
Connect to rpcapd service on Windows from Linux/OSX using tshark

asked 2018-03-06 18:18:09 +0000

rich5

I have an rpcapd service running on a Windows system. I can connect to the service and start a capture session using tshark from another Windows system, but when I try the same thing from a Linux or OSX system I get:

sudo tshark -p -w output.pcap -i "rpcap://<IP>:2002/\Device\NPF_{3C1CAC08-C702-4D89-96CB-1F2B845ACA1D}"    
shark: The capture session could not be initiated on interface 'rpcap://<IP>:2002/\Device\NPF_{3C1CAC08-C702-4D89-96CB-1F2B845ACA1D}' (No such device exists).
    Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

The firewall is open and I can even use netcat to establish a connection on port 2002. Is this just not supported functionality or am I doing something wrong?


1 Answer


answered 2018-03-06 19:31:52 +0000

Guy Harris

Unless tshark, on the Linux and macOS systems, is built with a version of libpcap that includes rpcap support, you will not be able to connect to the rpcapd service with tshark.

The version of libpcap that ships with macOS and with most if not all Linux distributions does not include rpcap support. You would have to get the current master branch of libpcap, configure it with --enable-remote with autotools or -DENABLE_REMOTE=YES with CMake, build it, install it in /usr/local, and build Wireshark from source, in order to get a version of Wireshark or TShark that can do the remote capture.



That's very helpful. Thank you!

rich5 ( 2018-03-06 19:43:54 +0000 )
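The build procedure from the answer above, written out as an added example (not part of the original answer and not the Wireshark or libpcap project's own script). It uses the CMake route for both projects and adds a check for the usual failure mode, where the rebuilt tshark still loads the distribution's libpcap. Assumptions: the upstream repository URLs, the `SRC` checkout directory, CMake 3.15 or later, and the helper names `run`, `build_libpcap`, `build_wireshark` and `uses_prefix_pcap` are all hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed: git, cmake >= 3.15, a C
# toolchain and Wireshark's build dependencies are installed; upstream repo URLs.
set -eu

SRC="${SRC:-${HOME:-/tmp}/src}"   # assumed checkout directory
PREFIX=/usr/local                 # install location named in the answer
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands only, 0 = execute them

# Echo a command, and execute it unless this is a dry run.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# libpcap master with remote capture (rpcap) compiled in, using the CMake flag from the answer.
build_libpcap() {
    run git clone https://github.com/the-tcpdump-group/libpcap.git "$SRC/libpcap"
    run cmake -S "$SRC/libpcap" -B "$SRC/libpcap/build" \
        -DENABLE_REMOTE=YES -DCMAKE_INSTALL_PREFIX="$PREFIX"
    run cmake --build "$SRC/libpcap/build"
    run sudo cmake --install "$SRC/libpcap/build"
}

# Wireshark/TShark from source, told to look for libpcap under $PREFIX first.
build_wireshark() {
    run git clone https://gitlab.com/wireshark/wireshark.git "$SRC/wireshark"
    run cmake -S "$SRC/wireshark" -B "$SRC/wireshark/build" -DCMAKE_PREFIX_PATH="$PREFIX"
    run cmake --build "$SRC/wireshark/build"
}

# Reads `ldd` output on stdin (Linux); succeeds only if libpcap resolves under $PREFIX.
# If the distribution's libpcap is loaded instead, rpcap:// sources still fail.
uses_prefix_pcap() {
    grep 'libpcap' | grep -q "=> $PREFIX/"
}

build_libpcap
build_wireshark
# After a real build (DRY_RUN=0), check which libpcap the new binary loads.
if [ "$DRY_RUN" != 1 ]; then
    ldd "$SRC/wireshark/build/run/tshark" | uses_prefix_pcap ||
        echo "tshark is not using $PREFIX libpcap" >&2
fi
```

Run as-is it only prints the plan; `DRY_RUN=0 sh build-rpcap-tshark.sh` (file name is arbitrary) executes it, and the resulting binary is `build/run/tshark` inside the Wireshark checkout.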


Asked: 2018-03-06 18:18:09 +0000

Seen: 32 times

Last updated: Mar 06