How to enable rpcap support in linux version

asked 2020-04-30 09:06:03 +0000

Oposum

How do you enable rpcap support via external interfaces in Wireshark on Linux (e.g. Debian)? I was used to this on Windows, but cannot find this in the Linux version. I've compiled v3.2.3 from the source code on my own (https://ask.wireshark.org/question/99...) - do I have to set a special option before compiling?


1 Answer


answered 2020-04-30 09:34:17 +0000

Guy Harris

updated 2020-04-30 16:33:10 +0000

How do you enable rpcap support via external interfaces in wireshark on linux (e.g. Debian)?

That's not a function of Wireshark, it's a function of libpcap; if Wireshark is built with a version of libpcap that supports it, it'll support it, otherwise it won't.

By default, libpcap on UN*Xes is built without rpcap support, as it increases the "attack surface" of libpcap. The current version should be robust against a malicious server, but we (the libpcap developers) aren't at the point where we'd want to enable it by default yet. I don't know of any UN*X systems that ship libpcap and that have enabled remote support.

Therefore, you'll need to build libpcap from source (I'd recommend the latest version from www.tcpdump.org), install it, and then:

  1. remove the build directory you used to build Wireshark;
  2. re-create it, re-run CMake, and build it.

When you build libpcap from source:

  • if you're using autotools for the libpcap build, run the configure script with --enable-remote;
  • if you're using CMake for the libpcap build, run CMake with -DENABLE_REMOTE=YES

so that remote capture is enabled in libpcap.


Comments

Can you clarify:

By default, libpcap on UN*Xes is built without libpcap support, as it increases the "attack surface" of libpcap.

How do you build libpcap without libpcap support?

Bob Jones ( 2020-04-30 15:21:36 +0000 )

How do you build libpcap without libpcap support?

Sorry, that should have been "without rpcap support"; I've updated the answer to fix that.

Guy Harris ( 2020-04-30 16:33:39 +0000 )

Thanks Guy, rpcap works now.

For the documentation, if someone else stumbles across this:

  1. remove wireshark/tshark and libpcap
  2. fetch the libpcap sources from, e.g. http://www.tcpdump.org/release/libpca...
  3. extract libpcap and go to the folder, execute ./configure --enable-remote followed by make and sudo checkinstall (to build a deb-package, which can be easily removed via dpkg later)
  4. fetch wireshark source, e.g. https://2.na.dl.wireshark.org/src/wir...
  5. extract wireshark and go to the folder, create subfolder "build", change directory to it and execute cmake ../ followed by make and sudo checkinstall
  6. start wireshark -> go to manage interfaces button -> remote interfaces tab -> add an rpcap source with the "+" button
Oposum ( 2020-05-04 10:01:39 +0000 )
