Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Capture from multiple remote machines

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Ozan T <ozan.tcn@xxxxxxxxx>
Date: Wed, 19 Nov 2014 10:12:34 +0200
Hi Patrick ,

Thank you, it works!

Sorry, it is my mistake I thought rpcapd and "Remote Interfaces" wer just for Windows machines. Here , I see it works well on Linux and BSD also.


Thanks again.


Ozan.

On Wed, Nov 19, 2014 at 1:09 AM, Patrick Klos <patrick@xxxxxxxx> wrote:
On 11/16/2014 7:17 PM, Ozan T wrote:
Hi all,

I am working in a company that develops network softwares. We often need to capture from multiple servers in order to see if there is a packet loss, blocked packet, or the original packet altered etc. So, everytime we capture from source and destination, then compare captures manually. ( Generally, we are not allowed to access to switch or anything that stays between source and destination )

I have searched a bit but I think it is not possible to capture from multiple machines remotely with wireshark.

 Why do you think that?

We really need this feature/tool ( Also, I discussed with some other people around me, many of them think that this feature may make things easier for them ) . One way or another we will have to develop it. If you think such a feature would be useful in wireshark, we would like to target wireshark rather than a seperate project.

Ofcourse, if this is possible with current wireshark, I would like to learn :) or if there is an ongoing project about that.

I just need an idea what you think about that feature in wireshark project, then we can plan/discuss things according to it.

 Have you tried Wireshark's "remote capture" capability.  You'd need to install "rpcapd" (from here) to run on each remote system you want to capture from.  Then in Wireshark, configure and enable all the remote interfaces in Manage Interfaces under the Capture Options window.  I just tested capturing from 2 remote sources simultaneously, and it seemed to work fine.

Basic representation of feature after our initial look :

Connect remote machines via ssh/pipe/rpcap as o now possible for single machine
Capture and merge in real time

 Depending on the load on the links you want to sniff, real-time may not be possible...

Give remote capture a try if you think it'll handle your situation?  Good luck!

Patrick Klos
Klos Technologies, Inc.
http://www.packetvault.com/


Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube