Steps to perform Remote Packet Capture with Wireshark



Author: Celal Dogan
Reviewer: Deepak Prasad

There are many packet capture methods, such as local, remote, network (TAP, SPAN) and so on. This article shows how to capture packets remotely.

 

Remote packet capture on a Windows operating system

Remote capturing on a Windows OS requires installing the WinPcap tool. WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API. Thanks to its set of features, WinPcap has been the packet capture and filtering engine for many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these networking tools, like Wireshark, Nmap, Snort, and ntop, are known and used throughout the networking community.

 

Step-1: WinPcap is installed by default with older Wireshark versions. If you do not have it, download it from https://www.winpcap.org/default.htm and install it on the remote machine. After installation, it creates a service called "Remote Packet Capture Protocol v.0 (experimental)".

Step-2: The service created by WinPcap supports two authentication methods: null (anonymous) and user-credential-based authentication. I assume you already have a user account on the remote machine; if not, create a new user on it.

Step-3: Open the "Start" menu and search for "Services", then click the top result to open the console. Find the "Remote Packet Capture Protocol v.0 (experimental)" service in the right pane.

Step-4: Double-click the service; the Properties window opens.

Step-5: Select the "Log On" tab, then the "This account" radio button. Enter your credentials and click the "Apply" button.

Step-6: Select the "General" tab, then click the "Start" button to start the service. Click "OK" to finish. At this point, the service is up and running.

Step-7: I will start a continuous ping from the remote server (192.168.1.150) to another server (192.168.1.42) with the command below.  In the next step, we will capture ping packets (ICMP) from a remote host.

C:\Users\Administrator>ping 192.168.1.42 -t
Pinging 192.168.1.42 with 32 bytes of data:
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64

Step-7: No further configuration is needed on the remote host. Launch Wireshark on the local machine and navigate to Capture → Options.

Step-8: Instead of selecting a local interface from the list, click on "Manage Interfaces". A window containing "Local Interfaces", "Pipes" and "Remote Interfaces" tabs appears.

Step-9: Open the "Remote Interfaces" tab and click the "+" button to add the remote host information. The WinPcap service runs on port 2002. Fill in all the fields and click "OK". Wireshark will connect to the remote host and pull the remote interface information.

I have two interfaces on the remote host. My output is below.

Click "OK" to finish adding the remote interfaces.

Step-9: Select one of the remote interfaces and click "Start" button to start remote capturing on the interface.

Step-10: From this point on, you see the packets captured on the remote host.

Step-11: Wireshark uses a protocol called Remote Packet Capture Protocol (RPCAP) to create a remote session. Before any packets are transferred from the remote host to the local host, authentication takes place, and then the local host sends parameters such as which interface and which capture filter to use.

After the session is established, the remote host creates a new TCP connection, with different source and destination ports, to transfer the packets. The following Wireshark output shows the protocol stack.
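
The control exchange described in Step-11 can also be inspected offline. The following is an added example, not part of the original article: it walks RPCAP control messages using the header layout from libpcap's rpcap-protocol.h and reports which authentication type the client used, since without TLS the password type carries the user name and password in the clear. The sample bytes, `capuser` and the placeholder password are constructed.

```python
import struct

# Layout and constants as in libpcap's rpcap-protocol.h; all fields are big-endian.
HDR = struct.Struct("!BBHI")    # version, message type, value, payload length
AUTH = struct.Struct("!HHHH")   # auth type, dummy, user-name length, password length
NAMES = {1: "ERROR", 2: "FINDALLIF", 3: "OPEN", 4: "STARTCAP", 5: "UPDATEFILTER",
         6: "CLOSE", 7: "PACKET", 8: "AUTH", 9: "STATS", 10: "ENDCAP"}
IS_REPLY, AUTH_NULL, AUTH_PWD = 0x80, 0, 1


def walk(stream: bytes):
    """Yield (name, is_reply, payload) for each message of an RPCAP control stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < HDR.size:
            raise ValueError("truncated RPCAP header")
        _ver, mtype, _value, plen = HDR.unpack_from(stream, off)
        off += HDR.size
        if len(stream) - off < plen:
            raise ValueError("payload shorter than the header claims")
        name = NAMES.get(mtype & 0x7F, "UNKNOWN")   # bit 7 only marks a reply
        yield name, bool(mtype & IS_REPLY), stream[off:off + plen]
        off += plen


def audit_auth(stream: bytes) -> list:
    """Describe how the client authenticated: lengths only, never the secrets."""
    findings = []
    for name, is_reply, payload in walk(stream):
        if name != "AUTH" or is_reply:
            continue
        if len(payload) < AUTH.size:
            raise ValueError("truncated authentication request")
        atype, _dummy, ulen, plen = AUTH.unpack_from(payload)
        if atype == AUTH_NULL:
            findings.append("null authentication: no credentials required")
        elif atype == AUTH_PWD:
            findings.append(f"cleartext password authentication: {ulen}-byte "
                            f"user name and {plen}-byte password on the wire")
    return findings


def build(mtype: int, payload: bytes = b"") -> bytes:
    return HDR.pack(0, mtype, 0, len(payload)) + payload   # version 0, value 0


# Constructed sample: password login, server reply, then an interface-list request.
USER, PASSWORD = b"capuser", b"placeholder-secret"
SAMPLE = (build(8, AUTH.pack(AUTH_PWD, 0, len(USER), len(PASSWORD)) + USER + PASSWORD)
          + build(8 | IS_REPLY) + build(2))
```

Run `audit_auth()` over the reassembled client-to-server bytes of a port 2002 session to check whether a deployment exposes credentials or accepts anonymous captures.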

Remote packet capture on Linux (Kali)

A default Wireshark installation does not include the SSHdump tool, which enables you to capture packets on a remote Linux distribution. I have Wireshark-win64-3.0.3 installed, and I will remove and reinstall it to demonstrate the capture.

Step-1: Start Wireshark installation/reinstallation process.

Step-2: Expand the "Tools" tree in the "Choose Components" window.

Step-3: Select "SSHdump" from the tool list and click "Next".

Step-4: Finish the installation.

Step-5: Launch Wireshark and you will see some new tools such as "Cisco remote capture" and "SSH remote capture".

Step-6: Click "SSH remote capture" and the following window opens. Select the "Server" tab and type the remote server IP address and SSH port.

Step-7: Select the "Authentication" tab and enter the user credentials. Since Wireshark runs the command "tcpdump -U -i 'eth0' -w - ''", it requires root privileges.

Step-8: Select the "Capture" tab and enter the remote interface. The form lets you enter the command to be run. You can use "sudo" on the remote machine when you are not root. A remote capture filter can also be specified here.

Step-9: Select the "Debug" tab and check "Run in debug mode", then name a file to store all the debug logs. When there is a problem, we can look at the log file to understand it. The file is located in the Wireshark base directory.

Step-10: Click the "Start" button to start the remote capture. Unfortunately, I got the error below, which says my Wireshark does not support the cipher suites the remote host is negotiating.

You can see the same logs in the debug file as well. My output is below.

Step-11: There are two methods to fix this problem. The first option is to modify the parameter on the remote host, while the second option is to install a newer Wireshark version. I will go with the second solution and install Wireshark-win64-3.6.2.

Step-12:  After installation, it worked without any trouble. I pinged the remote machine from another host. The output is below.

Up to this point, we have used two different platforms (Windows and Linux) to capture packets remotely. I have already explained how things work when the remote machine runs Windows. Capturing from Linux uses a different method. First, Wireshark uses the SSHdump tool to connect to the host. After that, it makes the host run the "tcpdump" tool with some parameters. Tcpdump listens on the interface and captures the packets. Then the packets are transferred through the SSH session.
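
The same pipeline can be assembled by hand, which shows why the command and filter fields in Step-8 deserve care. The following is an added example, not from the original article or from Wireshark: it builds the tcpdump command quoted in Step-7 from an interface and an optional capture filter, quotes it for the remote shell, and excludes the SSH session that carries the capture. The function names, `capuser` and the 192.0.2.x addresses are assumptions.

```python
import ipaddress
import re
import shlex

# Linux interface names are at most 15 characters; allow only a conservative set.
IFNAME = re.compile(r"[A-Za-z0-9_.:-]{1,15}")


def remote_tcpdump(interface, client_ip, capture_filter="", ssh_port=22, use_sudo=False):
    """Return the command string to run on the remote host through SSH."""
    if not IFNAME.fullmatch(interface):
        raise ValueError(f"refusing interface name {interface!r}")
    if not 0 < ssh_port < 65536:
        raise ValueError("invalid SSH port")
    client = ipaddress.ip_address(client_ip)   # raises ValueError on bad input
    # Leave out the SSH session that carries the capture; otherwise each
    # forwarded packet is captured again and the capture feeds on itself.
    exclude = f"not (host {client} and tcp port {ssh_port})"
    bpf = f"({capture_filter}) and {exclude}" if capture_filter.strip() else exclude
    argv = ["tcpdump", "-U", "-i", interface, "-w", "-", bpf]
    if use_sudo:
        argv = ["sudo", "-n"] + argv   # -n: fail rather than prompt for a password
    # The remote shell parses this string, so quote every argument.
    return " ".join(shlex.quote(a) for a in argv)


def local_ssh_argv(user, host, remote_cmd, ssh_port=22):
    """Return the argv for the local ssh client; no local shell is involved."""
    return ["ssh", "-p", str(ssh_port), f"{user}@{host}", remote_cmd]


# Constructed values: documentation-range addresses and a made-up account.
REMOTE_CMD = remote_tcpdump("eth0", "192.0.2.10", "icmp", use_sudo=True)
SSH_ARGV = local_ssh_argv("capuser", "192.0.2.20", REMOTE_CMD)

if __name__ == "__main__":
    print(REMOTE_CMD)
    print(SSH_ARGV)
```

Piping the standard output of that ssh process into `wireshark -k -i -` gives a live view comparable to the SSHdump capture.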

 

Final thoughts

Capturing packets locally on a machine may not be the best method when you need to troubleshoot in real time: capturing the packets on the remote machine and then transferring them to another machine for analysis with tools like Wireshark takes more time. Besides that, not all machines have Wireshark installed. Remote packet capturing is useful in such cases. Linux-based machines require an SSH connection and the tcpdump tool, while the Windows operating system only needs the WinPcap library installed for remote packet capturing.

 

References

https://www.winpcap.org/default.htm

 

4 thoughts on “Steps to perform Remote Packet Capture with Wireshark”

  1. If I’m not mistaken, for the user authentication example given here for remote packet capture service on Windows, keep in mind the user information given is not encrypted and sent over the network in plain text. For encryption you’d need TLS support which was recently added to libpcap but not yet available to use with Npcap and hence Wireshark on Windows as well. The TLS support is only for *nix platforms, including macOS.

    Perhaps it is either because of this security concern, or the simplicity of null authentication that most examples online elsewhere about remote packet capture on Wireshark present the null authentication option being used.
