This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We operate a lab with a variety of equipment that we need to monitor. We have a few router ports setup to mirror different interfaces for different lab signaling scenarios into an Ubuntu Server VM and then stream that back to the corporate LAN.

We use Windows BAT files that execute plink to login to the remote server. The plink binary then runs tcpdump with -i and -w and then we pipe that to wireshark with -k -i and - to capture the traffic with a distinct BAT file per interface (each mirror interface receiver on the Ubuntu VM handles different flows we want to watch). It's worked great for years with Wireshark (1.8, 1.10, 1.12 and 2.0) but if we upgrade our Wireshark instance to 2.2.x we get an error dialog from the Wireshark GUI that says, "Unrecognized libpcap format or not libpcap data" and the BAT window says, "Unable to write to standard output: The pipe is being closed".

We haven't changed the Ubuntu system where the TCPDUMP command is running, the plink binary, or the Windows host OS.
If we uninstall Wireshark 2.2.x and go back to the latest Wireshark 2.0 it starts working again If we re-upgrade from 2.0.x to 2.2.x again it fails again.

Any thoughts?

asked 11 May '17, 08:34

dbAtAffirmed's gravatar image

dbAtAffirmed
6113
accept rate: 0%

edited 12 May '17, 00:08

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335195

And if there is a preferred 'new' method of performing the same with Wireshark 2.2 I'm open to suggestions.

To be clear, the command we've been running is:

plink.exe -pw password [email protected] tcpdump -i enp4s0f1 -s 65535 -w - | wireshark -k -i -

(11 May '17, 10:23) dbAtAffirmed

Should I file a defect on this? If so, what would folks recommend I submit with the defect?

(13 Jun '17, 06:24) dbAtAffirmed

2.2 introduced the extcap feature which allows interface plugins, amongst which is the sshdump plugin which allows an ssh connection to a server to be configured and then a binary, e.g. tcpdump, to be run to capture traffic.

Extcap sshdump only allows one "interface" per UI session though, and (for Windows) has no method to use pageant keys so credentials must be provided each time.

By all means create an entry for this on the Wireshark Bugzilla giving as much info as possible.

(13 Jun '17, 06:56) grahamb ♦

Thanks Graham. The 2.2.7 for WinX64 doesn't appear to include an extcap binary however (is it limited to Linux at this time?). I have an extcap folder with a USBPcapCMD.exe but in the main directory only an extcap.html. I'll file the defect in Bugzilla and then downgrade to 2.0.13 to keep our day-to-day workflow operational.

(20 Jun '17, 07:37) dbAtAffirmed

There's no binary called extcap, extcap is the name of an API. And USBPcapCMD.exe is just one of the binaries interfaced using that API. If an executable file is found in the appropriate folder, Wireshark executes it with a set of parameters and gets the list of interfaces as a response, then takes them one by one and determines their parameters etc., and then adds them to the list of interfaces available for capturing. When you start capture at one of them, it calls the binary with yet another set of parameters and expects the binary to send it the capture through a named pipe.

(20 Jun '17, 08:37) sindy

Thanks Sindy. I've tested it on Linux and it appears to work with some limitations relative to my old method however, more importantly (in our use case) there does not appear to be a SSH plugin that I can find via Google searches for the WinX64 version of Wireshark. I was hoping if one was not included that I could add one to the extcap directory and link things up.

I'm waiting on my Bugzilla account but will file a defect. I suspect the work that went in to making extcap work may have broken the old method some how (2.0 vs 2.2).

(20 Jun '17, 11:48) dbAtAffirmed

Loading a pcap file works for me on Linux: </tmp/wireshark/test/captures/dhcp.pcap wireshark -k -i - (tested with latest 2.2 and master branch). As for the SSH "extcap plugin", there is supposed to be a sshdump.exe file included with Wireshark.

(20 Jun '17, 19:17) Lekensteyn
showing 5 of 7 show 2 more comments

Just a quick status update... I updated my environment to 2.6.0rc0-6-gb8ad0997 and it is working again! Something must have changed between the 2.2 and 2.6 release candidate to address this but I'm happy again! :)

permanent link

answered 11 Apr, 14:19

dbAtAffirmed's gravatar image

dbAtAffirmed
6113
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×97
×37
×26

question asked: 11 May '17, 08:34

question was seen: 1,504 times

last updated: 11 Apr, 14:19

p​o​w​e​r​e​d by O​S​Q​A