This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote Capture in Windows XP

1

I'm using Wireshark 1.4.4 and the remote system has WinPcap rpcapd version 4.1.2 installed. rpcapd.exe -n is running on the remote PC and the corresponding service is on too. I tried many options to do a 'remote capture' from Wireshark, as below, but none of them seems to work.

Interface: Remote, and I tried the options below:

  • rpcap://IPADDRESS/\Device\NPF_{INTERFACE INFORMATION}
  • rpcap://IPADDRESS//\Device\NPF_{INTERFACE INFORMATION} (another try)
  • ://IPADDRESS//\Device\NPF_{INTERFACE INFORMATION} (another try)
  • and many more tries.

In the pop-up window for Host information I tried both the IP and the hostname, with port 2002 and without it. I have admin rights as well. I'm getting the error "Can't get the list of interfaces: Logon failure - unknown username/pwd" (I'm using the domain admin pwd and not local admin - hope this will work). I'm able to telnet to port 2002 on the destination PC. Could any of you provide some clue to make this work? Should I try some other version of WinPcap or Wireshark? Any known issues in capturing remotely?

asked 05 Mar '11, 04:27

joes77
accept rate: 0%

edited 05 Mar '11, 04:30


4 Answers:

2

Here's a setup that I use, which you might try (instructions are based on Windows XP Professional SP3 using Wireshark 1.4.2 and WinPcap 4.1.2):

On the machine running the remote packet capture daemon:

  1. Create a local user account for remote capture authentication: Start -> Control Panel -> User Accounts -> Create a new account -> Advanced -> Advanced -> Users (right-click) -> New User -> [Fill in details] -> Create.
  2. Configure rpcapd as a service: Start -> Administrator Tools -> Services -> Remote Packet Capture Protocol v.0 (experimental) (right-click) -> Properties -> Log On -> This account -> [Fill in the account details from step 1] -> OK.
  3. Start rpcapd as a service: Start -> Administrator Tools -> Services -> Remote Packet Capture Protocol v.0 (experimental) (right-click) -> Start.

On the machine running Wireshark:

  1. Configure the capture options: Capture -> Options -> Interface -> Remote -> [Fill in details]* -> OK.
  2. Choose the remote interface: On the capture options window, the remote interfaces are in the drop-down list in the upper right corner. Pick the one you need.
  3. Choose the remainder of your capture options, including remote settings, as needed, then choose Start.

*NOTES:

  • The Host is filled in as the remote IP address only, with no rpcap:// prefix or anything else.
  • It is not necessary to fill out the port unless you have changed it on the remote machine from the default of 2002.
  • Choose Password Authentication, then fill in the remote username and password credentials.

For more information on WinPcap remote packet capturing, try here.

answered 07 Mar '11, 19:21

cmaynard ♦♦
accept rate: 20%
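What the "Password Authentication" setting above actually puts on the wire is worth seeing once, because it explains both the "Logon failure" error in the question and why a dedicated local account is the right thing to create in step 1. The following is an added example, not code from the page or from WinPcap: it encodes the rpcap authentication request, decodes the daemon's reply, and shows that the username and password travel in clear text on TCP port 2002 (this protocol version has no transport encryption, so anyone on the path can read the credentials; running "rpcapd -n" instead disables authentication entirely, so anyone who can reach port 2002 can capture). The message layout follows the public rpcap protocol definitions (rpcap_header and rpcap_auth); the host name, the account "rpcapuser", its password and the daemon replies are constructed for the example and are not taken from the original page.

```python
"""Encode and decode the rpcap authentication exchange used by WinPcap's
rpcapd on TCP port 2002. Field layout follows the public rpcap protocol
definitions (rpcap_header and rpcap_auth). Host, account name and the
daemon replies below are constructed for this example, not taken from the
original page."""
import socket
import struct

RPCAP_VERSION = 0
RPCAP_MSG_ERROR = 1            # daemon refused the request; payload is the text
RPCAP_MSG_FINDALLIF_REQ = 2    # what Wireshark sends next to list interfaces
RPCAP_MSG_AUTH_REQ = 8
RPCAP_MSG_IS_REPLY = 0x80
RPCAP_MSG_AUTH_REPLY = RPCAP_MSG_AUTH_REQ | RPCAP_MSG_IS_REPLY

RPCAP_RMTAUTH_NULL = 0         # what "rpcapd -n" accepts: no credentials at all
RPCAP_RMTAUTH_PWD = 1          # "Password Authentication" in the Wireshark dialog

HEADER = struct.Struct("!BBHI")   # ver, type, value, plen (network byte order)
AUTH = struct.Struct("!HHHH")     # type, dummy, slen1, slen2


def build_auth_request(username=None, password=None):
    """Encode an RPCAP_MSG_AUTH_REQ. The username and password are sent in
    clear text: there is no transport encryption in this protocol version."""
    if username is None:
        body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        user = username.encode("latin-1")
        pwd = (password or "").encode("latin-1")
        body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(user), len(pwd)) + user + pwd
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


def parse_reply(data):
    """Decode the daemon's answer to the auth request.

    Returns ("ok", None) for RPCAP_MSG_AUTH_REPLY and ("error", text) for
    RPCAP_MSG_ERROR; the text is what Wireshark shows after
    "Can't get the list of interfaces:". Raises on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("short rpcap header")
    ver, mtype, value, plen = HEADER.unpack_from(data)
    if ver != RPCAP_VERSION:
        raise ValueError("unsupported rpcap version %d" % ver)
    payload = data[HEADER.size:HEADER.size + plen]
    if len(payload) != plen:
        raise ValueError("truncated rpcap payload")
    if mtype == RPCAP_MSG_AUTH_REPLY:
        return ("ok", None)
    if mtype == RPCAP_MSG_ERROR:
        # 'value' carries the numeric error code; the payload is the message.
        return ("error", payload.decode("latin-1"))
    raise ValueError("unexpected rpcap message type 0x%02x" % mtype)


def make_error_reply(text):
    """Constructed daemon reply (stands in for a live rpcapd refusing us)."""
    body = text.encode("latin-1")
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_ERROR, 0, len(body)) + body


def make_auth_ok_reply():
    """Constructed daemon reply: authentication accepted, empty payload."""
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REPLY, 0, 0)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("rpcapd closed the connection")
        buf += chunk
    return buf


def authenticate(host, username=None, password=None, port=2002, timeout=5.0):
    """Run the exchange against a real daemon (needs network access). Use the
    host and the local account you configured in the steps above."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_auth_request(username, password))
        hdr = recv_exact(sock, HEADER.size)
        plen = HEADER.unpack(hdr)[3]
        return parse_reply(hdr + recv_exact(sock, plen))


if __name__ == "__main__":
    # Offline walk-through with constructed replies; no daemon needed.
    req = build_auth_request("rpcapuser", "S3cret!")   # hypothetical account
    print("request bytes:", req.hex())
    print("password readable on the wire:", b"S3cret!" in req)
    print(parse_reply(make_error_reply("Logon failure - unknown username/pwd")))
    print(parse_reply(make_auth_ok_reply()))
```

Because the password is readable by anyone who can see the traffic, give the account from step 1 no rights beyond what rpcapd needs and do not reuse a domain administrator's password for it; the daemon checks the credentials against the capture host's own accounts, which is also why a local account is what the steps above create.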

0

Did you try this:
rpcap://IPADDRESS/\Device\NPF_{INTERFACE INFORMATION}

BTW
I'm running Wireshark version 1.5.0 and WinPcap version 4.1.2.

answered 05 Mar '11, 07:44

joke
accept rate: 9%

edited 05 Mar '11, 07:50

0

"...the error 'Can't get the list of interfaces: Logon failure - unknown username/pwd' (I'm using the domain admin pwd and not local admin - hope this will work)."

Sounds like a clue, doesn't it?

answered 05 Mar '11, 08:07

Jaap ♦
accept rate: 14%

0

Hey guys, it worked: Wireshark 1.4.4 & rpcap 4.1.0.2001. Not sure why it did not work before; I ran Wireshark as Admin from a normal user account before. This time I logged in as Admin. Maybe because of this. Thanks anyway for your help.

answered 20 Mar '11, 22:35

joes77
accept rate: 0%

edited 20 Mar '11, 22:36