Remote packet capturing is not working in Alibaba Cloud CentOS ECS
I have 2 CentOS instances created in Alibaba Cloud.
One of them has entered the following command:
yum install glibc-static gcc flex
wget http://www.winpcap.org/install/bin/WpcapSrc_4_1_2.zip --no-check-certificate
unzip WpcapSrc_4_1_2.zip
cd winpcap/wpcap/libpcap/
chmod +x configure runlex.sh
CFLAGS=-static ./configure
make
cd rpcapd/
make
sudo ./rpcapd -4 -n -p 6666
The other one entered the following command to perform remote capturing from the first one:
./tshark -i rpcap://[Private IP of first ECS]:6666/eth0 -T ek -b interval:10 -w /wireshark/captured_pcap/xxxx_eth0.json
However, I have the following error after typing it:
Capturing on 'rpcap://[Private IP of first ECS]:6666/eth0'
tshark: The capture session could not be initiated on interface 'rpcap://[Private IP of first ECS]:6666/eth0' (No such device exists).
Please check that you have the proper interface or pipe specified.
0 packets captured
I have added a permit port 6666 ACL from the second ECS to the first ECS. Has anyone encountered the above issue before?
Alibaba Cloud Support said it is out of their service area so they will not have any support on that.
Thank you.
Can you test with the Wireshark gui? 4.6. The “Manage Interfaces” Dialog Box
Adding a remote interface in the gui will contact the rpcapd server and request a list of interfaces. tshark -D and dumpcap -D don't have this ability to query.
Have you looked for messages on the server console where the daemon was started?
Hi Chuckc,
I have posted something in the Answer part.
What is the version of CentOS?
Are you sure the CentOS system has an eth0 interface?
I'm testing on CentOS 7 (get the same free() error when listing interface) and capture works fine on ens192.
The CentOS of server side and client side are both version 7.9.2009.
I am sure there is eth0 here. When I run tshark -D and ifconfig:
I also tested on my own VM that is not hosted on Cloud. Everything looks normal. Alibaba Cloud said it does not block the traffic of Wireshark.
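The interface-list request that the comments above say the GUI sends to rpcapd can also be made directly from the capturing host, which shows which device names the daemon actually exports. This is an added example, not code from this thread or from WinPcap; it assumes rpcap protocol version 0 and the null authentication enabled by `rpcapd -n`, and all function names are hypothetical.

```python
import socket
import struct

HDR = struct.Struct("!BBHI")      # rpcap header: ver, type, value, plen
MSG_ERROR, MSG_FINDALLIF_REQ, MSG_AUTH_REQ = 1, 2, 8
REPLY = 0x80                      # a reply carries the request type | 0x80
IF_HDR = struct.Struct("!HHIHH")  # namelen, desclen, flags, naddr, dummy
ADDR_BLOCK = 4 * 128              # addr, netmask, broadaddr, dstaddr (128 bytes each)


def parse_findallif(payload, count):
    """Return the interface names carried in a FINDALLIF reply payload."""
    names, off = [], 0
    for _ in range(count):
        namelen, desclen, _flags, naddr, _pad = IF_HDR.unpack_from(payload, off)
        off += IF_HDR.size
        names.append(payload[off:off + namelen].decode("ascii", "replace"))
        off += namelen + desclen + naddr * ADDR_BLOCK  # skip description and addresses
    return names


def recv_exact(sock, n):
    """Read exactly n bytes or fail if the daemon hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("rpcapd closed the connection")
        buf += chunk
    return buf


def exchange(sock, msg_type, payload=b""):
    """Send one request and return (header value, body) of the matching reply."""
    sock.sendall(HDR.pack(0, msg_type, 0, len(payload)) + payload)
    _ver, rtype, value, plen = HDR.unpack(recv_exact(sock, HDR.size))
    body = recv_exact(sock, plen)
    if rtype == MSG_ERROR:
        raise RuntimeError("rpcapd error %d: %s" % (value, body.decode("ascii", "replace")))
    if rtype != (msg_type | REPLY):
        raise RuntimeError("unexpected reply type %d" % rtype)
    return value, body


def list_remote_interfaces(host, port=6666, timeout=5.0):
    """Null-auth login (assumption: daemon started with -n), then list interfaces."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        exchange(sock, MSG_AUTH_REQ, struct.pack("!HHHH", 0, 0, 0, 0))
        count, body = exchange(sock, MSG_FINDALLIF_REQ)
        return parse_findallif(body, count)
```

Calling `list_remote_interfaces` with the first ECS's private IP separates a connection or ACL problem (timeout or refusal) from a daemon-side one (an rpcapd error message or a list that lacks eth0).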