Wireshark-users: Re: [Wireshark-users] Secured way of using Wireshark
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 15 Jun 2010 21:58:46 -0700
On Jun 15, 2010, at 9:51 PM, Nagendrababu Maseedu wrote:

> There is an option to set the remote interface in Wireshark. If my understanding is correct, any Wireshark user can start capturing packets from a remote machine using this option in Wireshark. Am I right?

Only if

	1) the remote machine is running the service

and either

	2a) that service doesn't require any authentication

or

	2b) the user has whatever credentials (password or whatever) are necessary to access the service.

If 2a) is true, you've probably misconfigured the server, or you don't care whether arbitrary users can capture arbitrary data.

> My suggestions for this issue are....
> 1. Disable/Remove the selection of “Remote” interface in the drop down thus allowing the user to only capture packets from/to his/her Local machine.

That would prevent users *using Wireshark* from doing that.

It wouldn't prevent a user from doing that with some *other* program that uses a version of libpcap/WinPcap that supports remote packet capture.

> 2. Disable the check box “Capture packets in promiscuous mode”.

See previous comment.

> 3. In worst case, individual developers must make sure that there is no service “Remote Packet Capture Protocol” running on their local box.

If you don't want people capturing packets using your machine, either

	1) don't run that service

or

	2) run it in a mode where they need a password to access it.

> If yes, how to disable these options (on Windows XP box)?

The only way to do 1. or 2. is to download the source to Wireshark, modify it not to support remote capture or promiscuous-mode capture, and make sure everybody on your network is using that version.
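
The server-side conditions discussed in this message (service running, with or without authentication) can be audited from a host's process list. The following is an added example, not part of the original post and not Wireshark or WinPcap code. It assumes the remote capture daemon is `rpcapd` with its documented options `-n` (permit NULL authentication), `-l` (allowed-hosts file), `-p` (port, default 2002) and `-b` (bind address); the function name and sample command lines are constructed.

```python
import re
import shlex

DEFAULT_PORT = "2002"  # rpcapd's default listening port

def classify_rpcapd(cmdline):
    """Return (verdict, options) for an rpcapd command line, else None.

    Verdicts:
      OPEN                 - NULL auth and no host list (case 2a in the post)
      NULL_AUTH_RESTRICTED - NULL auth, limited to hosts in the -l file
      AUTH_REQUIRED        - clients must present credentials (case 2b)
    """
    # posix=False keeps Windows backslashes intact; quotes are stripped after.
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    if not argv:
        return None
    exe = re.split(r"[\\/]", argv[0])[-1].lower()
    if exe not in ("rpcapd", "rpcapd.exe"):
        return None  # condition 1 not met: this is not the capture service

    opts = {"null_auth": False, "host_list": None,
            "port": DEFAULT_PORT, "bind": None}
    args = iter(argv[1:])
    for arg in args:
        if arg == "-n":
            opts["null_auth"] = True
        elif arg == "-l":
            opts["host_list"] = next(args, None)
        elif arg == "-p":
            opts["port"] = next(args, DEFAULT_PORT)
        elif arg == "-b":
            opts["bind"] = next(args, None)

    if opts["null_auth"] and not opts["host_list"]:
        return "OPEN", opts
    if opts["null_auth"]:
        return "NULL_AUTH_RESTRICTED", opts
    return "AUTH_REQUIRED", opts

if __name__ == "__main__":
    # Constructed sample process command lines (not captured from a real host).
    samples = [
        r'"C:\Program Files\WinPcap\rpcapd.exe" -n',
        r'rpcapd -n -l /etc/rpcapd.hosts -p 2003',
        r'C:\WinPcap\rpcapd.exe -b 192.0.2.10',
        r'notepad.exe',
    ]
    for s in samples:
        print(f"{s!r:55} -> {classify_rpcapd(s)}")
```

A host that reports `OPEN` matches the misconfiguration described in 2a; a host where no line classifies at all is not running the service.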