Why am I not seeing any interfaces other than USBPcap1 on Windows?

retag add tags

Hello all.

I am new to downloading, installing, and using WireShark. I would like to use it to monitor network traffic on my home wireless router and the devices that are connected to it.

I looked at a tutorial, and there are some videos on YouTube on "How To".

Well, right off the bat, one of the videos I saw on YouTube? The user interface does not resemble mine when launched. I believe I have the latest version of WireShark v 3.0.1 I used the feature "Help", "Check For Updates", and it came back as "You're Up To Date!".

Granted, this video I saw on YouTube goes back quite a few years (it's dated Sept. 4, 2015), so maybe the interface has changed in the intervening years.

Here's a link to the video I'm referring to: link text

After the video starts (around the 6 second mark), you see the left-hand side? Underneath "Interface List"? Down below you see a list of the Wi-Fi's; you could click on one then select Start.

Well, when I launch my WireShark, here's what it looks like: link text

So....did I do something wrong during the install? How do I get it to display properly so that I can select my home wireless network and then monitor its traffic, etc.?

Thanks for any info & help; Pez

Pez

asked 2019-04-20 20:49:54 +0000

19.9k

Guy Harris

updated 2019-04-20 23:22:21 +0000

edit flag offensive 0 remove flag close merge delete

Comments

Wireshark has evolved quite considerably since 2015, so any such "guides" from 2015 are likely to be out of date as far as how the UI looks. Indeed our own User Guide requires some updates.

One possible cause for lack of interfaces is that you haven't installed a capture library, Wireshark 3.x (on Windows) comes with npcap and when running the installer you can opt to not install it. Can you copy and paste (into your question or a comment) the contents of the Help -> About Wireshark -> Wireshark dialog as that shows the Wireshark environment including any capture library?

grahamb (2019-04-21 09:56:36 +0000) edit

Hi grahamb; thanks for your reply.

OK, I navigated to where you said: Help -> About Wireshark ->

You also put "Wireshark dialog", but I didn't actually see anything spelled out as "Wireshark dialog", so when I go to "Help -> About Wireshark ->", I just Copied the contents of what was there. Here it is:

Version 3.0.1 (v3.0.1-0-gea351cd8) 

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua ...

(more)

Pez (2019-04-21 18:18:45 +0000) edit

The content you posted shows that you have npcap installed and that Wireshark has found it, Running on ... libpcap version 1.9.0 (packet.dll version 0.992).

So the issue is why npcap isn't reporting the interfaces you have. Can you run the following command in a cmd prompt and post the output:

sc query npcap

grahamb (2019-04-21 20:07:24 +0000) edit

Hi; thanks for getting back to me.

I ran the command line text in a CMD prompt; here's what came back:

C:\WINDOWS\system32>sc query npcap

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

So, I see the word "STOPPED"; why would that be....and how can I Start it? ;-) Pez

Pez (2019-04-21 23:33:52 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

Unsurprisingly having the npcap driver in state stopped will prevent the locating of capture interfaces. We'll need to check if the service is configured to start, if not make it so and then start it.

Check the service config:

sc qc npcap

On my system I get:

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\system32\DRIVERS\npcap.sys
        LOAD_ORDER_GROUP   : NDIS
        TAG                : 24
        DISPLAY_NAME       : Npcap Packet Driver (NPCAP)
        DEPENDENCIES       :
        SERVICE_START_NAME :

If the START_TYPE isn't SYSTEM_START, then make it so. This will need an Administrative (elevated) CMD prompt (note the odd spacing is required):

sc config npcap start= system

and now start the service, again an elevated CMD prompt is required:

sc start npcap

As to how you got into this state, there is an npcap installer option to NOT start npcap at system startup, which you may have chosen. Another possible way to fix this is to reinstall Wireshark and\or npcap and make sure it's permitted to start at system startup.

23.8k

grahamb

answered 2019-04-23 10:29:05 +0000

edit flag offensive 0 remove flag delete link

Comments

Yup, that did it! :)

I used the command sc qc npcap, and my service was not running.

I then used the command sc config npcap start= system, and then sc start npcap. And then this time when I ran WireShark, I can see networks listed ;-)

And I think you're right: When I initially installed WireShark, I believe I chose the option to NOT have npcap start at system startup. I thought that launching WireShark would then just have npcap start with it; I guess not :(

So yes, I guess I could always re-install WireShark and choose the option of letting npcap start with system startup.

Say, while I'm here, let me ask this:

Now that I can see the interface properly, yes, I see my network listed, and it's just listed as "Ethernet". I have a DSL combo of modem/ wireless router. I've customized the SSID ... (more)

Pez (2019-04-25 18:48:06 +0000) edit

Say, while I'm here, let me ask this:

Please ask that as a separate question. This is a Q&A site; think of it as a "crowdsourced FAQ" rather than as a forum. The goal is to allow users who have a question to search the site, so that if their question has already been asked, and somebody has already answered it, they get an immediate answer to their question without having to ask it and wait for an answer. To make that work well, each question should be asked separately.

Guy Harris (2019-04-25 19:03:41 +0000) edit

The interface is named by your computer, not by the Access Point SSID that it's connected to.

You can set the names of interfaces to anything you like, use "win" key + "r", type ncpa.cpl and hit enter, then right-click any interface and select "Rename".

grahamb (2019-04-25 19:07:32 +0000) edit

And to help others who may have the same question, please accept the answer that solved your issue by clicking the checkmark to the left of it.

grahamb (2019-04-25 19:15:22 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

Why am I not seeing any interfaces other than USBPcap1 on Windows? edit

Comments

1 Answer

Comments