# Can I skip "Finding Local Interfaces"?

Hi...

When I launch Wireshark, it takes ~30 seconds to initialize. Of this initialization time, the display indicates that about 25 seconds is spent "Finding Local Interfaces".

I use Wireshark virtually every day (I'm lucky that way!), and 99% of the time I am reading in an existing .pcap file. I almost never use Wireshark to capture the packets.

Is there a way for me to launch Wireshark in "No Capture" mode, so it does not bother looking for local interfaces?

(Always trying to be more efficient :-))

Thx...

feenyman99

edit retag close merge delete

Sort by » oldest newest most voted

What I do currently (on WIndows) is to stop / disable the autostart capture service. For that you need to run a elevated (administrative) command prompt and enter

sc config npf start=demand             (if using WinPCAP)

sc config npcap start=demand           (if using npcap)


That prevents the capture driver to load on start. If I need to capture I open the elevated command prompt again and run

sc start npcap


which runs the npcap capture service until the next reboot, or until I stop it again using

sc stop npcap


If you use WinPCAP you need to replace "npcap" with "npf" in both commands.

more

And for those with a more modern view, the PowerShell equivalents (also requiring an elevated prompt) are:

Set-Service npcap -StartupType Manual


and to start\stop the service

Start-Service npcap
Stop-Service npcap


again swapping "npcap" with "npf" for WinPcap.

( 2019-01-24 15:50:47 +0000 )edit

Thanks @grahamb - I guess I'm on the "Old School" track :-)

( 2019-01-24 15:55:53 +0000 )edit
1

There's hope for you yet @Jasper!

( 2019-01-24 15:59:59 +0000 )edit

Note that, as per bug 15126, there are two parts to "Finding local interfaces" - there's finding the interfaces that libpcap/WinPcap/Npcap knows about and there's finding the extcap interfaces. The "It's really slow" part tends to be the extcap part; disabling the driver for WinPcap/Npcap on Windows only eliminates the "finding the interfaces that libpcap/WinPcap/Npcap knows about" part, so if disabling the driver doesn't speed things up significantly, the problem is with extcap.

( 2019-01-24 18:14:59 +0000 )edit

In my case I wonder why, but extcap doesn't seem to be the problem - especially my tower PC starts Wireshark in fractions of a second compared to multiple seconds after I disable npcap

( 2019-01-24 19:29:56 +0000 )edit

so... I did as suggested...

C:\windows\system32>sc config npf start= demand

[SC] ChangeServiceConfig SUCCESS

... but there was no big payoff :-(. It still takes ~30 seconds to load. Guy Harris' comment indicates that the problem is with extcap, yeah?. Is there a remedy for that problem?

Thx everyone for the "active engagement" on this question! There's no better forum on the planet!!

feenyman99

( 2019-01-24 21:28:56 +0000 )edit
1

Your problem might be with extcap. Jasper's problem is with *pcap.

As this is Windows, Wireshark is probably installed in C:\Program Files\Wireshark. If so, see if there's a directory C:\Program Files\Wireshark\extcap, with files such as android dump.exe in it. If so, rename that directory to, for example, C:\Program Files\Wireshark\NOTextcap, and see if that speeds up loading.

( 2019-01-24 21:45:28 +0000 )edit

As it turns out, C:\Program Files\Wireshark\extcap exists, but is EMPTY. There's no sense renaming it, right?

( 2019-01-24 22:56:55 +0000 )edit

As it turns out, C:\Program Files\Wireshark\extcap exists, but is EMPTY.

You probably didn't install the extcap programs; that might be an option at install time.

There's no sense renaming it, right?

Probably, as all Wireshark would do is scan the directory, find nothing, and run nothing. Renaming it would test whether that presumably-quick operation isn't, in fact, quick, though.

Also, you might try uninstalling WinPcap or Npcap, to see whether there's a delay due to loading and starting WinPcap/Npcap up.

( 2019-01-25 00:03:26 +0000 )edit

Breaking News! I just launched Wireshark after my laptop was rebooted, and the launch time has shrunk significantly. From 30 to 9 seconds. Is it plausible that my ChangeService action did not take real effect until the reboot. In any event, thinks look MUCH better. Let me know if I should submit this info as an ANSWER to this topic. Thanx all.

( 2019-01-25 14:32:53 +0000 )edit

Oh, right, I forgot to mention that my commands only affect the service on startup. To shut it down immediately you'd need to use

sc stop npcap


Sorry. I think if you are more or less happy with the way it works you can simply accept this answer plus the comments, so people can find it when they have the same problem.

( 2019-01-25 14:38:08 +0000 )edit

See bug 15126 that details this issue. An associated change was committed and is available in the nightly builds and will be in the forthcoming 3.0 release.

more