Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Secured way of using Wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 15 Jun 2010 21:58:46 -0700
On Jun 15, 2010, at 9:51 PM, Nagendrababu Maseedu wrote:

> There is an option to set the remote interface in the wireshark. If my understanding is correct, any wireshark user can start capturing packets from a remote machine using this option in wireshark. Am I right?

Only if

	1) the remote machine is running the service

and either

	2a) that service doesn't require any authentication

or

	2b) the user has whatever credentials (password or whatever) are necessary to access the service.

If 2a) is true, you've probably misconfigured the server, or you don't care whether arbitrary users can capture arbitrary data.

> My suggestions for this issue are....
> 1. Disable/Remove the selection of “Remote” interface in the drop down thus allowing the user to only capture packets form/to his/her Local machine.

That would prevent users *using Wireshark* from doing that.

It wouldn't prevent a user from doing that with some *other* program that uses a version of libpcap/WinPcap that supports remote packet capture.

> 2. Disable the check box “Capture packets in promiscuous mode”.

See previous comment.

> 3. In worst case, individual developers must make sure that there is no service “Remote Packet Capture Protocol” running on their local box.

If you don't want people capturing packets using your machine, either

	1) don't run that service

or

	2) run it in a mode where they need a password to access it.

> If yes, how to disable these options (on Windows XP box)?

The only way to do 1. or 2. is to download the source to Wireshark, modify it not to support remote capture or promiscuous-mode capture, and make sure everybody on your network is using that version.