When I start up Wireshark, why do I see this message?
"The NPF driver isn't running. You may have trouble capturing or listing interfaces."
4 Answers
You need to run Wireshark with administrator privileges.
- Exit Wireshark.
- Find Wireshark on the Start Menu.
- Right-click on it.
- Select "Run as administrator".
- Click "Yes" in the user account control dialog.
It's really best not to run Wireshark as Administrator. See here for an explanation - bugs in the dissector can do a lot more damage when it runs as administrator. A better solution (offered here) is the following:
- Open a command prompt (cmd.exe) using the "Run as administrator" option
- Run the command sc qc npf
You will see output similar to this:
C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :
If it looks like this, you will need to start the service using sc start npf so that it displays STATE : 4 RUNNING.
To start the service automatically in future, use sc config npf start= auto
(that space after the equals sign is important)
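The same check as an added PowerShell example (not part of the answer above, and not Wireshark or WinPcap code): it reports the npf driver's state and start mode and starts the driver only from an elevated session, so that Wireshark itself can stay unelevated. It assumes the driver is registered under the service name npf, as in the output above.

```powershell
# Added example: report the NPF driver's state and start mode, and start it
# only when this session is elevated. Run in PowerShell on Windows.
$driverName = 'npf'   # assumption: service name as shown in the sc qc output

# Win32_SystemDriver lists kernel drivers such as npf.
$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'"
if (-not $driver) {
    Write-Warning "Driver '$driverName' is not registered (is WinPcap installed?)."
    return
}

# StartMode 'Manual' corresponds to DEMAND_START, 'Auto' to AUTO_START.
"{0}: State={1} StartMode={2} Path={3}" -f $driver.Name, $driver.State,
    $driver.StartMode, $driver.PathName

if ($driver.State -eq 'Running') {
    'NPF is already running; nothing to start.'
    return
}

# Starting a kernel driver needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $elevated) {
    Write-Warning 'Not elevated. Reopen PowerShell with "Run as administrator" and rerun.'
    return
}

# Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
sc.exe start $driverName
if ($LASTEXITCODE -ne 0) {
    Write-Warning "sc.exe start failed with exit code $LASTEXITCODE."
    return
}

# Re-query to confirm the driver actually reached the Running state.
(Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'").State
```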
Run "cmd.exe" as Administrator, and go
cd C:\Windows\system32
then
C:\Windows\system32>sc config npf start= auto
To make sure, type "sc qc npf"; you will get the output:
C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :
To change it back, type:
C:\Windows\system32>sc config npf start= demand
RTI Protocol Analyzer with Wireshark uses the Windows Packet capture (WinPcap) driver called NPF driver when it starts to capture live data. Loading the driver requires Administrator privileges.
To clear this error, you need to open the file called npf.sys which is located at
* C:\Windows\System32\Drivers\ in Windows 7. Follow the below guide to open the npf.sys file.
Firstly, make sure that you have installed WinPcap; if you didn't install it, just go to its official site and download it for installation:
Next, find cmd.exe which is located at
* C:\Windows\System32 in Windows 7, right click and "Run as administrator". When it has opened, input net start npf, then the NPF driver is successfully opened. That is, the file npf.sys is opened. At last, restart Wireshark, it will be OK now.
Note:
If you are using Linux or Ubuntu, after WinPcap is installed, use the command " >$ su Administrator " to switch to the highest authority account, then input net start npf.
If you are using Windows XP, log in with an administrator account, then open cmd and input net start npf.