Because I needed to debug the differences between printing film from the PC server and printing film directly from the device, R&D asked me to capture packets and analyze the differences between the two. I soon ran into a problem: I did not have permission to change the switch, and no port mirroring had been configured on it. So I had to find a small hub. Hubs were phased out more than ten years ago; this almost forgotten network device is a shared medium that can easily cause network incidents, and many sites do not allow it, but it is a good tool for packet capture... I searched every corner and could not find a small hub, so a colleague in Beijing sent me one by courier. Unfortunately, EMS once again lived up to the boss style of state-owned enterprises: four days passed, I waited until the flowers had withered, and my package still had not arrived. I had to find another way...
When I asked in the QQ group, someone suggested that I try remote packet capture. So I searched on Baidu and found that Wireshark has supported remote packet capture since version 1.2, so let's test Wireshark's remote packet capture... First, make sure WinPcap is installed on the remote machine whose traffic we need to capture; try to get the latest version and follow the default installation path. On the remote end, open a command prompt and switch to the WinPcap path:
C:\Program Files\WinPcap, then run rpcapd -h to see the usage of each parameter. The output is listed below:
    C:\Program Files\WinPcap>rpcapd.exe -h
    USAGE:
     rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>]
            [-n] [-v] [-d] [-s <file>] [-f <file>]

      -b <address>: the address to bind to (either numeric or literal).
          Default: it binds to all local IPv4 addresses
      -p <port>: the port to bind to. Default: it binds to port 2002
      -4: use only IPv4 (default both IPv4 and IPv6 waiting sockets are used)
      -l <host_list>: a file that keeps the list of the hosts which are allowed
          to connect to this server (if more than one, list them one per line).
          We suggest to use literal names (instead of numeric ones) in order
          to avoid problems with different address families
      -n: permit NULL authentication (usually used with '-l')
      -a <host,port>: run in active mode when connecting to 'host' on port 'port'
          In case 'port' is omitted, the default port (2003) is used
      -v: run in active mode only (default: if '-a' is specified, it accepts
          passive connections as well
      -d: run in daemon mode (UNIX only) or as a service (Win32 only)
          Warning (Win32): this switch is provided automatically when the service
          is started from the control panel
      -s <file>: save the current configuration to file
      -f <file>: load the current configuration from file; all the switches
          specified from the command line are ignored
      -h: print this help screen
After reading the parameter meanings, we need three common ones:
-l: allows remote connections to this machine; its argument (the file listing the hosts allowed to connect) is required.
-d: runs the rpcapd service in daemon mode. This parameter is required.
-n: permits NULL authentication, so that no user name and password are required to connect and capture remotely.
With these parameters, the command to run on the remote end during packet capture is:
    rpcapd -lnd
Yes, but the strange thing is that when I used netstat to check the ports open on the machine, I did not see port 2002 listening. It was strange, but whatever the ports, my work on the remote end was done. Then open Wireshark on the local machine and go to the menu:
Capture -> Options.
Click "Add Remote Interface", and the window for adding a remote interface is displayed:
Enter the remote IP address in Host; the port is 2002. If you do not know it, you can find the service port number from the rpcapd parameters above. If you did not add the -n parameter to the remote service, enter the user name and password. Click "OK". The final page should look like this:
Three NICs are shown above, because there are two NICs on the remote end and one on the local machine. Select the NIC you want to capture on and click the Start button below to begin capturing...
Haha, that is basically the whole packet-capture configuration. Attached at the end is the result of the capture:
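What the -n and -l switches above actually control is the first exchange on the TCP 2002 connection: Wireshark sends an rpcap authentication request, and rpcapd either accepts it or answers with an error. The following is an added example, not code from the original post or from WinPcap/libpcap. It encodes and decodes that request using the message layout from libpcap's rpcap-protocol.h (an 8-byte header followed by an 8-byte rpcap_auth block and the two credential strings), and then applies a constructed server-side policy that mirrors the two switches: with -n and no -l, any host that can reach port 2002 is admitted with an empty NULL-auth request and can open every interface on the machine; an -l host list refuses unlisted clients before authentication is even read. The policy function, the error strings, the sample addresses and the credential table are assumptions made for the illustration; the only thing taken from rpcapd is the wire format and the constants.

```python
"""rpcap authentication exchange (added example, modelled on libpcap's rpcap-protocol.h).

Layout (all fields network byte order):
  rpcap_header: ver(1) type(1) value(2) plen(4)
  rpcap_auth:   type(2) dummy(2) slen1(2) slen2(2), then username, then password
"""
import struct

RPCAP_HEADER = struct.Struct("!BBHI")
RPCAP_AUTH = struct.Struct("!HHHH")

RPCAP_VERSION = 0               # the WinPcap-era protocol version
RPCAP_MSG_ERROR = 1
RPCAP_MSG_AUTH_REQ = 8
RPCAP_MSG_IS_REPLY = 0x80
RPCAP_MSG_AUTH_REPLY = RPCAP_MSG_AUTH_REQ | RPCAP_MSG_IS_REPLY

RPCAP_RMTAUTH_NULL = 0          # what Wireshark sends when no credentials are entered
RPCAP_RMTAUTH_PWD = 1           # username/password, carried in cleartext


def build_auth_request(username=None, password=None):
    """Client side: the first message sent after connecting to rpcapd on port 2002."""
    if username is None and password is None:
        auth_type, user, pwd = RPCAP_RMTAUTH_NULL, b"", b""
    else:
        auth_type = RPCAP_RMTAUTH_PWD
        user = (username or "").encode()
        pwd = (password or "").encode()
    payload = RPCAP_AUTH.pack(auth_type, 0, len(user), len(pwd)) + user + pwd
    return RPCAP_HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(payload)) + payload


def parse_auth_request(data):
    """Server side: check framing and return (auth_type, username, password)."""
    if len(data) < RPCAP_HEADER.size:
        raise ValueError("short header")
    ver, msg_type, _value, plen = RPCAP_HEADER.unpack_from(data)
    if ver != RPCAP_VERSION:
        raise ValueError("unsupported rpcap version %d" % ver)
    if msg_type != RPCAP_MSG_AUTH_REQ:
        raise ValueError("expected AUTH_REQ, got message type %d" % msg_type)
    payload = data[RPCAP_HEADER.size:RPCAP_HEADER.size + plen]
    if len(payload) != plen or plen < RPCAP_AUTH.size:
        raise ValueError("truncated payload")
    auth_type, _dummy, slen1, slen2 = RPCAP_AUTH.unpack_from(payload)
    if RPCAP_AUTH.size + slen1 + slen2 != plen:
        raise ValueError("credential lengths do not match payload length")
    body = payload[RPCAP_AUTH.size:]
    return auth_type, body[:slen1].decode(), body[slen1:slen1 + slen2].decode()


def error_reply(text):
    """Constructed error message; real rpcapd also sets a PCAP_ERR_* code in the value field."""
    msg = text.encode()
    return RPCAP_HEADER.pack(RPCAP_VERSION, RPCAP_MSG_ERROR, 0, len(msg)) + msg


def server_decision(data, client_host, permit_null_auth, host_list, credentials):
    """Constructed policy mirroring the post's switches.

    permit_null_auth -> the -n switch; host_list -> the -l host list (None = no list);
    credentials -> a username: password table accepted for PWD authentication.
    Returns the reply bytes the client would receive.
    """
    # -l is enforced at accept time: an unlisted client never reaches authentication.
    if host_list is not None and client_host not in host_list:
        return error_reply("host not in allowed list")
    auth_type, user, pwd = parse_auth_request(data)
    if auth_type == RPCAP_RMTAUTH_NULL:
        if not permit_null_auth:
            return error_reply("NULL authentication not permitted")
    elif auth_type == RPCAP_RMTAUTH_PWD:
        if credentials.get(user) != pwd:
            return error_reply("authentication failed")
    else:
        return error_reply("unknown authentication type")
    return RPCAP_HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REPLY, 0, 0)


def reply_is_ok(reply):
    """True when the server answered AUTH_REPLY rather than ERROR."""
    return RPCAP_HEADER.unpack_from(reply)[1] == RPCAP_MSG_AUTH_REPLY


if __name__ == "__main__":
    # Constructed sample: rpcapd started with -n but without -l (the post's configuration)
    req = build_auth_request()
    print("unlisted host, -n, no -l :", reply_is_ok(server_decision(req, "10.0.0.99", True, None, {})))
    # Same client once an -l host list naming only the analyst's workstation is in place
    print("unlisted host, -n, -l    :", reply_is_ok(server_decision(req, "10.0.0.99", True, {"10.0.0.5"}, {})))
```

Two things the exchange makes visible: the "-n" request is sixteen bytes with no secret in it, so the only thing standing between a remote party and the capture interfaces is the host list, and a PWD request carries the user name and password as plain bytes, so those credentials are readable by anyone on the path, which is why rpcapd is best run only for the duration of the capture and only with -l.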
This article is from the blog "Are you a passer-by or a huoyuanjia"