I've followed the instructions at https://wiki.wireshark.org/CaptureSetup/Loopback to enable capturing on the loopback interface as follows:
When I do ipconfig, I can see the Npcap adapter as follows:
However, it doesn’t show up in WireShark’s list of interfaces. There I have just my normal LAN and WLAN interfaces. What could be preventing WireShark from seeing the Npcap interface? Is there some extra configuration I can try? asked 15 Oct ‘15, 12:59 bcalmac showing 5 of 6 show 1 more comments |
One Answer:
Thanks to Pascal and Kurt for responding to Npcap's questions before I got here:) This problem seems to be that the loopback adapter was failed to be opened by the driver, so it will not show up in the interface list of Wireshark/ You can enable the logging of Npcap by using the following debug version: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.05-debug.exe Then you can use DebugView Pascal has mentioned, to capture the debugging trace when Npcap driver is first started. ensure you selected "Capture Kernel“ and "Enable Verbose Kernel Output" when using DebugView. As Npcap starts its driver when installation is done, you can start DebugView before installation finishes, then launch Wireshark and show the interface list, then save the log in DebugView, and send it to me ([email protected]). answered 17 Oct '15, 18:02 Yang Luo Done, thanks for your help. (17 Oct '15, 22:38) bcalmac Hi, bcalmac, I didn't see the "DriverEntry" string in your log which is expected to be there, because it is the main function of Npcap driver, it seems that you didn't capture the events before Npcap starts. I told you another easier way here: you start capture logs with DebugView first, then run "net stop npf" and "net start npf" in your CMD. These two commands will restart the Npcap driver, and DebugView should have captured all the initialization trace, then send it to me again, thanks. (18 Oct '15, 07:08) Yang Luo PS: Npcap has an known issue that SOMETIMES the network will halt for at most 50 seconds when Npcap finishes its installation. After 50 seconds, the network will automatically recover, or you can just manually restart the network and it will be good at once, this phenomenon is documented by Microsoft, and I will try to figure out a solution for this. (18 Oct '15, 07:14) Yang Luo I have seen your log, and this time it shows the information I needs:) It seems that "Npcap Loopback Adapter" Npcap has created is never attached by NDIS's FilterAttach function. I never see this condition before, and I suspect it is some driver compatibility issue (I think you have installed another LWF filter driver or something else). I want you to complete these steps for further diagnosis: use the debug version without loopback support here: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.05-debug-no_loopback.exe Using this version, Npcap will view "Npcap Loopback Adapter" as just a normal interface, so Wireshark should see it with no difference with others. If this doesn't work, then you can manually create a MS loopback interface by following any helpful guide in Internet (because Npcap does nothing but to automate the creation of a MS loopback interface and rename it to "Npcap Loopback Adapter"), then launch Wireshark to see if it is there, let me know the result. (18 Oct '15, 10:04) Yang Luo Have you tried to configure a new MS Loopback Interface by your own (you can follow this link: https://social.technet.microsoft.com/Forums/windows/en-US/259c7ef2-3770-4212-8fca-c58936979851/how-to-install-microsoft-loopback-adapter) and see if it appears on the Wireshark list? Tell me the result. If this interface even didn't show up, I think the issue you encountered if more of your side: your computer refuses to recognize any Microsoft loopback interfaces (including Npcap Loopback Adapter, since it is also one of them). Have you installed any special softwares or network drivers? I noticed that you have installed VPN drivers, perhaps you could try installing Npcap with that VPN software uninstalled. (18 Oct '15, 17:06) Yang Luo Besides troubleshooting, I have a workaround for you. This is a method that can change ANY interface into an equivalent "Npcap Loopback Adapter". This method doesn't seem to be graceful but it should work. The steps are: 1) Run “dumpcap -D -M” and find an available interface that you don't use, copy its ID. Like the below example, I didn't want to capture the bluetooth in Wireshark , so I copied its ID. C:\Program Files\Wireshark>dumpcap -D -M 1. \Device\NPF_{0E5642B1-1D9D-47ED-AD66-088313E6365E} Bluetooth Device (Person al Area Network) Bluetooth Network Connection 4 fe80::45ed:e05a: ab2d:7baf,0.0.0.0 network 2. \Device\NPF_{337D25A4-3367-41A5-9E12-6C8C365A3A31} Intel(R) PRO/1000 MT Net work Connection Local Area Connection 0 fe80::1893:5a3d:7a37:17ba,192.16 8.47.133 network 3. \Device\NPF_{D0B41E69-FB15-4503-A689-AE5B725FB79E} Microsoft Loopback Adapt er Npcap Loopback Adapter 0 fe80::80d3:e1d5:21f:cd88,169.254.205.136 loopback 2) Stop Npcap driver by running "net stop npf" 3) Go to registry's HKLM\system\CurrentControlSet\services\npf, you should see a value named "Loopback", replace its content with the ID from 1), in my example the new content is "\Device\NPF_{0E5642B1-1D9D-47ED-AD66-088313E6365E}" (no quote). 4) Start Npcap driver by running "net start npf" 5) Launch Wireshark, you should get all loopback traffic by capturing on your "Bluetooth Network Connection" interface (the original traffic of that interface will not show).Tell me if this workaround works. (18 Oct '15, 17:07) Yang Luo showing 5 of 6 show 1 more comments |
Did you have to uninstall WinPcap before installing NPcap? If yes, did you reboot your PC before installing NPcap?
I suggest you to uninstall NPcap, reboot, install NPcap, reboot and then launch Wireshark. Hopefully the loopback interface will appear (I just tested here and it is working fine on my PC).
Do you see the loopback interface if you run the following command?
@Pascal: I reinstalled NPcap with reboots after each operation and WireShark still can’t see the adapter created by NPcap.
@Kurt: dumpcap shows the same interfaces as the UI (the NPcap one is missing)
Is there some logging I can enable to further troubleshoot the problem?
I’ve tried the same steps on another machine and everything is fine. It’s not a general problem.
You should capture kernel logs with DebugView (https://technet.microsoft.com/en-us/sysinternals/bb896647) when launching Wireshark, and get in touch with NPcap author on the address listed at the end of https://github.com/nmap/npcap/
Yang is quite responsive so hopefully he will be able to figure out what’s wrong.