatible mode is actually implemented? Regardless of the background, if the remainders of the WinPcap installation are not removed, not only is the indication of the capture library used broken in Wireshark, but Wireshark also does not use npcap's additional features such as monitoring mode of wireless interfaces.

sindy ( 2018-03-20 12:08:48 +0000 )

