Ask Your Question
0

rpcap interface protocol syntax for non-null authentication?

asked 2024-03-22 01:42:33 +0000

cuuld gravatar image

The Wireshark GUI supports rpcap for null authentication as well as username password authentication. I tested both to work. However, it's not clear to me how the underlying mechanism in the GUI route operates as the resulting interface string on remote host looks like "rpcap://host:port/interface-name" regardless of null authentication or authentication in place.

So does the GUI mode cache the authentication somehow and passes the authentication in some way over rpcap protocol whenever a capture is done with the given remote interface? I know per the wording and my trials that this appears to be kept per session in Wireshark, as you'd have to reconnect with authentication next time around to retrieve the remote interfaces if you exit and restart Wireshark. Where the GUI wording in the screen where you can add remote interfaces mentions "This version of Wireshark does not save remote settings".

The reason I ask about this is because I know on the CLI Wireshark, tshark, dumpcap have support for the remote interfaces by directly specifying the remote interface string value in the syntax mentioned above. And that works when using null authentication, but doesn't when authentication is supplied.

So is the current expectation that authenticated rpcap only works via the Wireshark GUI mode? Or is there a bug somewhere? Is this limitation because of a limitation or lack of documentation regarding the rpcap protocol for how you handle passing authentication over

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-22 06:35:40 +0000

Guy Harris gravatar image

updated 2024-03-22 18:25:45 +0000

However, it's not clear to me how the underlying mechanism in the GUI route operates as the resulting interface string on remote host looks like "rpcap://host:port/interface-name" regardless of null authentication or authentication in place.

The URL is parsed by libpcap, not by Wireshark/TShark/tcpdump/whatever. It does not have to contain a user name or password - and it's unwise to put the password in the URL on the command-line, especially if somebody else can see the command line you typed.

The rpcap protocol doesn't send the URL over the wire. The initial request from the client to the server is an authentication request that includes credentials, which begin with a credential type (null or username/password) with, for username/password, the username and password, as strings, following the credential type.

Wireshark's "Manage Interfaces" dialog allows you to specify the authentication type and, for username/password authentication, allows you to specify the username and password. TShark has no corresponding mechanism.

Is this limitation because of a limitation or lack of documentation regarding the rpcap protocol for how you handle passing authentication over

No, it's due to a lack of code in TShark to, for example, respond to an "authentication failed" reply from the server, if the reason is "null authentication not permitted", to prompt for a username and password. There's no such code in tcpdump, either.

(There's no documentation for the rpcap protocol at all. I have that as a project, but I have a lot of other things as projects as well, and, sadly, new project keep popping up. It needs to be written, because, at least at one point, there was a non-libpcap rpcap server that wasn't sending correct replies, which broke access from the libpcap client.)

edit flag offensive delete link more

Comments

Thanks for the clarification. I noticed that libpcap 1.11.0/master branch includes support for user auth in the rpcap URL even though that's not advised, and verified it works in custom compiled tcpdump and rpcapd from the latest libpcap source.

It's too bad the CLI tools don't have a mechanism like the Wireshark GUI to handle auth outside of the RPCAP URL.

cuuld gravatar imagecuuld ( 2024-03-23 22:02:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-22 01:42:33 +0000

Seen: 177 times

Last updated: Mar 22