Use Wireshark to capture packets remotely in Windows

Source: Internet
Author: User

Because R&D needed to debug the differences between printing through the PC server and printing directly from the device, they asked me to capture packets and analyze the differences between the two. I soon ran into a problem: I did not have permission to change the switch, and no mirror port had been configured on it. So I had to find a small hub. Hubs were phased out more than ten years ago; this almost forgotten network device is a shared medium that can easily cause network accidents, and many sites do not allow it, but it is a good tool for network packet capture... I searched every corner and could not find a small hub. In the end, a colleague in Beijing sent me one by courier. Unfortunately, EMS once again displayed the boss style of a state-owned enterprise: four days passed, I waited until the flowers withered, and my parcel still had not arrived. I had to find another way...

When I asked in the QQ group, someone suggested that I try remote packet capture. So I searched on Baidu and found that Wireshark has supported remote packet capture since version 1.2, so let's test Wireshark's remote packet capture... First, make sure that WinPcap is installed on the remote machine whose traffic we want to capture; use the latest version you can find and accept the default installation path. On the remote end, open a command prompt and change to the WinPcap directory, C:\Program Files\WinPcap, then run rpcapd -h to see what each parameter does. The output is listed below:
  C:\Program Files\WinPcap>rpcapd.exe -h
  USAGE:
   rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>]
          [-n] [-v] [-d] [-s <file>] [-f <file>]

    -b <address>: the address to bind to (either numeric or literal).
        Default: it binds to all local IPv4 addresses
    -p <port>: the port to bind to. Default: it binds to port 2002
    -4: use only IPv4 (default both IPv4 and IPv6 waiting sockets are used)
    -l <host_list>: a file that keeps the list of the hosts which are allowed
        to connect to this server (if more than one, list them one per line).
        We suggest to use literal names (instead of numeric ones) in order
        to avoid problems with different address families
    -n: permit NULL authentication (usually used with '-l')
    -a <host,port>: run in active mode when connecting to 'host' on port 'port'
        In case 'port' is omitted, the default port (2003) is used
    -v: run in active mode only (default: if '-a' is specified, it accepts
        passive connections as well
    -d: run in daemon mode (UNIX only) or as a service (Win32 only)
        Warning (Win32): this switch is provided automatically when the service
        is started from the control panel
    -s <file>: save the current configuration to file
    -f <file>: load the current configuration from file; all the switches
        specified from the command line are ignored
    -h: print this help screen
After reading the parameter meanings, we need three of them: -l allows remote connections to this machine from the hosts listed in the file given as its argument (the argument is required); -d runs the rpcapd service in daemon/service mode (required); -n means that no user name and password are needed for remote capture. With these parameters, the command to run on the remote end during capture is rpcapd -lnd. But the strange thing is that when I used netstat to check the ports open on the machine, I did not find port 2002 listening. It was odd, but whether or not the port showed up, I was done here. Next, open Wireshark on the local machine and go to the menu: Capture --- Options.
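The three switches above decide who may capture traffic from the remote machine, so it is worth checking the command line before starting the service. The following is an added example, not code from WinPcap or Wireshark: a small model of rpcapd's getopt-style parsing (the option string is assumed from the -h output above) that builds a host-restricted argument list, writes the -l host list file, and flags a weak or broken invocation, including what happens when flags are combined into one token such as -lnd.

```python
import getopt
import os
from typing import Dict, Iterable, List

# Assumed option string, derived from the 'rpcapd -h' output quoted above:
# a ':' marks an option that takes an argument. Illustrative only, not WinPcap code.
RPCAPD_OPTSTRING = "b:p:46l:na:vds:f:h"

def parse_rpcapd_args(argv: List[str]) -> Dict[str, str]:
    """Parse argv as a getopt-style parser does; plain flags map to ''."""
    # e.g. ['-lnd'] -> {'-l': 'nd'}: -n and -d are swallowed as the file name
    opts, _positional = getopt.getopt(argv, RPCAPD_OPTSTRING)
    return dict(opts)

def write_host_list(path: str, hosts: Iterable[str]) -> str:
    """Write the -l host list: one permitted client per line, literal names preferred."""
    with open(path, "w", encoding="ascii") as fh:
        for host in hosts:
            fh.write(host.strip() + "\n")
    return path

def build_rpcapd_args(host_list: str, null_auth: bool = False,
                      as_service: bool = True, port: int = 2002) -> List[str]:
    """Build an argv that limits callers to host_list, each option as its own token."""
    argv = ["-l", host_list, "-p", str(port)]
    if null_auth:
        argv.append("-n")   # skipping credentials is only tolerable behind -l
    if as_service:
        argv.append("-d")
    return argv

def audit_rpcapd_args(argv: List[str]) -> List[str]:
    """Return findings for an rpcapd invocation; an empty list means it looks sane."""
    opts = parse_rpcapd_args(argv)
    findings = []
    if "-n" in opts and "-l" not in opts:
        findings.append("-n without -l: any host that can reach the port "
                        "may capture traffic without credentials")
    if "-l" in opts and not os.path.isfile(opts["-l"]):
        findings.append(f"host list file '{opts['-l']}' not found; check that "
                        "-l was given its own argument")
    if "-d" not in opts:
        findings.append("-d missing: rpcapd is not started as a service")
    return findings
```

The host name in the test below is a constructed placeholder; after verifying the argument list, confirm the listener with netstat as the article does.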

Click "Add Remote Interface", and the window for adding a remote interface is displayed:

 

Enter the remote machine's IP address in the Host field and 2002 in the Port field. If you do not know the port, the service port number can be found in the rpcapd parameters above. If you did not start the remote service with the -n parameter, also enter the user name and password. Click "OK". The final page should look like this:

 

The above shows three NICs, because I have two NICs on the remote end and one on the local machine. Select the NIC you want to capture on and click the Start button below to begin packet capture...

Haha, that is basically all there is to configuring remote packet capture; a screenshot of the capture result is attached at the end:

 

This article is from the blog "Are you a passer-by or a huoyuanjia"
