Wireshark-dev: Re: [Wireshark-dev] Capture from multiple remote machines

From: Patrick Klos <patrick@xxxxxxxx>
Date: Tue, 18 Nov 2014 18:09:54 -0500
On 11/16/2014 7:17 PM, Ozan T wrote:
> Hi all,
>
> I am working in a company that develops network software. We often need to capture from multiple servers in order to see if there is packet loss, a blocked packet, an altered packet, etc. So every time we capture from the source and the destination, then compare the captures manually. (Generally, we are not allowed to access the switch or anything else that sits between source and destination.)
>
> I have searched a bit, but I think it is not possible to capture from multiple machines remotely with Wireshark.

Why do you think that?

> We really need this feature/tool (also, I discussed it with some other people around me, and many of them think that this feature may make things easier for them). One way or another we will have to develop it. If you think such a feature would be useful in Wireshark, we would like to target Wireshark rather than a separate project.
>
> Of course, if this is possible with current Wireshark, I would like to learn :) or if there is an ongoing project about that.
>
> I just need an idea what you think about that feature in the Wireshark project, then we can plan/discuss things according to it.

Have you tried Wireshark's "remote capture" capability? You'd need to install "rpcapd" (from here) to run on each remote system you want to capture from. Then in Wireshark, configure and enable all the remote interfaces in Manage Interfaces under the Capture Options window. I just tested capturing from 2 remote sources simultaneously, and it seemed to work fine.

> Basic representation of the feature after our initial look:
>
> Connect remote machines via ssh/pipe/rpcap as is now possible for a single machine
> Capture and merge in real time

Depending on the load on the links you want to sniff, real-time may not be possible...

Give remote capture a try if you think it'll handle your situation? Good luck!

Patrick Klos
Klos Technologies, Inc.
http://www.packetvault.com/
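The manual step Ozan describes, capturing at the source and at the destination and then comparing the two files to spot lost or altered packets, is the part that is easy to automate once the remote captures exist (whether they came from rpcapd, an ssh pipe, or a local dumpcap on each box). The script below is an added example for this thread, not code from the Wireshark project or from either participant. It assumes both captures are classic pcap files with Ethernet framing and IPv4 traffic, and that the IPv4 Identification field is unique enough within a flow to pair a sent packet with its received copy; the sample captures at the bottom are constructed in memory so it runs offline.

```python
"""Pair a sender-side and a receiver-side capture to list lost or altered packets.

Added example for the mailing-list discussion; not Wireshark project code.
Assumptions: classic pcap (not pcapng) with LINKTYPE_ETHERNET, IPv4 traffic,
and an IP Identification field that is unique enough per flow to pair packets.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Yield raw link-layer frames from an in-memory classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                            # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ipv4_key_and_digest(frame: bytes):
    """Return ((src, dst, proto, ip_id), sha256 of everything after the IP header).

    TTL and the IP header checksum legitimately change at every router hop, so
    only the transport header and data are hashed. Non-IPv4 frames return None.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack_from("!HH", ip, 2)
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    payload = ip[ihl:total_len]
    return (src, dst, proto, ip_id), hashlib.sha256(payload).hexdigest()


def index_capture(pcap: bytes) -> dict:
    """Map each IPv4 packet key to its payload digest, keeping the first copy seen."""
    index = {}
    for frame in read_pcap(pcap):
        parsed = ipv4_key_and_digest(frame)
        if parsed is not None and parsed[0] not in index:
            index[parsed[0]] = parsed[1]
    return index


def compare_captures(sender_pcap: bytes, receiver_pcap: bytes) -> dict:
    """Classify packets as lost, altered in transit, or unexpected at the receiver."""
    sent = index_capture(sender_pcap)
    received = index_capture(receiver_pcap)
    return {
        "lost": [k for k in sent if k not in received],
        "altered": [k for k in sent if k in received and received[k] != sent[k]],
        "unexpected": [k for k in received if k not in sent],
    }


# --- constructed sample data (not real traffic) -----------------------------

def build_frame(ip_id: int, ttl: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame 10.0.0.1:4000 -> 10.0.0.2:5000."""
    udp = struct.pack("!HHHH", 4000, 5000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("00163e000002") + bytes.fromhex("00163e000001") + b"\x08\x00"
    return eth + ip + udp


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame
    return bytes(out)


# The sender saw three datagrams; the receiver got #1 unchanged (TTL decremented
# in transit), never got #2, and got #3 with its data rewritten on the way.
SENDER_PCAP = build_pcap([build_frame(1, 64, b"hello"),
                          build_frame(2, 64, b"world"),
                          build_frame(3, 64, b"bye")])
RECEIVER_PCAP = build_pcap([build_frame(1, 62, b"hello"),
                            build_frame(3, 62, b"BYE!")])

if __name__ == "__main__":
    for kind, keys in compare_captures(SENDER_PCAP, RECEIVER_PCAP).items():
        print(f"{kind}: {keys}")
```

With real files, call `compare_captures(open("src.pcap", "rb").read(), open("dst.pcap", "rb").read())` on captures saved in classic pcap format (for example with tshark's `-F pcap`). Pairing on the IP Identification field is the weak point: hosts that set the ID to zero, reuse it quickly on high-rate flows, or fragment will produce false "lost" or "altered" entries, so on such traffic a per-flow sequence number (TCP sequence, RTP sequence) is a better key. Hashing everything after the IP header is what makes a NAT or a middlebox that rewrites data show up as "altered" rather than disappearing into a normal TTL change.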