Ask Your Question
0

rpcaps or remote pcap over TLS support in Wireshark for Windows?

asked 2024-03-23 22:41:48 +0000

cuuld gravatar image

Hi,

I noticed libpcap 1.10.0+ added support for TLS for rpcap. I didn't dig into the details but assume that is about the new "-S" option to enable TLS and the "rpcaps://" protocol, where the option is exposed when "it has been compiled in" (which seems to be about whether a compatible (open)SSL version is installed on the system when compiling?).

Furthermore, I see that Npcap, starting in v1.20 looks to be using some form of libpcap 1.10, v1.73+ seems to for sure use libpcap 1.10. Latest Wireshark 4.2.3 seems to bundle with Npcap 1.78, which I installed and tested with.

It sounds like from dependency standpoint, if Wireshark uses (or can use) dependency of Npcap which has dependency on libpcap, it should be able to make use of the TLS auth feature, at least from the GUI mode of remote pcap.

I tested it on a rpcapd server with the TLS enabled (running on macOS) and used Wireshark (on Windows) as the remote client, and saw it had issues trying to connect against the TLS. For simplicity, this was testing with null auth option, just TLS enabled, though I assume TLS is meant to work with the user auth case. I have some other issues in my test setup preventing using user auth for TLS mode on the macOS host, even when testing locally via localhost routing, but TLS worked locally with null auth on the Mac.

The GUI reported error of "Can't get list of interfaces: TLS is required by this server".

Just for kicks, tried same approach from CLI with Wireshark's dumpcap, although I know that's less likely or unlikely to be expected to be used or expected to work.

From the CLI route I see error of

The capture session could not be initiated on capture device "rpcap://host:port/interface-name". (TLS is required by this server)

and when I try to use rpcaps protocol instead, I get

The capture session could not be initiated on capture device "rpcaps://host:port/interface-name". (Error opening adapter: The filename, directory name, or volume label syntax is incorrect. (123)) Please check that you have the proper interface or pipe specified.

Will Wireshark on Windows ever have working TLS/rpcaps support to match rpcapd deployments that do support TLS? Or did I do my test setup incorrectly? (e.g. must use user auth / non null auth with TLS?)

FYI, I tested locally on Mac via localhost the TLS support/functionality using tcpdump (compiled with rpcap support in libpcap, the same version used to compile rpcapd), in null auth mode.

edit retag flag offensive close merge delete

Comments

Not sure if this is related to Npcap dependency supporting SSL/TLS, so filed this to confirm: https://github.com/nmap/npcap/issues/721

cuuld gravatar imagecuuld ( 2024-03-24 22:29:40 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-24 23:04:49 +0000

Guy Harris gravatar image

Will Wireshark on Windows ever have working TLS/rpcaps support to match rpcapd deployments that do support TLS?

If either 1) somebody adds support for some native Windows TLS API to the socket code in sockutils.c (in addition to the existing OpenSSL/LibreSSL support), and that's picked up in a future version of Npcap, or 2) the Npcap people bundle an OpenSSL/LibreSSL library with Npcap, then, yes.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-23 22:41:48 +0000

Seen: 186 times

Last updated: Mar 24