Installing Npcap on Windows 10

0

Recently, after a prompt-initiated update, Wireshark could no longer detect my Ethernet interfaces, leaving only USBs on the list.

Since the problems persisted after a reboot, I decided to reinstall Wireshark with all the same options. The situation didn't improve, at which point I began to suspect the driver.

A quick check gave me conflicting information.

>sc query npcap
SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

>sc qc npf

SERVICE_NAME: npf
    TYPE               : 1  KERNEL_DRIVER
    START_TYPE         : 1   SYSTEM_START
    ERROR_CONTROL      : 1   NORMAL
    BINARY_PATH_NAME   : \SystemRoot\system32\DRIVERS\npf.sys
    LOAD_ORDER_GROUP   : NDIS
    TAG                : 28
    DISPLAY_NAME       : Npcap Packet Driver (NPF)
    DEPENDENCIES       :
    SERVICE_START_NAME :

>sc start npcap
[SC] StartService FAILED 2:

The system cannot find the file specified.

>sc start npf
[SC] StartService FAILED 2:

The system cannot find the file specified.

So apparently the service was present but couldn't start, because the relevant file was missing. With Wireshark still coming up empty, I decided to uninstall Npcap as well and start with a clean slate.

Unfortunately, uninstalling Npcap turned out to be harder than I thought, failing and producing the following log:

Reading service options from registry

Windows CurrentVersion: 10.0 (Win10)

Trying to stop the driver..

Stopping the npf driver

The Npcap Packet Driver (NPF) service is not started.

More help is available by typing NET HELPMSG 3521.

Stopping the npcap driver

The Npcap Packet Driver (NPCAP) service is not started.

More help is available by typing NET HELPMSG 3521.

Npcap service is not pending to stop.

Npcap. Device manager also detected the Npcap loopback interface.

So the driver service wasn't running but apparently some vestige of it remained. As a test, I tried to reinstall Wireshark, along with Npcap.

To my surprise, Wireshark detected Npcap (of the appropriate version) and didn't let me install it again.

And finally, I checked the:

C:\Windows\System32\drivers

To see if the relevant files are present, only to find both of them.

This is all the more vexing, because I have the same version running on my laptop. I don't know where to go from here.

user1561358

Posted 2019-05-05T15:18:36.503

Reputation: 133

Answers

1

The issue was old Npcap drivers in the Windows driver store file repository. For reasons beyond my knowledge, neither the installation nor the removal procedure detected them.

While I'm not completely sure how, these leftovers blocked installation of the full Npcap driver suite. To remove them I used the following batch script (from Jonatan Van Hove):

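@echo off
REM Tries to delete every third-party driver package OEM1.INF through OEM300.INF
REM from the driver store, not only Npcap's. Run from an elevated prompt.
REM Without the force option, pnputil refuses to delete a package a device is using.
for /L %%A in (1,1,300) do (
  echo Deleting OEM%%A.INF
  pnputil /d OEM%%A.INF
)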

Afterwards I simply reinstalled Wireshark, to find its functionality restored. So far I haven't encountered any further issues.

user1561358

Posted 2019-05-05T15:18:36.503

Reputation: 133
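
A narrower alternative to looping over every OEMn.INF, as an added example that is not part of the original answer: parse `pnputil /enum-drivers` output and print delete commands only for packages whose original INF name looks like Npcap's, so the list can be reviewed before anything is removed. The English field labels, the `npcap`/`npf` name pattern and the sample output are assumptions constructed for illustration.

```powershell
# Added example (not from the original answer). Assumes English pnputil labels.
function Get-DriverPackage {
    param([string[]]$Lines)
    $pkg = $null
    foreach ($line in $Lines) {
        # Each record is a run of "Label:   value" lines starting at "Published Name".
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $key = $Matches[1]
            $value = $Matches[2].Trim()
            if ($key -eq 'Published Name') {
                if ($null -ne $pkg) { [pscustomobject]$pkg }   # emit the previous record
                $pkg = [ordered]@{}
            }
            if ($null -ne $pkg) { $pkg[$key] = $value }
        }
    }
    if ($null -ne $pkg) { [pscustomobject]$pkg }               # emit the last record
}

# Constructed sample in the Windows 10 "pnputil /enum-drivers" layout.
$sample = @'
Microsoft PnP Utility

Published Name:     oem3.inf
Original Name:      examplegpu.inf
Provider Name:      Example Graphics Vendor
Class Name:         Display adapters

Published Name:     oem12.inf
Original Name:      npcap.inf
Provider Name:      Nmap Project
Class Name:         Network Service

Published Name:     oem47.inf
Original Name:      npf.inf
Provider Name:      Nmap Project
Class Name:         Network Service
'@ -split "`r?`n"

# On a live system, from an elevated prompt: $lines = pnputil /enum-drivers
$lines = $sample

# Assumption: leftover Npcap packages have an original INF name starting with npcap or npf.
Get-DriverPackage $lines |
    Where-Object { $_.'Original Name' -match '^(npcap|npf)' } |
    ForEach-Object { "pnputil /delete-driver $($_.'Published Name')" }
```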

0

Found the answer on https://github.com/nmap/nmap/issues/1289

cd c:\windows\system32\

del npcap

cd c:\windows\Syswow64\

del npcap

Press the Windows key and type in Control Panel.

Select "Uninstall a program".

Select Npcap.

That worked for me.

Roy

Posted 2019-05-05T15:18:36.503

Reputation: 1