Packet Capture service will not start due to NPF driver not properly installed on Network Monitor

Article ID: 159442


Products

Data Loss Prevention Network Monitor

Issue/Introduction

The Packet Capture service shows as stopped in the Enforce user interface (UI), and the following items indicate that the NPF driver isn't running:

  • When the monitor server is rebooted, the monitor does not begin capturing traffic
  • Once the monitor is recycled within the console, it then begins capturing traffic but no packets are seen
  • In Enforce Console, the Network Monitor status shows "Unknown"
  • Error code 1008 Packet Capture is down
          

Environment

Windows OS

Applies to Network Monitor for Windows only

Cause

The NPF driver is not properly loaded within Windows, likely due to an incorrect, missing, or outdated WinPcap version.

Resolution

Verify the proper version of WinPcap that needs to be installed for the version of DLP.

  1. Open Windows Programs and Features/Add or Remove Programs.
  2. Remove the current version of WinPcap if unknown.
  3. Install the latest version of WinPcap provided for the DLP version in use.
    1. The WinPcap executable file is included with the DLP Platform installer within the Third_Party folder and is for Windows only.
    2. For more details, please see the DLP installation guide for your version on the Symantec Data Loss Prevention Help Center.
  4. Recycle the Symantec DLP services.
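
A read-only PowerShell check that can be run before and after the steps above to see whether the NPF driver is registered and running, and which WinPcap or Npcap package Windows reports as installed. This is an added example, not part of the original article or of Symantec's tooling; it assumes the driver is registered as the service `npf` and that `npf.sys` sits in the default drivers folder.

```powershell
# Added example: read-only check, run in an elevated PowerShell session on the monitor server.
# Assumptions: WinPcap registers its kernel driver as the service "npf" and installs
# npf.sys under %SystemRoot%\System32\drivers.

function Get-NpfDriverStatus {
    # Kernel drivers are exposed through Win32_SystemDriver (State: Running/Stopped).
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'" -ErrorAction SilentlyContinue
    $sys = Join-Path $env:SystemRoot 'System32\drivers\npf.sys'
    [pscustomobject]@{
        Registered  = [bool]$drv
        State       = if ($drv) { $drv.State } else { 'NotRegistered' }
        StartMode   = if ($drv) { $drv.StartMode } else { $null }
        DriverFile  = if (Test-Path $sys) { $sys } else { $null }
        FileVersion = if (Test-Path $sys) { (Get-Item $sys).VersionInfo.FileVersion } else { $null }
    }
}

function Get-InstalledCaptureLibrary {
    # Same data that Programs and Features shows, for 64-bit and 32-bit installers.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'WinPcap|Npcap' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

$driver   = Get-NpfDriverStatus
$packages = @(Get-InstalledCaptureLibrary)

$driver   | Format-List
$packages | Format-Table -AutoSize

if (-not $driver.Registered) {
    Write-Warning 'NPF driver is not registered: WinPcap is missing or its install did not complete.'
} elseif ($driver.State -ne 'Running') {
    Write-Warning "NPF driver is registered but $($driver.State) (start mode: $($driver.StartMode))."
}
if ($packages.Count -eq 0) {
    Write-Warning 'No WinPcap/Npcap entry found in Programs and Features.'
} elseif ($packages.Count -gt 1) {
    Write-Warning 'More than one capture library is installed; confirm which one the DLP version expects.'
}
```

Compare the reported package and driver file versions against the WinPcap version named in the DLP installation guide for the release in use.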

 

Additional Information

Npcap and WinPcap are third-party software applications used within the Symantec DLP solution to perform network packet capture on traffic sent from either a SPAN or TAP. For additional information, please visit