This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

GUI of dumpcap

0

Hello everyone, dumpcap works for remote capturing. Does it provide any GUI? If so, how?

I want to know: if I run dumpcap and store the packets in a file, it only shows the number of captured packets. Can we get any output like running Wireshark from the command prompt?

Thanks.

asked 30 Jul '12, 05:29

baila
accept rate: 0%

edited 01 Aug '12, 03:54

Kurt Knochner ♦


3 Answers:

2

Dumpcap does not, and never will, provide a GUI. One of the reasons why dumpcap exists is that code to capture packets might have to run with special privileges, and we want as little code as possible running with those privileges.

GUIs for capturing would be provided by front-end GUI programs that run dumpcap. Currently, the only such front-end program is called "Wireshark".

answered 30 Jul '12, 11:11

Guy Harris ♦♦
accept rate: 19%

Thanks a lot Guy Harris.

Is there any way to run "dumpcap" through "wireshark" from the "command prompt" so that we could see the same effect as running Remote capture from the GUI of Wireshark?

(30 Jul '12, 23:10) baila

Yes - for example:

wireshark -i rpcap://x.x.x.x/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23} -k -S

(31 Jul '12, 00:06) Guy Harris ♦♦

I have tried that command. But it gives the output like..

The capture session could not be initiated (Unknown error (pcap bug; actual error cause not reported)).

Please check that "rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}" is the proper interface.

Help can be found at:

   http://wiki.wireshark.org/WinPcap
   http://wiki.wireshark.org/CaptureSetup

But dumpcap is working fine with that same interface !!

(31 Jul '12, 21:52) baila

0

Take a look at tshark. It's distributed with Wireshark as the console version of it. It provides the same packet dissection functionality.

answered 30 Jul '12, 06:44

Jaap ♦
accept rate: 14%

But tshark can't provide any remote packet capture options!! I want to know whether dumpcap can open a GUI with the remote packet capture options!!

Please give details!

(30 Jul '12, 07:51) baila

0

but tshark can't provide any remote packet capture options!!

tshark does provide remote capturing, as it's just calling dumpcap.

tshark -n -i rpcap://x.x.x.x/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}

Where

  • x.x.x.x is the IP address of the machine that runs rpcapd
  • \Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23} is the interface identifier (see my answer for your other question)

Wireshark works exactly in the same way.

wireshark -n -k -i rpcap://x.x.x.x/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}

Et voilà, "GUI of dumpcap" ;-)

Regards
Kurt

answered 30 Jul '12, 12:18

Kurt Knochner ♦
accept rate: 15%

Thanks Kurt for your reply.

Here are the outputs of the proposed methods (local: 192.168.0.60, remote: 192.168.0.150).

I have run tshark, wireshark and dumpcap one by one, and the results are as follows:

(30 Jul '12, 23:20) baila

(OSQA bug workaround)

C:\Program Files\Wireshark>tshark -n -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}
Capturing on rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}
tshark: The capture session could not be initiated (Unknown error (pcap bug; actual error cause not reported)).
Please check that "rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}" is the proper interface.

...

0 packets captured

(30 Jul '12, 23:20) baila

(OSQA bug workaround)

C:\Program Files\Wireshark>wireshark -n -k -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}
The capture session could not be initiated (Unknown error (pcap bug; actual error cause not reported)).
Please check that "rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}" is the proper interface.

Help can be found at:

   http://wiki.wireshark.org/WinPcap
   http://wiki.wireshark.org/CaptureSetup

(30 Jul '12, 23:21) baila

(OSQA bug workaround)

C:\Program Files\Wireshark>dumpcap -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user
Capturing on rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}
dumpcap: Unknown error (pcap bug; actual error cause not reported).
File: C:\DOCUME~1\dynamic\LOCALS~1\Temp\wireshark_9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E_20120731114619_a03348
Packets captured: 122
Packets received/dropped on interface rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}: 0/0 (0.0%)

(30 Jul '12, 23:21) baila

The capture session could not be initiated (Unknown error (pcap bug; actual error cause not reported)).

tshark was not able to establish a connection to rpcapd. Reasons:

  • rpcapd is not running on 192.168.0.150
  • rpcapd is running on a different port than you expect. On 192.168.0.150: netstat -nab. Look for rpcapd (may need admin privileges)
  • Your Windows firewall on 192.168.0.150 blocks the request.
  • rpcapd requests authentication and you don't provide it (dumpcap option -A). rpcapd will use the credentials of the user that started the daemon (Linux and Windows). You can run rpcapd with option -n to accept NULL authentication (no auth).

(30 Jul '12, 23:37) Kurt Knochner ♦

Is running "rpcapd" on the remote machine the same as running the service "Remote Packet Capture Protocol v.0"?

If so, the "Remote Packet Capture Protocol v.0" service is already running on the remote machine!

(30 Jul '12, 23:44) baila

Is running "rpcapd" on the remote machine the same as running the service "Remote Packet Capture Protocol v.0"?

Yes, see here: http://www.winpcap.org/docs/docs_40_2/html/group__remote.html

What is the output of the following command on your machine?

netstat -nab | find "2002" (needs admin privileges)

(31 Jul '12, 00:13) Kurt Knochner ♦

BTW: If you run rpcapd as a service, it will run in the "SYSTEM context". In that mode it accepts neither NULL authentication nor any other user/password (at least I believe so). If you want to run it as a service AND be able to capture data, you need to run it within the context of a user (service properties). Within Wireshark you can specify that username and password when you retrieve the interface list. To be able to capture in the user context, that user needs sufficient privileges.

(31 Jul '12, 00:23) Kurt Knochner ♦

On Remote machine: 192.168.0.150

C:\Documents and Settings\User>netstat -nab | find "2002"
TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       2480

On Local machine: 192.168.0.60

C:\Program Files\Wireshark>netstat -nab | find "2002"
TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       1704

(31 Jul '12, 00:24) baila

I don't know why the service is running on your client, but anyway... It runs on your capture machine. So, it's either the desktop/Windows firewall blocking the rpcap connection or the authentication problem mentioned above.

(31 Jul '12, 00:27) Kurt Knochner ♦
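The checks Kurt lists (is rpcapd running at all, on which port, bound to which address, and only then firewall or authentication) can be read mechanically off the netstat output above. The Python script below is an added example, not code from the thread or from the Wireshark or WinPcap projects: it parses netstat -nab style output, which is assumed to follow the column layout shown above with the executable name on the following line in square brackets, and returns the next thing a client-side troubleshooter should look at. The sample output is constructed for the example; only the 0.0.0.0:2002 / PID 2480 row is taken from the thread, the [rpcapd.exe] line and the other rows are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the `netstat -nab | find "2002"` output in the thread.
# The 0.0.0.0:2002 / PID 2480 row is the one from the thread; every other row is invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       2480
 [rpcapd.exe]
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       1337
 [postgres.exe]
  TCP    192.168.0.150:2002     192.168.0.60:49233     ESTABLISHED     2480
 [rpcapd.exe]
  UDP    0.0.0.0:500            *:*                                    616
"""

RPCAP_DEFAULT_PORT = 2002  # assumed default; matches the listener seen in the thread


@dataclass
class Socket:
    proto: str
    address: str            # bound local address, brackets stripped for IPv6
    port: Optional[int]
    pid: Optional[int]
    process: Optional[str]  # executable from the "[name.exe]" line that -b prints underneath


def _split_host_port(addr: str):
    """'0.0.0.0:2002' -> ('0.0.0.0', 2002); '[::]:2002' -> ('::', 2002)."""
    host, _, port = addr.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> List[Socket]:
    """Return TCP listeners and bound UDP sockets; connected TCP sockets are skipped."""
    lines = output.splitlines()
    found: List[Socket] = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or a "[process.exe]" line
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 4 or parts[3] != "LISTENING":
                continue  # ESTABLISHED etc. tell us nothing about the daemon
            pid = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else None
        else:  # UDP rows have no State column, so PID is one column earlier
            pid = int(parts[3]) if len(parts) > 3 and parts[3].isdigit() else None
        process = None
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if re.fullmatch(r"\[.+\]", nxt):
                process = nxt[1:-1]
        host, port = _split_host_port(local)
        found.append(Socket(proto, host, port, pid, process))
    return found


def listeners_on(output: str, port: int, proto: str = "TCP") -> List[Socket]:
    return [s for s in parse_netstat(output) if s.port == port and s.proto == proto]


def diagnose_rpcapd(output: str, port: int = RPCAP_DEFAULT_PORT) -> str:
    """Map the netstat view of the capture host onto the causes listed in the thread."""
    sockets = listeners_on(output, port)
    if not sockets:
        return (f"no TCP listener on port {port}: rpcapd is not running, "
                "or it listens on a different port than the client expects")
    s = sockets[0]
    who = s.process or f"PID {s.pid}"
    if s.address in ("127.0.0.1", "::1"):
        return f"{who} listens on {s.address}:{port} (loopback only): remote clients cannot reach it"
    return (f"{who} listens on {s.address}:{port}: the daemon is up; if the client still fails, "
            "check the Windows firewall on this host and the rpcapd authentication settings")


if __name__ == "__main__":
    for p in (2002, 2003, 5432):
        print(p, "->", diagnose_rpcapd(SAMPLE_NETSTAT, p))
```

Run it against real output by piping `netstat -nab` into a file on the capture host and passing the file contents to diagnose_rpcapd; on Windows the PID and executable columns require an elevated prompt, as Kurt notes.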

For

C:\Program Files\Wireshark>dumpcap -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user
Capturing on rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}
dumpcap: Unknown error (pcap bug; actual error cause not reported).

What if you try

dumpcap -i rpcap://192.168.0.150:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user

instead? Those square brackets shouldn't be necessary in a URL, and might be causing problems.

(31 Jul '12, 00:58) Guy Harris ♦♦

Those square brackets shouldn't be necessary in a URL

I don't see a benefit for them either, but interestingly wireshark/tshark/dumpcap all accept them and it's not a problem for the DOS box, even without quoting (verified). All these commands are equivalent in terms of the result:

dumpcap -n -i rpcap://x.x.x.x/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}
dumpcap -n -i rpcap://x.x.x.x:2002/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}

dumpcap -n -i rpcap://[x.x.x.x]/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}
dumpcap -n -i rpcap://[x.x.x.x]:2002/\Device\NPF_{21E03ED5-DF15-4BA5-BEC0-22BBC44A8C23}

I believe it's an authentication problem. On my test box, I do get the same "unspecific" error if authentication fails.

(31 Jul '12, 01:20) Kurt Knochner ♦

Looking again at the syntax, I do see a benefit: IPv6

IPv6 addresses contain colons (:) and thus it would be hard to distinguish the port identifier (:2002) from the IPv6 address. Not so if you surround the address with brackets.

(31 Jul '12, 01:24) Kurt Knochner ♦
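Kurt's answer describes the rpcap:// capture source as host, optional port and interface identifier, and the comments above establish that the bracketed and unbracketed spellings are accepted alike and that the brackets exist so an IPv6 literal can be told apart from the port. The parser below is an added example, not code from Wireshark, dumpcap or WinPcap, and it does not claim to reproduce their exact parsing rules: it accepts the four equivalent spellings, defaults the port to 2002 (assumed from the netstat output in this thread), rejects an unbracketed IPv6 literal with a hint pointing at the bracket form, and normalises every spelling to one canonical URL so that equivalent command lines compare equal.

```python
import re
from dataclasses import dataclass

# Assumed default rpcapd port, taken from the 0.0.0.0:2002 listener in this thread.
RPCAP_DEFAULT_PORT = 2002


@dataclass(frozen=True)
class RpcapSource:
    host: str        # IPv4, IPv6 literal (brackets removed) or host name
    port: int
    interface: str   # e.g. \Device\NPF_{...} on Windows, eth0 on Linux

    def canonical(self) -> str:
        """Always bracketed, always with an explicit port, so equivalent spellings compare equal."""
        return f"rpcap://[{self.host}]:{self.port}/{self.interface}"


_RPCAP_RE = re.compile(
    r"""^rpcap://
        (?:
            \[(?P<bhost>[^\]/]+)\]      # bracketed host: the only way to write an IPv6 literal
          | (?P<host>[^:/\[\]]+)        # bare host: IPv4 or name, colons not allowed here
        )
        (?::(?P<port>\d{1,5}))?         # optional :port
        /(?P<iface>.+)$                 # interface name is everything after the first slash
    """,
    re.VERBOSE,
)


def parse_rpcap_url(url: str) -> RpcapSource:
    """Split an rpcap:// capture source into host, port and interface (example parser, see lead-in)."""
    m = _RPCAP_RE.match(url)
    if not m:
        # Specific hint for the mistake the brackets were introduced to prevent
        if url.startswith("rpcap://"):
            authority = url[len("rpcap://"):].split("/", 1)[0]
            if authority.count(":") > 1 and not authority.startswith("["):
                raise ValueError(
                    "IPv6 literal must be bracketed so the port can be told apart from the address, "
                    "e.g. rpcap://[2001:db8::1]:2002/<interface>")
        raise ValueError(f"not a valid rpcap:// capture source: {url!r}")
    port = int(m.group("port")) if m.group("port") else RPCAP_DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return RpcapSource(host=m.group("bhost") or m.group("host"), port=port, interface=m.group("iface"))


def equivalent(*urls: str) -> bool:
    """True when every URL names the same host, port and interface."""
    return len({parse_rpcap_url(u).canonical() for u in urls}) == 1


if __name__ == "__main__":
    iface = r"\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E}"
    for u in (f"rpcap://192.168.0.150/{iface}", f"rpcap://[192.168.0.150]:2002/{iface}"):
        print(parse_rpcap_url(u).canonical())
```

The four dumpcap command lines Kurt lists differ only in brackets and explicit port, and equivalent() returns True for them; the same function returns False as soon as the port differs, which is the first thing to compare when a client fails with the unspecific pcap error shown in this thread.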

What if you try

dumpcap -i rpcap://192.168.0.150:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user

instead? Those square brackets shouldn't be necessary in a URL, and might be causing problems.

There is no problem with dumpcap. It works fine for both commands, with square brackets and without square brackets. But it shows its results in the command prompt rather than opening a GUI. Can we get the GUI by dumpcap?

(31 Jul '12, 22:00) baila

Can we get the GUI by dumpcap?

baila, I feel like we repeat things a little bit... Please look at my answer above.

wireshark -n -k -i rpcap://192.168.0.150:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A User:user

(31 Jul '12, 23:51) Kurt Knochner ♦

C:\Program Files\Wireshark>wireshark -n -k -i rpcap://[192.168.0.150]:2002/\Device\NPF_{9AAF414D-D72C-45C8-8BF3-796C8BBC2E7E} -A U ser:user

The execution of the mentioned command shows the help page of Wireshark (which comes by executing wireshark -h). The GUI of Wireshark opens, that's all.

(01 Aug '12, 02:16) baila

There is no authentication option (-A) for Wireshark. That's kind of bad, as there is one for dumpcap. I guess the code of Wireshark needs to be extended for remote capturing with authentication to work. Please file a bug report at bugs.wireshark.org with a reference to this question.

(01 Aug '12, 02:21) Kurt Knochner ♦

Well, that can be done!!

(01 Aug '12, 02:37) baila

good. Please do it.

(01 Aug '12, 02:50) Kurt Knochner ♦

Submitted the bug - bug 7553

(01 Aug '12, 04:48) baila