Why do I see "The NPF driver isn't running. You may have trouble capturing or listing interfaces." when starting Wireshark?
You need to run Wireshark with administrator privileges.
- Exit Wireshark.
- Find Wireshark on the Start Menu.
- Right-click on it.
- Select "Run as administrator".
- Click "Yes" in the user account control dialog.
It's really best not to run Wireshark as Administrator. See here for an explanation - bugs in the dissector can do a lot more damage when it runs as administrator. A better solution (offered here) is the following:
- Open a command prompt (cmd.exe) using the "Run as administrator" option
- Run the command sc qc npf
You will see output similar to this:
C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :
If it looks like this, you will need to start the service using
sc start npf
so that it displays
STATE : 4 RUNNING
To start the service automatically in future, use
sc config npf start= auto
(that space after the equals sign is important)
Run "cmd.exe" as Administrator, and go
cd C:\Windows\system32
then
C:\Windows\system32>sc config npf start= auto
To make sure, type "sc qc npf"; you will get the output:
C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\npf.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetGroup Packet Filter Driver
DEPENDENCIES :
SERVICE_START_NAME :
To change it back, type:
C:\Windows\system32>sc config npf start= demand
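The check-then-start procedure from the answers above, as an added PowerShell example (not code from any of the posters or from the Wireshark project). It assumes the driver service name `npf` shown in the `sc` output on this page and reads the driver state through the `Win32_SystemDriver` CIM class, so only the driver start needs an elevated shell and Wireshark itself can run as a normal user.

```powershell
# Added example: report the NPF driver state and start it only if needed.
# Assumption: the service name is "npf", as in the sc output on this page.
$name = 'npf'

function Get-NpfDriver {
    # Win32_SystemDriver exposes State (Running/Stopped) and StartMode (Auto/Manual/...)
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
}

$driver = Get-NpfDriver
if (-not $driver) {
    Write-Error "Driver service '$name' is not installed."
    exit 1
}

"{0}: State={1}, StartMode={2}, Path={3}" -f `
    $driver.Name, $driver.State, $driver.StartMode, $driver.PathName

if ($driver.State -eq 'Running') {
    'Driver is already running; start Wireshark without "Run as administrator".'
    exit 0
}

# Starting a kernel driver requires an elevated token, so check before calling sc.exe.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    Write-Error 'Not elevated. Re-run this from a shell opened with "Run as administrator".'
    exit 1
}

# Same command the answers use; sc.exe sets a non-zero exit code on failure.
sc.exe start $name | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Error "sc start $name failed with exit code $LASTEXITCODE."
    exit $LASTEXITCODE
}

# Re-query so the reported state comes from the system, not from the sc.exe return code.
$driver = Get-NpfDriver
"{0}: State={1}, StartMode={2}" -f $driver.Name, $driver.State, $driver.StartMode
```

While the driver is loaded, any local user can capture through it, so leaving the start type at demand and starting it only when needed limits that exposure compared with `start= auto`.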