This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Manually enter remote capture line

In old versions of Wireshark (running on Win32 and Win64), I could open the capture options and type (or paste) rpcap://ip.address/br0 to capture from a remote linux device, which was fast and convenient.

In new versions, there's a remote capture tab which tries to query the remote endpoint for the list of addresses, and takes forever. The rpcapd installed on my Linux system may be too old to support this query at all. Is there any way to go back to the old entry method? A configuration file where I can enter the interface? A command line option to use when spawning Wireshark?

(I still want to use the GUI for browsing through captures and setting filters, but I suppose doing a capture from the command-line and opening the capture dump with the GUI version would be an acceptable workaround)

And seriously, is any user who's unable to deal with the URL-style connection going to be able to make any sense out of a packet decode? Combined with the loss of the history, the new UI for remote interface selection is a net negative in usability.

asked 26 Jul '13, 16:34

Ben Voigt

In fact there is a command-line option for pre-entering an interface, and it handles remote interfaces just fine.

wireshark -i rpcap://ip.address/br0

You can even make a shortcut. How much quicker is that than using the add remote interface dialog?

(26 Jul '13, 17:22) Ben Voigt

One Answer:

Both browsing and adding a remote interface have their justification.

  • Browsing: It's necessary for remote capturing on Windows, as you will have to give the UUID of the interface, which is not as easy to remember as br0 ;-)
  • Adding the Interface: Fast and easy for Linux. However, the remote capturing feature is mainly for Windows, as that's a WinPcap feature. WinPcap also provides an rpcapd for Linux. However, there was almost no work on the code for some time, hence there are some bugs regarding authentication, browsing, etc. See the following discussions (and the long list of comments):

http://ask.wireshark.org/questions/13217/remote-packet-capture-on-remote-linux-machine
http://ask.wireshark.org/questions/16521/linux-remote-interface

If you want the old behavior back (adding a remote interface manually), please file an enhancement request at https://bugs.wireshark.org.

Regards
Kurt

answered 27 Jul '13, 00:23

Kurt Knochner ♦

Well, the command-line option is a perfectly good way of providing it, since it still works with the entire graphical interface and can even be saved in a shortcut.

The only remaining problem is that the capture options dialog gets really confused when an interface has been passed on the command line, and throws up error dialogs (however, starting the capture works fine). I'll file a bug for this.

(27 Jul '13, 07:30) Ben Voigt