Why do I see "The NPF driver isn't running. You may have trouble capturing or listing interfaces." when starting Wireshark?

Question

When I start up Wireshark, why do I see this message?

"The NPF driver isn't running. You may have trouble capturing or listing interfaces."

score 13 · Accepted Answer · answered Jul 26 '11 at 19:17

13

You need to run Wireshark with administrator privileges.

Exit Wireshark.
Find Wireshark on the Start Menu.
Right-click on it.
Select "Run as administrator",
Click "Yes" in the user account control dialog.

answered Jul 26 '11 at 19:17

Matthew Simoneau

639

score 5 · Answer 2 · answered Feb 07 '14 at 09:29

It's really best not to run Wireshark as Administrator. See here for an explanation - bugs in the dissector can do a lot more damage when it runs as administrator. A better solution (offered here) is the following:

Open a command prompt (cmd.exe) using the "Run as administrator" option
Run the command sc qc npf
You will see output similar to this:


    C:\Windows\system32>sc qc npf
    [SC] QueryServiceConfig SUCCESS
    SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

If it looks like this, you will need to start the service using sc start npf
so that it displays STATE : 4 RUNNING.
To start the service automatically in future, use sc config npf start= auto
(that space after the equals sign is important)

score 1 · Answer 3 · answered Jan 21 '15 at 21:37

Run "cmd.exe" as Administrator, and go

cd C:\Windows\system32

then

C:\Windows\system32>sc qc npf start= auto

To make sure type "sc qc npf", you will get the output:

C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

To make it back type:

C:\Windows\system32> sc qc npf start= demand

score 0 · Answer 4 · edited Dec 24 '14 at 09:09

RTI Protocol Analyzer with Wireshark uses the Windows Packet capture (WinPcap) driver called NPF driver when it starts to capture live data. Loading the driver requires Administrator privileges.

To cllear this error, you need to open the file called npf.sys which is located at

* C:\Windows\System32\Drivers\

in Windows 7. Follow the below guide to open the npf.sys file.

Firstly, make sure that you have installed winpcap, if you didn't install it, just go to its official site and download it for installation: http://www.winpcap.org Next, find cmd.exe which is located at

* C:\Windows\System32

in Windows 7, right click and "Run as administrator". When it opened, input net start npf, then the NPF driver is successfully opened. That is,the file npf.sys is opened. At last, restart Wireshark, it will be OK now.

Note:
If you are using Linux or Ubuntu, after WinpCap is installed, use the common " >$ su Administrator " to switch to the highest authority account, then input net start npf .

If you are using Windows XP, login with administrator account then open cmd, input net start npf.

Why do I see "The NPF driver isn't running. You may have trouble capturing or listing interfaces." when starting Wireshark?

4 Answers4

Linked