How to enable rpcap support in linux version

asked 2020-04-30 09:06:03 +0000

Oposum

How do you enable rpcap support via external interfaces in Wireshark on Linux (e.g. Debian)? I was used to this on Windows, but cannot find this in the Linux version. I've compiled v3.2.3 from the source code on my own (https://ask.wireshark.org/question/99...) - do I have to set a special option before compiling?


1 Answer


answered 2020-04-30 09:34:17 +0000

Guy Harris

updated 2020-04-30 16:33:10 +0000

How do you enable rpcap support via external interfaces in wireshark on linux (e.g. Debian)?

That's not a function of Wireshark, it's a function of libpcap; if Wireshark is built with a version of libpcap that supports it, it'll support it, otherwise it won't.

By default, libpcap on UN*Xes is built without rpcap support, as it increases the "attack surface" of libpcap. The current version should be robust against a malicious server, but we (the libpcap developers) aren't at the point where we'd want to enable it by default yet. I don't know of any UN*X systems that ship libpcap and that have enabled remote support.

Therefore, you'll need to build libpcap from source (I'd recommend the latest version from www.tcpdump.org), install it, and then:

  1. remove the build directory you used to build Wireshark;
  2. re-create it, re-run CMake, and build it.

When you build libpcap from source:

  • if you're using autotools for the libpcap build, run the configure script with --enable-remote;
  • if you're using CMake for the libpcap build, run CMake with -DENABLE_REMOTE=YES

so that remote capture is enabled in libpcap.


Comments

Can you clarify:

By default, libpcap on UN*Xes is built without libpcap support, as it increases the "attack surface" of libpcap.

How do you build libpcap with out libpcap support?

Bob Jones ( 2020-04-30 15:21:36 +0000 )

How do you build libpcap with out libpcap support?

Sorry, that should have been "without rpcap support"; I've updated the answer to fix that.

Guy Harris ( 2020-04-30 16:33:39 +0000 )

Thanks Guy, rpcap works now.

For the documentation, if someone else stumbles across this:

  1. remove wireshark/tshark and libpcap
  2. fetch the libpcap sources from, e.g. http://www.tcpdump.org/release/libpca...
  3. extract libpcap and go to the folder, execute ./configure --enable-remote followed by make and sudo checkinstall (to build a deb-package, which can be easily removed via dpkg later)
  4. fetch wireshark source, e.g. https://2.na.dl.wireshark.org/src/wir...
  5. extract wireshark and go to the folder, create subfolder "build", change directory to it and execute cmake ../ followed by make and sudo checkinstall
  6. start wireshark -> go to manage interfaces button -> remote interfaces tab -> add a rpcap source with the "+" button
Oposum ( 2020-05-04 10:01:39 +0000 )

Is it possible for tshark or dumpcap to get the --enable-remote status from libpcap so that it could be displayed in the -v outputs?

Chuckc ( 2022-01-17 03:56:41 +0000 )

Is it possible for tshark or dumpcap to get the --enable-remote status from libpcap so that it could be displayed in the -v outputs?

There's no API to get that.

Note also that "remote" is not inherently limited to rpcap. At some point there may be an API that returns a list of all the remote capture schemes supported by the libpcap being used, which could be used by tcpdump/*shark in the --version output.

The closest thing we could do would be to report that libpcap has remote capture support if HAVE_PCAP_OPEN is #defined; unless some supplier either forces pcap_open() to be included even if remote capture support isn't configured in or forces it not to be included if remote capture support is configured in, that should work, and there's not much benefit to doing the former, and doing the latter won't let you do ...(more)

Guy Harris ( 2022-01-17 06:47:35 +0000 )
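A practical way to answer Chuckc's question from outside tshark/dumpcap, added here as an example that is not from the thread or from the libpcap/Wireshark projects: load the installed libpcap and look for the entry points that only a build with --enable-remote / -DENABLE_REMOTE=YES exports, which is the same signal Wireshark's build uses when it defines HAVE_PCAP_OPEN. The symbol list and the helper names are my assumptions; pcap_lib_version() is a real libpcap function.

```python
import ctypes
import ctypes.util

# Entry points that libpcap only compiles in when remote capture is enabled.
# pcap_open is the one Wireshark's CMake probes for (HAVE_PCAP_OPEN); the
# other two live in the same remote-only source file. List assumed by me.
REMOTE_SYMBOLS = ("pcap_open", "pcap_findalldevs_ex", "pcap_createsrcstr")


def remote_symbols_present(lib):
    """Return the subset of REMOTE_SYMBOLS that `lib` exports.

    `lib` is any object whose attribute lookup fails for a missing symbol,
    which is how a ctypes.CDLL handle behaves for an unexported function.
    """
    return tuple(name for name in REMOTE_SYMBOLS
                 if getattr(lib, name, None) is not None)


def has_remote_capture(lib):
    """True if this libpcap was built with remote (rpcap) support."""
    return "pcap_open" in remote_symbols_present(lib)


def inspect_system_libpcap():
    """Locate the system libpcap and report its version and remote status.

    Returns None when no libpcap can be found or loaded, so the caller can
    distinguish 'not installed' from 'installed without remote support'.
    """
    path = ctypes.util.find_library("pcap")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.pcap_lib_version.restype = ctypes.c_char_p
    return {
        "library": path,
        "version": lib.pcap_lib_version().decode(),
        "remote_capture": has_remote_capture(lib),
        "remote_symbols": remote_symbols_present(lib),
    }


if __name__ == "__main__":
    # On a stock Debian libpcap this reports remote_capture: False, which
    # is why Wireshark's remote-interfaces tab is missing there.
    print(inspect_system_libpcap())
```

If the report says remote_capture is False, the Wireshark you build against that library will not show remote interfaces no matter how Wireshark itself is configured.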


Last updated: May 04 '20