This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have two computers in my office on a local network so both using 192.168.x.x IPs. One is my work PC that has Wireshark installed and running fine (when I capture from the NICs in this machine) running Windows 7. The other is a headless CentOS machine, set up as a proxy, that I use for capturing data through a specific local network. I usually run tshark via PuTTY for what I need to do but my colleagues (on the same local network) would like the ability to add a remote interface to their local copy of Wireshark and capture the traffic going through this proxy.

So far I have rpcapd running on the CentOS box and it appears to be set up properly. It doesn't give any errors on running, it just prints "Press CTRL + C to stop the server..."

On my Windows 7 machine I am trying to add a remote interface. When I put in the address to the CentOS box and a un/pw combo Wireshark responds with:

Can't get list of interfaces: Authentication failed: no such user

And in the PuTTY Window rpcapd responds with:

I'm exiting from the child loop The other host terminated the connection. Child terminated

I don't know what to try to get it to accept the user, or if the issue really is to do with the user.

The un/pw combo I'm using works when I use it to connect over SSH so they are accepted by the CentOS machine.

I tried to add the remote interface using the root/pw combo to see if there was any permissions I might have missed off the user I've been trying but got the same result.

The port is open on iptables and I have tried disabling iptables to be sure it wasn't interfering.

The machines can ping each other and they are communicating as rpcapd responds to the attempt to connect, so it would appear that everything is getting through fine.

Does anyone have any suggestions of what I could try next?

asked 16 Oct '14, 07:18

fooboo's gravatar image

fooboo
11113
accept rate: 0%

edited 16 Oct '14, 07:22


You can have a look at the communication between wireshark and rpcap with another wireshark. There you can see what the username is that is communicated to rpcap. Might help figure things out.

Have a look at the sourcecode as well, via the WinPcap site. You'll find the user check in winpcap/wpcap/libpcap/rpcapd/daemon.c. It's failing in a call to getpwnam().

permanent link

answered 17 Oct '14, 01:58

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

It's definitely sending the right un/pw (I did check with a 2nd wireshark instance), and that user definitely exists (I can SSH with that same un/pw pair) but the response is that it doesn't exist so I need to find out why a user that exists and can log in to the server is considered not to exist when I try to use remote capture. Is there a permission or group I need to add it to? Do I need to tell something somewhere that it's allowed so that it responds with does exist instead?

(17 Oct '14, 04:00) fooboo
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×15
×15

question asked: 16 Oct '14, 07:18

question was seen: 3,168 times

last updated: 17 Oct '14, 08:40

p​o​w​e​r​e​d by O​S​Q​A