Wireshark sees a few interfaces that I cannot find in the Windows registry, where does Wireshark get its list of interfaces?

  • retag add tags

I have gone into the registry, Windows 10, and removed all of the unused, old network adapters so there should only be 8 adapters showing in the system. That is the number which now shows in the Network GUI on this Win10 box. However, when I run Wireshark, and it discovers interfaces it finds 12 Adapters. When I do "show hidden devices" in Device Manager I see 10 Adapters - I know those extra 2 are for the VPN I use. I would like to know what file, or registry entry, or whatever Wireshark queries to get the list of interfaces it displays after it runs "finding local interfaces". I need to know what I am missing removing to resolve this discrepancy.

selmafrog's avatar
1
selmafrog
asked 2020-07-24 18:49:09 +0000
Guy Harris's avatar
19.9k
Guy Harris
updated 2020-07-24 22:30:08 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Still digging. Similar issue here on the nmap/npcap email list.
On Windows, Wireshark is calling npcap to get the interface list. The wireshark code that does this is similar to this example code in the Npcap Development Tutorial.

If you don't mind poking around in the Registry, there is some info in this article.
It shows the Wireshark: Interface Details window but alas that got dropped.

Chuckc's avatar Chuckc (2020-07-24 22:37:38 +0000) edit
more
  • delete

What is the output of ipconfig/all and dumpcap -D in a Command Prompt window?

Guy Harris's avatar Guy Harris (2020-07-24 23:23:50 +0000) edit
more
  • delete

how do I get the results of ipconfig /all and dumpcap to you. I tried adding as a comment and get that this content is forbidden. Anyway, dumpcap -D returns "'dumpcap' is not recognized as an internal or external command, operable program or batch file. ipconfig /all :

Ethernet adapter Ethernet: 
Unknown adapter NordLynx:
Ethernet adapter Ethernet 3:
Wireless LAN adapter Local Area Connection* 2:
Wireless LAN adapter Local Area Connection* 4:
Ethernet adapter VMware Network Adapter VMnet1:
Ethernet adapter VMware Network Adapter VMnet8:
Wireless LAN adapter Wi-Fi:
Ethernet adapter Bluetooth Network Connection 2:
selmafrog's avatar selmafrog (2020-07-25 01:55:26 +0000) edit
more
  • delete

The Wireshark install directory may not be in your path. Typical (not always) is C:\Program Files\Wireshark.

Chuckc's avatar Chuckc (2020-07-25 02:42:14 +0000) edit
more
  • delete

how do I get the results of ipconfig /all and dumpcap to you.

You just did. (I assume you removed all the IP address etc. details from the output of ipconfig/all; those details aren't necessary, so you don't need to supply them.)

dumpcap -D returns "'dumpcap' is not recognized as an internal or external command, operable program or batch file

Try "C:\Program Files\Wireshark\dumpcap" -D, as per @Chuckc's suggestion.

Guy Harris's avatar Guy Harris (2020-07-25 02:47:46 +0000) edit
more
  • delete
add a comment see more comments