
Remote host capturing problem

asked 2018-01-19 17:23:41 +0000


I have WinPCap installed and the service started. I have a local profile on the computer with Admin rights. But when I try to remote capture I get 2 different error messages:

1. Can't get list of interfaces: Username and password
2. Can't get list of interfaces: No interfaces found! Libpcap/winpcap is properly installed and you have the right to access to the remote device.

Any assistance on this please.


Comments

Please add more detail to your question, e.g. host OS, Wireshark version and remote host OS and Wireshark version.

grahamb ( 2018-01-22 11:44:32 +0000 )

Host OS: Windows 7 64-bit, Wireshark ver. 2.4.4, and the remote host OS is Windows 7 32-bit and 64-bit.

Unable to capture traffic remotely from a Windows 7 32-bit and 64-bit system. Local install works fine. Remotely, I can get the WinPcap service to install and start but can't get Wireshark to connect remotely and capture the traffic for troubleshooting.

jeshanks1 ( 2018-01-22 13:09:55 +0000 )

1 Answer


answered 2018-02-19 05:00:25 +0000

dpg2

I'm not positive if this will help with your issue, but you might try specifying an interactive command line for the 'rpcapd' service executable directly. Locate this file on your installation (for 64-bit it will be under Program Files (x86)\WinPCAP) within a CMD prompt window (WIN+R, 'cmd', Enter):

cd \Program Files (x86)\WinPCAP
rpcapd -l 1.2.3.4 -n

You can then try authenticating without credentials (as specified by -n) only from a remote system with the IPv4 address (1.2.3.4) following the -l parameter. In the Wireshark "Capture Interfaces" (Ctrl+K), "Manage Interfaces..." button, "Remote Interfaces" tab, "+"-button, "Remote Interface" dialog box, select "Null authentication". This ought to provide a list of interfaces available on the WinPCAP host and ought to resemble the output of 'dumpcap -D -M' on that remote host. If this procedure doesn't work there is some connectivity problem between the two systems, perhaps due to a firewall or cabling issue.

I was able to build an RPCAP connection without issue on Windows 10 Pro 64-bit, with Wireshark 2.4.4 64-bit and WinPCAP 4.1.3 as the remote system, and Windows 7 Pro 64-bit as the system running Wireshark or Dumpcap (I used the -b and -p options for 'rpcapd' as well). I did not need to run 'rpcapd' with an Administrator-level account, a "Limited User Account" worked fine in my case.

Note that with this configuration I have found that it is necessary to specify a '-m count:1' option for 'dumpcap' to actually capture packets, or the same sampling option in the GUI for Wireshark (found in the dialog box via the button on the lower right of the same "Remote Interfaces" tab noted above). If the RPCAP sampling option is not set it seems that no packets are passed over the network to Wireshark or the command line tools.

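The client side of the procedure in the answer above, as an added example that is not part of the original answer: it first checks that the rpcapd TCP port is reachable (the firewall case the answer mentions), then runs a short remote capture with the '-m count:1' sampling option. The remote address, device name, Wireshark install path and output file are placeholders or assumptions, and port 2002 is assumed to be the rpcapd default (adjust it if 'rpcapd' was started with -p).

```powershell
# Added example: run on the system where Wireshark/dumpcap is installed.
# All values below are placeholders or assumptions, not taken from the thread.
$RemoteHost = '192.0.2.10'                       # constructed address of the rpcapd host
$RpcapPort  = 2002                               # assumed rpcapd default; match -p if used
$Device     = '\Device\NPF_{PLACEHOLDER-GUID}'   # copy the real name from "Remote Interfaces"
$Dumpcap    = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed install path
$OutFile    = Join-Path $env:TEMP 'rpcap-test.pcapng'

if (-not (Test-Path $Dumpcap)) {
    Write-Error "dumpcap not found at $Dumpcap"
    return
}

# Step 1: rule out a firewall or routing problem before blaming authentication.
$probe = Test-NetConnection -ComputerName $RemoteHost -Port $RpcapPort `
                            -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Error ("TCP {0}:{1} is not reachable. Check that rpcapd is running, " +
                 "that its -l list includes this machine, and that no firewall " +
                 "blocks the port." -f $RemoteHost, $RpcapPort)
    return
}

# Step 2: capture for 30 seconds over RPCAP with null authentication.
# -m count:1 sets the sampling option the answer found necessary.
$iface = 'rpcap://{0}:{1}/{2}' -f $RemoteHost, $RpcapPort, $Device
& $Dumpcap -i $iface -m count:1 -a duration:30 -w $OutFile

# Step 3: report the outcome so an empty capture is not mistaken for success.
if ($LASTEXITCODE -ne 0) {
    Write-Error "dumpcap exited with code $LASTEXITCODE"
} elseif (-not (Test-Path $OutFile) -or (Get-Item $OutFile).Length -eq 0) {
    Write-Warning "Capture file is missing or empty: $OutFile"
} else {
    Write-Output ("Wrote {0} bytes to {1}" -f (Get-Item $OutFile).Length, $OutFile)
}
```

Because -n disables authentication, keep the -l allow-list on 'rpcapd' limited to the capturing machine and stop 'rpcapd' once troubleshooting is finished.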


Stats

Asked: 2018-01-19 17:23:41 +0000

Seen: 3,070 times

Last updated: Feb 19 '18