Monday, March 9, 2015

WinPcap Installation, Status and other Tips

WinPcap is an essential packet capturing driver for many programs, especially Wireshark and also our own NetScanTools Pro. I have been working with a few of our customers who have had problems getting it installed and properly running on Windows 8.1. What I've done here is gather together a few important tips that you can use to make sure it is running.

This post is current as of WinPcap 4.1.3 and is written from the perspective of Windows 7, 8.1 and 10.

1. How do you tell if WinPcap is installed?

Quick check: WinPcap will show up in Control Panel/Programs and Features. This is not a guarantee that it is properly installed or running.

Detailed check: WinPcap has three main components. Here is where to find them on a 64 bit Windows operating system:

  1. c:\windows\system32\drivers\npf.sys (this is the actual kernel mode driver)
  2. c:\windows\system32\packet.dll (64 bit version of DLL) and c:\windows\SysWOW64\packet.dll (32 bit version of DLL)
  3. c:\windows\system32\wpcap.dll (64 bit version of DLL) and c:\windows\SysWOW64\wpcap.dll (32 bit version of DLL)

All DLLs and the driver should be showing version 4.1.0.2980 which is really 4.1.3 (go figure).

2. How do you tell if WinPcap is running?

The WinPcap driver does not show up in the list of services accessible through Control Panel/Administrative Tools/Services - but you can find out another way.

Start up a Command Prompt using Run as administrator and enter the following command that shows the driver configuration:

C:\WINDOWS\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetGroup Packet Filter Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

Make a note of the START_TYPE, we will discuss that later.

This command shows the actual WinPcap driver state, whether running or stopped:

C:\WINDOWS\system32>sc query npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
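
The checks from questions 1 and 2 collected into one script, as an added example rather than anything from the original post: it verifies that the five files are present and report the expected version, adds an Authenticode signature check on each (worth having on a kernel-mode capture driver), and reads the npf driver's state and start mode through the Win32_SystemDriver CIM class instead of parsing sc output. It assumes an elevated PowerShell prompt on 64-bit Windows and, as the post states, that WinPcap 4.1.3 reports file version 4.1.0.2980.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on 64-bit Windows. Checks the WinPcap files, their versions and
# signatures, then the npf driver configuration and state.
$ExpectedVersion = '4.1.0.2980'   # version the post says WinPcap 4.1.3 reports
$sys = $env:SystemRoot
$Files = @(
    "$sys\System32\drivers\npf.sys",   # kernel-mode driver
    "$sys\System32\packet.dll",        # 64-bit DLLs
    "$sys\System32\wpcap.dll",
    "$sys\SysWOW64\packet.dll",        # 32-bit DLLs
    "$sys\SysWOW64\wpcap.dll"
)

function Test-WinPcapFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Version = $null
                                  VersionOk = $false; Signature = $null; Signer = $null }
    }
    $ver = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        Version   = $ver
        VersionOk = ($ver -eq $ExpectedVersion)
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

$Files | ForEach-Object { Test-WinPcapFile $_ } | Format-Table -AutoSize

# Kernel drivers do not appear in Get-Service or the Services console, but
# Win32_SystemDriver exposes the same state and start mode that
# 'sc qc npf' and 'sc query npf' print.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'"
if (-not $drv) {
    Write-Warning 'npf driver is not registered; WinPcap is not installed.'
} else {
    $drv | Select-Object Name, State, StartMode, PathName, DisplayName | Format-List
    if ($drv.State -ne 'Running') {
        Write-Warning "npf is $($drv.State); start it with: sc start npf"
    }
}
```

A Signature status other than Valid on any of the five files, or a file missing from one of the two DLL directories, means the install is incomplete or has been altered and should be reinstalled from the official package.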

3. How do you start WinPcap?

From an administrator Command Prompt, enter this and look at the STATE to make sure it is running:

C:\WINDOWS\system32>sc start npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

4. How do you stop WinPcap?

From an administrator Command Prompt, enter this and look at the STATE to make sure it is stopped. If it does not stop, you need to exit any programs using it.

C:\WINDOWS\system32>sc stop npf
SERVICE_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

5. Some people have trouble starting Wireshark, it starts to load OK but stops at Configuration 100%. What can be done?

Remember the START_TYPE entry from number 2 above? It needs to change from AUTO_START to delayed-auto. From an administrator Command Prompt, enter this command, then reboot your system and try Wireshark again. The space after start= is required.

C:\WINDOWS\system32>sc config npf start= delayed-auto
[SC] ChangeServiceConfig SUCCESS

6. How can I tell which program is currently using WinPcap?

That can be a little difficult, but if a program is actively using WinPcap there is a way to find out by using Sysinternals Process Explorer.

  1. Download Process Explorer from here and run it: https://technet.microsoft.com/en-us/sysinternals/bb896653
  2. Make sure npf is running.
  3. In Process Explorer, click on Find menu/Find Handle or DLL
  4. Enter wpcap or packet and press Search. If NetScanTools Pro is running, it shows nstpro.exe, PID, DLL and C:\Windows\SysWOW64\wpcap.dll - in other words, if a program is actively using WinPcap, it will show up there.

I hope these WinPcap tips help you, please let me know if you have any others to share.

Kirk
