Wireshark-users: Re: [Wireshark-users] remote capture framework
Date: Fri, 14 May 2010 02:25:42 -0400
On Thu, May 13, 2010 at 10:37:20PM -0700, Max P wrote:

> I had used rpcap for remote capture for long time few years ago. I
> even midify Wireshark that days to have access to rpcap features
> from GUI.

Cool.  :)

> Yes, rpcap daemon does not have cashing functionality. It'll sent
> packets as it captured.  Packet will be lost if you does not
> connected to rpcap daemon

I have servers at remote sites that have local interfaces that are
faster than the links to my (central) site.  Some sniffing sessions
will be faster than the link home can handle.  There are analagous
(but less severe) problems on the LAN.  So I need remote sniffers to
be able to cache the captures at native speed and spool them out at a
slower rate.

> > it doesn't seem to have a mechanism to centrally list many
> > supported devices;

> It's not clear what you mean but you can get list of available
> interfaces on remote machine via rpcap

I have a whole bunch of devices.  Before someone can list available
interfaces, they need to know which device to go to.  It would really
be nice to have a searchable list of all known devices and all known
interfaces to start with.  Although if necessary, that list could be
on a webpage somewhere rather than in wireshark.

> It was cross platformed. I have link to compiled linux version in my
> old post.

> As I remember rpcap supports user filters from Wireshark interface
> dialog.

Cool, thanks.  :)

So far, it looks like my options are rpcap, which will start on-demand
and use user filters but doesn't have remote caching, and a dumpcap
init script, which will cache remotely but won't start on demand or
use user filters.

- Morty