This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm trying to set up tshark to do a remote capture on Linux. I compiled git head tshark against winpcap 4.1.3 (which involved disabling -Werror) and I can now run tshark -i rpcap://10.70.255.193/wifi0. But when I do, it connects to the rpcapd, passes anon auth, sends an rpcap open request and gets a reply, but never sends an rpcap start capture command, so I get no packets. Should this work or am I ending up in unsupported territory?

I'm thinking the problem is somewhere in caputils/ and differences between pcap 0.8 and winpcap, but I can't work out where.

asked 16 Jun '16, 19:09


TRS-80

By "on Linux" do you mean "I've compiled the libpcap source from WinPcap on Linux to make a version of libpcap with remote capture support, and compiled TShark with that version of libpcap", so that the host running TShark is a Linux machine, not just the remote machine with the rpcap daemon (which is presumably a Linux, given the interface name wifi0)?

(16 Jun '16, 23:01) Guy Harris ♦♦

That is precisely correct. The remote machine is an enterprise wireless access point running rpcapd, so I can't just ssh in and run dumpcap.

(16 Jun '16, 23:09) TRS-80

Then you're definitely in unsupported territory.

There might be, for example, an issue with the UN*X-socket code in WinPcap's remote-capture code, so that your libpcap-built-with-WinPcap's-remote-capture-code doesn't work right (there are wrappers to cover up the differences between UN*X Berkeley sockets APIs and the Winsock variants of those APIs, and there might be some code rot in the UN*X-socket side).

The Wireshark code also hasn't been rigorously tested with a pcap on UN*X with pcap_open(), either.


answered 17 Jun '16, 02:13


Guy Harris ♦♦

It looks like it used to work: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2809 but I tried doing that (just adding --with-remote-pcap to configure, then LD_PRELOAD WinPcap's libpcap) and it fails in the same fashion.

(25 Jul '16, 22:12) TRS-80
question asked: 16 Jun '16, 19:09

question was seen: 2,480 times

last updated: 25 Jul '16, 22:12