Wireshark-users: Re: [Wireshark-users] remote capture framework
From: Max P <addax.ws@xxxxxxxxx>
Date: Thu, 13 May 2010 22:37:20 -0700
I used rpcap for remote capture for a long time a few years ago. I even modified
Wireshark in those days to have access to rpcap features from the GUI. You can search for
"Experimental WireShark version with user interface list and remote capture (RPCAP) support"
in this mailing list. I have links to my version there.
My answers are based on that experience. I do not think much has changed in that area.


I have a whole bunch of hosts at various WAN sites that are used for
remote captures.  Right now, people log in to them remotely and kick
off tcpdump or wireshark on the host itself.  I'd like to get away
from that.  I'm willing to develop something myself, but prefer to not
reinvent the wheel.  rpcap looks like a step in the right direction.
But it seems to be a streaming solution, which is bad over a WAN;

Yes, the rpcap daemon does not have caching functionality. It will send packets as they are captured.
Packets will be lost if you are not connected to the rpcap daemon.
 
it doesn't seem to have a mechanism to centrally list many supported
devices;

It's not clear what you mean, but you can get a list of available interfaces on the remote
machine via rpcap.
 
and it doesn't seem very cross-platform. 

It was cross-platform. I have a link to a compiled Linux version in my old post.
The Windows version always comes with WinPcap.

 
For our environment, might be better if people could
specify their packet filters and start captures on-demand.

As I remember, rpcap supports user filters from the Wireshark interface dialog.

Max