Nmap Development mailing list archives

A situation where the npcap loopback adapter is not listed by wireshark (and a solution)


From: Carl Hauser <hauser () eecs wsu edu>
Date: Fri, 17 Mar 2017 23:55:06 -0700

This really belongs in https://ask.wireshark.org/questions/46579/wireshark-does-not-see-npcap-loopback-interface which, although old, is the most relevant item that Google searching finds for the problem of wireshark and dumpcap not finding npcap's loopback interface. Unfortunately I can't post it there because the captcha fails every time I try it.

TL;DR: Check to make sure that the Basic Filter Engine (BFE) service is started.

Long answer: After following most of the suggestions in the above wireshark question, including building a debugging version of packet.dll for npcap 0.83, I finally lucked into a solution, at least in my case. The machine in question is Windows Server 2008 R2. For some reason, which I do not know, the Basic Filter Engine (BFE) service was disabled on the machine. The Packet.log file, created by the debugging version of packet.dll, showed the error code 0x6d9 (1753) when it attempted to open the loopback adapter (which was properly listed in the registry as far as I was able to determine). It was completely unclear what this meant, but a lot of web searching eventually led me to try the command "netsh wfp show state", which produced the error "Unable to connect to BFE; error = 1753 (EPT_S_NOT_REGISTERED)" -- i.e. the same error number.

That led to investigating services on the machine, which revealed that the BFE service was disabled. Enabling it solved the problem and the adapter now shows up and captures 127.0.0.1 traffic as it should. (Be careful enabling the BFE service if it is disabled; for me it also allowed the Windows firewall to start working and the firewall settings immediately locked me out of my Remote Desktop Connection. The server administrator happened to be on hand to reset the firewall settings, so I'm now finally able to start the work for which I needed wireshark to work on loopback traffic.)

-- Carl Hauser

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

