How to Stop WinPcap/Npcap Service After Wireshark Installation (Windows Network Monitoring)



When you install Wireshark on Windows, it bundles either WinPcap (legacy) or Npcap (modern) as the packet capture driver. Unlike typical Windows services, these don't appear with obvious names in Services Manager. Here's how to locate them:

# PowerShell command to find packet capture services
Get-Service | Where-Object {$_.DisplayName -like "*pcap*" -or $_.Name -like "*npf*"}

You should see either:

  • npf (Npcap Packet Filter Driver)
  • netgroup packet filter (legacy WinPcap)

From an elevated command prompt or PowerShell:

# For Npcap:
net stop npf

# For WinPcap:
net stop "netgroup packet filter"

To verify the status:

# Use sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content
sc.exe query npf | findstr STATE

To prevent automatic startup without uninstalling:

# Using PowerShell (admin rights required):
Set-Service -Name npf -StartupType Manual

# Alternative registry method (Start=3 means manual/demand start):
reg add "HKLM\SYSTEM\CurrentControlSet\Services\npf" /v Start /t REG_DWORD /d 3 /f

If using Npcap (default in newer Wireshark versions), run:

"C:\Program Files\Npcap\npcap-config.exe" --stop-service

You can also edit NPF.conf in Npcap's installation directory to include:

AutoStartService=false

Remember that these services are required when:

  • Running Wireshark captures
  • Using packet capture in Python (e.g., scapy, pyshark)
  • Developing network monitoring tools

For developers working with raw sockets, here's a C# example that requires Npcap:

using System;
using SharpPcap;
using PacketDotNet;

// List the capture interfaces exposed through the installed capture driver
var devices = CaptureDeviceList.Instance;
foreach (var dev in devices)
{
    Console.WriteLine($"{dev.Name} - {dev.Description}");
}



When Wireshark installs on Windows, it typically includes either WinPcap (older versions) or Npcap (newer versions) as its packet capture driver. Unlike regular Windows services, these don't appear in Services.msc with obvious names. Here's how to verify their presence:

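# PowerShell command to check installed drivers (run elevated)
# Driver holds the published oemNN.inf name, so match on OriginalFileName instead
Get-WindowsDriver -Online | Where-Object {$_.OriginalFileName -like "*npcap*" -or $_.OriginalFileName -like "*wpcap*"}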

You have several technical approaches to control the packet capture service:

:: Command Prompt (Admin)
:: For Npcap
net stop npf
:: For older WinPcap versions
net stop npcap

# PowerShell alternative
Stop-Service -Name npf -Force

To prevent automatic startup without uninstalling:

:: Start=4 marks the driver as disabled, so it cannot be started until the value is changed back
reg add "HKLM\SYSTEM\CurrentControlSet\Services\npf" /v Start /t REG_DWORD /d 4 /f
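
The start-type changes described above (Start=3 for manual, Start=4 for disabled) are easier to manage if you first report what is installed. The following PowerShell audit is an added example, not part of the original page: the service names npf and npcap are the ones this page uses, and the function names Get-PcapDriverState and Disable-PcapDriver are hypothetical.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# session if you intend to apply changes; the report itself is read-only.

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-PcapDriverState {
    # Service names taken from this page; pass others with -Name if needed
    param([string[]]$Name = @('npf', 'npcap'))
    foreach ($n in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        if (-not (Test-Path $key)) { continue }      # driver service not registered
        $start  = (Get-ItemProperty -Path $key -Name Start).Start
        $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='$n'"
        [pscustomobject]@{
            Name      = $n
            State     = $driver.State                # Running / Stopped
            StartMode = $StartTypes[[int]$start]
            ImagePath = $driver.PathName             # which .sys file is actually loaded
        }
    }
}

function Disable-PcapDriver {
    # Hypothetical helper: stops the driver and sets Start=4, honouring -WhatIf
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess($Name, 'Stop driver and set Start=4 (Disabled)')) {
        Stop-Service -Name $Name -Force
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
                         -Name Start -Value 4 -Type DWord
    }
}

# Report the current state, then preview (not apply) the change for anything
# that is not already disabled. Remove -WhatIf to apply it.
Get-PcapDriverState | Format-Table -AutoSize
Get-PcapDriverState | Where-Object StartMode -ne 'Disabled' |
    ForEach-Object { Disable-PcapDriver -Name $_.Name -WhatIf }
```

Running the report again after a Wireshark or Npcap upgrade shows whether the installer has reset the start type.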

For developers needing to manage this programmatically:

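using System;
using System.ServiceProcess;

// Requires an elevated process; "npf" is the service name used throughout this page
void TogglePacketCapture(bool enable)
{
    using (var sc = new ServiceController("npf"))
    {
        var target = enable ? ServiceControllerStatus.Running
                            : ServiceControllerStatus.Stopped;

        // Start()/Stop() throw if the service is already in the requested state
        if (sc.Status == target) return;

        if (enable)
        {
            sc.Start();
        }
        else
        {
            sc.Stop();
        }

        // Wait for the state change to complete (times out after 10 seconds)
        sc.WaitForStatus(target, TimeSpan.FromSeconds(10));
    }
}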

If you prefer to completely remove the capture drivers:

:: Silent uninstall for Npcap
"C:\Program Files\Npcap\uninstall.exe" /S

:: For WinPcap
"C:\Program Files\WinPcap\uninstall.exe" /S

Be aware that stopping these services will:

  • Disable all packet capture functionality
  • Affect any application using libpcap/WinPcap API
  • Require admin privileges