2.3. Installing Wireshark under Windows

The official Windows packages can be downloaded from the Wireshark main page or the download page. Installer names contain the platform and version. For example, Wireshark-win64-4.1.0.exe installs Wireshark 4.1.0 for 64-bit Windows. The Wireshark installer includes Npcap, which is required for packet capture. Windows packages automatically update. See Section 2.8, “Updating Wireshark” for details.

Simply download the Wireshark installer from https://www.wireshark.org/download.html and execute it. Official packages are signed by Sysdig, Inc. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.

2.3.1. Installation Components

On the Choose Components page of the installer you can select from the following:

  • Wireshark - The network protocol analyzer that we all know and mostly love.
  • TShark - A command-line network protocol analyzer. If you haven’t tried it you should.
  • Plugins & Extensions - Extras for the Wireshark and TShark dissection engines

    • Codec Plugins - Additional codec support.
    • Configuration Profiles - Additional configuration profiles.
    • Dissector Plugins - Additional protocol dissectors.
    • File Type Plugins - capture file support - Extend wiretap support for capture file types. (e.g. usbdump)
    • Mate - Meta Analysis and Tracing Engine - User configurable extension(s) of the display filter engine, see Chapter 12, MATE for details.
    • SNMP MIBs - SNMP MIBs for a more detailed SNMP dissection.
    • TRANSUM - performance analysis - Plugin to calculate Response Time Element (RTE) statistics.
    • Tree Statistics Plugin - Extended statistics. (see stats_tree in WSDG; Packet Lengths in WSUG)
  • Tools - Additional command line tools to work with capture files and troubleshoot

    • Capinfos - Print information about capture files.
    • Captype - Print the type (format) of capture files.
    • DFTest - Show display filter byte-code, for debugging dfilter routines.
    • Editcap - Copy packets to a new file, optionally trimming packets, omitting them, or saving to a different format.
    • Mergecap - Combine multiple saved capture files into a single output file.
    • MMDBResolve - MaxMind Database resolution tool - read IPv4 and IPv6 addresses and print their IP geolocation information.
    • Randpkt - Create a pcap trace file full of random packets. (randpkt produces very bad packets)
    • Rawshark - Dump and analyze raw pcap data.
    • Reordercap - Copy packets to a new file, sorted by time.
    • Text2Pcap - Generate a capture file from an ASCII hexdump of packets.
  • External Capture (extcap) - External Capture Interfaces

    • Androiddump - Provide capture interfaces from Android devices.
    • Etwdump - Provide an interface to read Event Tracing for Windows (ETW) event trace (ETL).
    • Randpktdump - Provide an interface to the random packet generator. (see also randpkt)
    • Sshdump, Ciscodump, and Wifidump - Provide remote capture through SSH. (tcpdump, Cisco EPC, wifi)
    • UDPdump - Provide capture interface to receive UDP packets streamed from network devices.
  • Documentation - Local installation of the User’s Guide and FAQ. The Help buttons on most dialogs will require an internet connection to show help pages if the User’s Guide is not installed locally.

2.3.2. Additional Tasks

  • Wireshark Start Menu Item - Add a shortcut to the start menu.
  • Wireshark Desktop Icon - Add a Wireshark icon to the desktop.
  • Associate trace file extensions with Wireshark - Associate standard network trace files to Wireshark.

2.3.3. Install Location

By default Wireshark installs into %ProgramFiles%\Wireshark on 32-bit Windows and %ProgramFiles64%\Wireshark on 64-bit Windows. This expands to C:\Program Files\Wireshark on most systems.

2.3.4. Installing Npcap

The Wireshark installer contains the latest Npcap installer.

If you don’t have Npcap installed you won’t be able to capture live network traffic but you will still be able to open saved capture files. By default the latest version of Npcap will be installed. If you don’t wish to do this or if you wish to reinstall Npcap you can check the Install Npcap box as needed.

For more information about Npcap see https://npcap.com/ and https://gitlab.com/wireshark/wireshark/wikis/Npcap.

2.3.5. Windows installer command line options

For special cases, there are some command line parameters available:

  • /S runs the installer or uninstaller silently with default values. The silent installer will not install Npcap.
  • /desktopicon controls installation of the desktop icon: =yes forces installation, =no skips it; otherwise the default settings are used. This option can be useful for a silent installer.
  • /quicklaunchicon controls installation of the quick launch icon: =yes forces installation, =no skips it; otherwise the default settings are used.
  • /D sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDirRegKey. It must be the last parameter used in the command line and must not contain any quotes even if the path contains spaces.
  • /NCRC disables the CRC check. We recommend against using this flag.
  • /EXTRACOMPONENTS takes a comma-separated list of optional components to install. The following extcap binaries are supported.

    • androiddump - Provide interfaces to capture from Android devices
    • ciscodump - Provide interfaces to capture from a remote Cisco router through SSH
    • randpktdump - Provide an interface to generate random captures using randpkt
    • sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary
    • udpdump - Provide a UDP receiver that gets packets from network devices

Example:

> Wireshark-win64-wireshark-2.0.5.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo

> Wireshark-win64-3.3.0.exe /S /EXTRACOMPONENTS=sshdump,udpdump

Running the installer without any parameters shows the normal interactive installer.
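For unattended deployments, the following added example (not part of the Wireshark documentation) checks the installer's Authenticode signature against the signer named in this section before running the silent install with the options described above. The installer path, the install directory and the `npcap` service name used to detect an existing Npcap installation are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: verify the signature, then install silently.
param(
    # Installer file name taken from the example in this section.
    [string]$Installer      = '.\Wireshark-win64-4.1.0.exe',
    # Signer named in this section for official packages.
    [string]$ExpectedSigner = 'Sysdig, Inc.',
    # Default location on most systems (assumed target directory).
    [string]$InstallDir     = 'C:\Program Files\Wireshark'
)
$ErrorActionPreference = 'Stop'
$Installer = (Resolve-Path -Path $Installer).Path

# 1. Refuse to run anything whose Authenticode signature is not valid.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${Installer}: $($sig.Status) - $($sig.StatusMessage)"
}

# 2. A valid signature from someone else is still the wrong package.
$subject = $sig.SignerCertificate.Subject
if (-not $subject.Contains($ExpectedSigner)) {
    throw "Unexpected signer for ${Installer}: $subject"
}
Write-Host "Signer : $subject"
Write-Host "SHA256 : $((Get-FileHash -Path $Installer -Algorithm SHA256).Hash)"

# 3. Silent install. /D must be the last parameter and must not be quoted,
#    even though the path contains a space. /NCRC is deliberately not used.
$installArgs = "/S /desktopicon=no /quicklaunchicon=no /D=$InstallDir"
$proc = Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}

# 4. The silent installer does not install Npcap, so report whether live
#    capture will work. The service name 'npcap' is an assumption.
if (Get-Service -Name 'npcap' -ErrorAction SilentlyContinue) {
    Write-Host 'Npcap is present; live capture should be available.'
} else {
    Write-Warning 'Npcap not found: saved capture files can be opened, but live capture needs a separate Npcap install.'
}
```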

2.3.6. Manual Npcap Installation

As mentioned above, the Wireshark installer also installs Npcap. If you prefer to install Npcap manually or want to use a different version than the one included in the Wireshark installer, you can download Npcap from the main Npcap site at https://npcap.com/.

2.3.7. Update Npcap

Wireshark updates may also include a new version of Npcap. Instructions for updating Npcap manually can be found on the Npcap web site at https://npcap.com/. You may have to reboot your machine after installing a new Npcap version.

2.3.8. Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the “Wireshark” entry to start the uninstallation procedure.

The Wireshark uninstaller provides several options for removal. The default is to remove the core components but keep your personal settings and Npcap. Npcap is kept in case other programs need it.

2.3.9. Uninstall Npcap

You can uninstall Npcap independently of Wireshark using the Npcap entry in the Programs and Features control panel. Remember that if you uninstall Npcap you won’t be able to capture anything with Wireshark.