Wireshark – The NPF driver isn’t running

When starting Wireshark on a new Windows 7 box, the following error appears:
"The NPF driver isn't running. You may have trouble capturing or listing interfaces"

This error refers to WinPcap, which supplies the NPF (NetGroup Packet Filter) driver that Wireshark captures through.

To check whether the NetGroup Packet Filter driver is installed, open the Computer Management console:

  1. Start | compmgmt.msc | OK
  2. System Tools > Device Manager
  3. Menu: View | Show hidden devices
  4. System Tools > Device Manager > Non-Plug and Play Drivers | NetGroup Packet Filter Driver


If it is not listed, download and install WinPcap.

If it is listed, bring up a command prompt (as administrator) and query the driver's service configuration:

C:\Windows\system32>sc qc npf

[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
 TYPE : 1 KERNEL_DRIVER
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : system32\drivers\npf.sys
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : NetGroup Packet Filter Driver
 DEPENDENCIES :
 SERVICE_START_NAME :

All that was needed was to start it:

C:\Windows\system32>sc start npf

and then change it to start automatically (note the space after "start="; sc requires it):

C:\Windows\system32>sc config npf start= auto
[SC] ChangeServiceConfig SUCCESS
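The same check-and-fix, scripted for an elevated PowerShell prompt. This is an added example, not part of the original post; it assumes WinPcap is already installed (so the npf service exists) and drives sc.exe exactly as the post does, only starting the driver and changing its start type when the query shows that is needed.

```powershell
# Added example (not from the original post): check the NPF driver with sc.exe,
# then start it and set it to auto-start only when needed.
# Run from an elevated PowerShell prompt. Use "sc.exe" explicitly: in PowerShell
# the bare word "sc" is an alias for Set-Content, not the service controller.
$name = 'npf'

# Query the service configuration; a failing query means WinPcap is not installed.
$qc = & sc.exe qc $name 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Service '$name' not found (sc exit code $LASTEXITCODE). Install WinPcap first."
    return
}

# The START_TYPE line looks like:  START_TYPE : 2 AUTO_START
$startType = ($qc | Select-String 'START_TYPE').Line -replace '.*:\s*', ''
Write-Host "Current START_TYPE: $startType"

# The STATE line of "sc query" looks like:  STATE : 4 RUNNING  (or 1 STOPPED)
$state = (& sc.exe query $name | Select-String '^\s*STATE').Line -replace '.*:\s*', ''
Write-Host "Current STATE: $state"

if ($state -notmatch 'RUNNING') {
    & sc.exe start $name | Out-Null
    Write-Host "Started $name"
}

if ($startType -notmatch 'AUTO_START') {
    # sc.exe needs "start=" and "auto" as two separate tokens, hence the space.
    & sc.exe config $name start= auto | Out-Null
    Write-Host "Set $name to AUTO_START"
}
```

Because the script only acts on a driver that is stopped or not set to auto-start, it is safe to re-run as a quick health check before a capture session.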

Using Wireshark to trace packets

I have recently been using Wireshark to determine network activity when using multicasting; it has proved invaluable in helping to track down some application features.

Wireshark is a great free tool available from http://www.wireshark.org/

Use Wireshark to sniff the network (download it from the link above).

To start a trace:

  1. Define a filter; see the examples below.
  2. Menu: Capture | Interfaces. Select the interfaces you wish to trace.
  3. Press Start.

The filter is all powerful; change it to do what you need!

Examples

Trace UDP traffic only for a defined port

Here, we want to trace all UDP traffic on ports 7980 and 6980, so the filter will be udp.port==7980 or udp.port==6980

Show all traffic originating from a given IP and being sent to another IP

Set the filter to ip.dst==xxx.xxx.xxx.xxx&&ip.src==xxx.xxx.xxx.xxx

Example

E.g. ip.dst==230.6.8.1&&ip.src==172.27.98.15. I used this example to show all traffic sent from my source machine (.15) onto the multicast pool address (230.6.8.1).
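The two filters above, run from the command line with tshark (Wireshark's command-line capture tool) instead of the GUI. This is an added example, not part of the original post; it assumes tshark.exe is on PATH, that interface number 1 is the one to capture on (check with tshark -D), and that the output path under $env:TEMP is acceptable. It also shows a point the post does not spell out: the udp.port==7980 style is Wireshark's display filter language, whereas a capture filter (what gets applied at capture time) uses pcap syntax such as udp port 7980. Note that udp.port matches either the source or the destination port, and that Wireshark accepts both and/&& and or/|| in display filters.

```powershell
# Added example (not from the original post): the post's two filters applied with tshark.
# Assumes tshark.exe is on PATH and the WinPcap/NPF driver from the first post is running.

$iface   = 1                                   # interface number, chosen from: tshark -D
$outFile = "$env:TEMP\multicast_trace.pcapng"  # constructed output path for this example

# List capture interfaces so the number above can be chosen.
& tshark.exe -D

# 1) Capture only UDP ports 7980/6980 using a pcap CAPTURE filter (-f), stop after
#    200 packets (-c) and save to a file (-w). This is the capture-time equivalent of
#    the post's display filter "udp.port==7980 or udp.port==6980".
& tshark.exe -i $iface -f 'udp port 7980 or udp port 6980' -c 200 -w $outFile

# 2) Re-read the saved capture (-r) and apply the post's second filter as a DISPLAY
#    filter (-Y; older tshark builds used -R): all traffic from the source host .15
#    to the multicast group 230.6.8.1.
& tshark.exe -r $outFile -Y 'ip.src==172.27.98.15 && ip.dst==230.6.8.1'

# 3) The post's UDP port filter, applied as a display filter while reading the file.
#    udp.port matches packets where EITHER the source or the destination port is listed.
& tshark.exe -r $outFile -Y 'udp.port==7980 or udp.port==6980'
```

Capturing with a narrow capture filter and then refining with display filters on the saved file is usually the better workflow: the capture file stays small, and the display filter can be changed as often as needed without recapturing.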