Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

asked 2018-10-15 23:12:39 +0000

JoM

updated 2018-10-16 05:26:20 +0000

Jaap

Hello,

I'm trying to work with Windows 8.1 with Wireshark 2.6.4 and Npcap 0.99-r7. I correctly obtain the list of interfaces with dumpcap via the command prompt, and I'm also able to capture some traffic on a specific interface with dumpcap, save it to .pcap files, and open them with Wireshark.

However, if I try to use the Wireshark GUI, no interfaces are found, and so I cannot start any capture. If I type wireshark -D or tshark -D in the command prompt, I get the message "There are no interfaces on which a capture can be done". But with dumpcap -D my interfaces appear correctly.

Please, if somebody can help me, it would be great. I have reinstalled both Npcap and Wireshark several times. By the way, I had a similar problem with older versions of Wireshark and WinPcap on this computer, which I was not able to fix (although I didn't previously try to see if dumpcap was working correctly until now).

Thank you in advance.


Comments

Please add a comment to your question with the contents of the Wireshark Help -> About Wireshark -> Wireshark tab (the text beginning with "Version", you can highlight it and copy and paste it).

grahamb ( 2018-10-16 10:55:47 +0000 )

Yes, this is the content:

Version 2.6.4 (v2.6.4-0-g29d48ec8) 

Copyright 1998-2018 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.9.5, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 

Running on 64-bit Windows 8.1, build 9600, with Intel(R) Core ...
JoM ( 2018-10-16 11:15:02 +0000 )

Odd that running dumpcap produces a list; both Wireshark and tshark run dumpcap themselves to access interfaces.

Do you have any AV or VPN software installed?

grahamb ( 2018-10-16 11:33:41 +0000 )

There were some recent changes made where interfaces were not loaded under certain conditions, such as if a capture file was loaded. It's possible a regression was introduced here. Can you temporarily revert to 2.6.3 to see if your interfaces are available? If so, then a Wireshark bug report should probably be filed for this against 2.6.4.

cmaynard ( 2018-10-16 15:07:02 +0000 )

@cmaynard

Those UI changes to not display interfaces were only in current master and should not be present in a 2.6.x build.

grahamb ( 2018-10-16 15:48:40 +0000 )

Right, good point.

cmaynard ( 2018-10-16 15:55:38 +0000 )

Does F5 (Refresh Interfaces) do anything? I suppose you could try running Wireshark as an Administrator to see if that helps. What does "Capture -> Options -> Manage Interfaces..." show, if anything?

cmaynard ( 2018-10-16 16:39:38 +0000 )

I have tried your suggestions: uninstalled the VPN client, deactivated the antivirus software, and installed the previous version 2.6.3, but it is still the same. This is the output in the command prompt:

C:\Program Files\Wireshark>dumpcap -D
1. \Device\NPF_{C78F5791-4CB1-44F7-9751-39BC723FDFEA} (Ethernet Loopback)
2. \Device\NPF_{7628A231-F2B4-4FA4-B59A-941834EFCDE9} (Conexión de área local* 1)
3. \Device\NPF_{D0A926B1-FEAE-41CF-B216-229FEF5D9B16} (Ethernet)
4. \Device\NPF_{F8D63B81-5E25-442F-BE8C-E0FC7DE91716} (Wi-Fi)
5. \Device\NPF_{924DF545-BBCE-4A8D-AEEB-A9823D102495} (VirtualBox Host-Only Network)
6. \Device\NPF_{2F15DEBB-3B82-4D81-B1D2-E1EE9AC196B0} (Npcap Loopback Adapter)

C:\Program Files\Wireshark>wireshark -D

C:\Program Files\Wireshark>

wireshark: There are no interfaces on which a capture can be done

Also, if I run Wireshark as Administrator, nothing seems to change, and the list of Capture->Options->Manage Interfaces is empty.

JoM ( 2018-10-16 21:53:40 +0000 )

Well, I've got some news... I'm able to launch Wireshark (as well as tshark) if I specify the interface with the NPF id on the command prompt, for example:

wireshark -i \Device\NPF_{F8D63B81-5E25-442F-BE8C-E0FC7DE91716}

opens the GUI with the Wi-Fi interface ready to capture, and it works!!

However, if I try to write the short name, in this case, Wi-Fi:

dumpcap -i Wi-Fi

also works properly, but both tshark and wireshark show an error opening the interface.

So, maybe the name translation of the interfaces is the origin of my problem? I don't know what the reason for this could be. By the way, at the moment I have changed to WinPcap instead of Npcap, although I suspect that this solution also works with Npcap. At least, I've finally got a method for using the Wireshark GUI.

JoM ( 2018-10-17 00:20:06 +0000 )
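
The workaround from the last comment, as an added example (not part of the original thread and not Wireshark's own code): it resolves a friendly interface name against a dumpcap -D listing and builds the wireshark -i command line with the full \Device\NPF_{...} path. The function names are hypothetical; the sample listing is the one posted above.

```python
import re

# `dumpcap -D` output as posted in the thread above (raw string keeps the backslashes).
DUMPCAP_D = r"""
1. \Device\NPF_{C78F5791-4CB1-44F7-9751-39BC723FDFEA} (Ethernet Loopback)
2. \Device\NPF_{7628A231-F2B4-4FA4-B59A-941834EFCDE9} (Conexión de área local* 1)
3. \Device\NPF_{D0A926B1-FEAE-41CF-B216-229FEF5D9B16} (Ethernet)
4. \Device\NPF_{F8D63B81-5E25-442F-BE8C-E0FC7DE91716} (Wi-Fi)
5. \Device\NPF_{924DF545-BBCE-4A8D-AEEB-A9823D102495} (VirtualBox Host-Only Network)
6. \Device\NPF_{2F15DEBB-3B82-4D81-B1D2-E1EE9AC196B0} (Npcap Loopback Adapter)
"""

# "<index>. <device> (<friendly name>)"; the friendly name is optional and may
# contain spaces, '*' or parentheses, so the match runs to the last ')'.
ENTRY = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_dumpcap_list(text):
    """Return [(index, device, friendly_name)] parsed from `dumpcap -D` text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return entries


def resolve(text, wanted):
    """Map a list index, device path or friendly name to the device path."""
    hits = [dev for idx, dev, name in parse_dumpcap_list(text)
            if wanted in (str(idx), dev) or wanted.casefold() == name.casefold()]
    if len(hits) != 1:
        raise LookupError(f"{wanted!r} matched {len(hits)} interfaces")
    return hits[0]


def capture_argv(text, wanted, tool="wireshark"):
    """Build the argument list that always passes the full device path to -i."""
    return [tool, "-i", resolve(text, wanted)]


if __name__ == "__main__":
    print(" ".join(capture_argv(DUMPCAP_D, "Wi-Fi")))
```

In real use, pass the text captured from dumpcap -D on the affected machine instead of the embedded listing.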