[Winpcap-users] pcap_findalldevs returns empty list on Vista

Gerald Combs gerald at wireshark.org
Tue Sep 30 19:19:35 GMT 2008 

NPF.sys is a service, and is controlled like any other service on the system. As
Carlo says, it must be started in order to capture packets, which requires
administrator privileges. This wasn't a big deal before Vista, but on Vista
itself it's a hassle.

We get around the problem in Wireshark using the installer. If we're running on
Vista, the installer by default writes the value "2" (SERVICE_AUTO_START) to
HKLM\SYSTEM\CurrentControlSet\Services\NPF\Start. It doesn't interact with
NPF.sys or any other part of Winpcap directly.

There are a number of ways to control NPF.sys, and many of them are described at
http://wiki.wireshark.org/CaptureSetup/CapturePrivileges. You can also use the
Service API: http://msdn.microsoft.com/en-us/library/ms686315(VS.85).aspx

Carlo Medas wrote:
> Dear John,
> 
> Packet capturing feature requires administration privileges. If
> Wireshark installs the service, it's a worksaround for that need.
> 
> In other case if you want to run your application, you must start it
> with administration privileges; e.g. by right clicking on it and then
> selecting "Run as administrator".
> 
> Br,
> 
> \Carlo Medas
> 
> On Tue, Sep 30, 2008 at 8:29 PM, John Bruder <johnb at sisconet.com
> <mailto:johnb at sisconet.com>> wrote:
> 
>     My application runs fine with Winpcap 4.0.2 on Windows 2000 and XP,
>     but fails on Vista because "pcap_findalldevs" returns an empty list.
> 
>     However, if I install Wireshark on Vista, and check the box to have
>     it "start the Winpcap NPF service", the "pcap_findalldevs" function
>     in my application works. If I reinstall Wireshark and do NOT check
>     the box to "start the Winpcap NPF service", pcap_findalldevs fails
>     again.
> 
>     I do not want to require Wireshark to use my application, but the
>     Winpcap documentation does not explain how to "start the Winpcap NPF
>     service".
> 
>     -- 
>     John Bruder
>     SISCO, Inc.
>     6605 19 1/2 Mile Road
>     Sterling Heights, MI 48314
>     Phone: 586-254-0020,  Ext. 121
> 
> 
>     _______________________________________________
>     Winpcap-users mailing list
>     Winpcap-users at winpcap.org <mailto:Winpcap-users at winpcap.org>
>     https://www.winpcap.org/mailman/listinfo/winpcap-users
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users

More information about the Winpcap-users mailing list