Ask Your Question
0

After upgrade to 3.0.0 & install Npcap, no traffic seen

asked 2019-03-20 22:57:42 +0000

feenyman99 gravatar image

updated 2019-03-21 02:25:37 +0000

Guy Harris gravatar image

So... Last night I downloaded and installed Wireshark 3.0.0, as well as Npcap. Afterwards, I found I could not capture any packets. Here is what I see...

When I launch Wireshark, under the "Capture" heading in the middle of the page, it displays 13 interfaces...

  • Npcap Loopback Adapter
  • 5 Local Area Connections
  • 6 USBPcap interfaces
  • 1 Microsoft: Wi-Fi interface

* The only one that shows traffic is the Npcap Loopback Adapter. *

I am logging in as the Administrator. Below is the output of Help -> About Wireshark -> Wireshark tab.

Version 3.0.0 (v3.0.0-0-g937e33de)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729.

Running on 64-bit Windows 10 (1803), build 17134, with AMD A6-5350M APU with Radeon(tm) HD Graphics (with SSE4.2), with 15512 MB of physical memory, with locale English_United States.1252, with Npcap version 0.99-r9, based on libpcap version 1.8.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded).

Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835).

Where did I go wrong?

feenyman99

edit retag flag offensive close merge delete

Comments

Likely to be an issue with npcap. Did you have WinPcap installed previously? My advice is to manually uninstall any WinPcap install and npcap, then re-install npcap (available from the nmap website).

grahamb gravatar imagegrahamb ( 2019-03-21 09:08:23 +0000 )edit

OK, after grahamb's comment, here is what I have done (to no avail)…

  • Uninstalled Npcap, WinPcap and Wireshark
  • Reinstalled Wireshark 3.0.0, selecting Npcap during the install

Wireshark still only shows traffic on Npcap Loopback Adapter.

I also noticed the following "disagreement"...

Wireshark shows the following network interfaces:

- Npcap Loopback Adapter
- Local Area Connection* 10
- Microsoft: Wi-Fi- Local Area Connection* 10
- Local Area Connection* 4
- Local Area Connection* 14
- Local Area Connection* 3
- Local Area Connection* 15

But "ipconfig" shows these interfaces:

- Ethernet Adapter Ethernet
- Ethernet adapter Npcap Loopback Adapter
- Wireless LAN adapter Local Area Connection* 3
- Wireless LAN adapter Local Area Connection* 4
- Wireless LAN adapter Wi-Fi

Again, only the Npcap adapter shows any traffic, and that shows very little. In the meantime, I browsed to youtube and played some videos, thus generating lots of network packets, but none were seen by Npcap, nor any other interface ...(more)

feenyman99 gravatar imagefeenyman99 ( 2019-03-25 14:50:15 +0000 )edit

I find the PowerShell Get-NetAdapter command to be more useful than the legacy ipconfig. You can compare the output with that of tshark (which is what Wireshark shows) using a PowerShell prompt as follows:

> Get-NetAdapter -IncludeHidden  | Select-Object -Property InterfaceGUID, Name, InterfaceDescription

