Hello. I'm using windows 10 build 10041 and wireshark 1.12.4 (v1.12.4-0-gb4861da from master-1.12). But I can't see any capture interface. I've tried different options: run as administrator, install in compatibility mode (Windows 7, 8), tried another wireshark version (latest development release), but with no success. Is there any way to get wireshark working? asked 28 Mar '15, 22:41 SergeyM |
3 Answers:
This is a problem with WinPcap on specific preview builds of Windows 10, which is a separate project from Wireshark and is used by Wireshark for capture on the Windows platform. To get by at the moment you can install Message Analyzer from Microsoft to make captures, save them to .cap format and load them into Wireshark. WinPCap runs just the same as on older version of Windows on all released versions of Windows 10. answered 28 Mar '15, 22:54 grahamb ♦ edited 06 Jul '17, 06:23 showing 5 of 8 show 3 more comments |
Hey guys, So I found out a way for this to work that I am using on build 10049 currently. I encountered the same problems. I noticed my ethernet adapter had shown up in wireshark now after creating a Virtual Switch in Hyper-V (Included on Windows 10) that uses an External interface on my Ethernet adapter. Once this was created, for whatever reason, my ethernet adapter became an interface again for wireshark. To Replicate: - Install Hyper-V feature and open it - Open Virtual Switch Manager and create a switch for "External Network" using your ethernet adapter and ensure "Allow management operating system to share this network adapter" is checked. - Click OK (adapter will create) - Launch Wireshark - Ethernet adapter should be present. I can't guarantee this will work for everyone but it worked for me and I cannot explain why :-/ I can't attach screenshots because of Karma because I just signed up however here are links to screenshots. 1: https://drive.google.com/file/d/0B6J5HXP6P8uceF8wWFVNa2N2VVU/view?usp=sharing 2: https://drive.google.com/file/d/0B6J5HXP6P8ucR1pvaGw4cEZXb2c/view?usp=sharing 3: https://drive.google.com/file/d/0B6J5HXP6P8ucWm9xTUxsdjJzNWc/view?usp=sharing answered 22 Apr '15, 11:07 mikeullar edited 22 Apr '15, 11:10 |
Hi Everyone, I found a solution to this problem. Install "Win10Pcap" based on GNU public license from their official website (http://www.win10pcap.org/download/). Restart or open Wireshark or similar packet analyzer tool and you're good to go. It should show you the active network interfaces on your device. If you've disabled any network interfaces, make sure to turn them on from 'device manager'. I tried using Virtual Switch on Hypervisor , didn't work for me. This should solve your problems. Thank You. answered 25 Oct '16, 22:46 Aritra_B edited 26 Oct '16, 03:32 What happens if you un-install WinPcap and install Npcap instead? It's more modern, and supports NDIS 6 (25 Oct '16, 23:23) Guy Harris ♦♦ The original question was asked for a beta of Windows 10 that had issues with running WinPCap, later on in the run-up to RTM of Windows 10, Microsoft fixed the issues and WinPCap 4.1.3 runs on Windows 10 in exactly the same manner as on earlier versions of Windows and is the current recommended capture library for use with Wireshark. If you need capture features that aren't supported by WinPCap on any version of Windows such as local loopback capture or 802.11 monitor mode, then you can try (the currently experimental) npcap from the nmap project. Wireshark has support for npcap, but has not been tested at all with Win10Pcap. A further note, npcap is also under heavy development, Win10Pcap has not been updated for more than a year, and looks like it's been abandoned. (26 Oct '16, 00:20) grahamb ♦ I received a free update to Windows 10 in late August.I've received all subsequent updates as well including the beta Bash on Windows 10. But, WinPCap & npcap are not standard features in the distribution as of yet. So, I had to look for other options to use Wireshark to detect packets causing possible DDOS attacks(ICMP Flood,ACK Flood & SYN Flood) to my IP which reflected on my router. So, I tried all options I could find on the internet but to no avail until I stumbled upon Win10PCap which did the trick for me thereafter. So, you might be speaking from updates & news but I'm the one to have experienced it personally and practically. I've no idea why you guys try to be trolls reading up articles on the internet. Why not learn from the viewpoint of the person