Wireshark – Please turn off promiscuous mode for this device

Recently received the following error while trying to do a packet capture on windows.

There are two solutions to this problem

  1. Disable promiscuous mode for the adapter
  2. Update Npcap

Disable Promiscuous mode

“Please turn off promiscuous mode for this device”

You can turn on promiscuous mode by going to Capture -> Options

Uncheck promiscuous

And click Start

Update Npcap

If you need promiscuous mode on, then look at installing a newer version of Npcap

https://npcap.com/dist/

Restart Wireshark, and Start a capture.

https://ask.wireshark.org/question/30138/please-turn-off-promiscuous-mode-for-this-device/

Wireshark Filtering

Filter to show DHCP packets

You can find detailed info here. https://wiki.wireshark.org/DHCP

But you should be able to filter out the DHCP request with either

dhcp

or

bootp
Filter DHCP request

Filter by IP Address

ip.addr == 192.168.1.1

Filter by Mac Address

eth.dst == 01:00:5e:7f:ff:fa

Better way to Filter

Wireshark has a robust set of options for filtering items.

From the Packet Details pane you can select any piece of information you want to filter, right click -> Apply As Filter -> Selected

You can also copy it and then past it in the filter bar. Right click -> Copy -> As Filter

Copy As Filter

How to stream Mikrotik Packet Sniffer to Wireshark

Setup Packet Sniffer on Mikrotik

Go to Tools -> Packet Sniffer

Mikrotik Packet Sniffer Settings

Configure the Streaming options. Set the Server IP address to the computer you are running Wireshark on

Configure IP address to stream to.

Configure the Filter settings. Unless you want to stream everything from the router to your computer.

Set filter options

Configure Wireshark

Make sure the TZSP is enabled in the “Enabled Protocols” Window. Either by going to “Analyze -> Enabled Protocols” or “Ctrl + Shift + E”

Enable TZSP protocol

Run Wireshark.

Wireshark

Helpful links

https://wiki.mikrotik.com/wiki/Ethereal/Wireshark