2

Wireshark doesn't show the Ethernet interface after the miniport driver is installed. Wireshark shows "No interfaces found". But Microsoft Message Analyzer and NetMon can locate the adapter interface and show the captured packets.

But if I restart the machine then Wireshark is able to find the interface. I suspect it's due to binding issues between WinPcap and my miniport driver. Please correct me if I'm wrong! Do I need to change the INF file or look at the OID requests part, as the NPF filter (used by WinPcap) isn't able to get its hands on the miniport driver?

With regards, Jenson

  • Seems like it could be a WinPcap driver limitation. It cannot detect any new adapter installed unless the adapter was already present during bootup [Link to reference](http://www.winpcap.org/pipermail/winpcap-bugs/2010-March/001183.html). Would still like someone to confirm if this bug persists in Wireshark 2.2.1 with WinPcap (4_1_3) – Jenson Pais Nov 17 '16 at 13:17

1 Answer

3

From what I recall, if network adapters are installed or removed the pcap service needs to be restarted to pick up the changes.

To stop the service, from a command line with Administrator rights:

```
net stop npf
```

To start it again:

```
net start npf
```

Carsten Hansen
  • So this is a known limitation of npf/WinPCap?! **Can you confirm if this issue persists in WinPcap 4.1.3 too?** I did come across the emailing list for WinPcap which mentioned the solution you have mentioned or a reboot. – Jenson Pais Nov 18 '16 at 04:43
  • 1
    I am fairly certain 4.1.3 behaves this way - that's the version I'm currently running. Whether the winpcap team considers it to be an issue I don't know. It may just be a design decision - after all, adding or removing network adapters is not a frequent event in most environments – Carsten Hansen Nov 18 '16 at 05:42
  • Cheers for the prompt reply Carsten. I needed some ammunition in case someone came blaming my driver for this issue. – Jenson Pais Nov 18 '16 at 05:50
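
The restart described in the answer, wrapped so that the effect can be checked without a reboot. This is an added example, not part of the original answer: it lists the capture interfaces with `dumpcap -D` before and after restarting `npf` and reports which ones are new. The `dumpcap.exe` path is an assumption (default Wireshark install location), and `Get-CaptureInterfaces` is a helper name introduced here.

```powershell
# Added example: restart the WinPcap NPF driver service and report which
# capture interfaces appear afterwards. Run from an elevated PowerShell prompt.
# Assumption: Wireshark is installed in its default location.
$dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'

function Get-CaptureInterfaces {
    # dumpcap -D prints one numbered line per interface it can capture on.
    if (-not (Test-Path $dumpcap)) { throw "dumpcap not found at $dumpcap" }
    $lines = & $dumpcap -D 2>$null
    # Drop the leading index so the before/after lists compare by device name.
    @($lines | Where-Object { $_ -match '^\d+\.\s' } |
        ForEach-Object { $_ -replace '^\d+\.\s+', '' })
}

# Stopping and starting a driver service needs Administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Restarting npf requires an elevated prompt.'
}

$before = Get-CaptureInterfaces

# Same commands as in the answer. "net stop" may fail if npf was not running,
# so only the result of "net start" is treated as fatal.
net.exe stop npf | Out-Null
net.exe start npf | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net start npf failed with exit code $LASTEXITCODE" }

$after = Get-CaptureInterfaces
$new   = @($after | Where-Object { $before -notcontains $_ })

"Interfaces before restart: $($before.Count)"
"Interfaces after restart:  $($after.Count)"
if ($new.Count -gt 0) {
    'Newly visible interfaces:'
    $new | ForEach-Object { "  $_" }
} else {
    'No new interfaces appeared after restarting npf.'
}
```

If the adapter shows up under "Newly visible interfaces", the miniport driver was bound correctly and only the NPF service was holding a stale adapter list.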