
Why does the Portable version of Wireshark show only these odd interfaces?


I just downloaded the portable version of the program. What's with these interfaces? They are oddly specific.

I just want to capture everything coming in on localhost - which interface should I pick??

(also uploading an image on this forum is broken - I'd love to show what I'm seeing but I guess you should be able to see it as well if you just download and start the portable version).

thany
asked 2023-06-15 09:29:20 +0000
Guy Harris
updated 2023-06-15 20:41:43 +0000

Comments

As an anti-spam measure we have to limit what new users can post. You can share a link to your image hosted elsewhere though.

You should also post the contents of the Help -> About Wireshark -> Wireshark dialog using the "Copy to Clipboard button".

grahamb (2023-06-15 09:41:30 +0000)

It is (or really should be) the same for everyone downloading the portable version:

Version 4.0.6 (v4.0.6-0-gac2f5a01286a).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap,
with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.10.1, with
Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with
QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with
SpeexDSP (using bundled resampler), with Minizip, with binary plugins.

Running on 64-bit Windows 10 (22H2), build 19045, with 12th Gen Intel(R)
Core(TM) i9-12900H (with SSE4.2), with 32439 MB of physical memory, with GLib
2.72 ...
thany (2023-06-15 16:12:03 +0000)

Btw, in the meantime I was able to capture what I needed using RawCap. So it should definitely be possible what I'm trying to achieve.

Perhaps Wireshark isn't quite what I remember it to be from years ago. Like, capturing network traffic from a given physical/logical interface. I guess it can't do that anymore for some reason. RawCap can though, so my immediate problem is gone. Not sure if this is still a bug or missing feature in Wireshark.

Seems like core functionality really, but I'm no expert.

thany (2023-06-15 16:18:28 +0000)

2 Answers

"Running on 64-bit Windows 10 (22H2), .... without Npcap or WinPcap". So you have no capture engine installed, and therefore cannot capture from your network interface using Wireshark. What is left is the collection of extcap interfaces, which enable capture from non-network interfaces.

Of course you can use RawCap instead. The difference is that your captured packets start at the IPv4 layer, rather than the Ethernet layer.

Jaap
answered 2023-06-15 18:07:03 +0000
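
The difference described in the answer above (a capture that starts at the IPv4 layer versus one that starts at the Ethernet layer) is recorded in the link-layer type field of the capture file's header. The following is an added example, not part of the original answers: it reads a classic pcap file and locates the first IPv4 header according to that field. It assumes a capture starting at IPv4 is written with LINKTYPE_RAW (101); the function names and the sample bytes are constructed for illustration.

```python
import struct

# Link-layer header types from the tcpdump.org LINKTYPE_ registry.
LINKTYPE_ETHERNET = 1    # frames begin with a 14-byte Ethernet header
LINKTYPE_RAW = 101       # packets begin directly with the IPv4/IPv6 header

MAGICS = {  # magic bytes as stored on disk -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}

def first_ipv4_header(pcap: bytes):
    """Return (linktype, src, dst) for the first packet of a classic pcap file."""
    if len(pcap) < 24 or pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[pcap[:4]]
    linktype = struct.unpack(order + "I", pcap[20:24])[0] & 0xFFFF
    if len(pcap) < 40:
        raise ValueError("no packet records")
    incl_len = struct.unpack(order + "I", pcap[32:36])[0]
    packet = pcap[40:40 + incl_len]
    if linktype == LINKTYPE_ETHERNET:
        if len(packet) < 14 or packet[12:14] != b"\x08\x00":
            raise ValueError("first frame is not IPv4 over Ethernet")
        ip = packet[14:]          # skip dst MAC, src MAC, EtherType
    elif linktype == LINKTYPE_RAW:
        ip = packet               # no link-layer header to skip
    else:
        raise ValueError(f"unhandled link type {linktype}")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("no IPv4 header where the link type says it should be")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return linktype, src, dst

def build_pcap(linktype, packet):
    """Build a one-packet little-endian capture (constructed test input)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return header + struct.pack("<IIII", 0, 0, len(packet), len(packet)) + packet

# Constructed sample: 20-byte IPv4 header, 127.0.0.1 -> 127.0.0.1, checksum left zero.
IPV4 = bytes.fromhex("450000140000400040060000" "7f000001" "7f000001")
ETHERNET = bytes(12) + b"\x08\x00" + IPV4   # zeroed MACs + EtherType 0x0800

RAW_CAPTURE = build_pcap(LINKTYPE_RAW, IPV4)
ETH_CAPTURE = build_pcap(LINKTYPE_ETHERNET, ETHERNET)
```

A file whose link type does not match its contents (for example Ethernet frames labelled as raw IP) fails the version check instead of being silently misparsed.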


Perhaps Wireshark isn't quite what I remember it to be from years ago. Like, capturing network traffic from a given physical/logical interface. I guess it can't do that anymore for some reason. RawCap can though, so my immediate problem is gone. Not sure if this is still a bug or missing feature in Wireshark. Seems like core functionality really, but I'm no expert.

You may remember using something other than a "portable" version of Wireshark from years ago (or you may remember it from running it on a UN*X, rather than on Windows).

"Portable" apps are fine for programs that don't require adding kernel-level drivers; unfortunately, on Windows, packet capture in Wireshark requires adding Npcap, which requires a kernel-level driver. This means that if you want to capture traffic, you shouldn't use the "portable" version, you should install the regular version, and, when the installer asks you whether you want to install Npcap, tell it to install Npcap.

So this is a feature missing from "portable" Wireshark, which is, unfortunately, the result of 1) Windows not providing an adequate supported-by-libpcap capture mechanism by default (unlike UN*Xes) and 2) "portable" applications not being able to install kernel drivers. Yes, packet capture is core functionality, which is why "portable" Wireshark is problematic.

If you want to use the "portable" version, try downloading and installing Npcap on your machine before using the "portable" Wireshark.

Guy Harris
answered 2023-06-15 20:17:08 +0000, updated 2023-06-15 20:43:07 +0000

Comments

To be pedantic there is built-in native capture on Windows via ETW but it's a PITA to use. There is an extcap (ETWDump) that will load ETW files and several external projects attempting to directly add ETW support.

grahamb (2023-06-16 09:26:29 +0000)

"Directly" as in "with a libpcap module", so that any program using libpcap can capture using ETW?

Guy Harris (2023-06-16 21:04:30 +0000)

Apparently, for example see https://github.com/airbus-cert/Winshark

grahamb (2023-06-18 11:22:21 +0000)