rpcapd for Linux: remote sniffing with Ethereal/Wireshark
rpcapd is a daemon that captures traffic on a host and streams it over TCP to a remote network sniffer such as Ethereal/Wireshark.
It's included with recent WinPcap releases, so running it on Windows is very easy: it's located in C:\program files\winpcap.
It's trickier on Linux: rpcapd should compile and work there, but I had to remove the Windows-specific code that prevented it from building.
Remote Linux sniffer:
- Download rpcapd.gz for Linux, statically compiled for linux/i386
- Gunzip it and run it as root: ./rpcapd -n
Note that -n permits NULL authentication, i.e. any host that can reach rpcapd's control port (TCP 2002 by default) can start a capture, and rpcap carries both the control channel and the captured packets in cleartext. Restrict who may connect with -l <host_list> (a file listing the allowed hosts, one per line), bind to a single address with -b <address>, or firewall the port.
Local Windows Ethereal/Wireshark:
- Install WinPcap 4.0
- Install Wireshark 0.99
- Go to "Capture Options" and specify the remote host and interface as rpcap://remotehost/remoteif (the port can be given as rpcap://remotehost:port/remoteif; for example rpcap://192.168.50.38/eth0 if the Linux interface is eth0)
- Start sniffing
It's always a good idea to use a capture filter that excludes traffic between the local and the remote host, e.g. "not host 192.168.50.25" on the remote side: otherwise the rpcap stream carrying the captured packets is itself captured and sent back, and the capture feeds back on itself.
Example with Windows 192.168.50.25 remotely sniffing from Linux 192.168.50.38:
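As an added example that is not part of the original post, the following POSIX sh wrapper covers the Linux side of the procedure above with the two addresses from the post: it writes an allowed-hosts file for rpcapd -l, builds the rpcapd command line and refuses to emit -n (NULL authentication) unless such a host list exists, and prints the rpcap:// URL and the capture filter to enter on the Wireshark side. The interface name eth0, the rpcapd binary sitting in the current directory, the host-list path under /tmp and the default control port 2002 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wrapper for the Linux side of a
# remote rpcapd capture. Assumptions (labelled): capture interface eth0, rpcapd
# in the current directory, allowed-hosts file under /tmp, default port 2002.

SNIFFER_HOST=${SNIFFER_HOST:-192.168.50.25}   # Windows box running Wireshark (from the post)
CAPTURE_HOST=${CAPTURE_HOST:-192.168.50.38}   # Linux box running rpcapd (from the post)
CAPTURE_IF=${CAPTURE_IF:-eth0}                # assumed name of the Linux interface to sniff
RPCAP_PORT=${RPCAP_PORT:-2002}                # rpcapd's default TCP control port

# write_hostlist FILE HOST...: write the hosts allowed to connect, one per line,
# in the format rpcapd -l expects.
write_hostlist() {
    file=$1
    shift
    [ "$#" -gt 0 ] || { echo "write_hostlist: at least one host required" >&2; return 1; }
    printf '%s\n' "$@" > "$file"
}

# rpcapd_cmdline HOSTFILE: print the rpcapd invocation. -n permits NULL (no
# password) authentication, so it is only emitted together with -l HOSTFILE and
# -b CAPTURE_HOST, which limit who may connect and where rpcapd listens. An
# empty or missing host list is refused instead of starting an open capture service.
rpcapd_cmdline() {
    hostfile=$1
    if [ ! -s "$hostfile" ]; then
        echo "rpcapd_cmdline: refusing -n without a non-empty host list ($hostfile)" >&2
        return 1
    fi
    printf './rpcapd -n -l %s -b %s -p %s\n' "$hostfile" "$CAPTURE_HOST" "$RPCAP_PORT"
}

# rpcap_url: the string to enter as remote interface in Wireshark's Capture Options.
rpcap_url() {
    printf 'rpcap://%s:%s/%s\n' "$CAPTURE_HOST" "$RPCAP_PORT" "$CAPTURE_IF"
}

# capture_filter: BPF capture filter for Wireshark that drops all traffic to and
# from the sniffing host itself; without it the rpcap stream carrying the captured
# packets is captured again and the capture feeds back on itself.
capture_filter() {
    printf 'not host %s\n' "$SNIFFER_HOST"
}

# Stage the host list and show what to run on each side.
hostlist=${TMPDIR:-/tmp}/rpcapd.hosts   # assumed location of the allowed-hosts file
write_hostlist "$hostlist" "$SNIFFER_HOST"
echo "On the Linux host, as root:     $(rpcapd_cmdline "$hostlist")"
echo "In Wireshark, remote interface: $(rpcap_url)"
echo "In Wireshark, capture filter:   $(capture_filter)"
```

Only the Wireshark host is listed in the host file, so with -n a third machine that can reach port 2002 is still turned away by rpcapd; the filter is applied on the Linux side, so the rpcap session itself never enters the capture.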