Wireshark-dev: [Wireshark-dev] Problems with \Device\NPF_ prefix
From: Gisle Vanem <[email protected]>
Date: Thu, 11 Jan 2018 23:34:17 +0100
In my recently built Tshark/Wireshark etc., I've discovered
this longer works:
  tshark.exe -i \Device\NPF_{3A46ACA0-CBED-44BC-A239-6AEA3D0C451D}

It says:
  Capturing on '\Device\NPF_{3A46ACA0-CBED-44BC-A239-6AEA3D0C451D}'
  tshark: The capture session could not be initiated on interface '\Device\NPF_{3A46ACA0-CBED-44BC-A239-6AEA3D0C451D}'
  (Error opening adapter: Operasjonen er utført. (0)).  << == NO_ERROR !!??

But this works:
  tshark.exe -i {3A46ACA0-CBED-44BC-A239-6AEA3D0C451D}

(no "\Device" prefix) How come?

I also tried with:
  tshark.exe -o console.log.level:252 -i \Device\NPF_{3A46ACA0-CBED-44BC-A239-6AEA3D0C451D}

which splits out at the end some mysterious stuff:
  ...
  (tshark.exe:10360): Capture-DEBUG: argv[5]: 10360
  (tshark.exe:10360): Capture-DEBUG: read 14 ok indicator: E len: 402 msg: E

The 'msg: E' does show up with w/o the prefix?
A dumpcap/pipe reading problem?

Win-10, WinPcap 4.1.0.2980.

--
--gv