
    How to Install Wireshark on Windows Server

    By Amir, Reliability & Network Engineering

    Wireshark is the de facto packet analyzer used to investigate network problems on servers — anything from "is the request even reaching the box?" to "which side closed the TCP connection?". On Windows it is built on top of Npcap, a modern packet-capture driver maintained by the Nmap project, and ships with both a GUI (Wireshark.exe) and a set of command-line tools (tshark, dumpcap, editcap, mergecap, capinfos).

    This guide covers installing Wireshark on Windows Server 2016, 2019, 2022, and 2025, including:

    • the standard GUI install with Npcap,
    • a fully unattended/silent install for headless or fleet deployments,
    • installation on Server Core (no GUI), where you typically only want tshark/dumpcap,
    • permissions and the Npcap users group,
    • a first capture, useful filters, and recipes for common server-side investigations.

    Prerequisites

    • Windows Server 2016, 2019, 2022, or 2025 (x64). Wireshark 4.x dropped support for older Windows Server releases.
    • Local Administrator rights to run the installer and install the Npcap driver.
    • ~250 MB of free disk space for Wireshark + Npcap.
    • A network interface you control. Capturing on a NIC presented through a hypervisor (Hyper-V, ESXi, KVM virtio) works, but the promiscuous-mode behavior depends on the virtual switch — see "Troubleshooting" below.
    • Outbound HTTPS access to https://www.wireshark.org and https://npcap.com (or pre-staged installers if the server is offline).

    If the server is locked down and you only need to capture traffic for offline analysis, you do not need to install the full Wireshark GUI — install just Npcap + dumpcap and copy the resulting .pcapng file off the box. See the Server Core section.


    Choose the right installer

    Wireshark publishes three Windows artifacts:

    Installer                           When to use
    Wireshark-x.y.z-x64.exe             Standard GUI install on Windows Server with Desktop Experience. Bundles Npcap.
    Wireshark-x.y.z-x64.msi             MSI variant. Use this when you need to deploy via Group Policy, SCCM/Intune, Chocolatey, or any unattended pipeline.
    WiresharkPortable64_x.y.z.paf.exe   Portable build. Useful for incident-response USBs but does not install Npcap — capture will not work unless Npcap is already present.

    Always pair the installer with the latest Npcap OEM/Free build from npcap.com. The bundled Npcap inside the Wireshark installer lags upstream by a release or two; for a production server, install the latest Npcap separately, then install Wireshark and uncheck the bundled Npcap during setup.


    Method 1 — GUI install (Windows Server with Desktop Experience)

    This is the path for an interactive install over RDP or the console.

    1. Download

    Open a browser on the server (or copy the file in via SMB / Copy-Item):

    # Download the latest stable installer to C:\Installers
    $ProgressPreference = "SilentlyContinue"  # avoids the slow PowerShell progress bar
    New-Item -ItemType Directory -Force -Path C:\Installers | Out-Null
    Invoke-WebRequest `
      -Uri "https://www.wireshark.org/download/win64/Wireshark-latest-x64.exe" `
      -OutFile "C:\Installers\Wireshark-x64.exe"
    

    Verify the SHA-256 against the value published on the Wireshark download page:

    Get-FileHash C:\Installers\Wireshark-x64.exe -Algorithm SHA256
    

    2. Run the installer as Administrator

    Either right-click → Run as administrator, or from an elevated PowerShell:

    Start-Process -FilePath "C:\Installers\Wireshark-x64.exe" -Verb RunAs
    

    Click through the wizard. The choices that matter on a server:

    • Components — keep Wireshark and TShark. The "USB capture" and "SSHdump" extras are rarely useful on a server; leave them out unless you have a specific need.
    • Additional Tasks — "Associate trace files" is fine. The desktop shortcut is optional on a server.
    • Install Npcap — leave checked unless you already installed Npcap separately (see "Choose the right installer"). The Npcap sub-installer will launch after Wireshark finishes.

    3. Npcap options

    When the Npcap installer appears, the defaults are sensible for a server, but be deliberate:

    • Restrict Npcap driver's access to Administrators only — leave checked on a server. This prevents non-admin users from capturing traffic. Uncheck only if you intend to grant capture rights to a specific group via the Npcap local group.
    • Support raw 802.11 traffic (and monitor mode) for wireless adapters — irrelevant on most servers; leave unchecked.
    • Install Npcap in WinPcap API-compatible Mode — leave checked. Some older tools (e.g. legacy WinDump, certain monitoring agents) still expect the WinPcap API.
    • Support loopback traffic ("Npcap Loopback Adapter") — check this if you need to capture packets sent to 127.0.0.1 (e.g. an app talking to a local DB on the same host). Costs nothing if unused.

    4. Verify the install

    Open a fresh PowerShell window (so it picks up the new PATH) and run:

    & "C:\Program Files\Wireshark\Wireshark.exe" --version
    & "C:\Program Files\Wireshark\tshark.exe" --version
    & "C:\Program Files\Wireshark\dumpcap.exe" -D
    

    dumpcap -D lists every interface visible to the capture driver — if it returns interfaces, Npcap is loaded correctly.


    Method 2 — Silent / unattended install

    Use this for fleet deployment, automation pipelines, or when RDP'ing into the server just to click Next is not an option.

    # 1. Download the latest MSI
    $ProgressPreference = "SilentlyContinue"
    Invoke-WebRequest `
      -Uri "https://www.wireshark.org/download/win64/Wireshark-latest-x64.msi" `
      -OutFile "C:\Installers\Wireshark-x64.msi"
    
    # 2. Install silently, no UI, log to file
    Start-Process msiexec.exe -Wait -ArgumentList @(
      "/i", "C:\Installers\Wireshark-x64.msi",
      "/qn",                              # no UI
      "/norestart",
      "/L*v", "C:\Installers\wireshark-install.log"
    )
    

    The MSI does not install Npcap — install it separately first.

    Npcap silent install

    The Npcap installer is an NSIS executable. The relevant silent flags:

    # Download the latest Npcap installer manually from https://npcap.com/#download
    # (the URL is versioned, e.g. npcap-1.79.exe)
    $Npcap = "C:\Installers\npcap-1.79.exe"
    
    Start-Process -FilePath $Npcap -Wait -ArgumentList @(
      "/S",                       # silent
      "/winpcap_mode=yes",        # WinPcap API compat
      "/admin_only=yes",          # restrict capture to Administrators
      "/loopback_support=yes",    # Npcap Loopback Adapter
      "/dot11_support=no"         # no Wi-Fi monitor mode on servers
    )
    

    A reboot is not normally required, but if dumpcap -D shows no interfaces afterwards, reboot once.

    Verify silently

    & "C:\Program Files\Wireshark\dumpcap.exe" -v
    & "C:\Program Files\Wireshark\dumpcap.exe" -D
    

    Chocolatey one-liner (if Chocolatey is already on the box)

    choco install wireshark -y
    choco install npcap -y
    

    Choco handles the Npcap install for you, but you give up control of the Npcap flags above. Acceptable for dev/test boxes; prefer the explicit MSI + Npcap path for production.


    Method 3 — Server Core (no GUI)

    Server Core has no desktop, so the Wireshark GUI will not run there. What you can run is dumpcap for capturing and tshark for decoding — both are command-line and behave like tcpdump.

    The cleanest pattern for Server Core:

    1. Install Npcap silently (see above).
    2. Install Wireshark from the MSI silently. The MSI installs tshark.exe, dumpcap.exe, editcap.exe, etc., even though the GUI binary cannot launch.
    3. Use dumpcap to capture, copy the .pcapng to your workstation, and open it in Wireshark there.

    # Capture on interface index 1, write to file, stop after 60 seconds
    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 `
        -w C:\Captures\out.pcapng `
        -a duration:60
    
    # Same, but only TCP traffic to/from a specific host (BPF capture filter)
    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 `
        -f "host 10.0.0.5 and tcp" `
        -w C:\Captures\out.pcapng
    

    Why dumpcap and not tshark for the capture itself? dumpcap is the dedicated capture engine — tshark actually shells out to it under the hood. For long captures on a busy NIC, dumpcap drops fewer packets because it does not also try to decode them.


    Permissions and the Npcap users group

    By default (with admin_only=yes) only members of the local Administrators group can capture. To let a specific service account or a Windows user capture without granting full admin:

    1. Re-run the Npcap installer with admin_only=no. This creates a local group called Npcap.

    2. Add the user:

      Add-LocalGroupMember -Group "Npcap" -Member "DOMAIN\service-account"
      
    3. Have the user log out and back in for the group membership to take effect.

    For most production servers, leave it Administrators-only — packet captures contain credentials, cookies, and PII, and you do not want broad capture rights on a host that handles real traffic.


    Listing interfaces

    Before capturing, find the interface you want to listen on:

    & "C:\Program Files\Wireshark\dumpcap.exe" -D
    

    Typical output on a Windows Server:

    1. \Device\NPF_{12345678-...} (Ethernet0)
    2. \Device\NPF_{ABCDEF00-...} (Ethernet1)
    3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
    

    Use the index (1, 2, …) with -i, not the long device path — much easier to type.


    A first capture

    GUI:

    1. Launch Wireshark as Administrator (right-click → Run as administrator). Without elevation, the interface list will be empty.
    2. Double-click the interface you want.
    3. Press the red square to stop, then File → Save As… to write a .pcapng.

    Command line:

    # Capture everything on interface 1 for 30 seconds, save to file
    & "C:\Program Files\Wireshark\dumpcap.exe" -i 1 -a duration:30 -w C:\Captures\first.pcapng
    
    # Live decode (one line per packet) — useful for quick triage
    & "C:\Program Files\Wireshark\tshark.exe" -i 1 -n
    

    -n disables name resolution. Always use it during capture — DNS lookups will turn a fast trace into a slow, noisy one.


    Capture filters vs display filters (the bit that confuses everyone)

    Wireshark has two filter languages, and they are not the same:

                   Capture filter                            Display filter
    When applied   At capture time, in the kernel/driver     After capture, in Wireshark/tshark
    Syntax         BPF (same as tcpdump)                     Wireshark's own (ip.addr == 1.2.3.4)
    GUI box        "Capture filter" on the start screen      The green search bar at the top
    CLI flag       -f "..." (dumpcap/tshark)                 -Y "..." (tshark)

    Rule of thumb: use a capture filter to keep the trace small (recommended on busy servers); use a display filter to slice and dice an already-captured trace.

    Useful capture filters (BPF)

    host 10.0.0.5                       # any traffic to/from 10.0.0.5
    src host 10.0.0.5                   # only from 10.0.0.5
    dst host 10.0.0.5                   # only to 10.0.0.5
    port 443                            # any traffic on TCP/UDP 443
    tcp port 443                        # TCP only
    portrange 8000-8100
    net 10.0.0.0/24
    icmp                                # pings
    not host 10.0.0.99                  # exclude a noisy host
    tcp port 5432 and not host 10.0.0.99
    

    Useful display filters

    ip.addr == 10.0.0.5
    tcp.port == 443
    http.request.method == "POST"
    tls.handshake.type == 1             # ClientHello
    dns.qry.name contains "example.com"
    tcp.flags.reset == 1                # only TCP RSTs
    tcp.analysis.retransmission         # only retransmits
    

    Saving and reading captures

    Modern Wireshark writes .pcapng by default — a richer format than the classic .pcap. Most tools read both. If you need to share with an old tool that only understands .pcap:

    & "C:\Program Files\Wireshark\editcap.exe" -F pcap C:\Captures\in.pcapng C:\Captures\out.pcap
    

    Rotating long captures

    For long-running diagnostics, rotate so you do not fill the disk:

    # Rotate every 60 seconds, keep at most 10 files
    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 -w C:\Captures\cap.pcapng `
        -b duration:60 -b files:10
    
    # Rotate by size — every 100 MB, keep 5 files
    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 -w C:\Captures\cap.pcapng `
        -b filesize:102400 -b files:5
    

    filesize is in kilobytes (102400 = 100 MB). The -b files:N ring overwrites the oldest file when the cap is hit, so disk usage stays bounded.


    Practical recipes for Windows Server

    Is the server actually seeing the request?

    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 -f "host 198.51.100.7 and tcp port 443" -w C:\Captures\smoke.pcapng -a duration:30
    

    Open in Wireshark. If you see SYNs but no SYN/ACK, the Windows Firewall, the load balancer in front, or the listening service is dropping the connection.

    Confirm a service is bound and accepting

    # Capture only TCP SYNs to port 1433 (SQL Server) — no payload, just connection attempts
    & "C:\Program Files\Wireshark\tshark.exe" -i 1 -n -f "tcp port 1433 and tcp[tcpflags] & tcp-syn != 0"
    

    Diagnose RDP disconnects

    & "C:\Program Files\Wireshark\dumpcap.exe" `
        -i 1 -f "tcp port 3389" -w C:\Captures\rdp.pcapng -b duration:300 -b files:6
    

    Then in Wireshark, apply tcp.flags.reset == 1 as a display filter to see who is sending the RST.

    Watch a TLS handshake

    Capture filter narrows the trace; display filter pulls out the handshake messages:

    # 1. Capture
    & "C:\Program Files\Wireshark\dumpcap.exe" -i 1 -f "host api.example.com and tcp port 443" -w C:\Captures\tls.pcapng
    
    # 2. Decode just the handshake
    & "C:\Program Files\Wireshark\tshark.exe" -r C:\Captures\tls.pcapng -Y "tls.handshake.type == 1 or tls.handshake.type == 2"
    

    Capture DNS queries from the server

    & "C:\Program Files\Wireshark\tshark.exe" -i 1 -n -f "port 53"
    

    Loopback traffic (app talking to local SQL/Redis)

    You must have installed Npcap with the loopback adapter enabled. Then:

    & "C:\Program Files\Wireshark\dumpcap.exe" -D
    # Find the "Adapter for loopback traffic capture" — say it's index 5
    & "C:\Program Files\Wireshark\dumpcap.exe" -i 5 -f "tcp port 1433" -w C:\Captures\local-sql.pcapng
    

    Hunt connection resets

    & "C:\Program Files\Wireshark\dumpcap.exe" -i 1 -f "tcp[tcpflags] & tcp-rst != 0" -w C:\Captures\rsts.pcapng -a duration:60
    

    Then in Wireshark add tcp.flags.reset == 1 and look at the source IP — that is who is closing the connection abruptly.
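    The RDP-disconnect and reset-hunting recipes above both end with "apply tcp.flags.reset == 1 and look at the source IP". The following added example (not from the original guide) automates that for a headless box: a bounded, headers-only dumpcap run with a BPF capture filter, then an offline tshark pass with a display filter that tallies RST senders and flags streams that also retransmitted. Interface index, port, paths and the 128-byte snaplen are assumptions.

```powershell
# Added example, not from the original guide: bounded headers-only capture of one TCP port,
# then an offline tshark pass that tallies who sends the RSTs. Interface index, port,
# paths and the 128-byte snaplen are assumptions; adjust them for the host.
param(
    [int]$Interface = 1,
    [int]$Port      = 3389,          # 3389 = RDP; 1433 for SQL Server, 443 for HTTPS, etc.
    [int]$Seconds   = 120,
    [string]$OutDir = "C:\Captures"
)
$ErrorActionPreference = "Stop"
$Wireshark = "C:\Program Files\Wireshark"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$Pcap = Join-Path $OutDir ("rst-{0}.pcapng" -f (Get-Date -Format "yyyyMMdd-HHmmss"))

# 1. Capture with dumpcap, not tshark. The BPF capture filter keeps the trace to one port,
#    -a duration bounds the run, and -s 128 keeps headers only so no payload lands on disk.
& "$Wireshark\dumpcap.exe" -i $Interface -f "tcp port $Port" -w $Pcap -a "duration:$Seconds" -s 128
if ($LASTEXITCODE -ne 0) { throw "dumpcap failed (exit $LASTEXITCODE). Elevated prompt? Npcap loaded?" }

# 2. Decode offline with a display filter: one tab-separated row per RST packet.
$Rows = & "$Wireshark\tshark.exe" -r $Pcap -n -Y "tcp.flags.reset == 1" -T fields `
            -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.stream `
            -E separator=/t |
        ConvertFrom-Csv -Delimiter "`t" -Header Time, Src, SrcPort, Dst, DstPort, Stream

# 3. Group by RST sender. The server's own address at the top means the listening service
#    (or local firewall) is closing; a client or middlebox address means it is closed from in front.
$BySender = $Rows | Group-Object Src | Sort-Object Count -Descending |
            Select-Object @{ n = "RstSender"; e = { $_.Name } }, Count,
                          @{ n = "Streams";   e = { @($_.Group.Stream | Sort-Object -Unique).Count } }
"RST packets by sender (trace: $Pcap)"
$BySender | Format-Table -AutoSize

# 4. Cross-check: streams that retransmitted before the reset suggest loss or an idle timeout
#    rather than a deliberate application close.
$Retrans = @(& "$Wireshark\tshark.exe" -r $Pcap -n -Y "tcp.analysis.retransmission" -T fields -e tcp.stream)
$Both    = @($Rows.Stream | Sort-Object -Unique | Where-Object { $_ -in $Retrans })
"Streams with retransmissions and a RST: $($Both.Count) of $(@($Rows.Stream | Sort-Object -Unique).Count)"
"Delete $Pcap when the investigation is done; even headers reveal who talks to whom."
```

    Save it as a .ps1 and run it elevated; the trace stays on disk only as long as you keep it, and the snaplen means the capture is useless for harvesting payloads if it is ever copied elsewhere.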


    Operational tips

    • Run elevated, always. Without Administrator rights (or Npcap group membership), the interface list will be empty and you will think Wireshark is broken.
    • Always include a capture filter on a production NIC. An unfiltered capture on a busy 1 GbE adapter will drop packets and pile CPU on the host.
    • Always include -n in tshark invocations to skip name resolution. DNS lookups during capture turn a focused trace into a slow one.
    • Mind the disk. -w plus a busy NIC fills disks quickly. Use -b filesize: / -b duration: / -b files: for ring captures.
    • Treat .pcapng files as production secrets. They contain real payloads — credentials, cookies, session tokens, PII. Store them somewhere access-controlled and delete when the investigation is done.
    • Capture on the server, analyze on your laptop. The Windows Server GUI is fine, but Wireshark's UI is much snappier on a workstation. Capture to disk, copy off, open locally.
    • Use dumpcap for the capture, tshark/Wireshark for the analysis. dumpcap is the dedicated capture engine and drops fewer packets under load.
    • One filter per terminal. When debugging two flows at once, run two dumpcap instances with different filters rather than one giant filter — easier to reason about.

    Troubleshooting

    • The interface list is empty in Wireshark. You did not run as Administrator, or Npcap is not installed/loaded. Check dumpcap -D from an elevated prompt; if that returns nothing, reinstall Npcap and reboot once.
    • Couldn't run dumpcap … because of permissions error. The user is not in the Npcap group (or the Npcap install was set to Administrators-only). Either add the user with Add-LocalGroupMember -Group "Npcap" -Member … and have them re-login, or run Wireshark elevated.
    • No interfaces found on a Hyper-V VM, even as Administrator. Hyper-V's external switch can hide adapters from Npcap. Either capture on the host's vSwitch via Hyper-V's port mirroring, or set the VM NIC's MAC address spoofing to Enabled in Hyper-V Manager so promiscuous-mode capture works inside the guest.
    • Captures show only your own traffic, never anyone else's, on a physical NIC. You are connected to a switch (not a hub) and the port is not in promiscuous/mirror mode. That is normal switched-network behavior — ask your network team to mirror the relevant port to the server's NIC, or capture on the upstream device.
    • Old Windows Server (2012 R2 or earlier). Wireshark 4.x will not install. You either need to upgrade the OS or install an older Wireshark 3.6 LTS build (no longer receiving security fixes — a bad idea on production).
    • The NPF driver isn't running (legacy WinPcap message). Some legacy app is calling the old WinPcap API. Re-run the Npcap installer with the WinPcap API-compatible Mode option enabled.
    • Wireshark crashes or hangs at startup. Almost always a stale/incompatible Npcap. Uninstall Npcap from Settings → Apps, reinstall the latest build from npcap.com, then start Wireshark again.
    • Capture packets are truncated. Snaplen is too small. In the GUI: Capture → Options → uncheck "Limit each packet to". On the CLI: pass -s 0 to dumpcap/tshark.
    • dumpcap reports dropped packets at the end of a capture. The NIC is too fast for live decoding. Switch to a pure dumpcap -w file.pcapng capture (no live decode) and analyze offline.

    Uninstalling

    # GUI
    appwiz.cpl
    # Remove "Wireshark x.y.z" and "Npcap x.y" separately
    
    # Or via PowerShell (PackageManagement)
    Get-Package -Name "Wireshark*" | Uninstall-Package
    Get-Package -Name "Npcap*"     | Uninstall-Package
    

    Npcap is a separate product from Wireshark — uninstall it explicitly if you want it gone, otherwise the driver stays loaded.


    Summary

    For most Windows Server installs, the reliable recipe is:

    1. Install the latest Npcap silently with admin_only=yes, winpcap_mode=yes, and (if you need it) loopback_support=yes.
    2. Install Wireshark from the MSI silently with msiexec /i … /qn /norestart.
    3. Verify with dumpcap -D from an elevated PowerShell.
    4. Capture with dumpcap -i <n> -f "<bpf filter>" -w C:\Captures\out.pcapng.
    5. Copy the .pcapng to your workstation and analyze it in the Wireshark GUI.

    That covers everything from a one-off troubleshooting session over RDP to a fleet-wide unattended deployment, and works the same on Server Core (where you simply skip the GUI and live in dumpcap + tshark).