How to use Wireshark with TinyWall


I've received a curious error report from a couple of users, claiming that their network interfaces vanish in Wireshark when TinyWall is running. At first I was skeptical, because TinyWall does not block or intercept the system calls used to enumerate network interfaces, and also because they claimed the problem does not go away even when TinyWall is set to its disabled mode. However, after the 3rd report or so I started to get suspicious, and I set up a new VM to investigate the issue.

So, first my confession: I was wrong initially, and the issue does have something to do with the firewall. The good news is that, as usual, it is only a matter of creating the correct rules in TinyWall and everything works again. The only difference here is that, because of the special way Wireshark works, this is possibly the least intuitive case to set up. Which is why I'm writing this post to show you how to create the rules correctly (actually, it is just a single rule!).

Wireshark installs a kernel driver called "Npcap". This is what allows Wireshark to do its magic, and it is also the source of our problems. The following three properties of Npcap are what make rule creation for it more complicated than usual:

  • Because Npcap runs in the kernel, it can only be whitelisted together with the whole Windows kernel. In other words, you need to whitelist the kernel. Users probably didn't think of this, and kept trying to whitelist Wireshark processes or looking at installed services, but those are all the wrong places in this case.
  • Npcap obviously needs to work with a lot more protocols than just UDP and TCP. So when whitelisting, the default rule properties just don't cut it. The rule has to be set to "No restrictions" in TinyWall manually.
  • Npcap needs to be whitelisted already during boot for it to work, so after the settings in TinyWall have been made, the system must be rebooted. This is why it kept failing even after users disabled TinyWall.

Now, armed with our newfound knowledge, let's whitelist Npcap (required for Wireshark) in TinyWall. The above three "gotchas" translate directly into the following three basic steps:

1. Create a new rule for the Windows kernel (called the "System" process in TinyWall).
2. Edit and set it to "No restrictions".
3. Reboot the computer.

Here are the same steps only more detailed from the UI perspective:

1. Open the Manage window of TinyWall, and go to the "Application Exceptions" tab.
2. Choose "Add application", and in the new window, "Select a process...".
3. Search for the "System" entry, and "Select" it.
4. Select "No restrictions", then click OK.
5. Click Apply in the Manage window.
6. Reboot the computer.

For all Wireshark functions to work, it might also be a good idea to whitelist its executable too.
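After the reboot, it helps to confirm that the kernel driver actually came up and that capture interfaces are visible again, rather than guessing from the Wireshark UI. The PowerShell script below is an added verification check, not code from the original post or from the TinyWall project. It assumes that Npcap registers its driver under the default service name "npcap" and that tshark.exe sits in the default Wireshark install directory; adjust both if your installation differs.

```powershell
# Added verification script (not part of the original post or of TinyWall).
# Assumptions: the Npcap driver service is named "npcap" (its default name),
# and tshark.exe is in the default Wireshark install path.
# Run from an elevated PowerShell after the reboot described in the steps above.

# 1. Is the Npcap kernel driver loaded and running?
$driver = Get-Service -Name 'npcap' -ErrorAction SilentlyContinue
if (-not $driver) {
    Write-Host "Npcap service 'npcap' not found: is Npcap installed?"
} else {
    Write-Host ("Npcap driver status: {0} (start type: {1})" -f $driver.Status, $driver.StartType)
    if ($driver.Status -ne 'Running') {
        Write-Host "Driver is not running. Re-check the 'System' rule in TinyWall and confirm you rebooted."
    }
}

# 2. The post explains Npcap must be allowed at boot; a Boot/System start mode
#    is why a rule change only takes effect after a restart.
$cfg = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npcap'"
if ($cfg) {
    Write-Host ("Win32_SystemDriver: State={0} StartMode={1}" -f $cfg.State, $cfg.StartMode)
}

# 3. Interfaces as the OS sees them, to compare against what Npcap exposes.
$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
Write-Host ("{0} adapter(s) up at the OS level:" -f $adapters.Count)
$adapters | Select-Object Name, InterfaceDescription | Format-Table -AutoSize

# 4. Interfaces as Npcap/Wireshark sees them (tshark -D lists capture interfaces).
$tshark = 'C:\Program Files\Wireshark\tshark.exe'   # assumed default install path
if (Test-Path $tshark) {
    $captureIfs = @(& $tshark -D 2>&1)
    Write-Host ("tshark sees {0} capture interface(s):" -f $captureIfs.Count)
    $captureIfs
    if ($captureIfs.Count -eq 0) {
        Write-Host "No capture interfaces: Npcap is still blocked or not loaded."
    }
} else {
    Write-Host "tshark.exe not found at $tshark; skipping capture-interface check."
}
```

If the OS lists adapters but tshark lists none, the driver is loaded but its traffic is still being filtered, which points back at the "No restrictions" setting on the System rule; if the service itself is missing or stopped, the problem is the Npcap installation rather than TinyWall.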

Voilà, enjoy Wireshark while using TinyWall :)
