Why do I see "The NPF driver isn't running. You may have trouble capturi...

1 of 3

http://superuser.com/questions/315439/why-do-i-see-the-npf-driver-isnt-r...

sign up

Super User is a question and answer site for computer enthusiasts and power users. It's 100% free, no registration
required.

log in tour

help

Why do I see The NPF driver isn't running. You may have trouble capturing or listing interfaces.
when starting Wireshark?

When I start up Wireshark, why do I see this message?

"The NPF driver isn't running. You may have trouble capturing or listing
interfaces."
wireshark

asked Jul 26 '11 at 19:13

Matthew Simoneau
437

17

4 Answers

You need to run Wireshark with administrator

privileges.
1. Exit Wireshark.
2. Find Wireshark on the Start Menu.
3. Right-click on it.
4. Select "Run as administrator",
5. Click "Yes" in the user account control dialog.
answered Jul 26 '11 at 19:17
Matthew Simoneau
437

17

It's really best not to run Wireshark as Administrator. See here for an explanation - bugs in the
dissector can do a lot more damage when it runs as administrator. A better solution (offered
here) is the following:
Open a command prompt (cmd.exe) using the "Run as administrator" option
Run the command sc qc npf
You will see output similar to this:

C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE
: 1 KERNEL_DRIVER
START_TYPE
: 3
DEMAND_START
ERROR_CONTROL
: 1
NORMAL
BINARY_PATH_NAME
: system32\drivers\npf.sys
LOAD_ORDER_GROUP
:
TAG
: 0
DISPLAY_NAME
: NetGroup Packet Filter Driver
DEPENDENCIES
:

7/14/2015 8:55 AM

Why do I see "The NPF driver isn't running. You may have trouble capturi...

2 of 3

http://superuser.com/questions/315439/why-do-i-see-the-npf-driver-isnt-r...

SERVICE_START_NAME :

If it looks like this, you will need to start the service using sc start npf
so that it displays STATE : 4 RUNNING .
To start the service automatically in future, use sc config npf start= auto
(that space after the equals sign is important)
answered Feb 7 '14 at 9:29
user111412
31

Run "cmd.exe" as Administrator, and go

cd C:\Windows\system32

then
C:\Windows\system32>sc qc npf start= auto

To make sure type "sc qc npf", you will get the output:
C:\Windows\system32>sc qc npf
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: npf
TYPE
START_TYPE
ERROR_CONTROL
BINARY_PATH_NAME
LOAD_ORDER_GROUP
TAG
DISPLAY_NAME
DEPENDENCIES
SERVICE_START_NAME

:
:
:
:
:
:
:
:
:

1 KERNEL_DRIVER
2
AUTO_START
1
NORMAL
system32\drivers\npf.sys
0
NetGroup Packet Filter Driver

To make it back type:

C:\Windows\system32> sc qc npf start= demand

answered Jan 21 at 21:37

Darius Miliauskas
111

7/14/2015 8:55 AM

Why do I see "The NPF driver isn't running. You may have trouble capturi...

3 of 3

http://superuser.com/questions/315439/why-do-i-see-the-npf-driver-isnt-r...

RTI Protocol Analyzer with Wireshark uses the Windows Packet capture (WinPcap) driver
called NPF driver when it starts to capture live data. Loading the driver requires Administrator
privileges.
To cllear this error, you need to open the file called npf.sys which is located at
* C:\Windows\System32\Drivers\

in Windows 7. Follow the below guide to open the npf.sys file.

Firstly, make sure that you have installed winpcap, if you didn't install it, just go to its official site
and download it for installation: http://www.winpcap.org Next, find cmd.exe which is located at
* C:\Windows\System32

in Windows 7, right click and "Run as administrator". When it opened, input net start npf, then
the NPF driver is successfully opened. That is,the file npf.sys is opened. At last, restart
Wireshark, it will be OK now.
Note:
If you are using Linux or Ubuntu, after WinpCap is installed, use the common " >$ su
Administrator " to switch to the highest authority account, then input net start npf .
If you are using Windows XP, login with administrator account then open cmd, input net start
npf.
edited Dec 24 '14 at 9:09
Jan Doggen
2,228

13

answered Dec 24 '14 at 8:30

user401628

26

7/14/2015 8:55 AM