
I don't have remote interfaces options on my Wireshark installed on a MAC book

It's not an "option" in the sense of something you can select when you install Wireshark or something you can turn on or off in the preferences.

It's a feature provided by libpcap, and the version of libpcap that comes with macOS, most if not all Linux distributions, most if not all of the *BSDs, Solaris, and AIX doesn't have that feature enabled, which means that programs using libpcap, such as Wireshark, don't offer it.

As far as I know, the only versions of libpcap that include it are the versions in WinPcap and Npcap for Windows.

It's not enabled by default on UN*Xes because there is a security risk involved with communicating with possibly-untrusted hosts and because code that uses libpcap may run with elevated privileges to allow it to capture on local machines. It's enabled by default in WinPcap because that's where it was first implemented, and it's enabled by default in Npcap because it's a replacement for WinPcap.

(I spent some time a while ago checking the code to make sure it didn't have the usual sort of buffer overflow etc. issues that cause the most obvious problems, but I'm not sure it's time to enable it by default.)

So, if you want to capture on a remote machine using the rpcap mechanism, you'd have to rebuild libpcap from source with remote capture enabled, install it, and then rebuild Wireshark from source. The resulting Wireshark should be able to do remote captures.

Another possibility is to use the sshdump extcap mechanism, which uses the ssh protocol to run tcpdump or dumpcap on a remote machine and have it send the capture to the machine running Wireshark.
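
The ssh-based alternative mentioned in the answer's last paragraph, written out by hand as an added example (it is not part of the original answer and not Wireshark's sshdump code): the capture runs on the remote machine under tcpdump and only an authenticated ssh channel reaches the machine running Wireshark. The function names and the sample host and interface are hypothetical, and it assumes `ssh` and `wireshark` are on the local PATH and the remote account is allowed to capture.

```shell
# Added example: hand-built version of the ssh + tcpdump pipeline.
# Function names and the sample host/interface are hypothetical.

# Accept only plain interface names, so the value cannot inject shell
# syntax into the command line executed on the remote host.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only [user@]host; a leading '-' would be parsed by ssh as an option.
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.@_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command to run remotely. -U flushes per packet, -w - writes pcap
# to stdout, and the filter excludes traffic on the SSH port, so the session
# carrying the capture does not feed back into itself.
remote_tcpdump_cmd() {
    local iface="$1" ssh_port="${2:-22}"
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    case "$ssh_port" in
        ''|*[!0-9]*) echo "bad port: $ssh_port" >&2; return 1 ;;
    esac
    printf "tcpdump -U -i %s -w - 'not port %s'" "$iface" "$ssh_port"
}

# Stream the remote capture into a local Wireshark reading from stdin.
# Assumes the remote account is allowed to capture with tcpdump.
remote_capture() {
    local target="$1" iface="$2" ssh_port="${3:-22}" cmd
    valid_target "$target" || { echo "bad target: $target" >&2; return 1; }
    cmd=$(remote_tcpdump_cmd "$iface" "$ssh_port") || return 1
    ssh -p "$ssh_port" "$target" "$cmd" | wireshark -k -i -
}

# Usage (constructed values): remote_capture capture@sensor.example eth0
```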