This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

WinPcap/NPF not in the Device Manager


Hello. When installing Wireshark in a Windows XP virtual machine, I saw that WinPcap was installed, yet it is not showing up in the Device Manager.

From the Device Manager you can select View->Show hidden devices, then open Non-Plug and Play Drivers and right click on NetGroup Packet Filter Driver. In the driver properties you can set the startup type as well as start and stop the driver manually.

In Windows XP I could only find the "Computer Management (local)/Device Manager", and the NetGroup does not show up, and neither does the NPF.

Question: Does WinPcap/NPF work with a virtual OS? The NPF driver does show up in the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START).

asked 08 Jan '12, 17:17

will

edited 09 Jan '12, 11:44

Guy Harris ♦♦

One Answer:


I'm not sure what type of virtual machine you have, but I run Windows XP on a virtual machine under VMware Fusion on Mac OS X. It has Wireshark and WinPcap installed, and if I open "Properties" for "My Computer", select the "Hardware" tab, open "Device Manager" with the button, select View -> Show hidden devices, open up Non-Plug and Play Drivers, and control-click (this is a MacBook Pro, that's the only "right click" I can do :-)) on NetGroup Packet Filter Driver and select Properties from the menu, I get a "NetGroup Packet Filter Driver Properties" window.

And, yes, I can capture traffic with Wireshark on that virtual machine.

What happens if you do the same?

answered 09 Jan '12, 12:23

Guy Harris ♦♦

Guy, I have Windows XP Mode – Virtual Machine Shell Information (.vmcx) and was able to find NDF in the Program Files. I have been trying to capture data, and I have the interface correct, but it does not capture any.

(09 Jan '12, 12:35) will

I should add that it is a company PC and I have requested from IT if I could get VMWare Fusion. If there are $$$ involved they will probably say no.

(09 Jan '12, 13:57) will

If your company PC is running Windows or Linux one would hope they'd say no! VMware Fusion is the Mac client version. For Windows or Linux, the client would be VMware Workstation; I suspect from the ".vmcx" that you have some VMware software for the virtual machine.

As for capturing the traffic, try downloading Microsoft Network Monitor and seeing whether it can capture traffic.

(09 Jan '12, 14:14) Guy Harris ♦♦

Wireshark runs and captures successfully for me using a vanilla XP Mode virtual machine. Have you modified the network settings of the VM in any way (from the VM Settings, not within the VM)?

.vmcx is the extension for the XP Mode VM settings file. This is Microsoft's VM technology in Windows 7, not VMWare.

(10 Jan '12, 03:20) grahamb ♦
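
A command-line check for what the thread looks for in Device Manager, as an added example that is not part of the original posts. It assumes the built-in `sc`, `net`, `reg` and `findstr` tools and an administrator command prompt inside the guest; the service name `npf` is taken from the registry key in the question.

```batch
@echo off
rem Added example: inspect the WinPcap NPF driver from cmd.exe
rem instead of Device Manager. Run inside the Windows XP guest.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\NPF

rem 1. Is the driver registered as a service? sc exits non-zero
rem    (error 1060) when no service with that name exists.
sc query npf >nul 2>&1
if errorlevel 1 (
    echo NPF service not found. WinPcap is not installed correctly.
    exit /b 1
)

rem 2. Is the driver loaded right now?
sc query npf | findstr /r /c:"STATE.*RUNNING" >nul
if errorlevel 1 (
    echo NPF is installed but stopped. Trying to start it.
    net start npf
) else (
    echo NPF is running.
)

rem 3. Read the Start value from the registry key named in the question.
set START=
for /f "tokens=3" %%S in ('reg query "%KEY%" /v Start ^| findstr "REG_DWORD"') do set START=%%S

if "%START%"=="0x1" echo Start type: 0x1 SERVICE_SYSTEM_START
if "%START%"=="0x2" echo Start type: 0x2 SERVICE_AUTO_START
if "%START%"=="0x3" echo Start type: 0x3 SERVICE_DEMAND_START
if "%START%"=="0x4" echo Start type: 0x4 SERVICE_DISABLED
if "%START%"=="" echo Could not read the Start value under %KEY%.

endlocal
```

If the driver reports RUNNING and capture still shows no packets, the driver is not the problem and the VM's network settings are the next thing to check.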