
rpcaps or remote pcap over TLS support in Wireshark for Windows?


I noticed libpcap 1.10.0+ added support for TLS for rpcap. I didn't dig into the details but assume that is about the new "-S" option to enable TLS and the "rpcaps://" protocol, where the option is exposed when "it has been compiled in" (which seems to be about whether a compatible (open)SSL version is installed on the system when compiling?).

Furthermore, I see that Npcap, starting in v1.20, looks to be using some form of libpcap 1.10; v1.73+ seems to use libpcap 1.10 for sure. The latest Wireshark, 4.2.3, seems to bundle Npcap 1.78, which I installed and tested with.

It sounds like, from a dependency standpoint, if Wireshark uses (or can use) Npcap as a dependency, which in turn depends on libpcap, it should be able to make use of the TLS auth feature, at least from the GUI mode of remote pcap.

I tested it on an rpcapd server with TLS enabled (running on macOS) and used Wireshark (on Windows) as the remote client, and saw it had issues trying to connect against TLS. For simplicity, this was tested with the null auth option, just TLS enabled, though I assume TLS is meant to work with the user auth case. I have some other issues in my test setup preventing the use of user auth for TLS mode on the macOS host, even when testing locally via localhost routing, but TLS worked locally with null auth on the Mac.

The GUI reported the error "Can't get list of interfaces: TLS is required by this server".

Just for kicks, I tried the same approach from the CLI with Wireshark's dumpcap, although I know that's less likely, or unlikely, to be used or expected to work.

From the CLI route I see the error

The capture session could not be initiated on capture device "rpcap://host:port/interface-name". (TLS is required by this server)

and when I try to use rpcaps protocol instead, I get

The capture session could not be initiated on capture device "rpcaps://host:port/interface-name". (Error opening adapter: The filename, directory name, or volume label syntax is incorrect. (123)) Please check that you have the proper interface or pipe specified.

Will Wireshark on Windows ever have working TLS/rpcaps support to match rpcapd deployments that do support TLS? Or did I do my test setup incorrectly (e.g. must I use user auth / non-null auth with TLS)?

FYI, I tested the TLS support/functionality locally on the Mac via localhost using tcpdump (compiled with rpcap support in libpcap, the same version used to compile rpcapd), in null auth mode.