2.3. Installing Wireshark under Windows

Windows installer names contain the platform and version. For example, Wireshark-win64-2.3.0.exe installs Wireshark 2.3.0 for 64-bit Windows. The Wireshark installer includes WinPcap which is required for packet capture.

Simply download the Wireshark installer from: https://www.wireshark.org/download.html and execute it. Official packages are signed by the Wireshark Foundation. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.

2.3.1. Installation Components

On the Choose Components page of the installer you can select from the following:

  • Wireshark - The network protocol analyzer that we all know and mostly love.
  • TShark - A command-line network protocol analyzer. If you haven’t tried it you should.
  • Wireshark 1 Legacy - The old (GTK+) user interface in case you need it.
  • Plugins & Extensions - Extras for the Wireshark and TShark dissection engines

    • Dissector Plugins - Plugins with some extended dissections.
    • Tree Statistics Plugins - Extended statistics.
    • Mate - Meta Analysis and Tracing Engine - User configurable extension(s) of the display filter engine, see https://wiki.wireshark.org/Mate for details.
    • SNMP MIBs - SNMP MIBs for a more detailed SNMP dissection.
  • Tools - Additional command line tools to work with capture files

    • Editcap - Reads a capture file and writes some or all of the packets into another capture file.
    • Text2Pcap - Reads in an ASCII hex dump and writes the data into a pcap capture file.
    • Reordercap - Reorders a capture file by timestamp.
    • Mergecap - Combines multiple saved capture files into a single output file.
    • Capinfos - Provides information on capture files.
    • Rawshark - Raw packet filter.
  • User’s Guide - Local installation of the User’s Guide. The Help buttons on most dialogs will require an internet connection to show help pages if the User’s Guide is not installed locally.

2.3.2. Additional Tasks

  • Start Menu Shortcuts - Add some start menu shortcuts.
  • Desktop Icon - Add a Wireshark icon to the desktop.
  • Quick Launch Icon - add a Wireshark icon to the Explorer quick launch toolbar.
  • Associate file extensions to Wireshark - Associate standard network trace files to Wireshark.

2.3.3. Install Location

By default Wireshark installs into %ProgramFiles%\Wireshark on 32-bit Windows and %ProgramFiles64%\Wireshark on 64-bit Windows. This expands to C:\Program Files\Wireshark on most systems.

2.3.4. Installing WinPcap

The Wireshark installer contains the latest WinPcap installer.

If you don’t have WinPcap installed you won’t be able to capture live network traffic but you will still be able to open saved capture files. By default the latest version of WinPcap will be installed. If you don’t wish to do this or if you wish to reinstall WinPcap you can check the Install WinPcap box as needed.

For more information about WinPcap see https://www.winpcap.org/ and https://wiki.wireshark.org/WinPcap.

2.3.5. Windows installer command line options

For special cases, there are some command line parameters available:

  • /S runs the installer or uninstaller silently with default values. The silent installer will not install WinPCap.
  • /desktopicon installation of the desktop icon, =yes - force installation, =no - don’t install, otherwise use default settings. This option can be useful for a silent installer.
  • /quicklaunchicon installation of the quick launch icon, =yes - force installation, =no - don’t install, otherwise use default settings.
  • /D sets the default installation directory ($INSTDIR), overriding InstallDir and InstallDirRegKey. It must be the last parameter used in the command line and must not contain any quotes even if the path contains spaces.
  • /NCRC disables the CRC check. We recommend against using this flag.


> Wireshark-win64-wireshark-2.0.5.exe /NCRC /S /desktopicon=yes /quicklaunchicon=no /D=C:\Program Files\Foo

Running the installer without any parameters shows the normal interactive installer.

2.3.6. Manual WinPcap Installation

As mentioned above, the Wireshark installer takes care of installing WinPcap. The following is only necessary if you want to use a different version than the one included in the Wireshark installer, e.g. because a new WinPcap version was released.

Additional WinPcap versions (including newer alpha or beta releases) can be downloaded from the main WinPcap site: https://www.winpcap.org/. The Installer for Windows supports modern Windows operating systems.

2.3.7. Update Wireshark

By default the offical Windows package will check for new versions and notify you when they are available. If you have the Check for updates preference disabled or if you run Wireshark in an isolated environment you should subcribe to the wireshark-announce mailing list. See Section 1.6.5, “Mailing Lists” for details on subscribing to this list.

New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done the same way as installing it. Simply download and start the installer exe. A reboot is usually not required and all your personal settings remain unchanged.

2.3.8. Update WinPcap

New versions of WinPcap are less frequently available. You will find WinPcap update instructions the WinPcap web site at https://www.winpcap.org/. You may have to reboot your machine after installing a new WinPcap version.

2.3.9. Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the "Wireshark" entry to start the uninstallation procedure.

The Wireshark uninstaller provides several options for removal. The default is to remove the core components but keep your personal settings and WinPcap. WinPcap is left installed by default in case other programs need it.

2.3.10. Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs and Features control panel. Remember that if you uninstall WinPcap you won’t be able to capture anything with Wireshark.