
Subject: [Wireshark-dev] Devices in tshark versus dumpcap

From: Gisle Vanem <gisle.vanem@xxxxxxxxx>
Date: Sat, 29 Apr 2017 09:10:52 +0200

I'm on Win-10 and now have trouble sniffing on anything except
Bluetooth! This is the list of interfaces I expect to get:

dumpcap.exe -D
  1. \Device\NPF_{C25DD2C2-2E05-4337-A847-84EF6CAB86BF} (Bluetooth-nettverkstilkobling)
  2. \Device\NPF_{F92984E3-5D40-4AD9-B054-41288EAE699F} (Wi-Fi 2)
  3. \Device\NPF_{3A46ACA0-CBED-44BC-A239-6AEA3D0C451D} (Ethernet)
  4. \\.\airpcap00 (AirPcap USB wireless capture adapter nr. 00)

But with "tshark.exe -D", I only get:
  1. \Device\NPF_{C25DD2C2-2E05-4337-A847-84EF6CAB86BF} (Bluetooth-nettverkstilkobling)

I also tried with:
  set G_MESSAGES_DEBUG=all   << no effect
  tshark.exe -o console.log.level:252 -D

giving:
  Capture-Message: Capture Interface List ...
  (tshark.exe:8440): Capture-DEBUG: sync_interface_list_open
  Capture-INFO: sync_pipe_run_command() starts
  (tshark.exe:8440): Capture-DEBUG:   argv[0]: F:\mingw32\src\inet\Wireshark\dumpcap.exe
  (tshark.exe:8440): Capture-DEBUG:   argv[1]: -D
  (tshark.exe:8440): Capture-DEBUG:   argv[2]: -Z
  (tshark.exe:8440): Capture-DEBUG:   argv[3]: none
  (tshark.exe:8440): Capture-DEBUG: sync_pipe_open_command
  (tshark.exe:8440): Capture-DEBUG: read 21 indicator: S empty value
  (tshark.exe:8440): Capture-DEBUG: sync_pipe_wait_for_child: wait till child closed
  (tshark.exe:8440): Capture-DEBUG: sync_pipe_wait_for_child: capture child closed after 0.016s
  Capture-INFO: sync_pipe_run_command() ends, taking 0.328s, result=0
  Capture-Message: Loading External Capture Interface List ...
  1. \Device\NPF_{C25DD2C2-2E05-4337-A847-84EF6CAB86BF} (Bluetooth-nettverkstilkobling)

Note: this is with Wireshark compiled from Git by myself using MSVC-2015, 32-bit;
a version and build method that has worked well for years. But recently it's been
misbehaving as shown above. Any hints?

The above "read 21 indicator: S empty value" for me indicates a problem in
the pipe I/O between tshark and dumpcap. No?


--
--gv
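An added example, not part of the original mail or of Wireshark's own code, showing how the blocks tshark reads from dumpcap's sync pipe (the "read 21 indicator: S empty value" line above) are framed and how a genuine zero-length block differs from a truncated read. It assumes the framing described in Wireshark's sync_pipe.c (one indicator byte plus a 3-byte big-endian payload length, then the payload); the indicator names and the sample blocks are constructed here, and a real error block carries further nested structure that this decoder treats as opaque payload.

```python
# Sync-pipe block framing as assumed here (from reading Wireshark's sync_pipe.c):
# a 4-byte header, one indicator character followed by a 3-byte big-endian
# payload length, then the payload. A zero length is a legal "empty value".
HEADER_LEN = 4
INDICATORS = {"S": "success", "E": "error message"}  # assumed subset


class TruncatedBlock(ValueError):
    """Raised when the pipe closed in the middle of a header or payload."""


def encode_block(indicator: str, payload: bytes = b"") -> bytes:
    """Build one block the way a capture child would write it."""
    if len(indicator) != 1 or len(payload) > 0xFFFFFF:
        raise ValueError("bad indicator or payload too large for 24-bit length")
    return indicator.encode("ascii") + len(payload).to_bytes(3, "big") + payload


def decode_blocks(data: bytes):
    """Split raw sync-pipe bytes into (indicator, payload) tuples.

    A zero-length block (header present, length field 0) decodes cleanly;
    a read that ends mid-header or mid-payload raises TruncatedBlock, which
    is what a broken pipe between parent and child would produce.
    """
    blocks, pos = [], 0
    while pos < len(data):
        if len(data) - pos < HEADER_LEN:
            raise TruncatedBlock(f"partial header at offset {pos}")
        indicator = chr(data[pos])
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        pos += HEADER_LEN
        if len(data) - pos < length:
            raise TruncatedBlock(f"{indicator!r} block wants {length} bytes, "
                                 f"only {len(data) - pos} left")
        blocks.append((indicator, bytes(data[pos:pos + length])))
        pos += length
    return blocks


def describe(indicator: str, payload: bytes) -> str:
    """Render a block in the style of the debug log line quoted above."""
    kind = INDICATORS.get(indicator, "unknown")
    body = "empty value" if not payload else payload.decode("utf-8", "replace")
    return f"indicator: {indicator} ({kind}) {body}"


if __name__ == "__main__":
    # Constructed sample: an empty success block followed by an error block.
    sample = encode_block("S") + encode_block("E", b"constructed error text")
    for ind, pl in decode_blocks(sample):
        print(describe(ind, pl))
```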