SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Wireshark 3.0.0 and Npcap: Some Remarks

Published: 2019-03-18
Last Updated: 2019-03-18 20:48:38 UTC
by Didier Stevens (Version: 1)

I received a couple of questions regarding Wireshark and Npcap.

First of all, it's not a requirement to install Npcap if you want to upgrade to Wireshark 3.

You can just deselect the toggle to install Npcap:

And then Wireshark 3 will use WinPcap (installed with prior versions of Wireshark).

If you go to Help / About Wireshark, you can see what capture library is currently used by Wireshark on Windows:

Actually, you don't even have to install a packet capture library on the Windows machine you install Wireshark on, as long as you don't have to capture packets with Wireshark on that machine.

WinPcap is no longer maintained, and that is reflected in the version that comes bundled with Wireshark 2:

It dates from 2013.

Johannes also remarked that the Npcap license allows free use of Npcap on up to 5 Windows machines. If you have more in your organisation, you need to obtain a commercial license:

The standard version is also limited to installation on five systems.

However, there is an exception for Wireshark (and Nmap):

Copies of Npcap do not count toward the five copy, five computer, or five user limitations imposed by this section if they are installed and used solely in conjunction with any of the following software:

o The Nmap Security Scanner, as distributed from

o The Wireshark network protocol analyzer, as distributed from

If you install Wireshark with Npcap, and you use Npcap exclusively with Wireshark and/or Nmap, then the standard license still applies even with more than 5 machines.


Didier Stevens
Senior handler
Microsoft MVP

Keywords: Npcap Wireshark