Hello everyone, dumpcap works for the remote capturing. Does it provide any GUI? If so, how? I want to know that if I run dumpcap and store the packets in a file, it only shows the number of captured packets. Can we get any output like running Wireshark from the command prompt? Thanks.
asked 30 Jul '12, 05:29 baila, edited 01 Aug '12, 03:54 Kurt Knochner ♦
3 Answers:
Dumpcap does not, and never will, provide a GUI. One of the reasons why dumpcap exists is that code to capture packets might have to run with special privileges, and we want as little code as possible running with those privileges. GUIs for capturing would be provided by front-end GUI programs that run dumpcap. Currently, the only such front-end program is called "Wireshark".
answered 30 Jul '12, 11:11 Guy Harris ♦♦
Take a look at tshark. It's distributed with Wireshark as the console version of it. It provides the same packet dissection functionality.
answered 30 Jul '12, 06:44 Jaap ♦

But tshark can't provide any remote packet capture options!! I want to know whether dumpcap can open a GUI with the remote packet capture options!! Please give details!
(30 Jul '12, 07:51) baila
tshark does provide remote capturing, as it's just calling dumpcap.
Where
Wireshark works exactly in the same way.
Et voilà, "GUI of dumpcap" ;-) Regards
answered 30 Jul '12, 12:18 Kurt Knochner ♦

Thanks Kurt for your reply. Here are the outputs of the proposed methods.
Local - 192.168.0.60
Remote - 192.168.0.150
I have run tshark, wireshark and dumpcap one by one. And the results are like--
(30 Jul '12, 23:20) baila (OSQA bug workaround)
...
(30 Jul '12, 23:20) baila (OSQA bug workaround)
(30 Jul '12, 23:21) baila
tshark was not able to establish a connection to rpcapd. Reasons:
(30 Jul '12, 23:37) Kurt Knochner ♦

Is running "rpcapd" on the remote machine the same as running the service "Remote Packet Capture Protocol v.0"? If so, the "Remote Packet Capture Protocol v.0" service is already running on the remote machine!
(30 Jul '12, 23:44) baila
Yes, see here: http://www.winpcap.org/docs/docs_40_2/html/group__remote.html
What is the output of the following command on your machine
(31 Jul '12, 00:13) Kurt Knochner ♦

BTW: If you run rpcapd as a service, it will run in the "SYSTEM context". In that mode it accepts neither NULL authentication nor any other user/password (at least I believe so). If you want to run it as a service AND be able to capture data, you need to run it within the context of a user (service properties). Within Wireshark you can specify that username and password when you retrieve the interface list. To be able to capture in the user context, that user needs sufficient privileges.
(31 Jul '12, 00:23) Kurt Knochner ♦

On Remote machine: 192.168.0.150
On Local machine: 192.168.0.60
(31 Jul '12, 00:24) baila

I don't know why the service is running on your client, but anyway.. It runs on your capture machine. So, it's either the desktop/windows firewall blocking the rpcap connection or the authentication problem mentioned above.
(31 Jul '12, 00:27) Kurt Knochner ♦

For
What if you try
instead? Those square brackets shouldn't be necessary in a URL, and might be causing problems.
(31 Jul '12, 00:58) Guy Harris ♦♦
I don't see a benefit for them either, but interestingly wireshark/tshark/dumpcap all accept them and it's not a problem for the DOS box, even without quoting (verified). All these commands are equivalent in terms of the result:
I believe it's an authentication problem. On my test box, I do get the same "unspecific" error if authentication fails.
(31 Jul '12, 01:20) Kurt Knochner ♦

Looking again at the syntax, I do see a benefit: IPv6 addresses contain a colon (:) and thus it would be hard to distinguish the port identifier (:2002) from the IPv6 address. Not so, if you surround the address by brackets.
(31 Jul '12, 01:24) Kurt Knochner ♦

"What if you try dumpcap -i rpcap://192.168.0.150:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user instead? Those square brackets shouldn't be necessary in a URL, and might be causing problems."
There is no problem with dumpcap. It works fine for both the commands, with square brackets and without square brackets. But it shows its results in the command prompt rather than opening a GUI. Can we get the GUI by dumpcap?
(31 Jul '12, 22:00) baila
baila, I feel like we repeat things a little bit... Please look at my answer above.
(31 Jul '12, 23:51) Kurt Knochner ♦

C:\Program Files\Wireshark>wireshark -n -k -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user
The execution of the mentioned command shows the help page of wireshark (which comes by executing wireshark -h). The GUI of the Wireshark opens, that's all.
(01 Aug '12, 02:16) baila

There is no authentication option (-A) for Wireshark. That's kind of bad, as there is one for dumpcap. I guess the code of Wireshark needs to be extended for remote capturing with authentication to work. Please file a bug report at bugs.wireshark.org with a reference to this question.
(01 Aug '12, 02:21) Kurt Knochner ♦

Well, that can be done!!
(01 Aug '12, 02:37) baila

good. Please do it.
(01 Aug '12, 02:50) Kurt Knochner ♦

Submitted the bug - bug 7553
(01 Aug '12, 04:48) baila
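Kurt's point about the square brackets (an IPv6 literal contains colons, so "host:port" cannot be split unambiguously without them) is easy to see with a small parser for the capture URLs used in this thread. The script below is an added example written for this page, not code from Wireshark, WinPcap or anyone in the thread; the rpcap URL grammar it accepts (bracketed or plain host, optional port, interface name after the slash), the default port 2002 and the sample URLs are assumptions modelled on the forms quoted above, with the Windows device GUID taken from the thread and the IPv6 address made up.

```python
import ipaddress
import re

# rpcapd's default port, as used throughout the thread (assumed default here).
RPCAP_DEFAULT_PORT = 2002

# "rpcap://[host]:port/iface" - the bracketed form; the host may contain colons.
_BRACKETED = re.compile(
    r"^rpcap://\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?(?P<path>/.*)?$"
)
# "rpcap://host:port/iface" - the plain form; everything up to the first '/'
# is the authority, which has to be split into host and port by hand.
_PLAIN = re.compile(r"^rpcap://(?P<authority>[^/]+)(?P<path>/.*)?$")


def classify_host(host):
    """Return 'ipv4', 'ipv6' or 'name' for the host part of a capture URL."""
    try:
        return "ipv%d" % ipaddress.ip_address(host).version
    except ValueError:
        return "name"


def _check_port(port_text):
    port = int(port_text) if port_text else RPCAP_DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_rpcap_url(url):
    """Split an rpcap:// capture URL into host, port and remote interface.

    Both host forms are accepted. An unbracketed IPv6 literal is rejected as
    ambiguous: "fe80::1:2002" could mean address fe80::1 on port 2002 or
    address fe80::1:2002 on the default port.
    """
    m = _BRACKETED.match(url)
    if m:
        host = m.group("host")
        port = _check_port(m.group("port"))
    else:
        m = _PLAIN.match(url)
        if m is None:
            raise ValueError("not an rpcap:// URL: %r" % url)
        authority = m.group("authority")
        if authority.count(":") > 1:
            raise ValueError(
                "ambiguous host:port %r; IPv6 literals must be written in brackets"
                % authority
            )
        host, _, port_text = authority.partition(":")
        port = _check_port(port_text)
    if not host:
        raise ValueError("empty host in %r" % url)
    # Whatever follows the authority is the remote interface name: on Windows
    # a \Device\NPF_{GUID} path, on other systems something like eth0.
    interface = (m.group("path") or "/")[1:]
    return {
        "host": host,
        "host_kind": classify_host(host),
        "port": port,
        "interface": interface,
    }


def check_rpcap_url(url):
    """Non-raising wrapper: returns (True, parsed_dict) or (False, reason)."""
    try:
        return True, parse_rpcap_url(url)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample URLs: the device GUID is the one quoted in the
    # thread, the IPv6 address is a made-up link-local example.
    samples = [
        r"rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}",
        r"rpcap://192.168.0.150:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}",
        "rpcap://[fe80::1]:2002/eth0",
        "rpcap://fe80::1:2002/eth0",
    ]
    for sample in samples:
        ok, result = check_rpcap_url(sample)
        print("OK " if ok else "ERR", sample, "->", result)
```

The parser deliberately uses its own regular expressions instead of `urllib.parse.urlsplit`: newer Python releases validate bracketed hosts and reject an IPv4 address written in brackets, which is exactly the form the thread shows working with dumpcap, and the Windows interface path with backslashes and braces is not a normal URL path either.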
Thanks a lot Guy Harris.
Is there any way to run "dumpcap" through "wireshark" from the "command prompt" so that we could see the same effect as running Remote capture from the GUI of wireshark?
Yes - for example:
I have tried that command. But it gives the output like..
The capture session could not be initiated (Unknown error (pcap bug; actual error cause not reported)).
Please check that "rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}" is the proper interface.
Help can be found at:
But dumpcap is working fine with that same interface!!