CapturePrivileges
During installation of Wireshark and WinPcap I ran into some problems. I've installed the following packages: WinPcap 4.1.3 and Wireshark 1.8.6. When I try to run Wireshark I get the message "The NPF driver isn't running. You may have trouble capturing or listing interfaces." After some research I tried the command sc start npf. One comment that Wireshark doesn't need npf if running as admin has to be pure BS. Npf is the WinPcap driver!! So, the focus here needs to be on getting the WinPcap driver installed and running in a system that seems to not want to do that. I used no special tricks on the first system. I'm using the same internet security. Again with no tricks.
You need to run Wireshark or TShark on an account with sufficient privileges to capture, or need to give the account on which you're running Wireshark or TShark sufficient privileges to capture. The way this is done differs from operating system to operating system.
To be secure (at least in a way), it is recommended that even an administrator should always work in an account with limited user privileges and only start the processes that really need administrator privileges. The Security page explains why this is a good idea.
Virtual machine
If you are running inside a virtual machine, make sure the host allows you to put the interface into promiscuous mode.
Windows
The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it's stopped again.
Note: Simply stopping Wireshark won't stop the WinPcap driver!
It might not be desirable that any local user can also capture from the network while the driver is loaded, but this can't be currently circumvented. Please note that this is not a limitation of the Wireshark implementation, but of the underlying WinPcap driver; see this note in the WinPcap FAQ.
There are three possible solutions to start Wireshark with the privilege to capture:
Start Wireshark as Administrator
Advantage: Very easy to work with.
Disadvantage: Running Wireshark this way is very insecure, as any Wireshark exploit will run with administrator privileges and can compromise the whole system.
Start the NPF driver automatically at system start
The easiest way to do this is to select Start WinPcap service 'NPF' at startup in the Wireshark installer. You can change the start settings of the NPF service to 'automatic' or 'system' at any time using the following methods:
From the Device Manager you can select View->Show hidden devices, then open Non-Plug and Play Drivers and right click on NetGroup Packet Filter Driver. In the driver properties you can set the startup type as well as start and stop the driver manually.
From the command line you can run
(This must be run as Administrator under Vista.)
In the registry you can change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start from 0x3 (SERVICE_DEMAND_START) to 0x2 (SERVICE_AUTO_START) or 0x1 (SERVICE_SYSTEM_START).
As the driver is already started, you can run Wireshark as a normal user all the time.
Advantage: Very easy to work with.
Disadvantage: Every local user can always capture live data.
Start the NPF driver by hand
You can start the driver by hand before starting Wireshark and stop it afterwards.
Using Wireshark running in a user account could look like:
Start the NPF driver:
runas /u:administrator "net start npf"
Start Wireshark as a user and work with it, including capturing, until the specific job is finished.
Stop the NPF driver again:
runas /u:administrator "net stop npf"
This can obviously be automated using a batch file.
Advantage: Most secure solution.
Disadvantage: You'll have to enter the password each time you start/stop Wireshark.
Most UNIXes
Wireshark has implemented Privilege Separation which means that the Wireshark GUI (or the tshark CLI) can run as a normal user while the dumpcap capture utility runs as root. This can be achieved by installing dumpcap setuid root. The advantage of this solution is that while dumpcap is run as root the vast majority of Wireshark's code is run as a normal user (where it can do much less damage).
GNU/Linux distributions, Wireshark is installed using a package manager
GNU/Linux distributions usually provide package managers which handle installation, configuration and removal of software packages. Wireshark is provided by several distributions and some of them help in configuring dumpcap to allow capturing even for non-root users.
Debian, Ubuntu and other Debian derivatives
Installing the Wireshark packages does not automatically give non-root users the right to capture packets. To allow non-root users to capture packets, follow the procedure described in the Wireshark debian/README.Debian file.
Other Linux based systems or other installation methods
Other Linux distributions may require that you give dumpcap sufficient privileges by hand.
Setting network privileges for dumpcap if your kernel and file system support file capabilities
Ensure that you have installed the necessary tools, such as the setcap command.
sudo setcap cap_net_raw,cap_net_admin+eip /usr/sbin/dumpcap
(NOTE: Replace /usr/sbin with /usr/bin in case you receive an error that indicates that dumpcap isn't in /usr/sbin.)
Start Wireshark as non-root and ensure you see the list of interfaces and can do live capture.
Setting network privileges for dumpcap if your kernel and file system don't support file capabilities
In this case, you will need to make dumpcap set-UID to root (both commands need root privileges, hence sudo):
sudo chown root /usr/sbin/dumpcap
sudo chmod u+s /usr/sbin/dumpcap
(NOTE: Replace /usr/sbin with /usr/bin in both commands in case you receive an error that indicates that dumpcap isn't in /usr/sbin.)
Limiting capture permission to only one group
Before setting dumpcap's network privileges (for example, using the file capabilities approach above):
Create group 'wireshark' and add yourself to it:
Re-login to apply the group changes, or use
newgrp wireshark
as the normal user to enter the wireshark group. (Run the groups command to verify that you are part of the wireshark group.)
sudo chgrp wireshark /usr/sbin/dumpcap
sudo chmod o-rx /usr/sbin/dumpcap
(Changing the group will clear file capabilities (or setuid bits), so reset them using setcap as described above.)
Ensure Wireshark works only from a user in the 'wireshark' group.
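The three Linux procedures above (file capabilities, set-UID fallback, and restricting dumpcap to one group) are combined below into one script. This is an added example and is not part of the wiki page or the Wireshark project; it assumes a Linux system with GNU coreutils, the libcap tools (setcap/getcap) when available, and a dumpcap path that can be overridden with the DUMPCAP environment variable. It applies the group restriction first and the privileges last, because chgrp/chown clear file capabilities and the setuid bit, and it ends with a verification step.

```shell
#!/bin/sh
# Added example (not from the Wireshark wiki): lock dumpcap down to the
# 'wireshark' group, then grant it capture privileges with file capabilities,
# falling back to set-UID root when setcap/getcap are unavailable.
# Usage (as root):  sh dumpcap-privs.sh apply      # configure + verify
#                   sh dumpcap-privs.sh check      # verify only
# Override the binary location:  DUMPCAP=/usr/bin/dumpcap sh dumpcap-privs.sh apply
DUMPCAP="${DUMPCAP:-/usr/sbin/dumpcap}"
GROUP=wireshark
CAPS="cap_net_raw,cap_net_admin+eip"

# Octal permission bits of a file, e.g. 750 or 4750 (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Name of the group owning a file.
file_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Decide how to grant privileges: "caps" if the libcap tools exist, else "setuid".
choose_method() {
    if command -v setcap >/dev/null 2>&1 && command -v getcap >/dev/null 2>&1; then
        echo caps
    else
        echo setuid
    fi
}

# Return 0 when the 'other' class has neither read nor execute permission,
# i.e. only the owner and group members can run the file.
others_locked_out() {
    case "$(file_mode "$1")" in
        *[02]) return 0 ;;
        *)     return 1 ;;
    esac
}

# Apply the configuration. Must run as root.
setup_dumpcap() {
    method=$(choose_method)
    # 1. make sure the group exists and the invoking user is a member
    #    (SUDO_USER is the real user when run through sudo)
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    usermod -a -G "$GROUP" "${SUDO_USER:-$(id -un)}"
    # 2. restrict dumpcap to that group BEFORE granting privileges
    chgrp "$GROUP" "$DUMPCAP"
    chmod o-rx "$DUMPCAP"
    # 3. grant privileges last, since chgrp/chown cleared any earlier ones
    if [ "$method" = caps ]; then
        setcap "$CAPS" "$DUMPCAP"
    else
        chown root "$DUMPCAP"
        chmod u+s "$DUMPCAP"
    fi
}

# Verify the end state; prints each problem found and returns 1 if any.
verify_dumpcap() {
    rc=0
    [ -x "$DUMPCAP" ] || { echo "$DUMPCAP not found or not executable"; return 1; }
    [ "$(file_group "$DUMPCAP")" = "$GROUP" ] || { echo "group is not $GROUP"; rc=1; }
    others_locked_out "$DUMPCAP" || { echo "users outside $GROUP can still run dumpcap"; rc=1; }
    if [ "$(choose_method)" = caps ]; then
        getcap "$DUMPCAP" | grep -q cap_net_raw || { echo "no capabilities set on $DUMPCAP"; rc=1; }
    else
        case "$(file_mode "$DUMPCAP")" in
            4*) ;;
            *)  echo "setuid bit not set on $DUMPCAP"; rc=1 ;;
        esac
    fi
    return $rc
}

case "${1:-}" in
    apply) setup_dumpcap && verify_dumpcap ;;
    check) verify_dumpcap ;;
esac
```

After running with `apply`, log out and back in (or use newgrp wireshark) so the new group membership takes effect, then start Wireshark as the normal user and confirm the interface list appears; the `check` mode can be rerun at any time, for instance after a package upgrade replaced the dumpcap binary and silently dropped its capabilities.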
BSD (including macOS)
In order to capture packets, you must have read access to the BPF devices in /dev/bpf*.
On BSDs without a devfs, the special files for those devices are on your root file system, and changes to them will persist across reboots. In order to allow yourself, or yourself and others, to capture traffic without running Wireshark as root, either make them owned by you, or make them owned by a group to which you and others to whom you want to give capture permission belong and give that group read access, or, if your BSD supports ACLs on special files, add the users who should have permission to capture to the ACL, with the ACL entry giving them read permission. You will probably need super-user permission to do this.
On BSDs with a devfs (this includes macOS), this might involve more than just having somebody with super-user access set the ownership and/or permissions on the BPF devices. It might involve configuring devfs to set the ownership or permissions every time the system is booted, if the system supports that (FreeBSD 5.x's devfs does). If the system doesn't support that (macOS's devfs doesn't), you might have to find some other way to make that happen at boot time, such as a command in one of the system rc files, or a startup item or launchd launch daemon in macOS; see the ChmodBPF directory in libpcap 0.9.1 or later for such a launch daemon.
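The group-ownership approach described above for the BPF devices, as an added example that is not part of the wiki page or of libpcap's ChmodBPF: it assumes a group named access_bpf (the group name is an assumption) and that the devices match /dev/bpf*; the BPF_DEVS variable can be overridden to point the check at other paths. The grant step needs super-user access; the check can be run by any user to confirm that capture will work without running Wireshark as root. On a devfs-based system the grant function has to be rerun at each boot, for instance from an rc file or a launchd daemon.

```shell
#!/bin/sh
# Added example (not from the Wireshark wiki or libpcap): give members of one
# group read access to the BPF devices and let any user verify that access.
# Usage:  sh bpf-access.sh grant   (as root)
#         sh bpf-access.sh check   (as the user who wants to capture)
BPF_GROUP="${BPF_GROUP:-access_bpf}"   # assumed group name
BPF_DEVS="${BPF_DEVS:-/dev/bpf*}"      # glob of BPF device nodes

# Make every existing BPF device root:$BPF_GROUP, readable by the group only.
grant_bpf_access() {
    for dev in $BPF_DEVS; do
        [ -e "$dev" ] || continue
        chown "root:$BPF_GROUP" "$dev"
        chmod 0640 "$dev"
    done
}

# List the devices the current user cannot read. Returns 0 when all readable
# (also when no device matches, which is reported separately).
check_bpf_access() {
    rc=0
    found=0
    for dev in $BPF_DEVS; do
        [ -e "$dev" ] || continue
        found=1
        if [ ! -r "$dev" ]; then
            echo "not readable by $(id -un): $dev"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || echo "no device matches $BPF_DEVS"
    return $rc
}

case "${1:-}" in
    grant) grant_bpf_access && check_bpf_access ;;
    check) check_bpf_access ;;
esac
```

Group membership on BSD is applied at login, so after being added to the group a user must log in again before the check succeeds.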
Digital/Tru64 UNIX
Any user can, in principle, capture network traffic. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using pfconfig(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using pfconfig, so useful packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface. You might be able to limit the set of users allowed to capture traffic by changing the ownership and/or permissions of the /dev/pfilt* devices.
Imported from https://wiki.wireshark.org/CaptureSetup/CapturePrivileges on 2020-08-11 23:11:50 UTC