This post is current as of WinPcap 4.1.3 and is written from the perspective of Windows 7, 8.1 and 10.
1. How do you tell if WinPcap is installed?
Quick check: WinPcap will show up in Control Panel/Programs and Features. This is not a guarantee that it is properly installed or running.
Detailed check: WinPcap has three main components. Here is where to find them on a 64 bit Windows operating system:
- c:\windows\system32\drivers\npf.sys (this is the actual kernel mode driver)
- c:\windows\system32\packet.dll (64 bit version of DLL) and c:\windows\SysWOW64\packet.dll (32 bit version of DLL)
- c:\windows\system32\wpcap.dll (64 bit version of DLL) and c:\windows\SysWOW64\wpcap.dll (32 bit version of DLL)
2. How do you tell if WinPcap is running?
The WinPcap driver does not show up in the list of services accessible through Control Panel/Administrative Tools/Services - but you can find out another way.
Start up a Command Prompt using Run as administrator and enter the following command that shows the driver configuration:
C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :
Make a note of the START_TYPE, we will discuss that later.
This command shows the actual WinPcap driver state, whether running or stopped:
C:\WINDOWS\system32>sc query npf
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
3. How do you start WinPcap?
From an administrator Command Prompt, enter this and look at the STATE to make sure it is running:
C:\WINDOWS\system32>sc start npf
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
4. How do you stop WinPcap?
From an administrator Command Prompt, enter this and look at the STATE to make sure it is stopped. If it does not stop, you need to exit any programs using it.
C:\WINDOWS\system32>sc stop npf
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
5. Some people have trouble starting Wireshark: it starts to load OK but stops at Configuration 100%. What can be done?
Remember the START_TYPE entry from number 2 above? It needs to change from AUTO_START to delayed automatic start. From an administrator Command Prompt, enter this command, then reboot your system, then try Wireshark again. The space after start= is required.
C:\WINDOWS\system32>sc config npf start= delayed-auto
[SC] ChangeServiceConfig SUCCESS
6. How can I tell which program is currently using WinPcap?
That can be a little difficult, but if a program is actively using WinPcap there is a way to find out by using Sysinternals Process Explorer.
- Download Process Explorer from here and run it: https://technet.microsoft.com/en-us/sysinternals/bb896653
- Make sure npf is running.
- In Process Explorer, click on the Find menu, then Find Handle or DLL
- Enter wpcap or packet and press Search. If NetScanTools Pro is running, it shows nstpro.exe, its PID, the DLL name and C:\Windows\SysWOW64\wpcap.dll - in other words, if a program is actively using WinPcap, it will show up there.
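The checks from steps 1, 2 and 6 can be scripted so they run together. The following is an added example, not code from the original post; it assumes 64-bit Windows with the file locations listed in step 1 and is run from an elevated PowerShell window.

```powershell
# Added example, not code from the original post: PowerShell checks mirroring steps 1, 2
# and 6. Run from an elevated PowerShell window on 64-bit Windows; note that PowerShell
# aliases "sc" to Set-Content, so the .exe suffix on sc.exe is required.

function Test-WinPcapFiles {
    # Step 1: the kernel driver plus the 64-bit and 32-bit copies of the two DLLs.
    $paths = @(
        "$env:SystemRoot\System32\drivers\npf.sys",
        "$env:SystemRoot\System32\Packet.dll",  "$env:SystemRoot\SysWOW64\Packet.dll",
        "$env:SystemRoot\System32\wpcap.dll",   "$env:SystemRoot\SysWOW64\wpcap.dll"
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p) }
    }
}

function Get-ScField([string[]]$Lines, [string]$Field) {
    # sc.exe prints "NAME : value" rows; return one row's value, or $null if the row is absent.
    $hit = $Lines | Select-String -Pattern "^\s*$Field\s*:\s*(.*)$" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-NpfDriverStatus {
    # Step 2: START_TYPE from "sc qc npf" and STATE from "sc query npf".
    $qc = sc.exe qc npf
    $installed = ($LASTEXITCODE -eq 0)       # exit code 1060 = no such service registered
    $query = sc.exe query npf
    [pscustomobject]@{
        Installed = $installed
        StartType = Get-ScField $qc 'START_TYPE'   # e.g. "2   AUTO_START" or "... (DELAYED)"
        State     = Get-ScField $query 'STATE'     # e.g. "4  RUNNING" or "1  STOPPED"
    }
}

function Get-WinPcapUsers {
    # Step 6 without Process Explorer: processes that have loaded either WinPcap DLL. Processes
    # this session cannot inspect (access denied, bitness mismatch, exited) are skipped, so an
    # empty result is not proof that nothing is using the driver.
    foreach ($proc in Get-Process) {
        try { $mods = Get-Process -Id $proc.Id -Module -ErrorAction Stop } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -in 'wpcap.dll', 'Packet.dll') {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

Test-WinPcapFiles | Format-Table -AutoSize
Get-NpfDriverStatus
Get-WinPcapUsers | Format-Table -AutoSize
```

If Get-WinPcapUsers comes back empty but sc stop npf still fails (step 4), fall back to the Process Explorer search above, which can see processes this script has to skip.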
Kirk