InterfaceGUID                          Name                                  InterfaceDescription
-------------                          ----                                  --------------------
{F8F74B1E-0890-4D76-AADA-982306C78C53} Local Area Connection* 7              WAN Miniport (PPPOE)
{E60ABD87-2A88-4335-BF18-FFDD21902102} Local Area Connection* 1              WAN Miniport (SSTP)
{D6CADB47-A7B6-4480-965F-EE9D92BF5A6F} Local Area Connection* 8              WAN Miniport (IP)
{CA63AA4C-13BE-4D16-B990-0841E3E9FA2D} Local Area Connection* 3              Microsoft Wi-Fi Direct Virtual Adapter #2
{B1DD9FC5-6EF9-4A52-8833-341EE74B7976} Local Area Connection* 4              WAN Miniport (IKEv2)
{9FDD9185-5F73-4432-B453-65BED8286AD2} Local Area Connection* 6              WAN Miniport (PPTP)
{93123211-9629-4E04-82F0-EA2E4F221468} Teredo Tunneling Pseudo-Interface
{8A47E7AA-FDE0-422A-BFF1-6E6F5FD42AFE} Ethernet (Kernel Debugger)            Microsoft Kernel Debug Network Adapter
{894856F1-C535-4D73-95CD-5A9B93DB0DF5} Npcap Loopback Adapter                Npcap Loopback Adapter
{83340A48-C0F5-4A06-9C0F-A4D8620B718D} Local Area Connection* 10             WAN Miniport (Network Monitor)
{7FDBE438-E7D0-4065-895E-C68E161EAA3D} Local Area Connection* 9              WAN Miniport (IPv6)
{7E2C477F-AB52-4741-AEC1-37770031215C} Ethernet 2                            Npcap Loopback Adapter
{540FFAB3-AB6C-4491-983E-621D6711D5E3} Local Area Connection* 5              WAN Miniport (L2TP)
{2EE2C70C-A092-4D88-A654-98C8D7645CD5} Microsoft IP-HTTPS ...
(more)
grahamb gravatar imagegrahamb ( 2019-03-25 15:42:05 +0000 )edit

And tshark:

> tshark -D
1. \Device\NPF_{7E2C477F-AB52-4741-AEC1-37770031215C} (Ethernet 2)
3. \Device\NPF_{83340A48-C0F5-4A06-9C0F-A4D8620B718D} (Local Area Connection* 10)
4. \Device\NPF_{7FDBE438-E7D0-4065-895E-C68E161EAA3D} (Local Area Connection* 9)
5. \Device\NPF_{D6CADB47-A7B6-4480-965F-EE9D92BF5A6F} (Local Area Connection* 8)
6. \Device\NPF_{CA63AA4C-13BE-4D16-B990-0841E3E9FA2D} (Local Area Connection* 3)
7. \Device\NPF_{03CF0490-78EA-460A-B360-64B84794CBEB} (Bluetooth Network Connection)
8. \Device\NPF_{894856F1-C535-4D73-95CD-5A9B93DB0DF5} (Npcap Loopback Adapter)
9. \Device\NPF_{1D39112E-A6B5-4E55-9ECD-1A4F8F7D7FC9} (Local Area Connection* 2)
10. \Device\NPF_{06E76EDA-507E-41DF-9258-2F74B7137C90} (Ethernet)
12. \Device\NPF_{1F624625-335B-4ED5-8DA5-0A8C7E951254} (Wi-Fi)
grahamb gravatar imagegrahamb ( 2019-03-25 15:43:33 +0000 )edit

Regardless, as your issue seems to be with npcap you should take this up with the npcap support folks, as per their website.

grahamb gravatar imagegrahamb ( 2019-03-25 15:45:06 +0000 )edit

Well, things are going from bad to worse, I'm afraid...

My most recent step was to uninstall Wireshark and Npcap, and then re-install Wireshark WITHOUT Npcap. Now, when I launch Wireshark, 

Version 3.0.0 (v3.0.0-0-g937e33de) 

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with ...
(more)
feenyman99 gravatar imagefeenyman99 ( 2019-03-26 01:45:04 +0000 )edit

Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\MF> Get-NetAdapter -IncludeHidden | Select-Object -Property InterfaceGUID, Name, InterfaceDescription

