This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RpCap 4.1.1 vs RpCap 4.1.2

0

We utilize RpCapd –n on a regular basis in our Hospital Enterprise network of 5000 desktops, 68 wiring closets and over 250 switches and routers. We have been installing WinPcap 4.1.1 due to its ability to be ‘silently’ installed, versus 4.1.2 which as we understand can NOT be silently installed.

We have not been able to remotely capture with Wireshark 1.4 on these remote devices after running a local batch file with PSExec to start RpCap –n on the remote device. We get an error that Wireshark cannot see any interfaces etc etc. When we install WinPcap 4.1.2 intrusively, RpCap and Wireshark remote capture run perfectly.

We are curious to see if this is a known issue or if we are doing something wrong. We have created an image with Wireshark 1.4 and WinPcap 4.1.2 on PCs dual attached to switches in our 68 disparate closets, which allows us to remotely capture traffic through each of our closets and narrows time for locating areas of packet loss etc. We would really like to find a resolution for the remote silent install at the workstation level to further facilitate our investigations of application-specific misbehaviors.

asked 09 Nov '10, 08:00

swglover
1223
accept rate: 0%

This may be better posted in the WinPcap mailing list: http://www.winpcap.org/contact.htm

(10 Nov '10, 07:17) Jaap ♦

Not really an answer from me, but I am interested in how you install rpcapd silently. For a long time the only way I could figure out to make remote captures was by logging in with mstsc and installing the complete Wireshark suite. This meant the user had to log out, be warned he could log in again etc. Not very silent.

For more than a year now I have been using the command line Microsoft tool netcap. With psexec it is copied to the host and from there I run it. The capture files can be copied back to my own place and analysed with Wireshark. Disadvantages are limited filter capabilities and timestamps on packets are not great.

However, when needed I can make a snapshot trace on a remote host in about 5 minutes to see what is wrong and even remove all capture software. That is a great thing.

(10 Nov '10, 11:27) easterman

One Answer:

0

We have been doing the silent install of WinPcap (the version downloaded directly from the WinPcap website) remotely for some time. It installs in the "C:\Program Files\WinPcap" directory. Then from my machine I run the following *.bat file:

    psexec \\%1 "%Programfiles%\Winpcap\rpcapd.exe" -n
    pause

The %1 pauses the batch file and allows me to enter the device's IP address.

The latest version of WinPcap for some reason no longer allows silent install, so we have to actually remote to the suspect machine to install it.

answered 11 Nov '10, 06:24

swglover
1223
accept rate: 0%

edited 11 Nov '10, 06:28