Microsoft – Network Monitor ( v3.4) – Error – “Unable to start a capture. Please make sure that you have a selected network adapter bound to the Netmon driver”

Background

In a recent post we spoke of trying to validate that we were actually experiencing Network Firewall issues.  The tool we were trying to use is “Microsoft Baseline Configuration Analyzer 2.0”.

 

Microsoft’s Network Monitor version 3.4 (NM3)

We were able to validate, using Wireshark, that the error is actually caused by the network firewall.

While we were at it, we wanted to get one other everyday tool installed and configured on our new laptop.

And, that tool is Microsoft’s Network Monitor.  The current version is 3.4.

 

Error

We experienced an error upon launching Microsoft’s NM3 and attempting to start a capture.


Unable to start a capture.  Please make sure that you have a selected network adapter bound to the Netmon driver. 

 

 

Troubleshooting

Wireshark

As mentioned, we installed Wireshark a short while earlier. As both are network diagnostic tools that intercept network traffic, we sought to disable the network filtering components of Wireshark.

 

Winpcap

 

Wireshark relies on Winpcap to capture Network Traffic.

During install, we asked for it to be started during system’s boot.

Controlling WinPcap

BTW, WinPcap is a driver and not a service.

And so stopping and disabling it is not as easy as opening the MS Windows services applet ( services.msc ).

The device name is npf.

Command line

Let us query the status and control the device by launching a command console and invoking the sc tool.

Query
Command Syntax

sc query npf

Output

[Screenshot: output of sc query npf]

 

 

Stop

We can stop the device by passing along the stop argument.

Command Syntax

sc stop npf

Output

[Screenshot: output of sc stop npf]

 

Change Start Type

And we can change it from auto start to demand start by changing the start state to demand.

Command Syntax

sc config npf start= demand

Output

[Screenshot: output of sc config npf]

Conclusion

Even though the steps completed successfully, they did not help.

We logged out of the computer and restarted a couple of times; that did not help either.

 

 

NMCap

Took to the Internet and was advised to go to the command line and use NMCap to display the network interfaces available to Network Monitor (NM).

Syntax


NMCap /displaynetworks

 

Output

[Screenshot: output of NMCap /displaynetworks]

 

Explanation

Nothing bound.

 

Reviewed Installation Logfiles

On MS Windows 7, the installation log files are located in “C:\users\<username>\AppData\Local\Temp“.

And, so for me the installation log folder is “C:\users\dadeniji\AppData\Local\Temp”.

The file name is NetmonInstall.log

NetmonInstall.log

Opened up the log file and performed a text search for drivers, inf, etc.

And, here is what we have.


MSI (s) (CC:48) [18:55:07:778]: Executing op: SetTargetFolder(Folder=C:\WINDOWS\system32\drivers\)
MSI (s) (CC:48) [18:55:07:778]: Executing op: SetSourceFolder(Folder=1\windir\System32\drivers\)
MSI (s) (CC:48) [18:55:07:778]: Executing op: RegisterSharedComponentProvider(,,File=Nm3Sys,Component={7AF7C751-45C8-4D60-9568-B1B80EB7AF45},ComponentVersion=3.4.2350.0,ProductCode={8C5B5A11-CBF8-451B-B201-77FAB0D0B77D},ProductVersion=3.4.2350,PatchSize=0,PatchAttributes=0,PatchSequence=0,SharedComponent=0,IsFullFile=0)
MSI (s) (CC:48) [18:55:07:778]: Executing op: FileCopy(SourceName=nm3.sys,SourceCabKey=Nm3Sys,DestName=nm3.sys,Attributes=512,FileSize=46392,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,Version=3.4.2350.0,Language=1033,InstallMode=59244544,,,,,,,)
MSI (s) (CC:48) [18:55:07:793]: File: C:\WINDOWS\system32\drivers\nm3.sys;	Overwrite;	Won't patch;	Existing file is of an equal version
MSI (s) (CC:48) [18:55:07:793]: Source for file 'Nm3Sys' is compressed
InstallFiles: File: nm3.sys,  Directory: C:\WINDOWS\system32\drivers\,  Size: 46392
MSI (s) (CC:48) [18:55:07:793]: Re-applying security from existing file.
MSI (s) (CC:48) [18:55:07:793]: Verifying accessibility of file: nm3.sys
MSI (s) (CC:48) [18:55:07:840]: Executing op: SetTargetFolder(Folder=C:\WINDOWS\inf\)
MSI (s) (CC:48) [18:55:07:840]: Executing op: SetSourceFolder(Folder=1\windir\inf\)
MSI (s) (CC:48) [18:55:07:840]: Executing op: FileCopy(SourceName=netnm3.inf,SourceCabKey=Netnm3Inf,DestName=netnm3.inf,Attributes=512,FileSize=3061,PerTick=65536,,VerifyMedia=1,,,,,CheckCRC=0,,,InstallMode=59244544,HashOptions=0,HashPart1=55295664,HashPart2=-289695056,HashPart3=-1565366832,HashPart4=1802260368,,)
MSI (s) (CC:48) [18:55:07:840]: File: C:\WINDOWS\inf\netnm3.inf;	Overwrite;	Won't patch;	Existing file is unversioned and unmodified - hash matches source file
MSI (s) (CC:48) [18:55:07:840]: Source for file 'Netnm3Inf' is compressed
InstallFiles: File: netnm3.inf,  Directory: C:\WINDOWS\inf\,  Size: 3061
MSI (s) (CC:48) [18:55:07:840]: Re-applying security from existing file.
MSI (s) (CC:48) [18:55:07:840]: Verifying accessibility of file: netnm3.inf

 

Explanation

Nothing eventful.
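
The text search described above can be scripted. The following Python sketch is an added example, not part of the original post: it pairs each FileCopy operation with its target folder and the installer's overwrite decision, using lines abbreviated from the excerpt above (the function names are hypothetical).

```python
import re

# Lines abbreviated from the NetmonInstall.log excerpt above (FileCopy arguments trimmed).
SAMPLE_LOG = r"""
MSI (s) (CC:48) [18:55:07:778]: Executing op: SetTargetFolder(Folder=C:\WINDOWS\system32\drivers\)
MSI (s) (CC:48) [18:55:07:778]: Executing op: FileCopy(SourceName=nm3.sys,DestName=nm3.sys,Attributes=512,FileSize=46392,,Version=3.4.2350.0,Language=1033,,)
MSI (s) (CC:48) [18:55:07:793]: File: C:\WINDOWS\system32\drivers\nm3.sys; Overwrite; Won't patch; Existing file is of an equal version
MSI (s) (CC:48) [18:55:07:840]: Executing op: SetTargetFolder(Folder=C:\WINDOWS\inf\)
MSI (s) (CC:48) [18:55:07:840]: Executing op: FileCopy(SourceName=netnm3.inf,DestName=netnm3.inf,Attributes=512,FileSize=3061,,CheckCRC=0,,)
MSI (s) (CC:48) [18:55:07:840]: File: C:\WINDOWS\inf\netnm3.inf; Overwrite; Won't patch; Existing file is unversioned and unmodified - hash matches source file
"""

OP = re.compile(r"Executing op: (\w+)\((.*)\)\s*$")
RESULT = re.compile(r"\]: File: (.+?);\s*(.+)$")

def parse_args(text):
    """Turn 'k=v,k=v,,' op arguments into a dict; empty positional slots are skipped."""
    return dict(part.split("=", 1) for part in text.split(",") if "=" in part)

def installed_files(log_text):
    """Pair each FileCopy op with its target folder and the installer's decision."""
    folder, current, files = "", None, []
    for line in log_text.splitlines():
        op = OP.search(line)
        if op:
            name, args = op.group(1), parse_args(op.group(2))
            if name == "SetTargetFolder":
                folder = args.get("Folder", "")
            elif name == "FileCopy" and "DestName" in args:
                current = {"path": folder + args["DestName"],
                           "size": int(args.get("FileSize", 0)),
                           "version": args.get("Version"),  # None for unversioned files
                           "decision": []}
                files.append(current)
            continue
        res = RESULT.search(line)
        if res and current and res.group(1).lower() == current["path"].lower():
            current["decision"] = [s.strip() for s in res.group(2).split(";")]
    return files

def driver_artifacts(log_text):
    """Keep only kernel drivers (.sys) and setup information files (.inf)."""
    return [f for f in installed_files(log_text)
            if f["path"].lower().endswith((".sys", ".inf"))]

if __name__ == "__main__":
    for f in driver_artifacts(SAMPLE_LOG):
        print(f["path"], f["size"], f["version"], " | ".join(f["decision"]))
```

A clean result here only shows that nm3.sys and netnm3.inf landed on disk; the log says nothing about whether the driver was bound to an adapter.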

 

Network Adapter

Next in line was to access “Control Panel” \ “Network Connection” \ “Adapter Settings”, and see whether our adapter is showing up or is marked as malfunctioning.

@ 6:23 PM

At 6:23 PM here are the clients, drivers, and protocols listed for our main network adapter.

[Screenshot: network adapter]

Explanation

  1. Clients
    • Clients for Microsoft Network
  2. Driver
    • Virtual PC Network Filter Driver
  3. Protocol
    • TCP/IP
      • v4
      • v6

Tried disabling the “Virtual PC Network Filter Driver” thinking that the “Virtual PC” network sharing might be impacting us.

But, no help.

 

Manual Install

Next is manual install.

If we at least have access to the actual network monitoring driver, we can try adding it manually.

Extract Install File

NM34_x64.exe

Here is a small DOS batch file to extract the various components of NM34_x64.exe


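rem Folder and file name of the downloaded installer
set "appFolder=C:\downloads\Microsoft\NetworkMonitor\v3.4"
set "appName=NM34_x64.exe"
set "appFullName=%appFolder%\%appName%"

rem Folder that receives the extracted components
set "extractTarget=C:\downloads\Microsoft\NetworkMonitor\v3.4\extractTarget"

rem /T: names the extraction folder; /C extracts the files without running setup
%appFullName% /T:%extractTarget%  /C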

netmon.msi

One of the files that is bundled with NM34_x64.exe is netmon.msi.

Here we use msiexec to extract files from netmon.msi


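rem Folder and file name of the MSI extracted in the previous step
set "appFolder=C:\downloads\Microsoft\NetworkMonitor\v3.4\extractTarget"
set "appName=netmon.msi"
set "appFullName=%appFolder%\%appName%"

rem Folder that receives the files unpacked from the MSI
set "targetPath=C:\downloads\Microsoft\NetworkMonitor\v3.4\extractTarget\netmon_files\"

rem /a performs an administrative install, which unpacks the files into TARGETDIR; /qb shows a basic UI
msiexec /a %appFullName% /qb TARGETDIR=%targetPath%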

Extracted Files

Let us list the extracted files…

Script


dir C:\downloads\Microsoft\NetworkMonitor\v3.4\extractTarget\netmon_files\windir /s /B

Output

[Screenshot: listing of the extracted files]

 

Install

Access “Control Panel” \ “Network and Internet” \ “Network Connections” and follow the screen shots below to attempt manual installation

Select Network Feature Type

  1. From the “type of Network feature”
    • Choose Service

[Screenshot: Select Network Feature Type]

Select Network Service

The “Select Network Service” is empty upon initial display

[Screenshot: Select Network Service]

INF Folder

Click the “Have Disk” button, and navigate to your INF folder.

BTW, that folder has a lone file and its name is netnm3.inf

[Screenshot: INF folder]

 

Install From Disk – Copy manufacturer’s file from ….

[Screenshot: Install From Disk]

 

 

Error Message

We received an error message that proved useful…


Filters currently installed on the system have reached the limit.

 

 

Remediation

Took the error message to the Internet and was asked to look in the registry and find the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network” key.

MaxNumFilters

And, seek out the MaxNumFilters value.

Get MaxNumFilters

GUI

[Screenshot: MaxNumFilters]

Command Line


 set "_key=HKLM\SYSTEM\CurrentControlSet\Control\Network\"
 reg query %_key% /v MaxNumFilters /t REG_DWORD

 

Set MaxNumFilters higher

Here we set MaxNumFilters to 15.

Command Line


 set "_key=HKLM\SYSTEM\CurrentControlSet\Control\Network\"
 set "_maxNumFilters=15"
 
 reg add %_key% /v MaxNumFilters /t REG_DWORD /d %_maxNumFilters% /f

 

Output

[Screenshot: output of reg add]

 

Retry Manual Installation

[Screenshot: Install – the driver is not digitally signed]

[Screenshot: Connection – Microsoft Network Monitor 3 Driver]

Microsoft Network Monitor 3 Driver is now showing up.

 

Verification

NMCap

Code

NMCap /displaynetworks

 

Output

[Screenshot: output of NMCap /displaynetworks]

Explanation

Our network adapter is now showing up.

 

References

  1. Filters currently installed on the system have reached the limit
    • QBIK – Network filter limit reached error
    • Overcoming a Network Filter limit on a Windows 7 DEV box

 
