This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I am using Wireshark. On one proxy server, the live list of capture interfaces is not showing in Wireshark. On selecting the Interface List, an error message shows: "There are no interfaces on which a capture can be done."

In order to fix this, I tried:

1. Restarted the NPF service. It didn't help me.
2. I tried to edit the Interface list. But there are no interfaces displayed in "Wireshark Preferences - Profile". (Please see Preferences.png)

Please advise.

Regards, lal

asked 04 Jul '12, 18:52

Prajilal

what is your Windows version?
what do you see, if you run Wireshark as Administrator?

(08 Jul '12, 11:23) Kurt Knochner ♦

Server 2006 is using.. yes I am using administrator account to run Wireshark.

(08 Jul '12, 13:25) Prajilal

Server 2006?? Never heard of that... Either 2003 or 2008.

(08 Jul '12, 14:17) Kurt Knochner ♦

Typing mistake ..2003 is using

(08 Jul '12, 17:25) Prajilal

yes I am using administrator account to run Wireshark.

In that case I believe that WinPcap was not installed properly. Please either reinstall Wireshark 1.8.0 completely (uninstall WinPcap if asked) or just reinstall WinPcap: http://www.winpcap.org/install/bin/WinPcap_4_1_2.exe

Regards
Kurt

answered 08 Jul '12, 14:43

Kurt Knochner ♦

Reinstalled Wireshark and WinPcap, but this didn't help me.

(09 Jul '12, 04:05) Prajilal

can you please post the output of the following commands (run them in a DOS box):

sc query npf
sc queryex npf
sc stop npf && sc start npf
ipconfig /all

(09 Jul '12, 04:49) Kurt Knochner ♦

C:>sc query npf

SERVICE_NAME: npf

    TYPE               : 1  KERNEL_DRIVER
    STATE              : 4  RUNNING
                            (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
(10 Jul '12, 18:44) Prajilal

C:>sc queryex npf

SERVICE_NAME: npf

    TYPE               : 1  KERNEL_DRIVER
    STATE              : 4  RUNNING
                            (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
    PID                : 0
    FLAGS              :
(10 Jul '12, 18:44) Prajilal

C:>sc stop npf

SERVICE_NAME: npf

    TYPE               : 1  KERNEL_DRIVER
    STATE              : 1  STOPPED
                            (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))

    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
(10 Jul '12, 18:45) Prajilal

C:>sc start npf

SERVICE_NAME: npf

    TYPE               : 1  KERNEL_DRIVER
    STATE              : 4  RUNNING
                            (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
    PID                : 0
    FLAGS              :
(10 Jul '12, 18:46) Prajilal

C:>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : prxy-w03
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Team_#1:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : BASP Virtual Adapter

Physical Address. . . . . . . . . : F0-4D-A2-06-B3-C3

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.1.7.4

Subnet Mask . . . . . . . . . . . : 255.255.255.0

(10 Jul '12, 18:46) Prajilal

IP Address : 10.0.5.32

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.29

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.26

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.22

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.18

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.16

(10 Jul '12, 18:47) Prajilal

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.14

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.8

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.11

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.5.254

DNS Servers (Pasting wrong IP address as per rules) : 103.216.108.33 111.14.3.119 111.14.3.73

(10 Jul '12, 18:48) Prajilal

Ethernet adapter Team_#1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter

Your system uses Broadcom Adapter Teaming technology (BASP). I believe WinPcap does not detect that interface properly, although I have not found any information about problems with BASP in general.

Even here it says:

For servers, Broadcom has a virtual miniport driver, the Broadcom Advanced Server Program (BASP), which splits VLAN enabled interfaces to virtual interfaces. It is possible to capture from these interfaces without any known problems. Capturing from an aggregated interface also works, but LACP packets are seemingly not captured.

I suggest filing a bug report at winpcap.org. Please read the following instructions:

http://www.winpcap.org/bugs.htm

HINT: Please report back any result of your further troubleshooting with WinPcap, as this might be interesting for other Wireshark users as well.

Regards
Kurt

answered 10 Jul '12, 23:46

Kurt Knochner ♦

Thank you very much, Kurt.

I am using Wireshark on another server with the same configuration and BASP virtual adapter, and it is working fine.

Following is the output from

C:>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : prxy-w05

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : Yes

WINS Proxy Enabled. . . . . . . . : No

(11 Jul '12, 04:06) Prajilal

Ethernet adapter Team _#1:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : BASP Virtual Adapter

Physical Address. . . . . . . . . : 18-03-73-F6-92-04

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.0.5.35

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.34

Subnet Mask . . . . . . . . . . . : 255.255.255.0

IP Address. . . . . . . . . . . . : 10.0.5.25

Subnet Mask . . . . . . . . . . . : 255.255.255.0

(11 Jul '12, 04:10) Prajilal

IP Address. . . . . . . . . . . . : 10.0.5.21

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.0.5.254

DNS Servers (Pasting wrong IP address as per rules) : 103.216.108.33 111.14.3.119 111.14.3.73

And for this server I used Wireshark two months ago.

(11 Jul '12, 04:10) Prajilal

same OS? same patches?

O.K. Can you please follow the instructions on http://www.winpcap.org/bugs.htm and post the files winpcap_debug.txt, adapters.reg and npf.reg somewhere (pastebin or so).

Please post those files from BOTH servers (working and non-working)!!

(11 Jul '12, 04:15) Kurt Knochner ♦

Yes. While running WinDump.exe on the non-working server, I am getting the following error:

D:\Test>WinDump.exe

WinDump.exe: listening on \Device\NPF_{938EC403-2C8A-4B23-84F7-DED07FE03188}

WinDump.exe: driver error: not enough memory to allocate the kernel buffer

(11 Jul '12, 04:33) Prajilal

Please run windump -D. Do you get the same error message?

The error messages could explain why you don't see any interfaces on one of the servers. Please compare RAM usage of both servers (Task Manager).

(11 Jul '12, 04:36) Kurt Knochner ♦

Could you please send me your mail ID? I will send the zip files to you.

(11 Jul '12, 04:45) Prajilal

please send it to [email protected]binkmail.com. That's a disposable mail service and a one-shot e-mail address.

(11 Jul '12, 04:47) Kurt Knochner ♦

what is the plain output of windump -D at the CLI for both servers?

(11 Jul '12, 05:08) Kurt Knochner ♦

A blank screen appeared on the non-working server. For the working server it is:

D:\Test>windump -D

1.\Device\NPF_{3E0BD1DA-9EA4-4D66-BACF-26E7577C0622} (Broadcom L2 NDIS client driver)

2.\Device\NPF_{3EA8EAD6-BB65-43B1-9487-7B0F7D57F645} (Broadcom L2 NDIS client driver)

3.\Device\NPF_{9EAB7FD7-5560-4B34-B309-81AA53CBB2B9} (Broadcom Advanced Server Program Driver for Windows Server 2003 with SNP)

4.\Device\NPF_{FBBDA9AA-E8A7-4D0D-B678-AC08B21DA490} (Broadcom L2 NDIS client driver)

5.\Device\NPF_{657FF0FD-2849-46FB-B73D-54C1112FE183} (Broadcom L2 NDIS client driver)

(11 Jul '12, 05:15) Prajilal

WinDump shows those adapters in the debug output on the non-working server; however, it detects fewer interfaces than the working server. I have no idea why WinDump does not show the interface list, even though I can see them in the debug output. Maybe the "memory error" is a first hint. I suggest sending those files to winpcap-bugs [at] winpcap.org with a description of the problem. Please add a link to this thread.

Did you try to reboot the server? HINT: Be aware that this could cause severe problems, IF the server is in a (kind of) broken state!!!

(11 Jul '12, 05:26) Kurt Knochner ♦

D:\Test>WinDump.exe
WinDump.exe: listening on \Device\NPF_{938EC403-2C8A-4B23-84F7-DED07FE03188}
WinDump.exe: driver error: not enough memory to allocate the kernel buffer

That adapter is the BASP adapter (Teaming) that is listed in the debug output.

The error message is not a good sign. I assume there is either a bigger problem with the driver or with memory consumption in general on the non-working server.

As I said, check RAM usage and/or try to reboot the server. See HINT above!!

(11 Jul '12, 05:41) Kurt Knochner ♦

Thank you very much!!.

I sent a mail to winpcap-bugs [at] winpcap.org. Let us wait for the output. We cannot restart the server every time. The server restart is limited to once in 45 days. The last reboot was on July 4. Let me check the RAM usage. I will get back to you once I get any input.

Thanks Again!!

Warm Regards, Lal

(11 Jul '12, 05:50) Prajilal

Great. I'm interested in the solution, so please update this thread with the results from winpcap.org.

BTW: Did you restart the server AFTER you installed WinPcap/Wireshark?

(11 Jul '12, 05:53) Kurt Knochner ♦

Yes. I installed WinPcap/Wireshark before the last restart. Anyway, I will raise a request to restart the server.

(11 Jul '12, 06:01) Prajilal
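
The two checks used throughout this thread (driver state from `sc query npf`, adapter list from `windump -D`) can be scripted to separate "driver not running" from "driver running but nothing enumerated", which is the case seen on the non-working server. This is an added example, not part of the original thread; the function names are hypothetical and the sample inputs are abridged from the outputs posted above.

```python
import re

# Sample inputs, abridged from the outputs posted in this thread.
SC_QUERY = """SERVICE_NAME: npf
    TYPE               : 1  KERNEL_DRIVER
    STATE              : 4  RUNNING
    WIN32_EXIT_CODE    : 0  (0x0)
"""
WINDUMP_WORKING = r"""1.\Device\NPF_{3E0BD1DA-9EA4-4D66-BACF-26E7577C0622} (Broadcom L2 NDIS client driver)
3.\Device\NPF_{9EAB7FD7-5560-4B34-B309-81AA53CBB2B9} (Broadcom Advanced Server Program Driver for Windows Server 2003 with SNP)
"""
WINDUMP_BROKEN = ""  # the non-working server printed nothing for `windump -D`

# One `windump -D` line: index, NPF device path with adapter GUID, description.
ADAPTER_RE = re.compile(
    r"^\s*(\d+)\.(\\Device\\NPF_\{[0-9A-Fa-f-]{36}\})\s*\((.*)\)\s*$")


def npf_state(sc_output):
    """Return the state name (e.g. RUNNING) from `sc query npf`, or None."""
    m = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return m.group(1) if m else None


def parse_windump_list(output):
    """Parse `windump -D` output into (index, device, description) tuples."""
    adapters = []
    for line in output.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapters.append((int(m.group(1)), m.group(2), m.group(3)))
    return adapters


def diagnose(sc_output, windump_output):
    """Combine both checks into a one-line finding."""
    state = npf_state(sc_output)
    adapters = parse_windump_list(windump_output)
    if state != "RUNNING":
        return "npf driver not running (state=%s)" % state
    if not adapters:
        # Matches this thread: service healthy, adapter enumeration empty.
        return "npf running but no adapters enumerated"
    teamed = [a for a in adapters if "Advanced Server Program" in a[2]]
    return "%d adapters, %d teaming (BASP)" % (len(adapters), len(teamed))


if __name__ == "__main__":
    print("working    :", diagnose(SC_QUERY, WINDUMP_WORKING))
    print("non-working:", diagnose(SC_QUERY, WINDUMP_BROKEN))
```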
question asked: 04 Jul '12, 18:52

question was seen: 42,987 times

last updated: 11 Jul '12, 06:01
