
Connect to rpcapd service on Windows from Linux/OSX using tshark

I have an rpcapd service running on a Windows system. I can connect to the service and start a capture session using tshark from another Windows system, but when I try the same thing from a Linux or OSX system I get:

    sudo tshark -p -w output.pcap -i "rpcap://<IP>:2002/\Device\NPF_{3C1CAC08-C702-4D89-96CB-1F2B845ACA1D}"
    shark: The capture session could not be initiated on interface 'rpcap://<IP>:2002/\Device\NPF_{3C1CAC08-C702-4D89-96CB-1F2B845ACA1D}' (No such device exists).
        Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.

The firewall is open and I can even use netcat to establish a connection on port 2002. Is this just not supported functionality or am I doing something wrong?

rich5
asked 2018-03-06 18:18:09 +0000

1 Answer

Unless tshark, on the Linux and macOS systems, is built with a version of libpcap that includes rpcap support, you will not be able to connect to the rpcapd service with tshark.

The version of libpcap that ships with macOS and with most if not all Linux distributions does not include rpcap support. You would have to get the current master branch of libpcap, configure it with --enable-remote with autotools or -DENABLE_REMOTE=YES with CMake, build it, install it in /usr/local, and build Wireshark from source, in order to get a version of Wireshark or TShark that can do the remote capture.

Guy Harris
answered 2018-03-06 19:31:52 +0000

Comments

That's very helpful. Thank you!

rich5 (2018-03-06 19:43:54 +0000)
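
The build procedure described in the answer, written out as a script. This is an added example, not part of the original answer: the repository URLs, directory names, the `DRY_RUN` switch, and the use of `CMAKE_PREFIX_PATH` to point the Wireshark build at the new libpcap are assumptions.

```shell
#!/bin/sh
# Added example: build libpcap with rpcap support, then Wireshark/TShark against it.
# Commands are only printed unless DRY_RUN=0. URLs and directory names are assumptions.
set -eu
PREFIX="${PREFIX:-/usr/local}"             # install prefix named in the answer
BUILD_SYSTEM="${BUILD_SYSTEM:-autotools}"  # autotools | cmake
DRY_RUN="${DRY_RUN:-1}"
LIBPCAP_GIT="https://github.com/the-tcpdump-group/libpcap.git"
WIRESHARK_GIT="https://gitlab.com/wireshark/wireshark.git"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_libpcap() {
    run git clone "$LIBPCAP_GIT" libpcap
    case "$BUILD_SYSTEM" in
    autotools)
        run cd libpcap
        # A fresh checkout may not contain a generated configure script.
        if [ "$DRY_RUN" = 1 ] || [ ! -x ./configure ]; then run ./autogen.sh; fi
        run ./configure --enable-remote --prefix="$PREFIX"
        run make
        run sudo make install
        run cd ..
        ;;
    cmake)
        run cmake -S libpcap -B libpcap-build -DENABLE_REMOTE=YES -DCMAKE_INSTALL_PREFIX="$PREFIX"
        run cmake --build libpcap-build
        run sudo cmake --install libpcap-build
        ;;
    *) echo "unknown BUILD_SYSTEM: $BUILD_SYSTEM" >&2; return 1 ;;
    esac
}

build_wireshark() {
    run git clone "$WIRESHARK_GIT" wireshark
    # Assumption: pointing CMake at $PREFIX lets it find the rebuilt libpcap.
    run cmake -S wireshark -B wireshark-build -DCMAKE_PREFIX_PATH="$PREFIX"
    run cmake --build wireshark-build
}

build_libpcap
build_wireshark
```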
