0

Why does the Portable version of Wireshark show only these odd interfaces?

asked 2023-06-15 09:29:20 +0000

thany

updated 2023-06-15 20:41:43 +0000

Guy Harris

I just downloaded the portable version of the program. What's with these interfaces? They are oddly specific.

I just want to capture everything coming in on localhost - which interface should I pick??

(also uploading an image on this forum is broken - I'd love to show what I'm seeing but I guess you should be able to see it as well if you just download and start the portable version).


Comments

As an anti-spam measure we have to limit what new users can post. You can share a link to your image hosted elsewhere though.

You should also post the contents of the Help -> About Wireshark -> Wireshark dialog using the "Copy to Clipboard" button.

grahamb ( 2023-06-15 09:41:30 +0000 )

It is (or really should be) the same for everyone downloading the portable version:

Version 4.0.6 (v4.0.6-0-gac2f5a01286a).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with
Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with 12th Gen Intel(R)
Core(TM) i9-12900H (with SSE4.2), with 32439 MB of physical memory, with GLib
2.72 ...
thany ( 2023-06-15 16:12:03 +0000 )

Btw, in the meantime I was able to capture what I needed using RawCap. So it should definitely be possible what I'm trying to achieve.

Perhaps Wireshark isn't quite what I remember it to be from years ago. Like, capturing network traffic from a given physical/logical interface. I guess it can't do that anymore for some reason. RawCap can though, so my immediate problem is gone. Not sure if this is still a bug or missing feature in Wireshark.

Seems like core functionality really, but I'm no expert.

thany ( 2023-06-15 16:18:28 +0000 )

2 Answers

0

answered 2023-06-15 20:17:08 +0000

Guy Harris

updated 2023-06-15 20:43:07 +0000

> Perhaps Wireshark isn't quite what I remember it to be from years ago. Like, capturing network traffic from a given physical/logical interface. I guess it can't do that anymore for some reason. RawCap can though, so my immediate problem is gone. Not sure if this is still a bug or missing feature in Wireshark. Seems like core functionality really, but I'm no expert.

You may remember using something other than a "portable" version of Wireshark from years ago (or you may remember it from running it on a UN*X, rather than on Windows).

"Portable" apps are fine for programs that don't require adding kernel-level drivers; unfortunately, on Windows, packet capture in Wireshark requires adding Npcap, which requires a kernel-level driver. This means that if you want to capture traffic, you shouldn't use the "portable" version, you should install the regular version, and, when the installer asks you whether you want to install Npcap, tell it to install Npcap.

So this is a feature missing from "portable" Wireshark, which is, unfortunately, the result of 1) Windows not providing an adequate supported-by-libpcap capture mechanism by default (unlike UN*Xes) and 2) "portable" applications not being able to install kernel drivers. Yes, packet capture is core functionality, which is why "portable" Wireshark is problematic.

If you want to use the "portable" version, try downloading and installing Npcap on your machine before using the "portable" Wireshark.


Comments

To be pedantic there is built-in native capture on Windows via ETW but it's a PITA to use. There is an extcap (ETWDump) that will load ETW files and several external projects attempting to directly add ETW support.

grahamb ( 2023-06-16 09:26:29 +0000 )

"Directly" as in "with a libpcap module", so that any program using libpcap can capture using ETW?

Guy Harris ( 2023-06-16 21:04:30 +0000 )

Apparently, for example see https://github.com/airbus-cert/Winshark

grahamb ( 2023-06-18 11:22:21 +0000 )
0

answered 2023-06-15 18:07:03 +0000

Jaap

"Running on 64-bit Windows 10 (22H2), .... without Npcap or WinPcap". So you have no capture engine installed, therefore cannot capture from your network interface using Wireshark. What is left is the collection of extcap interfaces, which enable capture from non-network interfaces.

Of course you can use RawCap instead. The difference is that your captured packets start at the IPv4 layer, rather than the Ethernet layer.

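The layer difference described in the answer above shows up in the link-type field of the capture file header. The following is an added example, not part of the original thread: it reads a classic pcap file and locates the IPv4 header at the right offset for either kind of capture. It assumes an IP-layer capture is written with LINKTYPE_RAW (101); the function names and the sample packets are constructed for illustration, and VLAN-tagged Ethernet frames are not handled.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1   # each frame starts with a 14-byte Ethernet header
LINKTYPE_RAW = 101      # each frame starts directly at the IP header
L2_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_RAW: 0}
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond


def ip_endpoints(pcap: bytes):
    """Return (linktype, [(src, dst), ...]) for IPv4 packets in a classic pcap."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[pcap[:4]]
    # The link type is the low 16 bits of the last global-header field.
    linktype = struct.unpack(endian + "I", pcap[20:24])[0] & 0xFFFF
    if linktype not in L2_LEN:
        raise ValueError(f"unhandled link type {linktype}")
    l2_len, out, pos = L2_LEN[linktype], [], 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if l2_len and frame[12:14] != b"\x08\x00":
            continue                      # Ethernet frame not carrying IPv4
        ip = frame[l2_len:]
        if len(ip) >= 20 and ip[0] >> 4 == 4:
            out.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])))
    return linktype, out


def _pcap(linktype: int, frame: bytes) -> bytes:
    """Build a one-packet little-endian pcap file (constructed test input)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed sample: a bare IPv4 header, 127.0.0.1 -> 127.0.0.1, checksum zero.
IPV4 = bytes.fromhex("4500001400004000400600007f0000017f000001")
ETH = bytes(6) + bytes(6) + b"\x08\x00"          # zeroed MACs, EtherType IPv4
RAW_CAPTURE = _pcap(LINKTYPE_RAW, IPV4)
ETH_CAPTURE = _pcap(LINKTYPE_ETHERNET, ETH + IPV4)

if __name__ == "__main__":
    for name, data in (("raw", RAW_CAPTURE), ("ethernet", ETH_CAPTURE)):
        print(name, ip_endpoints(data))
```
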


Stats

Asked: 2023-06-15 09:29:20 +0000

Seen: 3,426 times

Last updated: Jun 15 '23