This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Device/npf

0

I keep receiving a snooping device in my network using the Device/NPF interface, and I don't know what that means or how to stop it, to stay private, and it flags red alerts all the time, so what does Device/npf stand for and how do I stop it?

asked 23 Jun '17, 11:03

shawer6
6224
accept rate: 0%

edited 23 Jun '17, 11:04


One Answer:

0

An npf (network packet filter) device is not an external device somewhere in your network; it is a piece of software in your PC provided by WinPcap, the library which Wireshark uses to capture packets. So it appeared in your system because you (or someone else who can install software to your PC) have installed Wireshark along with WinPcap. See details here.

So it is something you can use to monitor the traffic of your own PC, not something that someone else would use to spy on you (unless they can control your PC and run packet capture in the background without your knowledge, but if they can, packet capture is one of the least harmful activities they could do).

Regarding

it flags red alerts

can you be more specific and possibly provide a screenshot of what you have in mind?

answered 23 Jun '17, 14:12

sindy
6.0k4851
accept rate: 24%

Another device in my network shares Device/NPF data with my machine, and I discovered it using Wireshark; previously it was sharing information using UPnP before I blocked it. Now I see communication between my device and the same device using UDP and TCP?

(23 Jun '17, 17:05) shawer6

In that case please capture that traffic, look for a couple of frame numbers of these suspicious packets, and then use File -> Export specified packets, fill these numbers comma-separated into the Range window, choose a destination folder and fill in some file name, and press [Save].

Then open this new file using Wireshark to check that it really contains those packets, and if yes, publish it at Cloudshark or any ordinary file sharing service and edit your question with a link to it.

Without seeing what kind of traffic you talk about it is hard to provide you with any useful feedback.

(23 Jun '17, 22:54) sindy