This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to use dumpcap to monitor winpcap on a remote machine

0

I've been using wireshark to monitor a remote interface on a pc that is having an intermittent problem that we believe to be network related. The problem is, wireshark crashes on my win7 machine every 15 minutes or so after consuming more than a gig of RAM.

I read that wireshark actually uses dumpcap to retrieve the packet info from winpcap. Unfortunately, to my knowledge, the documentation for dumpcap doesn't explain how to use dumpcap in this manner. So I viewed the dumpcap using ProcessThreadsView to see how wireshark was accomplishing this. What i found is that it was using several undocumented switches to get the info from the remote interface and then relay that back to wireshark.

Here are the steps I took to make this work.

  1. set up winpcap on the remote machine. Be sure to start the service once it is installed.
  2. run wireshark on the local machine.
  3. go to interfaces and add a remote interface pointing to the remote machine. I had to use an account that was local to the machine, NOT a domain account as winpcap seems to want to use the local machine to validate the credentials.
  4. Note the device name/GUID for the remote interface and jot that down - you will need it later
  5. Close wireshark!
  6. From a command line, enter the following - of course swapping out the pertinent info for the IP of the remote machine, remote interface ID, username, and password

"C:\Program Files\Wireshark\dumpcap" -n -i rpcap://[10.0.0.xxx]/\Device\NPF_{8ED1D2B6-2FB7-41F7-A211-75D29414FFFF} -f "not tcp port 3389" -A username:password -w C:\Sniff\sniff_log

Note that in the documentation for dumpcap there is no mention of the -A switch to specify the UN/PW which will be necessary if your winpcap requires authorization. Happy sniffing!

asked 18 Jul '12, 11:57

eyancey's gravatar image

eyancey
1111
accept rate: 0%

edited 19 Jul '12, 10:37

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237