This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone, I am a new user of wireshark. I want to know that how can i capture packets from a remote computer using commands from my command prompt. I am using windows xp 32-bit and the latest version of wireshark. Please mention the solution for both of windows and linux environment running on the remote computer.

Thanks.

asked 26 Jul '12, 03:09

baila's gravatar image

baila
21101115
accept rate: 0%


this has been already answered: http://ask.wireshark.org/questions/12835/how-to-use-dumpcap-to-monitor-winpcap-on-a-remote-machine

Additionally you need to start the remote capture daemon, rpcapd: http://www.winpcap.org/docs/docs_40_2/html/group__remote.html

Regards
Kurt

permanent link

answered 26 Jul '12, 08:36

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks a lot. It really works. I found some posts regarding the remote packet capturing but those are by using the GUI of the wireshark, so i asked again for it.

This post is really helpful and works properly. Thanks Kurt. Thanks Wireshark. Happy Sniffing!!

(26 Jul '12, 21:44) baila

The previous part works successfully. but how i know the interface name of a remote computer? Please help!

(27 Jul '12, 02:28) baila

excute this command on the host that runs rpcapd:

dumpcap -D -M

(27 Jul '12, 02:35) Kurt Knochner ♦

It works. But it gives the Host interface names. How do I know the Remote interface id from Host machine?

Thanks.

(27 Jul '12, 05:59) baila

The prescribed command shows the output like:

C:\Program Files\Wireshark>dumpcap -D -M
1. \Device\NPF_{56E96C57-7487-4C70-98D8-53AA8A66A54D}   VMware Virtual Ethernet Adapter 192.168.198.1   network
2. \Device\NPF_{EEA77A8E-48C4-4CD1-8F42-8F6F89486989}   Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler)
    192.168.0.60    network
3. \Device\NPF_{7880CBCC-ABF2-4D70-AB44-66AF40FEA0FA}   VMware Virtual Ethernet Adapter 192.168.219.1   network

Here 192.168.0.60 is the ip of Host machine.

(27 Jul '12, 05:59) baila

good, then use one of the interfaces with dumpcap.

dumpcap -n -i rpcap://[192.168.0.60]/\Device\NPF_{EEA77A8E-48C4-4CD1-8F42-8F6F89486989} -w output.cap

(27 Jul '12, 06:02) Kurt Knochner ♦

Can anyone help me out!!

I need it badly!!

(30 Jul '12, 07:52) baila

what is missing? Is there any problem with my dumpcap cli example?

(30 Jul '12, 12:02) Kurt Knochner ♦

ooh,sorry,i missed the "show all" tab.

my question is, Is there any way to get the interface ID of the REMOTE machine from my LOCAL machine, using command prompt?

(30 Jul '12, 23:01) baila

I don't think that's possible. Why do you need that feature?

(30 Jul '12, 23:10) Kurt Knochner ♦

actually i want to do all the jobs from command prompt. In case of Remote capturing, the GUI of wireshark provides the details of the remote interfaces after entering the information about the remote machine, like ip,port no, username, password etc.

Can we get the same from command prompt, without using the GUI?

(30 Jul '12, 23:39) baila

it looks like the feature to retrieve the remote interface list is only implemented in Wireshark and not in tshark/dumpcap.

(31 Jul '12, 00:08) Kurt Knochner ♦

So, can "wireshark" command provide the Remote interface list ? So that we can apply dumpcap by using any of the interface from that list!

(31 Jul '12, 00:18) baila
1

So, can "wireshark" command provide the Remote interface list

I don't think so, as the code to get the interface list is only executed in the GUI dialog.

(31 Jul '12, 00:26) Kurt Knochner ♦

That means we can't get the remote interface list without using the GUI of Wireshark?

(31 Jul '12, 00:29) baila
1

yes.

However, you can write your own tool or extend dumpcap/tshark to do it. The code is there in the GUI dialog. Go ahead ;-)

(31 Jul '12, 00:31) Kurt Knochner ♦

Well, that is what i was thinking about!! :-)

(31 Jul '12, 21:40) baila
showing 5 of 17 show 12 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620

question asked: 26 Jul '12, 03:09

question was seen: 5,453 times

last updated: 31 Jul '12, 21:40

p​o​w​e​r​e​d by O​S​Q​A