This week I was tasked with setting up an automated Wireshark capture on a Windows Server 2008 R2 application server. I began by reading the documentation for Wireshark's command-line tool, TShark. I quickly came across the -D option, which prints every network interface controller (NIC) on which TShark can capture, and ran it on my test server. It returned one line, which I assumed corresponded to the only installed network interface, Local Area Connection (an Intel Pro/1000 MT). What it printed, however, was a string in the form \Device\NPF_{GUID}, which I had not come across before. GUID stands for globally unique identifier, a 128-bit value that Windows uses to identify device drivers and other system components. The output also included the friendly name of the interface (Local Area Connection).

I wanted to verify that the interface TShark recognized was the same one installed on the server by matching the \Device\NPF_ string against one of the NIC's properties. I started with the NIC's Network Connection Properties. Under the Details tab I reviewed every property, from Device description down to Class co-installers, but the term NPF_ and the GUID did not appear anywhere.
That left an obvious question: how could I be sure that a running capture was reading from the correct network device? I needed to find out where in Windows TShark was reading this \Device\NPF_{GUID} value from.
A post on the ask.wireshark.org forums pointed me to the Interface Details dialog within Wireshark (Capture > Interfaces… > Details). Its Interface characteristic listed the \Device\NPF_{GUID} string for my NIC (Intel Pro/1000 MT), so I was now sure it was the same interface I had installed on the server. The question remained, though: where were Wireshark and TShark reading this NPF_{GUID} information from?

After a brief but intense Google session I came across a blog post by Scott MacGregor which pointed me to the Registry – BINGO (where else would you find cryptic strings composed of numbers and letters? Duh.). Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\ (the class GUID Windows uses for network adapters) was a subkey matching the exact GUID inside the \Device\NPF_{GUID} string from the TShark output! Each of those per-adapter subkeys has a Connection subkey whose Name value holds the friendly name you see in the Network Connections folder, which is the cleanest place to confirm the match.
MacGregor's post explained that the \Device\NPF_ prefix is simply prepended to the NIC's GUID from the registry. So my last question was: what does NPF stand for?
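The lookup described above, done end to end so it can run unattended before a scheduled capture, as an added example (this is not code from the original post or from Wireshark). It runs tshark -D, pulls the GUID out of each \Device\NPF_{GUID} entry, resolves it through the registry Connection\Name value and through WMI's Win32_NetworkAdapter, and only starts the capture when the three agree. Assumptions: tshark.exe is on PATH, WinPcap or Npcap is installed, the shell is elevated, PowerShell 3.0 or later is present (WMF 3.0 is installable on 2008 R2), and the target interface's friendly name and output path are the placeholders shown.

```powershell
# Added example: verify which adapter each TShark capture device really is
# before pinning an automated capture to it. Not part of the original post.
# Assumes: tshark.exe on PATH, WinPcap/Npcap installed, elevated PowerShell 3.0+.

$TShark = 'tshark.exe'
# Network adapter class GUID; every NIC gets a subkey named by its own GUID here.
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-TSharkInterfaces {
    # Parse lines of the form "1. \Device\NPF_{GUID} (Friendly Name)" from tshark -D.
    & $TShark -D 2>$null | ForEach-Object {
        if ($_ -match '^\s*(\d+)\.\s+(\\Device\\NPF_(\{[0-9A-Fa-f-]{36}\}))\s*(?:\((.*)\))?') {
            [pscustomobject]@{
                Index      = [int]$Matches[1]
                Device     = $Matches[2]   # full name to pass to tshark -i
                Guid       = $Matches[3]   # the registry subkey name
                TSharkName = $Matches[4]   # friendly name TShark printed, if any
            }
        }
    }
}

function Resolve-AdapterFromGuid {
    param([Parameter(Mandatory)][string]$Guid)
    # 1. Registry: ...\Network\{class}\{adapterGUID}\Connection -> Name is the friendly name.
    $connKey = "$NetClassKey\$Guid\Connection"
    $regName = $null
    if (Test-Path $connKey) {
        $regName = (Get-ItemProperty -Path $connKey -Name Name -ErrorAction SilentlyContinue).Name
    }
    # 2. WMI: Win32_NetworkAdapter.GUID carries the same identifier (works on 2008 R2,
    #    which lacks Get-NetAdapter), giving us the driver description and MAC as a cross-check.
    $wmi = Get-WmiObject -Class Win32_NetworkAdapter -Filter "GUID='$Guid'"
    [pscustomobject]@{
        Guid         = $Guid
        RegistryName = $regName
        WmiName      = $wmi.NetConnectionID
        Description  = $wmi.Name
        MacAddress   = $wmi.MACAddress
    }
}

$report = foreach ($iface in Get-TSharkInterfaces) {
    $adapter = Resolve-AdapterFromGuid -Guid $iface.Guid
    [pscustomobject]@{
        Index        = $iface.Index
        Device       = $iface.Device
        TSharkName   = $iface.TSharkName
        RegistryName = $adapter.RegistryName
        WmiName      = $adapter.WmiName
        Description  = $adapter.Description
        MacAddress   = $adapter.MacAddress
        # All three sources must name the same connection and WMI must know the adapter.
        Consistent   = ($iface.TSharkName -eq $adapter.RegistryName) -and
                       ($adapter.RegistryName -eq $adapter.WmiName) -and
                       [bool]$adapter.MacAddress
    }
}
$report | Format-Table -AutoSize

# Pin the capture to the verified \Device\NPF_{GUID} name rather than a bare -D index,
# which can shift when adapters are added or removed. Placeholders: interface name, path.
$WantedConnection = 'Local Area Connection'
$OutFile = 'C:\captures\appserver.pcap'
$target = $report | Where-Object { $_.Consistent -and $_.RegistryName -eq $WantedConnection }
if ($target) {
    # Ring buffer: rotate every hour, keep the 24 most recent files.
    & $TShark -i $target.Device -b duration:3600 -b files:24 -w $OutFile
} else {
    Write-Error "No interface named '$WantedConnection' passed the TShark/registry/WMI check; refusing to start capture."
}
```

Refusing to capture when the names disagree is deliberate: on a multi-homed server a stale index or a renamed connection would otherwise silently record the wrong segment, and the mismatch is exactly the condition the registry lookup exists to catch.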
One more Google session later: NPF is a driver (npf.sys) and stands for NetGroup Packet Filter. It turns out NPF is the core of the Windows Packet Capture (WinPcap) stack. This is how winpcap.org puts it: "NPF is the WinPcap component that does the hard work, processing the packets that transit on the network and exporting capture, injection and analysis capabilities to user-level." Npcap, the maintained successor to WinPcap, keeps the same \Device\NPF_{GUID} naming for its capture devices, so the lookup above still applies there.
Ladies and gentlemen, that resolves the curious case of the NPF_{GUID} network interface string. Thanks for reading.
