Wireshark mailing list archives

Re: Capturing network traffic using wireshark remotely


From: Forthofer Russ <Russ.Forthofer () ssfhs org>
Date: Thu, 28 Jan 2010 15:36:05 -0500

Remote capture is a really cool, recent feature, but probably not applicable here. It would allow you to run rpcapd 
on Machine1 (or 2), and then run Wireshark on Machine3 - using Machine1's interfaces as the capture points. If you 
don't already have WinPcap installed on Machine1, you would need to do that. Then you would need to start rpcapd. 
Based on your statement that you don't want to change/install anything, this is probably not the way to go.

The only way to do this non-intrusively (AFAIK) is to span (mirror) the port on the switch.  You could also install a 
network tap at one of the devices (Machine1 or 2), but this would require a momentary network interruption.

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of sean bzd
Sent: Thursday, January 28, 2010 3:22 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] Capturing network traffic using wireshark remotely

Folks,
Need some advice/help here.

We have a scenario:

3 Windows machines all connected to the same Cisco Switch.
Machine1 and Machine2 are exchanging some data that need to be captured. Ideally, I could install Wireshark on either 
Machine1 or Machine2 and capture all the traffic being exchanged between the two. But since these are production 
machines, we don't want to change/install anything on these 2 machines. Is there a way I can install Wireshark on 
Machine3 and capture the traffic between Machine1 and Machine2? I know I can do port mirroring on the Cisco switch and 
capture it from Machine3. But the question is, can I get the capture without doing port mirroring? I see that the Capture 
Options dialog box in Wireshark has an option for Local vs. Remote interface. What is it used for? Has anyone used this 
before?

Thanks for your help.
Sean.

