
rpcap interface protocol syntax for non-null authentication?

The Wireshark GUI supports rpcap for null authentication as well as username password authentication. I tested both to work. However, it's not clear to me how the underlying mechanism in the GUI route operates as the resulting interface string on remote host looks like "rpcap://host:port/interface-name" regardless of null authentication or authentication in place.

So does the GUI mode cache the authentication somehow and pass the authentication in some way over the rpcap protocol whenever a capture is done with the given remote interface? I know per the wording and my trials that this appears to be kept per session in Wireshark, as you'd have to reconnect with authentication next time around to retrieve the remote interfaces if you exit and restart Wireshark. The GUI wording in the screen where you can add remote interfaces mentions "This version of Wireshark does not save remote settings".

The reason I ask about this is because I know on the CLI Wireshark, tshark, dumpcap have support for the remote interfaces by directly specifying the remote interface string value in the syntax mentioned above. And that works when using null authentication, but doesn't when authentication is supplied.

So is the current expectation that authenticated rpcap only works via the Wireshark GUI mode? Or is there a bug somewhere? Is this limitation because of a limitation or lack of documentation regarding the rpcap protocol for how you handle passing authentication over

cuuld
asked 2024-03-22 01:42:33 +0000

1 Answer


However, it's not clear to me how the underlying mechanism in the GUI route operates as the resulting interface string on remote host looks like "rpcap://host:port/interface-name" regardless of null authentication or authentication in place.

The URL is parsed by libpcap, not by Wireshark/TShark/tcpdump/whatever. It does not have to contain a user name or password - and it's unwise to put the password in the URL on the command-line, especially if somebody else can see the command line you typed.

The rpcap protocol doesn't send the URL over the wire. The initial request from the client to the server is an authentication request that includes credentials, which begin with a credential type (null or username/password) with, for username/password, the username and password, as strings, following the credential type.

Wireshark's "Manage Interfaces" dialog allows you to specify the authentication type and, for username/password authentication, allows you to specify the username and password. TShark has no corresponding mechanism.

Is this limitation because of a limitation or lack of documentation regarding the rpcap protocol for how you handle passing authentication over

No, it's due to a lack of code in TShark to, for example, respond to an "authentication failed" reply from the server, if the reason is "null authentication not permitted", to prompt for a username and password. There's no such code in tcpdump, either.

(There's no documentation for the rpcap protocol at all. I have that as a project, but I have a lot of other things as projects as well, and, sadly, new projects keep popping up. It needs to be written, because, at least at one point, there was a non-libpcap rpcap server that wasn't sending correct replies, which broke access from the libpcap client.)

Guy Harris
answered 2024-03-22 06:35:40 +0000, updated 2024-03-22 18:25:45 +0000
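The initial authentication request described in the answer above, as an added example that is not code from the page, libpcap or Wireshark: an encoder for the client's auth request and a decoder a defender can run over the first bytes of a captured rpcap TCP stream. The header and auth-body layouts and the constant values follow libpcap's rpcap-protocol.h as I understand them; treat them as an assumption and check them against that header. Decoding a request back out of a capture is the practical point: the username and password are plain strings at the start of the connection, which is why the answer warns against passing them around carelessly.

```python
import struct

# Assumed values, from libpcap's rpcap-protocol.h (not stated on the page).
RPCAP_VERSION = 0
RPCAP_MSG_AUTH_REQ = 8
RPCAP_RMTAUTH_NULL = 0
RPCAP_RMTAUTH_PWD = 1

# Every rpcap message starts with this 8-byte header, network byte order:
# version, message type, message-dependent value, payload length.
HDR = struct.Struct("!BBHI")
# Auth request payload: auth type, padding, username length, password length,
# followed by the two strings (no terminators).
AUTH = struct.Struct("!HHHH")


def build_auth_request(username=None, password=None):
    """Encode the client->server authentication request (null or username/password)."""
    if username is None:
        body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        u, p = username.encode(), (password or "").encode()
        body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(u), len(p)) + u + p
    return HDR.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


def parse_auth_request(data):
    """Decode a captured auth request and report which credential type it carries."""
    if len(data) < HDR.size:
        raise ValueError("short rpcap header")
    ver, mtype, _value, plen = HDR.unpack_from(data)
    if mtype != RPCAP_MSG_AUTH_REQ:
        raise ValueError(f"not an auth request (message type {mtype})")
    body = data[HDR.size:HDR.size + plen]
    if len(body) < AUTH.size:
        raise ValueError("truncated auth body")
    atype, _dummy, slen1, slen2 = AUTH.unpack_from(body)
    strings = body[AUTH.size:]
    if len(strings) < slen1 + slen2:
        raise ValueError("string lengths exceed payload length")
    if atype == RPCAP_RMTAUTH_NULL:
        return {"auth": "null", "version": ver}
    if atype == RPCAP_RMTAUTH_PWD:
        # The password occupies the slen2 bytes after the username, equally readable.
        return {"auth": "password", "version": ver,
                "username": strings[:slen1].decode(errors="replace"),
                "password_bytes": slen2}
    return {"auth": f"unknown({atype})", "version": ver}
```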

Comments

Thanks for the clarification. I noticed that libpcap 1.11.0/master branch includes support for user auth in the rpcap URL even though that's not advised, and verified it works in custom compiled tcpdump and rpcapd from the latest libpcap source.

It's too bad the CLI tools don't have a mechanism like the Wireshark GUI to handle auth outside of the RPCAP URL.

cuuld (2024-03-23 22:02:45 +0000)
