[Winpcap-users] question about NPF driver

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu May 8 21:47:34 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Condor Kim wrote:
> Then one day, without previous sign, as soon as I opened my
> wireshark, the message popped up: "The NPF driver isn't running...

As a local administrator do this:

net start npf

to start that driver.  Wireshark (well, more specifically the WinPcap
library) should be doing this on its own, but that operation will fail
if you don't run Wireshark as a local administrator.  The driver needs
to be running whenever you're capturing traffic; most of the time that
means it gets started once per boot.

If you want to have it running all the time, you can do this (on XP and
newer):

sc config npf start= auto

(note that the space between start= and auto is required) to make the
driver start automatically at boot time.  This means that the programs
you use won't have to start it themselves, which means you'll never have
to run them as a local admin.

Another possibility is that the driver is running, but somehow got
messed up to the point where it's denying open requests for the capture
interface.  You might be able to:

net stop npf
net start npf

to get it to reset itself.  (A reboot would also reset it, assuming it
starts on boot or is allowed to start because the WinPcap-using program
is run as an admin.)

A final possibility is, perhaps your network card disappeared from the
Windows networking stack at some point; it's possible that the handle
that NPF holds to the card will get invalidated at that point.  (If the
card is disabled or removed when you try to capture on it, then there's
no way the handle could possibly work.)  Restarting the npf driver
should also help here, as it will re-enumerate the existing network
cards and re-generate its list.

(I don't *think* that's required in recent versions of WinPcap anymore,
but it might be.)

> And, what is the string of numbers and letters following NPF_...?

It's a GUID (globally unique ID).  Each NIC in the system gets assigned
a GUID by Windows when the NIC gets discovered (though I don't know if
those GUIDs will change if the NIC goes away and comes back; they
might).  When the npf driver starts up, it looks at all the installed
network cards, and creates a \Device\NPF_<copy of the GUID> device that
user programs can use to talk to npf itself.  The WinPcap API uses this
interface to capture packets.

> Just when I thought all was over, a week later, my wireshark is
> working again. Did WinPcap fix itself or what?

If the machine restarted shortly before this, that could be the explanation.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFII3T1S5vET1Wea5wRAyA6AKCqiUNxZZPQ8fDeExH7MLG2o60wJgCgjJcN
YgarwOEQ1jBwrCaYokmpDNU=
=EC5/
-----END PGP SIGNATURE-----
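The checks and commands in the reply above, collected into one PowerShell script. This is an added example, not code from the original message or from the WinPcap project: it reads the driver's state, stops and restarts it the way the reply suggests for a wedged driver, optionally applies the `start= auto` change, and rebuilds the `\Device\NPF_{GUID}` names from the adapter GUIDs. It assumes the driver service is named `npf` as in the message, that it runs in an elevated session, and that `Get-NetAdapter` is available (Windows 8 / Server 2012 and newer, so newer than the XP-era systems in the thread).

```powershell
# Added example, not part of the original message or of WinPcap itself:
# check the state of the NPF driver, (re)start it as the message suggests,
# optionally set it to start at boot, and list the \Device\NPF_{GUID}
# names WinPcap exposes for each adapter.
# Assumptions: driver service name 'npf' (as in the message), an elevated
# session, and Get-NetAdapter being available (Windows 8 / Server 2012+).
param(
    [switch]$AutoStart   # also run the equivalent of 'sc config npf start= auto'
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NpfDriver {
    # Get-Service returns only Win32 services; kernel drivers such as npf
    # are visible through the Win32_SystemDriver CIM class instead.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'"
}

function Wait-NpfState([string]$State, [int]$TimeoutSec = 10) {
    # sc.exe start/stop return before the transition finishes, so poll.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        if ((Get-NpfDriver).State -eq $State) { return $true }
        Start-Sleep -Milliseconds 250
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Get-NpfCaptureDevice {
    # WinPcap names each capture device after the NIC's interface GUID,
    # braces included, so the mapping can be rebuilt from Get-NetAdapter.
    Get-NetAdapter | ForEach-Object {
        [pscustomobject]@{
            Adapter = $_.Name
            Status  = $_.Status
            Device  = "\Device\NPF_$($_.InterfaceGuid)"
        }
    }
}

if (-not (Test-IsElevated)) {
    throw "Starting or reconfiguring the npf driver requires an elevated session."
}

$npf = Get-NpfDriver
if (-not $npf) {
    throw "No kernel driver named 'npf' is installed; reinstall WinPcap."
}
if ($npf.StartMode -eq 'Disabled') {
    throw "npf is disabled; 'sc config npf start= demand' (or auto) before starting it."
}
"npf before: State=$($npf.State) StartMode=$($npf.StartMode)"

if ($npf.State -eq 'Running') {
    # Driver is up but may hold stale adapter handles: stop it first so the
    # restart makes it re-enumerate the NICs (the 'net stop'/'net start' case).
    sc.exe stop npf | Out-Null
    if (-not (Wait-NpfState 'Stopped')) { throw "npf did not stop in time." }
}

sc.exe start npf | Out-Null          # same as 'net start npf'
if (-not (Wait-NpfState 'Running')) { throw "npf did not reach the Running state." }

if ($AutoStart) {
    # 'start= auto' (the space after '=' is required) makes the driver start
    # at boot, so capture tools no longer need admin rights just to start it.
    sc.exe config npf start= auto | Out-Null
}

$npf = Get-NpfDriver
"npf after:  State=$($npf.State) StartMode=$($npf.StartMode)"

Get-NpfCaptureDevice | Format-Table -AutoSize
```

Save it as, for example, Restart-Npf.ps1 and run it from an elevated prompt; add `-AutoStart` to also apply the boot-time start change. The script queries `Win32_SystemDriver` rather than `Get-Service` because `Get-Service` lists Win32 services only and does not show kernel drivers like npf.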