
AirPcap and Wireshark 3.03


I cannot get Wireshark to recognize either my AirPcap Classic or TX. To troubleshoot I have:

  1. validated that they are recognized in Cain and Abel and in the AirPcap Control panel
  2. Installed Wireshark with:
    1. both WinPcap 4.1.3 and NPcap 0.9982 (NPcap both in compatibility mode and NOT in compatibility mode)
    2. Installed only NPcap and removed WinPcap
    3. Installed only WinPcap and removed NPcap
  3. done a Google search for the problem and noted the prior question and answer here, plus a few other places, all to no avail.
  4. Completely disabled any virus protection. This is validated because Cain and Abel were able to install and work.
  5. When AirPcap first came out, I was also unable to make it work in Wireshark

I am running Windows 7, with the latest patches as a domain member

me
asked 2019-08-09 14:28:23 +0000
grahamb
updated 2019-08-09 14:47:07 +0000

Comments

Help About:

Version 3.0.3 (v3.0.3-0-g6130b92b0ec6) 

Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz (with SSE4.2), with 4006 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS ...
me (2019-08-12 22:05:51 +0000)

2 Answers


You need to use WinPcap. Any installation of npcap will have to be removed so that Wireshark will use the WinPcap driver.

I tested with Win 10, Wireshark 3.1.1 (shouldn't be any change from the current release 3.0.3 w.r.t. AirPcap), WinPcap 4.1.3 and an AirPcap Nx.

grahamb
answered 2019-08-09 15:47:38 +0000

Comments

I had tried that. In fact I did a total uninstall of WinPcap, Npcap and Wireshark, followed by a reboot, prior to posting the question.

To confirm that I had done the proper steps, I have repeated the above, and further, I disabled the anti-virus in case there was some weird interaction. Wireshark will detect my USB Wireless card and Cain and Abel will detect the Airpcap card. Wireshark will still not detect the Airpcap card, however.

me (2019-08-10 04:01:06 +0000)

Can you verify that WinPcap is being used by Wireshark by posting your "Help -> About Wireshark" details? Perhaps when npcap was uninstalled, something went awry and some "breadcrumbs" were left behind and Wireshark is still picking it up; that had happened to me once with an older version of npcap and I had to manually delete it (i.e., C:\Windows\System32\Npcap or possibly in another location if it was installed in WinPcap-compatibility mode).

Does dumpcap.exe -D list the AirPcap adapter as one of the interfaces?

Can you verify from the command-line that WinPcap driver is running using sc qc npf? If not, you can start it manually with sc start npf, or if it is you could try sc stop npf followed by sc start npf to try restarting it.

Have you tried uninstalling Cain and Abel temporarily in case that tool installed something possibly causing ...

cmaynard (2019-08-10 14:51:39 +0000)

Note that you will need an elevated prompt to run the sc start and sc stop commands.

grahamb (2019-08-11 12:24:15 +0000)

Dumpcap -D:

1. \Device\NPF_{B4BCF253-3859-49AE-B888-581CAB7EAC19} (Bluetooth Network Connection)
2. \Device\NPF_{DD23F56C-59C4-4291-9934-FE7C3AEEED93} (Local Area Connection 5)
3. \Device\NPF_{8565A170-B127-4E78-BC25-B950C99CDD1F} (Local Area Connection)
(no AirPcap device is listed)

SC qc npf:

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       : 
        SERVICE_START_NAME :

Help About:

(I cannot post a screen capture but the "help about" section includes "...with Gcrypt 1.8.3, without AirPcap, binary plugins supported...")

Note

An inventory of the system drive identified several npf.sys files in various driver directories, but only the npf install log in the npf directory.

me (2019-08-11 16:32:37 +0000)

The text in the Help => About dialog can be highlighted using the mouse and Ctrl + C copied to the clipboard and then pasted in a comment here.

grahamb (2019-08-11 18:12:17 +0000)

From your Wireshark Help -> About Wireshark information:

Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz (with SSE4.2), with 4006 MB of physical memory, with locale English_United States.1252, with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.16, build 27030).

Note without AirPcap.

Compare to the relevant information from my system:

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) CPU E3-1505M v5 @ 2.80GHz (with SSE4.2), with 16225 MB of physical memory, with locale English_United States.1252, with light display mode, without HiDPI, with Npcap version 0.996, based on libpcap version 1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, with AirPcap 4.1.0 build 1622, binary plugins supported (19 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.15, build 26730). 

You may want to try to reinstall the AirPcap drivers or contact Riverbed for support. Until Wireshark sees with AirPcap 4.1.0 build 1622 or equivalent, it's not going to recognize your AirPcap adapter.

cmaynard
answered 2019-08-13 13:30:10 +0000

Comments

FYI, I installed the latest AirPcap 4.1.3 drivers from Riverbed, here and my Wireshark help shows:

with AirPcap 4.1.3 build 3348
grahamb (2019-08-13 13:40:10 +0000)

It appears that it takes a complete uninstall of Wireshark, WinPcap and the AirPcap drivers, followed by install of the AirPcap drivers, WinPcap and then Wireshark for it to work.

me (2019-08-13 17:51:41 +0000)
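
The checks the two answers walk through (which capture library Wireshark is running with, whether the run-time part of Help -> About says "with AirPcap <version>" or "without AirPcap", and whether dumpcap -D lists the adapter), as an added Python example that is not part of the original thread or of Wireshark. The sample inputs are abridged from the outputs quoted above; the function names, and the assumption that an AirPcap line in dumpcap -D output contains "airpcap", belong to this example only.

```python
import re

# Constructed samples, abridged from the outputs quoted in this thread.
ABOUT_BROKEN = (
    "Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, "
    "with QtMultimedia, with AirPcap, with SBC.\n"
    "Running on 64-bit Windows 7 Service Pack 1, build 7601, "
    "with WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), "
    "with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded)."
)
ABOUT_WORKING = (
    "Running on 64-bit Windows 10 (1809), build 17763, "
    "with Npcap version 0.996, based on libpcap version 1.9.1-PRE-GIT, "
    "with AirPcap 4.1.0 build 1622, binary plugins supported (19 loaded)."
)
DUMPCAP_D = (
    r"1. \Device\NPF_{B4BCF253-3859-49AE-B888-581CAB7EAC19} (Bluetooth Network Connection)" "\n"
    r"2. \Device\NPF_{DD23F56C-59C4-4291-9934-FE7C3AEEED93} (Local Area Connection 5)" "\n"
)

def airpcap_status(about_text, dumpcap_list=""):
    # "Compiled ... with AirPcap" only means the build supports AirPcap.
    # Whether the library was found at run time is stated after "Running on".
    compiled, _, runtime = about_text.partition("Running on")
    lib = re.search(r"\bwith (WinPcap|Npcap) version ([\w.]+)", runtime)
    loaded = re.search(r"\bwith AirPcap ([^,\n]+)", runtime)
    # Assumption: an AirPcap interface line contains the string "airpcap".
    devices = [ln.strip() for ln in dumpcap_list.splitlines()
               if re.match(r"\s*\d+\.\s", ln) and "airpcap" in ln.lower()]
    return {
        "compiled_with_airpcap": bool(re.search(r"\bwith AirPcap\b", compiled)),
        "capture_library": lib.groups() if lib else None,
        "airpcap_runtime": loaded.group(1).strip().rstrip(".") if loaded else None,
        "runtime_says_without": "without AirPcap" in runtime,
        "airpcap_interfaces": devices,
    }

def verdict(status):
    if status["airpcap_runtime"]:
        return "loaded"
    if status["runtime_says_without"]:
        return "library-not-loaded"  # the state shown in the asker's About text
    return "unknown"

if __name__ == "__main__":
    for name, about in (("asker", ABOUT_BROKEN), ("cmaynard", ABOUT_WORKING)):
        status = airpcap_status(about, DUMPCAP_D)
        print(name, verdict(status), status["capture_library"],
              status["airpcap_runtime"], status["airpcap_interfaces"])
```
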