This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark 1.8 installed on Mac OS X 10.7 doesn’t find “add remote interface”

0


asked 11 Jul '12, 23:23


bigkun
6114
accept rate: 0%

edited 12 Jul '12, 06:36


One Answer:

0

I believe some libpcap functions, needed for remote capturing, are not available on Mac OS X.

See here http://anonsvn.wireshark.org/wireshark/trunk/acinclude.m4

    if test $ac_cv_func_pcap_open = "yes" -a \
            $ac_cv_func_pcap_findalldevs_ex = "yes" -a \
            $ac_cv_func_pcap_createsrcstr = "yes" ; then
        AC_DEFINE(HAVE_PCAP_REMOTE, 1,
            [Define to 1 if you have WinPcap remote capturing support and prefer to use these new API features.])
    fi

Looks like pcap_createsrcstr() is not available on Mac OS X. Thus HAVE_PCAP_REMOTE is not set and that's the reason why that feature is not built into the Mac OS X binary.

UPDATE: You can implement another "remote capturing" method, by using pipes and ssh on Mac OS X.

http://wiki.wireshark.org/CaptureSetup/Pipes

Search for "Remote Capture".

Regards
Kurt

answered 12 Jul '12, 08:15


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Jul '12, 08:35

@Kurt I typed

    $ mkfifo /tmp/sharkfin
    $ wireshark -k -i /tmp/sharkfin &
    $ ssh [email protected] "dumpcap -w - not port 22" > /tmp/sharkfin

(192.168.0.142 is my remote host)

It does not work!

And it shows this: [image]

(13 Jul '12, 00:07) bigkun
1

Please run the following command and check if everything works fine:

    ssh [email protected] "dumpcap -w - not port 22" > /tmp/output.cap

output.cap is just a regular file, not a pipe!

After 30 seconds, stop the ssh command (CTRL-C) and then open that file with 'more'. If it contains error messages, that's the reason why it does not work. If it looks like binary data, try to open it in Wireshark.

Report back the results.

If the capture file contains pcap data, you can modify the command and use this instead of a file system based pipe.

    ssh [email protected] 'dumpcap -w - -f "not port 22"' | wireshark -k -i -

UPDATE/SOLUTION: The problem is your dumpcap command. You need to specify the capture filter with -f (as done above), otherwise the last - (after -w) will terminate the CLI parameters in bash and dumpcap prints an error message.

    dumpcap: Invalid argument: port

(13 Jul '12, 17:19) Kurt Knochner ♦

it works well, thanks!

(15 Jul '12, 18:43) bigkun
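
The check suggested in the comments above (write the ssh output to a regular file, then see whether it holds error text or capture data) can be scripted by reading the file's first four bytes. This is an added example, not part of the original thread; the function name `capture_kind` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a file produced by an ssh/dumpcap capture by its
# leading magic number instead of paging through it with 'more'.
# Recognised: classic pcap (both byte orders, microsecond and nanosecond
# timestamps) and the pcapng Section Header Block type.

capture_kind() {
    # Print "pcap", "pcapng", "empty" or "not-capture" for file $1.
    [ -s "$1" ] || { echo empty; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo not-capture ;;
    esac
}

# Constructed sample inputs, so the function can be tried offline.
demo() {
    dir=$(mktemp -d) || return 1
    # Start of a little-endian pcap file header (constructed).
    printf '\324\303\262\241\002\000\004\000' > "$dir/le.pcap"
    # Start of a pcapng Section Header Block (constructed).
    printf '\012\015\015\012\034\000\000\000' > "$dir/shb.pcapng"
    # The error text quoted in this thread, as file content.
    printf 'dumpcap: Invalid argument: port\n' > "$dir/error.cap"
    : > "$dir/empty.cap"
    for f in le.pcap shb.pcapng error.cap empty.cap; do
        printf '%s: %s\n' "$f" "$(capture_kind "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

A result of `not-capture` or `empty` for /tmp/output.cap means the remote command did not produce capture data, so the file is worth reading as text before piping the same command into Wireshark.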