There are many packet capture methods, such as local, remote, network (Tap, SPAN) and so on. We will discover how to capture packets remotely in this article.
Remote packet capture on a Windows operating system
Remote capturing on a Windows OS requires WinPcap to be installed. WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API. Thanks to its set of features, WinPcap has been the packet capture and filtering engine for many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these networking tools, like Wireshark, Nmap, Snort, and ntop, are known and used throughout the networking community.
Step-1: WinPcap comes with the older Wireshark versions by default. If you do not have it, download it from here (https://www.winpcap.org/default.htm) and install it on the remote machine. After installation, it will create a "service", which is called "Remote Packet Capture Protocol v.0 (experimental)".
Step-2: The service created by WinPcap supports two authentication methods: null (anonymous) and user-credential-based authentication. I assume you already have a user account on the remote machine; if not, create a new user on it.
Step-3: Open the "Start" menu and search for "Services", then click the top result to open the console. Find the "Remote Packet Capture Protocol v.0 (experimental)" service in the right pane.
Step-4: Double-click the service and the Properties window will open.
Step-5: Select the "Log On" tab, then the "This account" radio button. Enter your credentials and click the "Apply" button.
Step-6: Select the "General" tab, and then click the "Start" button to start the service. Click "OK" to finish. At this point, the service is up and running.
Step-7: I will start a continuous ping from the remote server (192.168.1.150) to another server (192.168.1.42) with the command below. In the next step, we will capture ping packets (ICMP) from a remote host.
C:\Users\Administrator>ping 192.168.1.42 -t
Pinging 192.168.1.42 with 32 bytes of data:
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Reply from 192.168.1.42: bytes=32 time<1ms TTL=64
Step-7: There will be no further configuration on the remote host. Launch Wireshark on the local machine and navigate to Capture → Options.
Step-8: Instead of selecting a local interface from the list, click on "Manage Interfaces". A window containing the "Local Interfaces", "Pipes" and "Remote Interfaces" tabs appears.
Step-9: Open the "Remote Interfaces" tab and click the "+" button to add the remote host information. The WinPcap service runs on port number 2002. Fill in all the fields and click "OK". Wireshark will connect to the remote host and pull the remote interface information.
I have two interfaces on the remote host. My output is below.
Click "OK" to finish adding the remote interfaces.
Step-9: Select one of the remote interfaces and click the "Start" button to start remote capturing on the interface.
Step-10: From this moment on, you see the packets captured on the remote host.
Step-11: Wireshark uses a protocol called Remote Packet Capture Protocol (RPCAP) to create a remote session. Before the packets are transferred from the remote host to the local host, the authentication mechanism kicks in, and then the local host sends parameters such as which interfaces and which filter to use.
After establishing the session, the remote host creates a new TCP connection with different source and destination ports to transfer the packets. The following Wireshark output shows the protocol stack.
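The control-channel exchange described in Step-11 can be audited from a capture of the RPCAP port (2002 above). The following is an added example, not part of the original article or of WinPcap: it walks the client-to-server bytes of one control connection and flags null authentication and password authentication, whose credentials RPCAP sends unencrypted unless the session is wrapped in TLS. The header and authentication field layouts are assumptions taken from libpcap's rpcap-protocol.h, and the sample bytes are constructed.

```python
import struct

# Assumed layouts and constants (libpcap rpcap-protocol.h, not from the article).
RPCAP_HDR = struct.Struct("!BBHI")    # version, message type, value, payload length
RPCAP_AUTH = struct.Struct("!HHHH")   # auth type, dummy, username length, password length
MSG_NAMES = {1: "ERROR", 2: "FINDALLIF_REQ", 3: "OPEN_REQ", 4: "STARTCAP_REQ",
             5: "UPDATEFILTER_REQ", 6: "CLOSE", 7: "PACKET", 8: "AUTH_REQ"}
AUTH_NULL, AUTH_PWD = 0, 1


def audit_rpcap_stream(stream):
    """Walk reassembled client-to-server RPCAP bytes and return one finding per message."""
    findings, offset = [], 0
    while offset + RPCAP_HDR.size <= len(stream):
        ver, mtype, _value, plen = RPCAP_HDR.unpack_from(stream, offset)
        start = offset + RPCAP_HDR.size
        body = stream[start:start + plen]
        if len(body) < plen:
            findings.append({"msg": "TRUNCATED", "risk": "incomplete message"})
            break
        entry = {"msg": MSG_NAMES.get(mtype, "type %d" % mtype), "version": ver, "risk": None}
        if mtype == 8 and plen >= RPCAP_AUTH.size:
            atype, _dummy, user_len, pw_len = RPCAP_AUTH.unpack_from(body)
            if atype == AUTH_NULL:
                entry["risk"] = "null authentication: any client that reaches the port can capture"
            elif atype == AUTH_PWD:
                user = body[RPCAP_AUTH.size:RPCAP_AUTH.size + user_len]
                entry["user"] = user.decode("ascii", "replace")
                # The password follows the username unencrypted; only its length is reported.
                entry["risk"] = "cleartext credentials on the wire (%d-byte password)" % pw_len
        findings.append(entry)
        offset = start + plen
    return findings


def build_msg(mtype, payload=b""):
    """Build a constructed RPCAP v0 message for the sample below."""
    return RPCAP_HDR.pack(0, mtype, 0, len(payload)) + payload


# Constructed sample: a password-auth request followed by an interface-list request.
SAMPLE = (build_msg(8, RPCAP_AUTH.pack(AUTH_PWD, 0, 7, 8) + b"capuser" + b"Passw0rd")
          + build_msg(2))

if __name__ == "__main__":
    for finding in audit_rpcap_stream(SAMPLE):
        print(finding)
```

Either finding is a reason to restrict who can reach port 2002 on the remote host, for example by firewall rule or by tunnelling the session.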
Remote packet capture on Linux (Kali)
Wireshark is not installed with the SSHdump tool by default; this tool enables you to capture packets on a remote Linux distro. I have the Wireshark-win64-3.0.3 version, and I will remove it and reinstall it to demonstrate the capture.
Step-1: Start Wireshark installation/reinstallation process.
Step-2: Expand the "Tools" tree in the "Choose Components" window.
Step-3: Select "SSHdump" from the tool list and click "Next".
Step-4: Finish the installation.
Step-5: Launch Wireshark and you will see some new tools such as "Cisco remote capture" and "SSH remote capture".
Step-6: Click "SSH remote capture" and the following window opens. Select the "Server" tab and type the remote server IP address and SSH port.
Step-7: Select the "Authentication" tab and enter the user credentials. Since Wireshark runs the "tcpdump -U -i 'eth0' -w - ''" command, it requires root privileges.
Step-8: Select the "Capture" tab and enter the remote interface. The form lets you enter the command to be run. You can use "sudo" on the remote machine when you are not root. A remote capture filter can also be specified here.
Step-9: Select the "Debug" tab and check "Run in debug mode", then name a file to store all the debug logs. When there is a problem, we can take a look at the log file to understand it. The file is located in the Wireshark base directory.
Step-10: Click the "Start" button to start the remote capture. Unfortunately, I got the error below, which says my Wireshark does not support the cipher suites the remote host is negotiating.
You can see the same logs in the debug file as well. My output is below.
Step-11: There are two methods to fix this problem. The first option is to modify the parameter on the remote host, while the second option is to install a newer Wireshark version. I will go with the second solution and install Wireshark-win64-3.6.2.
Step-12: After installation, it worked without any trouble. I pinged the remote machine from another host. The output is below.
Up to this point, we have used two different platforms (Windows and Linux) to capture packets remotely. I already explained how things work when the remote machine runs Windows. Capturing from Linux uses a different method. First, Wireshark uses the SSHdump tool to connect to the host. After that, it makes the host run the "tcpdump" tool with some parameters. Tcpdump listens on the interface and captures the packets. Then the packets are transferred through the SSH session.
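What travels back through the SSH session is the pcap byte stream that "tcpdump -U -w -" writes to its standard output. The following added example (not code from the article or from Wireshark) reads such a stream record by record, rejects input that does not start with the pcap magic (for instance when shell startup output is mixed into stdout), and tolerates a final packet cut off when the session closes. The sample stream is constructed, and Ethernet framing is assumed for the ICMP check.

```python
import io
import struct

# Magic bytes of classic microsecond pcap, mapped to struct byte-order prefixes.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def read_pcap_stream(stream):
    """Yield (timestamp, frame) pairs from the byte stream `tcpdump -w -` emits."""
    magic = stream.read(4)
    if magic not in PCAP_MAGIC:
        raise ValueError("not pcap: something other than tcpdump wrote to stdout")
    endian = PCAP_MAGIC[magic]
    rest = stream.read(20)
    if len(rest) < 20:
        raise ValueError("truncated pcap file header")
    _major, _minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack(endian + "HHiIII", rest)
    while True:
        record = stream.read(16)
        if len(record) < 16:
            return                      # session closed between packets
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", record)
        if caplen > snaplen:
            raise ValueError("record exceeds snaplen: stream is corrupt")
        frame = stream.read(caplen)
        if len(frame) < caplen:
            return                      # last packet cut off mid-transfer
        yield sec + usec / 1e6, frame


def is_icmp(frame):
    """True for an Ethernet II frame carrying IPv4 with protocol 1 (ICMP)."""
    return len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 1


# Constructed sample: file header, one ICMP echo request, one record cut short.
_ETH = b"\x00" * 12 + b"\x08\x00"
_IP = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0, 192, 168, 1, 150, 192, 168, 1, 42])
_FRAME = _ETH + _IP + b"\x08\x00" + b"\x00" * 6
SAMPLE = (struct.pack("<4sHHiIII", b"\xd4\xc3\xb2\xa1", 2, 4, 0, 0, 262144, 1)
          + struct.pack("<IIII", 1650000000, 500000, len(_FRAME), len(_FRAME)) + _FRAME
          + struct.pack("<IIII", 1650000001, 0, 42, 42) + _FRAME[:10])

if __name__ == "__main__":
    for ts, frame in read_pcap_stream(io.BytesIO(SAMPLE)):
        print(ts, len(frame), "ICMP" if is_icmp(frame) else "other")
```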
Final thoughts
Capturing packets on a local machine may not be the best method when you need to troubleshoot in real time. Capturing the packets on the remote machine and then transferring them to another machine for analysis with tools like Wireshark takes more time. Besides that, not all machines have Wireshark installed. Remote packet capturing can be useful in such cases. Linux-based machines require an SSH connection and the tcpdump tool, while Windows operating systems only need the WinPcap library installed for remote packet capturing.
Can we have a connection between a Linux host (which has the device connected) and Windows?
If I’m not mistaken, for the user authentication example given here for remote packet capture service on Windows, keep in mind the user information given is not encrypted and sent over the network in plain text. For encryption you’d need TLS support which was recently added to libpcap but not yet available to use with Npcap and hence Wireshark on Windows as well. The TLS support is only for *nix platforms, including macOS.
Perhaps it is either because of this security concern, or the simplicity of null authentication that most examples online elsewhere about remote packet capture on Wireshark present the null authentication option being used.
It seems the remote packet capture service is not to be found on Windows 11. Any suggestions?
For Windows 11, to get the remote packet capture service, you will have to compile the service (rpcapd.exe) from source code, following this: https://github.com/the-tcpdump-group/libpcap/blob/master/doc/README.windows.md. This also applies to Windows 10 and other Windows versions when you are not using WinPcap but Npcap instead.
And to complete the deployment of the service, read this article: https://omnine.blogspot.com/2020/08/wireshark-remote-capture-with-rpcapd.html.