and try to acknowledge the fact that they are speaking from their experience using it! By the way,I'm from India so the updates and features differ from what you might have received. (26 Oct '16, 03:20) Aritra_B And yes,Win10PCap does support loopback capture as well as 802.11 monitor mode if your packet analyzer tool supports it! (26 Oct '16, 03:25) Aritra_B None of npcap or WinPcap or Win10PCap are installed with Windows of any version, if you're using a capture tool, such as Wireshark, that expects a libpcap style interface then you'll have to install a libpcap based capture driver. If Win10Pcap works for you that's great, but it isn't recommended for use by the Wireshark project hence the comments here. And yes,Win10PCap does support loopback capture as well as 802.11 monitor mode if your packet analyzer tool supports it! Interesting, as Win10Pcap doesn't mention this on their web page, and as as it appears to be using the same elderly libpcap interface as WinPcap (wpcap.dll distributed by Win10Pcap is the original one from WinPcap 4.1.3) I don't see how it can put wireless NIC's into monitor mode. (26 Oct '16, 03:49) grahamb ♦ I do understand what you are saying but somehow WinPCap 4.1.3 didn't work with Wireshark 2.2.1,for me. It was Win10PCap that came to my rescue and I don't understand why! I wanted to be as helpful as possible from my experience for future users visiting this thread. I'd also like to be redirected or if possible in this thread, be helped with cross-checking the router returned possible Flood attacks with wireshark's captured filter. Is there anyone who can help me out with it? I couldn't find the same when I cross-checked the router's log with wireshark's captured packets. But an expert opinion would be helpful in resolving whether there are really any flood attacks going on at my IP. I found a lot of packets originating from Shenzen(China) as well & that was when the PC was idle without any browser sessions open! (26 Oct '16, 05:00) Aritra_B Please raise a separate question for your suspected flood attacks, but do mention that you're using Win10PCap as that is a somewhat unknown part for most users of this site and it's entirely possible that it may be affecting your results. (26 Oct '16, 05:30) grahamb ♦ Thank You. Will Do So. (26 Oct '16, 06:11) Aritra_B showing 5 of 8 show 3 more comments |
Given the absolute silence from the winpcap development team, are you saying that Wireshark on the Windows platform is dead?
At least from a capturing perspective?
Unless the Project is revived or forked, it does look that way. A bit sad as work to port it to NDIS 6 seems to have been done here https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/
When capturing and exporting to .cap using Message Analyzer, Wireshark sees every packet as TZSP protocol and all are [malformed packet].
Doing same exact trace with Network Monitor 3.4, wireshark sees everything just fine.
On another note, seeing as NDIS 6.0 or higher supports 802.11 miniport drivers, I doubt Riverbed would like to see something compete with their airpcap product.
Possible, but as indicated here http://stackoverflow.com/questions/17037907/the-compatibility-issue-between-ndis-version-and-windows-version The most interesting part beeing: "...Note also that it has been reported that, whilst NDIS 6 has APIs to support monitor mode, not all Wi-Fi devices have NDIS 6 drivers, not all those that do have NDIS 6 drivers have NDIS 6 drivers that support Native Wi-Fi (and thus do not have NDIS 6 drivers that support monitor mode), and even those that do have NDIS 6 drivers that support Native 802.11 don't necessarily have NDIS 6 drivers free of bugs that make the Native 802.11 stuff work well...."
I'd say there would still be a market for it.
Thank you for the very informative link!
Riverbed don't exert control over what is developed for Wireshark. That depends on the core developers under the guidance of Gerald.
Riverbed are very helpful supporters of the project though.
Ca you share the original message analyzer file and the converted cap? MS may have come up with new format tweaks.
Does this mean its the end for Wireshark on Windows? (If pcap is no longer i development)
No. It seems the current version of WinPCap does work on some builds of Win 10 preview, I suspect it may also work on the RTM.
Apart from that, work is in hand to develop a new version of WinPCap using NDIS 6.0 that will also work on Win 10.