This is a static archive of our old Q&A Site. Please post any new questions and answers at

remote capture


I currently have wireshark installed on my windowsXP box; I want to do a capture between a remote laptop and a remote file server on the same subnet. How can I set that up? thanks!

asked 19 Oct '10, 10:27

will_sj's gravatar image

accept rate: 0%

edited 19 Oct '10, 10:28

One Answer:


I think what you want to do is capture the traffic between the laptop and the file server with the help of your XP box, which would be a pretty standard setup. I wouldn't call that a remote capture, because for me that would imply doing a rcapd capture, which is a little more complicated.

What you have to do is to attach your XP box to the same switch either server or laptop (or both) are physically attached to, and then setup a monitoring (a.k.a SPAN) session to forward their packets towards the switch port your XP box is attached to. For this you will need a manageable switch and access to the CLI or Web front end where the monitoring settings can be configured. If you don't have that kind of switch you can try using a hub that you put inline, or go for a low cost switch tap sold by Dual-Comm.

answered 19 Oct '10, 15:43

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Okay thanks, this is doable as I use Cisco Catalyst switches. I have just one other question, the file server is at another location, it's on my WAN but a different subnet, I can access it just not physically. Would I be able to config the server in the SPAN session?

(20 Oct '10, 12:30) will_sj

Well... maybe. Usually you should be able to attach the capture box directly to the switch where you are doing the monitoring session, so you need physical access. There are some options like doing a remote span where the capture data will be transferred to your location via special transport VLAN, but that is problematic as you might lose packets and the times get distorted. I would advise against doing that. If the remote server is not accessable just capture the client, very often you can tell enough from that kind of trace anyway.

(20 Oct '10, 13:16) Jasper ♦♦

thanks for your help!

(21 Oct '10, 08:06) will_sj