0

Wireshark no longer displays packets as they are being captured, and "Packets <n>" in footer remains 0

asked 2022-02-19 11:04:56 +0000

martinu

updated 2022-02-19 11:08:08 +0000

I'm running Windows 7 Home Premium, Wireshark 3.6.2 and NPCap 1.55. I used to be able to capture traffic on my Ethernet adaptor, but recently (having made no change that I know of other than updating from 3.6.1 to 3.6.2) Wireshark no longer displays the one-line summary of packets as it is capturing, and the "Packets <n>" counter in the status bar at the bottom of the window remains at zero.

I have confirmed that a .pcapng file is created in c:\users\<username>\appdata\temp, which seems to be normal behaviour, comparing with a Win10 PC that runs Wireshark fine. If I stop capturing and open this file, it seems to display sensible traffic.

I have tried uninstalling Wireshark and then NPCap, deleting any remaining contents of c:\program files\wireshark, rebooting, and installing both NPCap and Wireshark from the Wireshark-win64-3.6.2.exe installation file, with NPCap using the default flags of

Restrict NPCap drivers access to Admins = unchecked
Support raw 802.11 traffic for wireless adapters = unchecked
Install NPcap in Winpcap API-compatible mode = unchecked

I have chosen not to install USBcap.

When I start to capture, Wireshark often displays "not responding" in the window title, and will not then respond to the red-square stop capture button or the X button in the top right of the window: I have to kill the process from Task Manager. Even though the window becomes unresponsive, the .pcapng file still captures packets until I kill off the process.

I've tried reinstalling 3.6.1, but that doesn't help. Something about the upgrade from 3.6.1 to 3.6.2 seems to have prevented me from even being able to solve the problem by rolling back to an earlier version.


1 Answer

0

answered 2022-02-19 11:18:11 +0000

grahamb

Maybe you have disabled updating the list of packets in real time? Have a look at Edit -> Preferences -> Capture -> "Update list of packets in real time"; this is normally checked.


Comments

No, it's not that. Good suggestion. But on Edit -> Preferences -> Capture I've got promiscuous, capture in pcapng, update list in real time, automatic scrolling checked, and don't load interfaces at startup and disable external interfaces unchecked.

The fact that the Wireshark window seems to go into "not responding" state soon after starting a capture suggests that something is not right with the app, even if the raw packet capture to a temporary file is working OK.

Is there anything else I should try, in order to remove all reference to a prior state before reinstalling from scratch?

martinu (2022-02-19 12:24:13 +0000)

Try eliminating (or moving to another place for safe keeping) all local profiles, you can locate the directory from the Help -> About Wireshark dialog on the Folders tab and the "Personal Configuration" item.

grahamb (2022-02-19 12:33:24 +0000)

I've tried that: I moved the <user>\appdata\roaming\wireshark folder to somewhere else and then restarted Wireshark. No difference.

I'm actually running Npcap 1.60. I'd forgotten that 1.55 gave me an error "Can't get list of interfaces: PacketGetAdapterNames: The system cannot find the path specified. (3)" which thread https://ask.wireshark.org/question/25... says is a known bug in 1.55 and recommends installing 1.60 over the top of 1.55 - which I did with "install in WinPcap API-compatible mode" unchecked (it was checked by default).

Here are two screenshots, one taken just before I start capturing (which shows that device "Local Area Network" is seeing traffic); and one just after starting capturing, showing the "not responding" status, the "0 packets" in the status bar and the presence of a new .pcapng file in <user>\appdata\local\temp.

https://i.postimg ...(more)

martinu (2022-02-19 13:26:35 +0000)

Wireshark starts a new process (dumpcap) to run the actual capture and then communicates with dumpcap via a pipe to receive the packets. This is what allows the capture to continue when the main application is blocked as in your case.

As I can't remember this being reported before and many other users are successfully using Wireshark, the likelihood is that there's something "odd" about your environment. Are you running any third-party anti-virus products?

grahamb (2022-02-19 17:16:00 +0000)
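The comment above describes the split between the GUI and dumpcap: dumpcap writes pcapng to a pipe and the front end reads blocks from it. The following script is an added example (not part of this thread and not Wireshark project code) that does the same thing in miniature, so a capture can be checked without the GUI: it walks pcapng blocks from any byte stream, counts packet blocks, reports whether the stream ended mid-block, and can optionally drive `dumpcap -w -` directly. It assumes `dumpcap` is on the PATH and that the interface name passed in is valid on the machine; the sample capture bytes are constructed inline.

```python
import io
import struct
import subprocess
import sys

# pcapng block types (from the pcapng specification)
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
PACKET_BLOCKS = {SPB, EPB}


def _read_exact(stream, n):
    """Read exactly n bytes; return b'' if the stream ends first (pipe closed early)."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def count_packets(stream):
    """Walk pcapng blocks from a byte stream (file or pipe) and count packet blocks.

    Returns {"packets", "blocks", "truncated"}; 'truncated' is True when the
    stream ended in the middle of a block, which is what an abruptly killed
    dumpcap leaves behind.
    """
    endian = "<"
    packets = blocks = 0
    truncated = False
    while True:
        hdr = _read_exact(stream, 8)
        if not hdr:
            break
        btype = struct.unpack(endian + "I", hdr[:4])[0]  # SHB type is a palindrome, safe either way
        if btype == SHB:
            # The byte-order magic that follows tells us how to read this section.
            magic = _read_exact(stream, 4)
            if not magic:
                truncated = True
                break
            if magic == b"\x4d\x3c\x2b\x1a":
                endian = "<"
            elif magic == b"\x1a\x2b\x3c\x4d":
                endian = ">"
            else:
                raise ValueError("bad pcapng byte-order magic")
            consumed = 12
        else:
            consumed = 8
        blen = struct.unpack(endian + "I", hdr[4:8])[0]
        if blen < 12 or blen % 4:
            raise ValueError("invalid block length %d" % blen)
        rest = _read_exact(stream, blen - consumed)
        if not rest:
            truncated = True
            break
        # Every block ends with a copy of its length; a mismatch means corruption.
        if struct.unpack(endian + "I", rest[-4:])[0] != blen:
            raise ValueError("trailing block length mismatch")
        blocks += 1
        if btype in PACKET_BLOCKS:
            packets += 1
    return {"packets": packets, "blocks": blocks, "truncated": truncated}


def _block(btype, body):
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_sample_capture(payloads):
    """Constructed minimal pcapng: one SHB, one Ethernet IDB, one EPB per payload."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))
    epbs = b""
    for i, data in enumerate(payloads):
        padded = data + b"\x00" * (-len(data) % 4)
        epbs += _block(EPB, struct.pack("<IIIII", 0, 0, i, len(data), len(data)) + padded)
    return shb + idb + epbs


def capture_with_dumpcap(interface, max_packets=10, dumpcap="dumpcap"):
    """Run dumpcap the way the GUI does (pcapng to a pipe) and count what arrives.

    Assumes 'dumpcap' is on the PATH; '-w -' sends the capture to stdout.
    """
    proc = subprocess.Popen(
        [dumpcap, "-i", interface, "-c", str(max_packets), "-w", "-"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    result = count_packets(proc.stdout)
    proc.wait()
    result["dumpcap_exit"] = proc.returncode
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(capture_with_dumpcap(sys.argv[1]))   # e.g. "dumpcap-check.py 1" or an interface name
    else:
        print(count_packets(io.BytesIO(build_sample_capture([b"\x01\x02\x03", b"\x04" * 8]))))
```

If the dumpcap run reports packets while the GUI stays at zero, the capture engine and the pipe are fine and the problem sits in the front end (or in something, such as an antivirus hook, interfering with it); if dumpcap itself produces nothing, the driver or interface is the place to look. The same function can be pointed at the temporary .pcapng file mentioned earlier in the thread to see whether it ends in a truncated block after the process was killed.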

I'm running Avast anti-virus, but that's been installed for ages. I suppose a recent update to the program or the virus definitions could be responsible.

Is there any debug tracing that I can run to show details of the starting of dumpcap and the attempt at the GUI front end trying to do inter-process pipe comms with dumpcap? The fact that the wireshark process goes into "not responding" state suggests that it is waiting for a response from dumpcap which it never sees. I've no idea what caused the problem to start or when it happened. It may or may not relate to a recent update: I tend to update from one version to another as I see it is available, without necessarily doing a test capture after each update.

I did try to take my PC back to the earliest system restore point (which may or ...(more)

martinu (2022-02-19 17:57:28 +0000)
