I’ve been puzzling over why Wireshark seems to lock up when launching on Windows 8.1 and dumpcap.exe sits in the background even after Wireshark is forced to close. Some experiments from the command line showed that any time dumpcap.exe tries to use some aspect of its capture behavior (including just listing interfaces), it locks up. Various tools suggested that it was waiting for some external event to allow it to close.
I finally learned from an Ask Wireshark post that it was due to WinPCAP not starting on demand. The solution is simple:
- Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start to value 0x03 (SERVICE_DEMAND_START).
- Enjoy packet capturing goodness.
I believe this is an issue with WinPCAP and not Wireshark. There’s an alternate solution of running Wireshark in Windows 7 compatibility mode, but I try not to run things in compatibility mode unless there’s really no other way to do it.