This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote pcap capture with tshark on Linux

0

I'm trying to set up tshark to do a remote capture on Linux. I compiled git head tshark against winpcap 4.1.3 (which involved disabling -Werror) and I can now run tshark -i rpcap://10.70.255.193/wifi0. But when I do, it connects to the rpcapd, passes anon auth, sends an rpcap open request and gets a reply, but never sends an rpcap start capture command, so I get no packets. Should this work or am I ending up in unsupported territory?

I'm thinking the problem is somewhere in caputils/ and differences between pcap 0.8 and winpcap, but I can't work out where.

asked 16 Jun '16, 19:09

TRS-80's gravatar image

TRS-80
21226
accept rate: 0%

By "on Linux" do you mean "I've compiled the libpcap source from WinPcap on Linux to make a version of libpcap with remote capture support, and compiled TShark with that version of libpcap", so that the host running TShark is a Linux machine, not just the remote machine with the rpcap daemon (which is presumably a Linux, given the interface name wifi0)?

(16 Jun '16, 23:01) Guy Harris ♦♦

That is precisely correct. The remote machine is an enterprise wireless access point running rpcapd, so I can't just ssh in and run dumpcap.

(16 Jun '16, 23:09) TRS-80

One Answer:

1

Then you're definitely in unsupported territory.

There might be, for example, an issue with the UN*X-socket code in WinPcap's remote-capture code, so that your libpcap-built-with-WinPcap's-remote-capture-code doesn't work right (there are wrappers to cover up the differences between UN*X Berkeley sockets APIs and the Winsock variants of those APIs, and there might be some code rot in the UN*X-socket side).

The Wireshark code also hasn't been rigorously tested with a pcap on UN*X with pcap_open(), either.

answered 17 Jun '16, 02:13

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

It looks like it used to work: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2809 but I tried doing that (just adding --with-remote-pcap to configure, the LD_PRELOAD WinPcap's libpcap) and it fails in the same fashion.

(25 Jul '16, 22:12) TRS-80