rpcap interface protocol syntax for non-null authentication?

The Wireshark GUI supports rpcap for null authentication as well as username/password authentication. I tested both to work. However, it's not clear to me how the underlying mechanism in the GUI route operates, as the resulting interface string on the remote host looks like "rpcap://host:port/interface-name" regardless of null authentication or authentication in place.

So does the GUI mode cache the authentication somehow and pass the authentication in some way over the rpcap protocol whenever a capture is done with the given remote interface? I know per the wording and my trials that this appears to be kept per session in Wireshark, as you'd have to reconnect with authentication next time around to retrieve the remote interfaces if you exit and restart Wireshark. The GUI wording in the screen where you can add remote interfaces mentions "This version of Wireshark does not save remote settings".

The reason I ask about this is because I know on the CLI, Wireshark, tshark, and dumpcap have support for the remote interfaces by directly specifying the remote interface string value in the syntax mentioned above. And that works when using null authentication, but doesn't when authentication is supplied.

So is the current expectation that authenticated rpcap only works via the Wireshark GUI mode? Or is there a bug somewhere? Is this limitation because of a limitation or lack of documentation regarding the rpcap protocol for how you handle passing authentication over