Installed Wireshark on my PC but can't see PC NIC listed
asked 26 Sep '17, 06:58
Can you amend your question with the output of the Help -> About Wireshark -> Wireshark tab? You can highlight it and copy it to the clipboard, then paste it into your question.
I ran into this as well. Right-click on your Wireshark.exe and select "Run as administrator." Wireshark requires admin rights to list interfaces and capture packets. Windows 8 and 10 seem to ignore those rights sometimes even if you are admin, so you have to force it to run as admin.
Your comment is totally incorrect, Wireshark on Windows does NOT require administrative privileges to list interfaces and capture packets. Running with elevated privileges is an incredible security risk as millions of lines of code are exposed to whatever network traffic happens to pass by the interfaces you're capturing on.
If your system requires administrative rights to list interfaces and capture, then it's likely this is due to how you've installed either WinPcap or Npcap, the most common capture libraries used on Windows, where you haven't set the drivers to start automatically. Have a look at the Wireshark Wiki page on Capture Privileges for more info.
@grahamb Please be careful with words like "totally incorrect" and "incredible security risk." This is a nice and respectful community. My response does answer the question and will more than likely work. Security risks are also fairly subjective. Just because you think you have a better answer or you prefer a more detailed response does not make my answer wrong. Forgive my brevity in the original post. I gave a quick and generic answer. This would be my detailed response:
Wireshark's underlying driver (WinPcap) requires administrator rights. Please see the link in the previous post to set this up correctly if you have not already done so. If that doesn't work, you may be encountering a similar problem that I have. My company limits elevated privileges. We may be granted temporary admin rights on an as-needed basis. Unfortunately, in Win 8/10 WinPcap and Wireshark do not work well under these conditions for some reason. We definitely can't get WinPcap to run at startup. As a workaround you can force Wireshark to run as administrator. This will list your interfaces. Being that you're running Wireshark I assume you already understand your administrative and security footprints. As always, though, you should be careful how and where you use administrative privileges as this exposes you to more risk. Please adhere to your personal or company policies. However, if you know your environment and what traffic you are capturing, I personally think opening an email on a network connected PC is far more risky than running Wireshark (a single application on an isolated PC.) Of course, this risk increases if you are doing security investigations and capturing malicious traffic.
If this workaround is not acceptable or you'd like to work with and understand the underlying drivers better, please answer grahamb's original question and continue working through root cause with him.
The whole reason that folks put a lot of effort into privilege separation was entirely down to the security risk and I won't retract my strong warnings against running Wireshark with elevated privileges.
If company policies prevent you correctly installing a capture driver that you need to complete a company mandated task then your issues are with the impossible restrictions imposed on you. Presumably, those imposing the restrictions wouldn't be happy with you running Wireshark with elevated privileges either.
There are possibly a few edge cases where running with elevated privileges is required and the risks might be evaluated as acceptable, but blindly recommending a user do so is IMHO irresponsible.
@csereno first of all, I doubt there are that many people in the world who know more about running Wireshark on Windows than @grahamb, if any.
Of course access to the network cards requires certain privileges, like it does on any other platform. From a security point of view it is quite careless to run Wireshark "as Administrator", because that exposes the huge (and still vulnerable) code base of the packet dissectors to potentially bad packets. As a reference: so far, there are 48 CVE numbers assigned for Wireshark in 2017 alone: http://www.cvedetails.com/vulnerability-list/vendor_id-4861/product_id-8292/year-2017/Wireshark-Wireshark.html
A much safer way is to run Wireshark as normal user, and only allow dumpcap to access the network card via the NPF driver, which has an attack surface that is orders of magnitude smaller. If NPF doesn't work for you, try Npcap instead: https://nmap.org/npcap/
So I absolutely second the warning of @grahamb, and if you run Wireshark as administrator you're using a potentially dangerous workaround that should be treated as a workaround (meaning: don't make it a permanent solution ;-))
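A read-only check of what the two posts above describe (the capture driver's start type, and dumpcap reaching the NIC without elevation), added here as an example and not posted by any participant in this thread. The default install path and the driver service names `npf` (WinPcap) and `npcap` (Npcap) are assumptions about the local installation.

```powershell
# Added diagnostic example. Read-only: it changes no service or driver settings.
# Assumptions: default install path; driver service names npf (WinPcap), npcap (Npcap).
$dumpcap = Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'

# 1. Is this shell elevated? The goal is to have capture working when it is NOT.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running elevated: $elevated"

# 2. Capture driver state. Kernel drivers are listed by Win32_SystemDriver.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -in 'npf', 'npcap' }
if (-not $drivers) {
    Write-Warning 'No WinPcap/Npcap driver service found; is a capture library installed?'
}
foreach ($d in $drivers) {
    Write-Host ("{0}: State={1} StartMode={2}" -f $d.Name, $d.State, $d.StartMode)
    if ($d.State -ne 'Running') {
        # A stopped driver can only be started by an administrator, so a normal
        # user sees no interfaces until the driver is set to start automatically.
        Write-Warning "$($d.Name) is not running. One-time fix from an elevated prompt:"
        Write-Warning "  sc.exe config $($d.Name) start= auto"
        Write-Warning "  sc.exe start $($d.Name)"
    }
}

# 3. Ask dumpcap (the only process that needs driver access) to list interfaces.
if (Test-Path $dumpcap) {
    $ifaces = & $dumpcap -D 2>&1
    if ($LASTEXITCODE -eq 0 -and $ifaces) {
        Write-Host "dumpcap sees $(@($ifaces).Count) interface(s):"
        $ifaces | ForEach-Object { Write-Host "  $_" }
    } else {
        Write-Warning "dumpcap listed no interfaces: $ifaces"
    }
} else {
    Write-Warning "dumpcap.exe not found at $dumpcap"
}
```

Run it from a normal (non-elevated) PowerShell window: if the driver shows `Running` and dumpcap lists interfaces there, Wireshark itself never needs "Run as administrator".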
Ok, @grahamb and @Jasper. I think we have some miscommunication. First off, I recognize both of you as respected leaders of this community. In fact, I follow your blogs, postings, videos, etc. Thank you for all you do. Secondly, nowhere did I mean to insult anyone's intelligence. If I did, I apologize.
In responding to this post, I saw @grahamb was heading up a legitimate and technical diagnosis of the problem. I also saw it was a very brief and open question. I saw this question in passing and decided to offer up my experience with this issue. I only replied and did not mark my response as an answer or permanent solution. It was meant as a workaround and troubleshooting step only. In my experience, I did not have a problem with obtaining temporary admin rights for the thousands of users I support when I needed to install Wireshark and WinPCAP and obtain a packet capture until Win8/10. I have not had time to diagnose the problem yet to determine if it lies with WinPCAP, Wireshark, Windows, or our security policies. This is a workaround I have needed to use on several occasions to get the data I needed when in a pinch. I thought I would offer that up quickly as something to try, while @grahamb continued the formal diagnosis.
Onto the topic of security. No statement was given in regards to security in the initial question. Is this for a dedicated PC in an isolated test environment, an end user PC in a company, a personal PC at home, or a domain controller, etc? All of these have very different security measures. I treated my answer with the same brevity omitting the topic of security and left that to the admin's discretion. Any infrastructure admin should know their environment, policies, and acceptable security risk. I agree, security should be in the forefront and the best practices should be adhered to. However, I also know workarounds, temporary solutions, and testing are needed in the real world and sometimes that means even security has to take a back seat momentarily. @Jasper Npcap and other tools are great alternatives, and might be better long-term solutions. Again, I was allowing @grahamb to get to those eventually if he felt they were the proper solution. This question specifically regarded Wireshark, so I limited my response to Wireshark.
I was just offering a suggestion as something to try. I thought it would be taken as such and not result in a reprimand and inflamed response from, now 2, of the community leaders. I apologize.
No need for apologies, we're all just trying to keep folks safe while they're trying to get their tasks done.
@csereno, no hard feelings; I just try to hammer some security conscience into people's minds, which is hard enough as it is. So I am a bit overprotective maybe when it comes to running Wireshark as root/admin.
I'm sorry if this sounded too harsh (or "inflamed"), as it most certainly wasn't meant that way. It wasn't at all personal - we just need to make sure users do not "take the easy way" as soon as they hit a wall if that means increasing the attack surface. And that means we need to point out that that approach isn't safe.