Revision history

I'm not positive if this will help with your issue, but you might try specifying an interactive command line for the 'rpcapd' service executable directly. Locate this file on your installation (for 64-bit it will be under Program Files (x86)\WinPCAP) within a CMD prompt window (WIN+R, 'cmd', Enter):

cd \Program Files (x86)\WinPCAP
rpcapd -l 1.2.3.4 -n

You can then try authenticating without credentials (as specified by -n) only from a remote system with the IPv4 address (1.2.3.4) following the -l parameter. In the Wireshark "Capture Interfaces" (Ctrl+K), "Manage Interfaces..." button, "Remote Interfaces" tab, "+"-button, "Remote Interface" dialog box, select "Null authentication". This ought to provide a list of interfaces available on the WinPCAP host and ought to resemble the output of 'dumpcap -D -M' on that remote host. If this procedure doesn't work, there is some connectivity problem between the two systems, perhaps due to a firewall or cabling issue.

I was able to build an RPCAP connection without issue on Windows 10 Pro 64-bit, with Wireshark 2.4.4 64-bit and WinPCAP 4.1.3 as the remote system, and Windows 7 Pro 64-bit as the system running Wireshark or Dumpcap (I used the -b and -p options for 'rpcapd' as well). I did not need to run 'rpcapd' with an Administrator-level account; a "Limited User Account" worked fine in my case.

Note that with this configuration I have found that it is necessary to specify a '-m count:1' option for 'dumpcap' to actually capture packets, or the same sampling option in the GUI for Wireshark (found in the dialog box via the button on the lower right of the same "Remote Interfaces" tab noted above). If the RPCAP sampling option is not set it seems that no packets are passed over the network to Wireshark or the command line tools.
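A diagnostic for the troubleshooting step in the answer above, added here as an example and not part of the original post or of WinPcap/Wireshark: run from the capturing system, it sends an RPCAP null-authentication request to rpcapd so that a firewall or cabling problem can be told apart from rpcapd refusing the client. Assumptions: the default rpcapd control port 2002, protocol version 0, and the message constants from libpcap's rpcap-protocol.h; the function and status names are illustrative.

```python
import socket
import struct

# Assumed values: constants from libpcap/WinPcap rpcap-protocol.h
RPCAP_PORT = 2002                    # default rpcapd control port
MSG_ERROR = 1
MSG_AUTH_REQ = 8
MSG_AUTH_REPLY = 0x80 | MSG_AUTH_REQ
RMTAUTH_NULL = 0                     # what "Null authentication" / rpcapd -n uses
HEADER = struct.Struct("!BBHI")      # version, type, value, payload length

def null_auth_request(version=0):
    """Build an RPCAP authentication request carrying no credentials."""
    payload = struct.pack("!HHHH", RMTAUTH_NULL, 0, 0, 0)  # type, dummy, slen1, slen2
    return HEADER.pack(version, MSG_AUTH_REQ, 0, len(payload)) + payload

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def check_rpcapd(host, port=RPCAP_PORT, timeout=5.0):
    """Return (status, detail) for a null-authentication attempt against rpcapd."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing answered on TCP: firewall, cabling, or rpcapd not running.
        return "unreachable", str(exc)
    with sock:
        try:
            sock.sendall(null_auth_request())
            _ver, mtype, value, plen = HEADER.unpack(_recv_exact(sock, HEADER.size))
            body = _recv_exact(sock, plen) if plen else b""
        except OSError as exc:
            # TCP connected but rpcapd dropped the session without a reply.
            return "no-reply", str(exc)
    if mtype == MSG_AUTH_REPLY:
        return "accepted", "null authentication accepted"
    if mtype == MSG_ERROR:
        # rpcapd explains the refusal in the message body.
        return "rejected", f"error {value}: {body.decode('ascii', 'replace')}"
    return "unexpected", f"message type {mtype}"
```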