Ulf Lamping wrote:
You just need the Windows interface name, in your case:
\Device\NPF_{C46A8FBD-5D89-453A-8A37-EE35CF2AA7CE}
should work.
Note also that both Tethereal and WinDump will, when run with the "-D" 
flag, list the available interfaces along with numbers; you can use the 
number in place of the long ugly Windows interface name.  (That also 
works in newer versions of Tethereal and tcpdump on at least some 
versions of UN*X, but UN*X interface names aren't long ugly names with 
GUIDs in them, so that feature isn't as useful.)
Please note that Ethereal/Tethereal is not the best way to do such
things (e.g. it keeps conversation related information which will grow
memory consumption).
Tethereal, if you're capturing to a file with "-w", and not requesting 
that dissection also be done (i.e., if you *didn't* specify "-S"), 
shouldn't do any dissection, so it shouldn't keep conversation-related 
information, so it shouldn't leak memory.
You might try windump (which uses the same file
format) for that purpose instead.
To save the capture in a form Ethereal or Tethereal can read, use "-w".
Note also that WinDump, like tcpdump, defaults to a snapshot length of 
68 bytes (if not built with IPv6 support) or 96 bytes (if built with 
IPv6 support), so you'll only get the first 68 or 96 bytes of packet 
data, by default.  You'd need to specify "-s 0" (or, on older versions 
of WinDump/tcpdump, "-s 65535") to get the entire packet.