Ask Your Question
1

Can I skip "Finding Local Interfaces"?

asked 2019-01-23 22:29:33 +0000

feenyman99 gravatar image

Hi...

When I launch Wireshark, it takes ~30 seconds to initialize. Of this initialization time, the display indicates that about 25 seconds is spent "Finding Local Interfaces".

I use Wireshark virtually every day (I'm lucky that way!), and 99% of the time I am reading in an existing .pcap file. I almost never use Wireshark to capture the packets.

Is there a way for me to launch Wireshark in "No Capture" mode, so it does not bother looking for local interfaces?

(Always trying to be more efficient :-))

Thx...

feenyman99

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by » oldest newest most voted
0

answered 2019-01-24 15:41:17 +0000

Jasper gravatar image

What I do currently (on WIndows) is to stop / disable the autostart capture service. For that you need to run a elevated (administrative) command prompt and enter

sc config npf start=demand             (if using WinPCAP)

sc config npcap start=demand           (if using npcap)

That prevents the capture driver to load on start. If I need to capture I open the elevated command prompt again and run 

sc start npcap

which runs the npcap capture service until the next reboot, or until I stop it again using

sc stop npcap

If you use WinPCAP you need to replace "npcap" with "npf" in both commands.

edit flag offensive delete link more

Comments

And for those with a more modern view, the PowerShell equivalents (also requiring an elevated prompt) are:

Set-Service npcap -StartupType Manual

and to start\stop the service

Start-Service npcap
Stop-Service npcap

again swapping "npcap" with "npf" for WinPcap.

grahamb gravatar imagegrahamb ( 2019-01-24 15:50:47 +0000 )edit

Thanks @grahamb - I guess I'm on the "Old School" track :-)

Jasper gravatar imageJasper ( 2019-01-24 15:55:53 +0000 )edit
1

There's hope for you yet @Jasper!

grahamb gravatar imagegrahamb ( 2019-01-24 15:59:59 +0000 )edit

Note that, as per bug 15126, there are two parts to "Finding local interfaces" - there's finding the interfaces that libpcap/WinPcap/Npcap knows about and there's finding the extcap interfaces. The "It's really slow" part tends to be the extcap part; disabling the driver for WinPcap/Npcap on Windows only eliminates the "finding the interfaces that libpcap/WinPcap/Npcap knows about" part, so if disabling the driver doesn't speed things up significantly, the problem is with extcap.

Guy Harris gravatar imageGuy Harris ( 2019-01-24 18:14:59 +0000 )edit

In my case I wonder why, but extcap doesn't seem to be the problem - especially my tower PC starts Wireshark in fractions of a second compared to multiple seconds after I disable npcap

Jasper gravatar imageJasper ( 2019-01-24 19:29:56 +0000 )edit

so... I did as suggested...

C:\windows\system32>sc config npf start= demand

[SC] ChangeServiceConfig SUCCESS

... but there was no big payoff :-(. It still takes ~30 seconds to load. Guy Harris' comment indicates that the problem is with extcap, yeah?. Is there a remedy for that problem?

Thx everyone for the "active engagement" on this question! There's no better forum on the planet!!

feenyman99

feenyman99 gravatar imagefeenyman99 ( 2019-01-24 21:28:56 +0000 )edit
1

Your problem might be with extcap. Jasper's problem is with *pcap.

As this is Windows, Wireshark is probably installed in C:\Program Files\Wireshark. If so, see if there's a directory C:\Program Files\Wireshark\extcap, with files such as android dump.exe in it. If so, rename that directory to, for example, C:\Program Files\Wireshark\NOTextcap, and see if that speeds up loading.

Guy Harris gravatar imageGuy Harris ( 2019-01-24 21:45:28 +0000 )edit

As it turns out, C:\Program Files\Wireshark\extcap exists, but is EMPTY. There's no sense renaming it, right?

feenyman99 gravatar imagefeenyman99 ( 2019-01-24 22:56:55 +0000 )edit

As it turns out, C:\Program Files\Wireshark\extcap exists, but is EMPTY.

You probably didn't install the extcap programs; that might be an option at install time.

There's no sense renaming it, right?

Probably, as all Wireshark would do is scan the directory, find nothing, and run nothing. Renaming it would test whether that presumably-quick operation isn't, in fact, quick, though.

Also, you might try uninstalling WinPcap or Npcap, to see whether there's a delay due to loading and starting WinPcap/Npcap up.

Guy Harris gravatar imageGuy Harris ( 2019-01-25 00:03:26 +0000 )edit
see more comments
0

answered 2019-01-23 22:46:07 +0000

grahamb gravatar image

See bug 15126 that details this issue. An associated change was committed and is available in the nightly builds and will be in the forthcoming 3.0 release.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-01-23 22:29:33 +0000

Seen: 3,337 times

Last updated: Jan 24 '19

Related questions

Operation not permitted on Mac when Wireshark downloaded with SigmaOS browser

Wireshark not launching in a headless VNC Server on Alma 9.2

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2