This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

NPF driver Problem in Windows 7

2
1

I am using Windows 7 64-bit edition; when I first installed Wireshark it worked, but after a restart it's constantly giving me the "NPF driver is not running" error, and therefore I cannot see any of my network cards. Please help.

asked 07 Dec '10, 23:42

Engr Mansoor...

edited 20 Jan '11, 12:11

Jaap ♦

Hi all, I have the exact same symptoms but without the NPF driver error and also I get the proper output from the SC command. Any ideas?

(16 Dec '11, 14:07) Jim Willows

3 Answers:

13

I am using Wireshark on the 64-bit edition of Windows 7 without problem.

The npf driver is not visible in your regular "Computer Management" WMI-interface. The npf status is best checked with the command line.

Run a cmd.exe as administrator and run the command sc qc npf.

You should get some output like this:

C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2  AUTO_START
        ERROR_CONTROL      : 1  NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

If your driver is not properly started, activate it with the command sc start npf

Finally, to start the service automatically, use the command sc config npf start=auto

Remember to run your cmd.exe as administrator when issuing these commands.

answered 08 Dec ‘10, 01:26

packethunter

I am running Windows 7 and I have the same issue with the NPF file not running. I tried your command line stuff. I am set as the administrator on this machine and I get an Access Denied error when I try the sc start npf. Any suggestions?

(19 Jan ‘11, 21:11) Joshua

I have also activated NPF for Windows 7. And Wireshark 1.4.3 still says it is not active. And also says there are no interfaces that a capture can be done. I’m running an HP Desktop and Windows 7 Home Premium.

(20 Jan ‘11, 17:39) yate4899
1

Try to run cmd.exe as an administrator (I mean right-click it, then choose "Run as administrator") and then use the command sc start npf

(09 Feb ‘11, 13:23) EssAm
4

There must be a space after the equal sign, i.e.

sc config npf start= auto

The rest is perfect:

sc qc npf
Run as Administrator:
sc start npf

(02 Aug ‘11, 22:54) Champion

Thank you packethunter, your answer enabled me to get working with Wireshark. One thing though, I can’t find the npf service - whose DISPLAY_NAME is given as “NetGroup Packet Filter Driver” listed in the Windows Services. Can anyone enlighten me please?

(17 Oct ‘11, 16:56) pcwizard
2

You can find the NPF driver under Non-Plug and Play Drivers
To open the Computer Management console go to:
Start | Run
type: compmgmt.msc and hit OK
Select:
Computer Management (Local) | System tools | Device Manager
Pull-down menu View | Show Hidden Devices
Non-Plug and Play Drivers | NetGroup Packet Filter Driver

(17 Oct ‘11, 21:14) joke

Great!! it is working…BIG THANKS to you. Back to business!

(12 Jan ‘12, 07:35) deo

Sorry: I meant for the above “Great …” to have been converted to a comment under answer #1 (not this answer).

(12 Jan ‘12, 08:05) Bill Meier ♦♦

I had to go into the non-plug and play; how do I get it to start once I get there?

(10 May ‘12, 20:01) angelar

right-click NetGroup Packet Filter Driver
select Properties
select tab Driver
Current status: hit Start
BTW
Here you can read more about Startup - Type

(10 May ‘12, 21:18) joke
2

This solution also works for Windows 8.

(09 Oct ‘12, 13:41) SamsonSF

Thanks a lot, was really helpful.

(02 Mar ‘13, 13:28) s_atayi379

You need to add a space between “start=” and “auto”.

(14 Jun ‘13, 03:10) Mladen B

run as administrator, sc config npf start= auto is the exact command. Space is required after “=”.

(13 Jul ‘14, 05:09) Utkal Barik

Very good, I study network from Belém PA, thanks, great!

(06 Nov ‘14, 15:53) Marciel Rodr…

I created a ‘shortcut icon’ in Windows 10 to do this. Just make sure that the shortcut properties have ‘Run as Admin’ selected. The command line in the shortcut target is: %windir%\system32\cmd.exe /K sc start npf

(24 Jan ‘17, 16:19) pcarew
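The checks from the answer and comments above, combined into one script as an added example (not part of the original thread). It assumes the WinPcap service name npf used on this page and an elevated PowerShell session; once the driver is set to start automatically, Wireshark itself does not need to run as administrator.

```powershell
# Added example: check the WinPcap NPF driver and repair its state.
# Call sc.exe by its full name: in Windows PowerShell, "sc" is an alias
# for Set-Content, so a bare "sc qc npf" does not reach the service tool.

# Starting or reconfiguring the driver needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Not elevated: "sc start npf" would fail with Access Denied. Use "Run as administrator".'
    return
}

# Static configuration (start type). A non-zero exit code means the
# service is not registered, i.e. WinPcap is not installed.
$config = sc.exe qc npf | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Error "npf is not registered (sc.exe exit code $LASTEXITCODE). Install WinPcap first."
    return
}

# Current run state.
$status = sc.exe query npf | Out-String

# Match the numeric codes sc.exe prints: STATE 4 = RUNNING, START_TYPE 2 = AUTO_START.
$running   = $status -match 'STATE\s*:\s*4\b'
$autoStart = $config -match 'START_TYPE\s*:\s*2\b'

if (-not $running) {
    Write-Host 'npf is not running; starting it.'
    sc.exe start npf
}

if (-not $autoStart) {
    Write-Host 'npf is not set to start automatically; changing the start type.'
    # "start=" and "auto" must be separate arguments (the space after "=").
    sc.exe config npf start= auto
}

# Print the final state so the result can be confirmed.
sc.exe query npf
sc.exe qc npf
```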

1

Find the file called npf.sys which is located at

  • C:\Windows\System32\Drivers\

in Windows 7. Then make sure that you have installed WinPcap; if you didn't install it, just go to its official site and download it for installation: http://www.winpcap.org

Next, find cmd.exe which is located at

  • C:\Windows\System32

in Windows 7, right-click it and choose "Run as administrator". When it opens, input net start npf, then the NPF driver is successfully opened. That is, the file npf.sys is opened.

Finally, restart Wireshark; it will be OK now.

BTW, if you have other driver problems or want to update, backup or restore drivers, the free program DriveTheLife (official site: http://www.drivethelife.com) is a perfect one.

This answer is marked "community wiki".

answered 23 Dec '14, 22:25

OliviaLewis

0

Just run the shark under administrator and it will work as well.

answered 04 Aug '11, 00:44

projek7r

1

While this may well "work" it isn't really recommended.

There is a huge amount of code in Wireshark that attempts to interpret network data, and allowing that code to run as administrator does open a window (albeit quite small) to "bad stuff" gaining access to the host system as the administrator.

(04 Aug '11, 01:18) grahamb ♦