Monday, November 29, 2010

Wireshark: Remote Packet Capture, bit of Security

Wireshark/Ethereal is one of the best open source tools we have. I don't think there is anyone working in the networking domain (especially on IDS/IPS, firewalls, etc.) who doesn't know Wireshark/tcpdump. Please, I wanna see you guys/gals ;-)

There are many features available in Wireshark; here we are going to focus on remote packet capture.

You need Wireshark version 1.4.2, which comes with the new WinPcap bundled. Install it on both machines: the one where you are going to take the capture (client) and the one whose traffic we want to sniff (server). On the server, start the "Remote Packet Capture Protocol v.0 (experimental)" service, which opens TCP port 2002 on the server.

Once the service is started, run Wireshark on the client machine and go to Capture -> Options. Clicking Options opens the Capture Options window.

In this window, the Interface field in the top left corner has a drop-down menu. Select the "Remote" option from it, which pops up one more window asking for details: Host (enter the server's IP address) and Port (enter 2002).


To log on to the server and take a packet capture, we need to authenticate to the server successfully.

Under Authentication, opt for Password authentication. Null authentication is not supported and might throw an error.

Once the authentication is successful, you can select which interface on the server to sniff, if there are multiple.


Well, this is one of the awesome features Wireshark has given its users. The downside is that the login credentials traverse the network in clear text. At the least, they could have provided basic encryption/encoding to hide the password.

It also exposes all the interfaces of a multi-homed server, its IP addresses, etc.
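A detection-side check for the cleartext login described above, as an added example that is not part of the original post: it walks the RPCAP messages in a client-to-server TCP payload (port 2002) and flags password-authentication requests without ever returning the password. The header and auth field layout follows libpcap's rpcap-protocol.h and is an assumption not stated on this page; the sample bytes, user name and helper names are constructed.

```python
import struct

RPCAP_MSG_AUTH_REQ = 8          # message type: authentication request
RPCAP_RMTAUTH_NULL = 0          # null authentication
RPCAP_RMTAUTH_PWD = 1           # username/password authentication
HDR = struct.Struct("!BBHI")    # version, type, value, payload length
AUTH = struct.Struct("!HHHH")   # auth type, dummy, username len, password len


def find_cleartext_auth(stream: bytes):
    """Walk RPCAP messages in a reassembled client->server payload and
    report password-auth requests. Only the password length is reported."""
    findings, off = [], 0
    while off + HDR.size <= len(stream):
        ver, mtype, _value, plen = HDR.unpack_from(stream, off)
        body = stream[off + HDR.size: off + HDR.size + plen]
        if len(body) < plen:
            break                       # truncated message: stop, do not guess
        off += HDR.size + plen
        if mtype != RPCAP_MSG_AUTH_REQ or plen < AUTH.size:
            continue
        atype, _dummy, ulen, pwlen = AUTH.unpack_from(body)
        if atype != RPCAP_RMTAUTH_PWD or AUTH.size + ulen + pwlen > len(body):
            continue                    # null auth or inconsistent lengths
        user = body[AUTH.size:AUTH.size + ulen].decode("ascii", "replace")
        findings.append({"version": ver, "user": user, "password_len": pwlen})
    return findings


def build_auth_req(user: bytes, password: bytes, ver: int = 0) -> bytes:
    """Constructed sample message, used only to exercise the detector offline."""
    body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(user), len(password)) + user + password
    return HDR.pack(ver, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


# Constructed sample stream: a null-auth request, then a password-auth request.
NULL_AUTH = (HDR.pack(0, RPCAP_MSG_AUTH_REQ, 0, AUTH.size)
             + AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0))
SAMPLE = NULL_AUTH + build_auth_req(b"capuser", b"example-password")

if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE):
        print("cleartext RPCAP password auth: user=%(user)s "
              "password_len=%(password_len)d" % f)
```

A hit from this check on a monitored segment means the remote-capture login crossed the network unprotected, so the service port should be restricted to a management network or carried over an encrypted tunnel.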

Hope this post and feature will be very helpful for you :-)

  1. What if there is a proxy? I tried it, but... Wireshark doesn't work, I don't know why. I think there is a proxy there... thanks...

  2. What version of WinPcap are you using?
    The version should be >= the versions which I mentioned in the blog!

  3. Sorry, you FAIL. Wireshark 1.2.2 has ABSOLUTELY NO REMOTE CAPTURE OPTIONS.

  4. @Anonymous: The Wireshark version should have the updated WinPcap also.

  5. Thanks a lot, this was really helpful.
