We operate a lab with a variety of equipment that we need to monitor. We have a few router ports set up to mirror different interfaces for different lab signaling scenarios into an Ubuntu Server VM and then stream that back to the corporate LAN.
We use Windows BAT files that execute plink to log in to the remote server. The plink binary then runs tcpdump with -i and -w and then we pipe that to wireshark with -k -i and - to capture the traffic, with a distinct BAT file per interface (each mirror interface receiver on the Ubuntu VM handles different flows we want to watch). It's worked great for years with Wireshark (1.8, 1.10, 1.12 and 2.0), but if we upgrade our Wireshark instance to 2.2.x we get an error dialog from the Wireshark GUI that says, "Unrecognized libpcap format or not libpcap data" and the BAT window says, "Unable to write to standard output: The pipe is being closed".
We haven't changed the Ubuntu system where the TCPDUMP command is running, the plink binary, or the Windows host OS.
asked 11 May '17, 08:34
edited 12 May '17, 00:08
Guy Harris ♦♦
Just a quick status update... I updated my environment to 2.6.0rc0-6-gb8ad0997 and it is working again! Something must have changed between the 2.2 and 2.6 release candidate to address this but I'm happy again! :)
answered 11 Apr '18, 14:19
And if there is a preferred 'new' method of performing the same with Wireshark 2.2 I'm open to suggestions.
To be clear, the command we've been running is:
plink.exe -pw password [email protected] tcpdump -i enp4s0f1 -s 65535 -w - | wireshark -k -i -
Should I file a defect on this? If so, what would folks recommend I submit with the defect?
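One thing worth checking before filing the defect is what actually arrives at Wireshark's standard input. Wireshark's "Unrecognized libpcap format" dialog is raised as soon as the first 24 bytes of the pipe do not look like a libpcap global header, so anything the remote side writes to stdout before tcpdump starts (a login banner, a shell prompt, an error message) will trigger it. The following probe is an added example, not code from the question or from the Wireshark project; it reads the first 24 bytes of stdin and reports whether they form a pcap or pcapng header, and if not, shows the bytes so you can see what was prepended. The command line in the module docstring is an assumed invocation.

```python
#!/usr/bin/env python3
"""Probe the first bytes of a stream that should be raw libpcap data.

Added example, not part of the original question or of Wireshark.
Assumed usage (same pipeline as in the question, with the probe in
place of wireshark):
    plink.exe -pw password user@host "tcpdump -i enp4s0f1 -s 65535 -w -" | python pcap_probe.py
"""
import struct
import sys

# libpcap magic numbers as read big-endian from the wire.  The byte order in
# which tcpdump wrote the header decides which of the four values we see.
PCAP_MAGICS = {
    0xA1B2C3D4: ("big", "microsecond"),
    0xD4C3B2A1: ("little", "microsecond"),
    0xA1B23C4D: ("big", "nanosecond"),
    0x4D3CB2A1: ("little", "nanosecond"),
}
# pcapng Section Header Block type; it reads the same in either byte order.
PCAPNG_MAGIC = 0x0A0D0D0A


def probe(head: bytes) -> dict:
    """Classify the first 24 bytes of a capture stream.

    Returns a dict whose 'kind' is 'pcap', 'pcapng', 'short' (fewer than
    24 bytes arrived) or 'junk' (something other than a capture header).
    For 'pcap' it also reports byte order, timestamp precision, version,
    snaplen and link type, so a mismatch with what tcpdump was asked for
    is visible at a glance.
    """
    if len(head) < 24:
        return {"kind": "short", "got": len(head)}
    magic = struct.unpack(">I", head[:4])[0]
    if magic == PCAPNG_MAGIC:
        return {"kind": "pcapng"}
    if magic in PCAP_MAGICS:
        byteorder, precision = PCAP_MAGICS[magic]
        fmt = (">" if byteorder == "big" else "<") + "HHiIII"
        major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(fmt, head[4:24])
        return {
            "kind": "pcap",
            "byteorder": byteorder,
            "precision": precision,
            "version": f"{major}.{minor}",
            "snaplen": snaplen,
            "linktype": linktype,
        }
    # Not a capture header.  In a plink/ssh pipeline this is most often text
    # that the remote login emitted before tcpdump's output began, so show it
    # both as hex and as (best-effort) ASCII.
    return {
        "kind": "junk",
        "hex": head.hex(),
        "text": head.decode("ascii", errors="replace"),
    }


def main() -> int:
    head = sys.stdin.buffer.read(24)
    result = probe(head)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Exit non-zero when the stream would make Wireshark reject the pipe.
    return 0 if result["kind"] in ("pcap", "pcapng") else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once in place of wireshark in the BAT file; a 'junk' result whose text looks like a MOTD or prompt means the remote command, not Wireshark, is the thing to adjust (for example by running tcpdump under a non-interactive shell), and a clean 'pcap' result with the expected snaplen and link type narrows the problem down to the Wireshark side.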
2.2 introduced the extcap feature which allows interface plugins, amongst which is the sshdump plugin which allows an ssh connection to a server to be configured and then a binary, e.g. tcpdump, to be run to capture traffic.
Extcap sshdump only allows one "interface" per UI session though, and (for Windows) has no method to use pageant keys so credentials must be provided each time.
By all means create an entry for this on the Wireshark Bugzilla giving as much info as possible.
Thanks Graham. The 2.2.7 for WinX64 doesn't appear to include an extcap binary however (is it limited to Linux at this time?). I have an extcap folder with a USBPcapCMD.exe but in the main directory only an extcap.html. I'll file the defect in Bugzilla and then downgrade to 2.0.13 to keep our day-to-day workflow operational.
There's no binary called extcap, extcap is the name of an API. And USBPcapCMD.exe is just one of the binaries interfaced using that API. If an executable file is found in the appropriate folder, Wireshark executes it with a set of parameters and gets the list of interfaces as a response, then takes them one by one and determines their parameters etc., and then adds them to the list of interfaces available for capturing. When you start capture at one of them, it calls the binary with yet another set of parameters and expects the binary to send it the capture through a named pipe.
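The exchange just described can be seen end to end in a minimal extcap program. The script below is an added example, not code from this answer or from the Wireshark project; it answers the three discovery calls (`--extcap-interfaces`, `--extcap-dlts`, `--extcap-config`) with the text Wireshark expects, and on `--capture` writes a libpcap stream into the path given with `--fifo`. The interface name `demo0`, the `--count` option and the constructed payloads it emits are all made up for the example; a real plugin would put its own capture source (such as tcpdump over ssh) in place of them.

```python
#!/usr/bin/env python3
"""Minimal extcap plugin showing Wireshark's calling convention.

Added example, not part of the original answer or of the Wireshark project.
Assumed deployment: copy this file (with a .bat wrapper on Windows) into
Wireshark's extcap folder; Wireshark then runs it with the flags handled
in main().  The interface 'demo0' and its packets are constructed.
"""
import argparse
import struct
import sys
import time

LINKTYPE_USER0 = 147  # DLT_USER0, a private link type suitable for demo payloads


def extcap_interfaces() -> str:
    """Reply to --extcap-interfaces: plugin version, then one line per interface."""
    return (
        "extcap {version=0.1}{help=https://www.wireshark.org/docs/man-pages/extcap.html}\n"
        "interface {value=demo0}{display=Demo extcap interface}\n"
    )


def extcap_dlts(iface: str) -> str:
    """Reply to --extcap-dlts: link-layer types the named interface delivers."""
    if iface != "demo0":
        return ""
    return f"dlt {{number={LINKTYPE_USER0}}}{{name=USER0}}{{display=Demo payloads}}\n"


def extcap_config(iface: str) -> str:
    """Reply to --extcap-config: options Wireshark shows in the capture dialog."""
    if iface != "demo0":
        return ""
    return (
        "arg {number=0}{call=--count}{display=Packets to emit}"
        "{tooltip=How many constructed packets to write}{type=integer}"
        "{range=1,100}{default=3}\n"
    )


def pcap_header(linktype: int, snaplen: int = 65535) -> bytes:
    """libpcap global header, little-endian, microsecond timestamps, version 2.4."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(payload: bytes, ts: float) -> bytes:
    """One packet record: ts_sec, ts_usec, captured length, original length, data."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


def build_pcap(packets, linktype: int = LINKTYPE_USER0, ts: float = 0.0) -> bytes:
    """Complete pcap byte stream for a list of payloads, one second apart."""
    out = bytearray(pcap_header(linktype))
    for i, pkt in enumerate(packets):
        out += pcap_record(pkt, ts + i)
    return bytes(out)


def capture(fifo: str, count: int) -> int:
    """Reply to --capture: stream pcap data into the fifo Wireshark created."""
    packets = [f"demo packet {i}".encode() for i in range(count)]  # constructed
    data = build_pcap(packets, ts=time.time())
    with open(fifo, "wb") as fh:  # on Windows this path names a named pipe
        fh.write(data)
    return len(packets)


def main(argv=None) -> int:
    p = argparse.ArgumentParser()
    p.add_argument("--extcap-interfaces", action="store_true")
    p.add_argument("--extcap-dlts", action="store_true")
    p.add_argument("--extcap-config", action="store_true")
    p.add_argument("--capture", action="store_true")
    p.add_argument("--extcap-interface")
    p.add_argument("--fifo")
    p.add_argument("--count", type=int, default=3)
    # Wireshark also passes flags we do not handle (e.g. --extcap-version),
    # so ignore unknown arguments instead of failing the discovery step.
    a, _unknown = p.parse_known_args(argv)
    if a.extcap_interfaces:
        sys.stdout.write(extcap_interfaces())
    elif a.extcap_dlts:
        sys.stdout.write(extcap_dlts(a.extcap_interface))
    elif a.extcap_config:
        sys.stdout.write(extcap_config(a.extcap_interface))
    elif a.capture:
        if not a.fifo:
            return 1
        capture(a.fifo, a.count)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The four modes map directly onto the steps in the answer: interface discovery, per-interface link-type and option queries, and finally the capture call whose only output channel is the fifo rather than stdout, which is the difference from the `tcpdump -w - | wireshark -k -i -` pipeline in the question.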
Thanks Sindy. I've tested it on Linux and it appears to work with some limitations relative to my old method; however, more importantly (in our use case), there does not appear to be an SSH plugin that I can find via Google searches for the WinX64 version of Wireshark. I was hoping that if one was not included I could add one to the extcap directory and link things up.
I'm waiting on my Bugzilla account but will file a defect. I suspect the work that went into making extcap work may have broken the old method somehow (2.0 vs 2.2).
Loading a pcap file works for me on Linux:
</tmp/wireshark/test/captures/dhcp.pcap wireshark -k -i - (tested with latest 2.2 and master branch). As for the SSH "extcap plugin", there is supposed to be a sshdump.exe file included with Wireshark.