This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

pcap-ng and remote capture


So I want to run the Wireshark GUI on my local Mac workstation and remotely capture data from a couple of RHEL7 systems.

From the command line it works fine (using SSH port just to test that I'm capturing packets):
wireshark -k -i <(ssh testlnb1400 "/sbin/dumpcap -P -w - -i eth0 -f 'tcp port 22'")

But from the GUI, using the extcap dialog, it fails with 'capturing from a pipe doesn't support pcapng format'. I tried specifying the -P option to /sbin/dumpcap in the 'remote capture binary' field, but it interprets the whole string as the binary name and dies with 'no such file or directory'.

I tried writing a simple wrapper script that prepends the command line arguments with a -P, but then something goes wrong with the filters.

I went to preferences and looked for relevant options. There's a capture.pcap_ng; I tried changing it to FALSE, but it still fails. I'm assuming that's for local captures, not remote.

I saw some posts about using dpkg to configure the wireshark RPM, but the remote collector is on RHEL and I don't have dpkg available.

So is there some way to either configure the GUI to correctly interpret default dumpcap output (pcap-ng), or to configure the default format output by dumpcap to be libpcap?

Thanks!

asked 30 Nov '16, 16:19


soppenlander

edited 10 Jan '17, 02:58


grahamb ♦
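The wrapper-script approach the question describes, written out as an added example that is not code from the post or from the Wireshark project. It is meant to be named as the remote capture binary in the extcap dialog and simply prepends dumpcap's -P option (classic libpcap output, as used on the command line in the question) before forwarding the caller's arguments. The DUMPCAP variable and the fake_dumpcap stand-in are assumptions constructed for this example; /sbin/dumpcap is the path from the question. The broken variant shows one common way a hand-written wrapper can mangle a multi-word capture filter such as 'tcp port 22' (unquoted $* is word-split), which is a plausible but unconfirmed explanation for the filter problem the question mentions.

```shell
#!/bin/sh
# Added example, not code from the post or from Wireshark. A wrapper that an
# extcap dialog could name as the remote capture binary: it prepends -P so that
# dumpcap writes classic libpcap instead of pcapng, and forwards every other
# argument untouched. DUMPCAP is an assumed variable holding the real binary
# path; /sbin/dumpcap is the path quoted in the question.

# Correct forwarding: "$@" keeps each argument whole, so a filter such as
# 'tcp port 22' reaches dumpcap as the single value of -f.
dumpcap_pcap_wrapper() {
    "${DUMPCAP:-/sbin/dumpcap}" -P "$@"
}

# Broken forwarding for comparison: unquoted $* is word-split, so the same
# filter arrives as three arguments and -f only receives 'tcp'. This is one
# plausible way a home-made wrapper "goes wrong with the filters".
dumpcap_pcap_wrapper_broken() {
    "${DUMPCAP:-/sbin/dumpcap}" -P $*
}

# Constructed stand-in for dumpcap so the difference can be shown offline:
# it prints each argument it receives inside square brackets.
fake_dumpcap() {
    printf '[%s]' "$@"
}

# Run both wrappers against the stand-in with the filter from the question.
demo() {
    DUMPCAP=fake_dumpcap
    printf 'quoted:   %s\n' "$(dumpcap_pcap_wrapper -w - -i eth0 -f 'tcp port 22')"
    printf 'unquoted: %s\n' "$(dumpcap_pcap_wrapper_broken -w - -i eth0 -f 'tcp port 22')"
}

demo
```

To use it for real, install the script on the RHEL host, leave DUMPCAP unset so it falls back to /sbin/dumpcap, and point the 'remote capture binary' field at the script's path; because the arguments are forwarded with "$@", the -i, -f and -w options the GUI passes arrive at dumpcap exactly as given.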

You may try and use this tool - https://app.mojopackets.com

(30 Nov '16, 23:38) himanshu097

Wireshark version?

(01 Dec '16, 03:01) grahamb ♦

Wireshark version is 2.2.2-0-g775fb08. The remote dumpcap version is 1.10.14-10 and the remote libpcap version is 1.5.3-8.

(01 Dec '16, 07:45) soppenlander

There have been some changes in this area, could you try one of the recent automated 2.3.0 builds?

(01 Dec '16, 08:18) grahamb ♦

I had gotten my existing 2.2.2 install working with /sbin/tcpdump through the GUI this morning.

I upgraded to 2.3.0-1581-g7fe45cc. Neither tcpdump nor dumpcap work through the GUI now. Dumpcap does still work with the ssh/wireshark command line above.

(01 Dec '16, 08:46) soppenlander

I did have sshdump to tcpdump working a few weeks ago (on Windows), but it doesn't work for me now, so it looks like it's time to raise a bug at the Wireshark Bugzilla.

(01 Dec '16, 09:08) grahamb ♦

@grahamb I'm not finding the bug in Bugzilla. Is there one filed?

(18 Jan '17, 09:44) awiresharkuser

I tested last week with a locally built development version 2.3.0 from Windows to a Linux machine and it worked for me. Grab a 2.3.0 build from here.

(18 Jan '17, 10:23) grahamb ♦

Hmm, it seems that sshdump only works from the build directory. Creating an installer and using that on the host that runs my build VM doesn't work, I get a pipe error. More investigation (and a bug report) required.

(19 Jan '17, 04:03) grahamb ♦