Tuesday, October 4, 2011

Remote Packet Captures With Wireshark

Here's a Wireshark feature I just recently discovered. I don't know how long it's been available but I believe it's fairly new. It is listed as experimental in WinPcap so YMMV.

If you have ever needed to do a remote packet capture you know it can be painful. It usually requires that you go to the remote system or switch. You probably have to configure a mirrored port or install a hub inline. If you are lucky, you can get someone at the remote end to do this for you. In either case, it seems like it takes longer than it should. With Wireshark 1.6.2 and WinPcap 4.1.2 you can make this a much simpler task. Use the simple diagram below as a guide. In this example, we want to capture packets from the remote host with IP address 172.16.10.50.



Start by installing WinPcap on the machine you would like to capture packets from. This is probably a good time to note that this only works on Windows. After WinPcap is installed, drop to a command prompt (elevated command prompt in Vista/7/2008/2008R2). Change directories to C:\Program Files\WinPcap or C:\Program Files (x86)\WinPcap. Run "rpcapd.exe -s rpcapd.ini -l 172.16.5.20" and then press Ctrl+C. Remember, 172.16.5.20 is the Wireshark computer; the -l option restricts rpcapd to accepting connections from that host. This creates the rpcapd.ini file necessary to run as a service. Next open rpcapd.ini in notepad.

This next part may be a little controversial. In order to connect, you need to disable username/password authentication. According to winpcap.org, username/password authentication is possible; however, I have not been able to locate any documentation on how to configure it. I have also asked on the winpcap-users mailing list. If you know the answer to this, drop me a line. Once I have this problem solved, I will update this post to enforce authentication. For additional security, you should disable the rpcapd service or uninstall WinPcap when you are finished with your capture.

With that out of the way, go back to notepad. Change the line NullAuthPermit = NO to NullAuthPermit = YES. Close notepad and run "net start rpcapd" to start the "Remote Packet Capture Protocol v.0 (experimental)" service. We are now done with the remote system.
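If you do this often, the remote-host steps above can be scripted. The following PowerShell script is an added example (my own, not from the post and not part of WinPcap); it assumes the WinPcap directory and the "rpcapd" service name as described above, takes the Wireshark host address as a parameter so the -l allow-list is always set, and includes the teardown recommended above so the unauthenticated daemon is not left running.

```powershell
# Added example: automate the rpcapd setup on the capture host, and tear it down afterward.
# Assumptions: WinPcap is installed in one of the two directories named in the post,
# the service is named "rpcapd" (as in "net start rpcapd"), and this runs elevated.
param(
    [Parameter(Mandatory)][string]$WiresharkHost,   # e.g. 172.16.5.20 in the post
    [switch]$Teardown                               # stop and disable rpcapd when done
)

$candidates = @("C:\Program Files\WinPcap", "C:\Program Files (x86)\WinPcap")
$winpcapDir = $candidates | Where-Object { Test-Path (Join-Path $_ 'rpcapd.exe') } | Select-Object -First 1
if (-not $winpcapDir) { throw "rpcapd.exe not found; install WinPcap first." }
$ini = Join-Path $winpcapDir 'rpcapd.ini'

if ($Teardown) {
    # The post's advice: do not leave a capture daemon with null auth running.
    Stop-Service -Name rpcapd -ErrorAction SilentlyContinue
    Set-Service  -Name rpcapd -StartupType Disabled
    Write-Host "rpcapd stopped and disabled; delete $ini or uninstall WinPcap if no longer needed."
    return
}

# Step 1: generate rpcapd.ini with -s, allowing connections only from the Wireshark
# host (-l). rpcapd keeps serving after writing the file, which is why the post says
# to press Ctrl+C; here the process is stopped after a short wait (assumption: the
# ini file is written promptly at startup).
Push-Location $winpcapDir
try {
    $p = Start-Process -FilePath .\rpcapd.exe -ArgumentList "-s rpcapd.ini -l $WiresharkHost" -PassThru -WindowStyle Hidden
    Start-Sleep -Seconds 2
    if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force }
} finally { Pop-Location }
if (-not (Test-Path $ini)) { throw "rpcapd.ini was not created." }

# Step 2: the edit the post makes in Notepad. Only the NullAuthPermit line is
# changed; the rest of the file, including the host allow-list from -l, is kept.
$content = Get-Content $ini
$content = $content -replace '^\s*NullAuthPermit\s*=\s*NO\s*$', 'NullAuthPermit = YES'
Set-Content -Path $ini -Value $content
if (-not ($content -match 'NullAuthPermit\s*=\s*YES')) { throw "NullAuthPermit was not set." }

# Step 3: start the "Remote Packet Capture Protocol v.0 (experimental)" service.
Start-Service -Name rpcapd
Get-Service -Name rpcapd | Select-Object Status, Name
Write-Host "rpcapd is running (TCP 2002 by default); only $WiresharkHost may connect."
```

Run it once with the Wireshark address to set up, and again with -Teardown once the capture is finished.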



Go to your computer with Wireshark installed and open Wireshark. Click Capture->Options.


Click the drop down arrow next to Interface and choose Remote.


Enter 172.16.10.50 (your remote capture machine) and 2002 for the port. Choose Null Authentication and click OK.



Next, just click Start to begin your packet capture. Wireshark behaves exactly as if you were capturing packets locally. By default, Wireshark ignores the RPCAP traffic. You might want to make a copy of your rpcapd.ini file. If you need to do more captures in the future, you can install WinPcap, copy your rpcapd.ini file to a host, and start the rpcapd service.

As always, feel free to leave comments below and drop me a note if you found this useful.