InterfaceGUID                          Name                                  InterfaceDescription
-------------                          ----                                  --------------------
{FD04C847-5174-4AD6-8678-C02B2D008287} Local Area Connection* 15             WAN Miniport (Network Monitor)
{BE52A661-236B-4833-BCAC-DAFF182CF073} Local Area Connection* 3              Microsoft Wi-Fi Direct Virtual Adapter #4
{BE24666C-6316-43F7-A907-6A91185CA821} Local Area Connection* 7              WAN Miniport (L2TP)
{93123211-9629-4E04-82F0-EA2E4F221468} Teredo Tunneling Pseudo-Interface
{89FCA183-5383-4670-92C1-FDF804B1963C} Local Area Connection* 6              WAN Miniport (IKEv2)
{8718928D-CBEB-45EA-A621-800A9249001D} Local Area Connection* 1              Microsoft Kernel Debug Network Adapter
{7D09E90B-029C-4BFC-8AB8-76B075F79667} Ethernet                              Realtek PCIe GBE Family Controller
{7A9E15A8-3D2B-4A02-B90B-FE9EE6B99A3E} Wi-Fi                                 Realtek RTL8188E Wireless LAN 802.11n P...
{66A794B3-3427-4F9A-BEF8-31746F11333C} Local Area Connection* 10             WAN Miniport (IP)
{5F5A7B51-3E7F-4ED0-A188-3BCC03EC35B5} Local Area Connection* 9              WAN Miniport (PPPOE)
{2EE2C70C-A092-4D88-A654-98C8D7645CD5} Microsoft IP-HTTPS Platform Interface
{22D914E3-BA66-46E9-9220-ECB2ECEA6C0C} Local Area Connection* 8              WAN Miniport (PPTP)
{2064A597-76A7-4209-BA05-3A48D5DF3C24} Local Area Connection* 4              Microsoft Wi-Fi Direct Virtual Adapter #5
{13689708-BE46-44D4-9323-099A2F29951E} Local Area Connection* 5              WAN Miniport (SSTP)
{1042743A-D98C-4F08-BE09-C7C0A1E96C67} Local Area Connection* 14             WAN Miniport (IPv6)
{07374750-E68B-490E-9330-9FD785CD71B6} 6to4 Adapter

PS C ...(more)

feenyman99 gravatar imagefeenyman99 ( 2019-03-26 01:45:37 +0000 )edit

C:\Program Files\Wireshark>tshark -D tshark: There are no interfaces on which a capture can be done

feenyman99 gravatar imagefeenyman99 ( 2019-03-26 01:46:30 +0000 )edit
see more comments

1 Answer

Sort by » oldest newest most voted
0

answered 2019-04-04 16:33:26 +0000

feenyman99 gravatar image

Well, I finally got this working, though I'm not sure which step made the difference. Here is what I did...

  1. Uninstalled Wireshark 3.0.0
  2. Uninstalled WinPcap
  3. Uninstalled Npcap
  4. Installed Wireshark 2.2.7. After this install completed, the Ethernet interface started showing traffic again and I could capture from it. (The Ethernet interface had NOT been showing any traffic with my previously installed 3.0.0 version.)
  5. Went to Help -> Check for Updates
  6. Followed prompts to install Wireshark 3.0.0, including selecting Npcap.
  7. Install was successful, and I'm capturing from the Ethernet interface again!!!

Thanx for everyone's help!

feenyman99

edit flag offensive delete link more

Comments

I had a similar problem today. I upgraded to Windows 10 Wireshark 3.0.6 with npcap-0.9983. It then found a lot of interfaces but not my real Ethernet interface. Following feenyman99's suggestion above, I uninstalled Wireshark and npcap, and then installed Wireshark 2.6.6, the latest 2.x version I had that uses winpcap instead of npcap. Sure enough, there was my Ethernet again.

Alas feenyman99's step 6 left me without my Ethernet interface again, so I re-executed his steps 1-4 and called it a day. npcap just isn't as bulletproof for me as winpcap is. Maybe that's why npcap is still at version 0.9983: it hasn't yet earned the coveted 1.0.

mccreigh gravatar imagemccreigh ( 2019-11-04 16:51:00 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-03-20 22:57:42 +0000

Seen: 4,925 times

Last updated: Nov 04 '19

Related questions

At what stage does Wireshark check which capture library (npf) is installed?

disable interface discovery

Steps to setup radiotap captures with Netgear A6210?

Dumpcap captures traffic, but Wireshark and Tshark can't see the interfaces

when I open WS it does not show any interfaces, why?

Is WinPcap still being developed?

npcap loopback driver Locks up Win 10 [closed]

TCP traffic is not captured over npcap loopback.

Npcap Loopback Adapter Packet Capture

view vlan tagging with Win10pcap, not npcap - a good idea?