
Remote capture with rpcapd on a CentOS server.


I have two computers in my office on a local network, so both use 192.168.x.x IPs. One is my work PC, running Windows 7, that has Wireshark installed and running fine (when I capture from the NICs in this machine). The other is a headless CentOS machine, set up as a proxy, that I use for capturing data through a specific local network. I usually run tshark via PuTTY for what I need to do, but my colleagues (on the same local network) would like the ability to add a remote interface to their local copy of Wireshark and capture the traffic going through this proxy.

So far I have rpcapd running on the CentOS box and it appears to be set up properly. It doesn't give any errors on running, it just prints "Press CTRL + C to stop the server..."

On my Windows 7 machine I am trying to add a remote interface. When I put in the address to the CentOS box and a un/pw combo Wireshark responds with:

Can't get list of interfaces: Authentication failed: no such user

And in the PuTTY Window rpcapd responds with:

I'm exiting from the child loop The other host terminated the connection. Child terminated

I don't know what to try to get it to accept the user, or if the issue really is to do with the user.

The un/pw combo I'm using works when I use it to connect over SSH so they are accepted by the CentOS machine.

I tried to add the remote interface using the root/pw combo to see if there were any permissions I might have missed off the user I've been trying, but got the same result.

The port is open on iptables and I have tried disabling iptables to be sure it wasn't interfering.

The machines can ping each other and they are communicating as rpcapd responds to the attempt to connect, so it would appear that everything is getting through fine.

Does anyone have any suggestions of what I could try next?

asked 16 Oct '14, 07:18


fooboo

edited 16 Oct '14, 07:22


One Answer:


You can have a look at the communication between Wireshark and rpcap with another Wireshark. There you can see what the username is that is communicated to rpcap. Might help figure things out.

Have a look at the source code as well, via the WinPcap site. You'll find the user check in winpcap/wpcap/libpcap/rpcapd/daemon.c. It's failing in a call to getpwnam().

answered 17 Oct '14, 01:58


Jaap ♦

It's definitely sending the right un/pw (I did check with a 2nd wireshark instance), and that user definitely exists (I can SSH with that same un/pw pair) but the response is that it doesn't exist so I need to find out why a user that exists and can log in to the server is considered not to exist when I try to use remote capture. Is there a permission or group I need to add it to? Do I need to tell something somewhere that it's allowed so that it responds with does exist instead?

(17 Oct '14, 04:00) fooboo
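The answer points at getpwnam() in daemon.c, and the follow-up asks why an account that can log in over SSH is reported as non-existent. The small diagnostic below is an added example, not rpcapd's code: it runs the same lookup steps on the CentOS box, as the same user the daemon runs as, and reports which one fails. It assumes the daemon looks the account up with getpwnam() and then reads the shadow entry with getspnam() before comparing the password; only root can read the shadow entry, so the second step is the first thing to check.

```c
/* Added diagnostic (not rpcapd's own code): reproduce the account lookup steps
 * behind "Authentication failed: no such user" and say which step failed.
 * Assumed daemon flow: getpwnam() -> getspnam() -> password compare (compare omitted). */
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum lookup_stage {
    STAGE_NO_PASSWD_ENTRY = 0, /* getpwnam() failed: account unknown to /etc/passwd (or NSS) */
    STAGE_NO_SHADOW_ENTRY = 1, /* getpwnam() ok, getspnam() failed: shadow entry unreadable or absent */
    STAGE_LOOKUP_OK       = 2  /* both lookups succeeded; only the password compare remains */
};

/* Run the two lookups the daemon is assumed to perform and classify the outcome. */
enum lookup_stage user_lookup_stage(const char *username)
{
    errno = 0;
    if (getpwnam(username) == NULL)
        return STAGE_NO_PASSWD_ENTRY;
    errno = 0;
    if (getspnam(username) == NULL)   /* returns NULL with EACCES when not running as root */
        return STAGE_NO_SHADOW_ENTRY;
    return STAGE_LOOKUP_OK;
}

/* Human-readable explanation of a lookup stage, for the operator reading the output. */
const char *explain_stage(enum lookup_stage st)
{
    switch (st) {
    case STAGE_NO_PASSWD_ENTRY: return "getpwnam() failed: no passwd entry for this name";
    case STAGE_NO_SHADOW_ENTRY: return "getspnam() failed: shadow entry unreadable or missing (daemon not root?)";
    default:                    return "passwd and shadow lookups OK; check the password compare next";
    }
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "nobody"; /* constructed default for a stand-alone run */
    enum lookup_stage st = user_lookup_stage(name);
    printf("running as euid %u, user '%s': %s\n", (unsigned)geteuid(), name, explain_stage(st));
    if (st != STAGE_LOOKUP_OK && errno != 0)
        printf("errno: %s\n", strerror(errno));
    return st == STAGE_LOOKUP_OK ? 0 : 1;
}
```

Run it once as the unprivileged account and once as root with the same username; a result that changes from STAGE_NO_SHADOW_ENTRY to STAGE_LOOKUP_OK shows the lookup itself is fine and the failure is about who the daemon runs as, not about the account.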