How can we capture packets of a remote system without installing WinPcap on the remote systems? Is it possible to capture the packets?
Yes, if you're in the same L2 segment. Check the wonderful and detailed tutorial from Wireshark.
I have captured some packets in Wireshark and need to replay those again in any way.
The Wireshark wiki Tools page lists many packet capture related tools, among them some tools that can replay packets such as Bit-Twist, PlayCap, Scapy, tcpreplay and several others.
I just had to do this on a Windows machine. Almost all of the methods required a UNIX machine or Cygwin. Colasoft Packet Player worked great without having dependencies on other software or drivers.
I am trying to capture the data packets from dpdk interface.
Using pdump+testpmd, I am able to capture the data packets.
However, if Wireshark is used with testpmd, the above fails.
Any suggestions are highly appreciated. Thanks.
Working on Ubuntu v18+, DPDK v19+, Wireshark v3+.
The solution is to use the pdump application. As others mentioned, once your DPDK application takes ownership of the network card, the kernel will not see the packets, and tcpdump hooks will not be triggered.
The documentation explains how to i) compile dpdk with support for pdump and pcap ii) enable your primary process - your application - to give packet information to a secondary process - the pdump sample application.
You can then use the generated pcap with wireshark.
As soon as you bind the physical interface from the kernel to a DPDK driver (igb_uio, uio_pci_generic, vfio-pci) it is removed from the kernel netdev for both the Physical Function and the Virtual Function. These NIC ports are accessible via the UIO driver, and an application like DPDK, which has the PMD, can probe and init the devices (with some exceptions).
If you want to use the port with Wireshark, unfortunately you have to bind it back to the kernel. You can also just capture packets to a .pcap file using DPDK and analyse it with Wireshark offline - if that fits your needs.
[EDIT-1] There are 2 ways to capture packets on a UIO DPDK bind:
1. Make use of the rte_pdump_init API in the primary (desired) DPDK application and use the DPDK example dpdk-pdump to capture packets for RX or TX for the desired queues.
2. Unbind the device from UIO and bind it back to the kernel driver for a netdev interface. Start the DPDK rte_eal_init with the special argument --vdev=net_pcap0,iface=[kernel nic interface instance]
Note: In option 2, one can run Wireshark and capture the packets too. But you will lose out on performance and DPDK-specific functionality.
When I enable Wireshark capture on my laptop, the application becomes slow because it captures all the packets. I am running about 100 Mbps of traffic with different packet sizes.
Let's say I only need to capture RTP and SIP packets and ignore the other UDP, TCP, DHCP etc.
How can I do it using Wireshark?
Note: I know the filter option to view only the packets I need, but the request is to only capture RTP packets.
From the Wireshark SIP wiki page:
Capture Filter
You cannot directly filter SIP protocols while capturing. However, if you know the UDP or TCP or port used (see above), you can filter on that one.
For help with writing capture filters, refer to the pcap-filter man page.
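To make the port-based approach from that answer concrete, here is an added example (not from the Wireshark wiki or the answer above) that applies the same selection a capture filter such as `udp port 5060 or udp portrange 16384-32767` would apply, but offline to a pcap file, so you can check what the filter keeps before running it live; the SIP port and RTP range are assumptions, and the pcap input is constructed inline. The same reader works on any Ethernet pcap, for instance one written by dpdk-pdump as in the DPDK answer above.

```python
import struct

# Assumed ports; the live equivalent is dumpcap/tshark -f "udp port 5060 or udp portrange 16384-32767"
SIP_PORT = 5060
RTP_RANGE = (16384, 32767)

# pcap global header: little-endian magic, v2.4, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def udp_frame(src_port, dst_port, payload=b"x"):
    """Constructed sample: minimal Ethernet/IPv4/UDP frame, checksums left at zero."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip        # zero MACs, EtherType IPv4

def pcap_bytes(frames):
    """Constructed sample pcap: global header plus one record per frame."""
    out = PCAP_GLOBAL
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl, orig
    return out

def udp_ports(frame):
    """Return (src, dst) UDP ports for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                 # too short, not IPv4, or not UDP
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    if len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def matches_voip_filter(frame):
    """Same decision as the capture filter: SIP port or an RTP port on either side."""
    ports = udp_ports(frame)
    if ports is None:
        return False
    return any(p == SIP_PORT or RTP_RANGE[0] <= p <= RTP_RANGE[1] for p in ports)

def filter_pcap(data):
    """Keep only matching records; returns (filtered pcap bytes, number kept)."""
    out, kept, off = data[:24], 0, 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl = struct.unpack("<IIII", hdr)[2]
        frame = data[off + 16:off + 16 + incl]
        if matches_voip_filter(frame):
            out += hdr + frame
            kept += 1
        off += 16 + incl
    return out, kept
```

Run filter_pcap on the bytes of a real capture file and write the result out; Wireshark opens it like any other pcap.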
I am able to capture only the packets routed through my NIC, but I want to sniff all the packets from other PC(s) connected to the same local wireless network. I am using Wireshark, but it cannot sniff the packets from the remote IP(s) connected to the same local network (created by a wireless router).
You haven't provided much detail about your capture setup - in particular what OS your capture PC is running or what hardware you have. The best advice I can give you to start with is to visit the Wireshark WLAN (IEEE 802.11) capture setup wiki page and carefully read its contents, particularly those sections that best relate to your system. At the very least, you will need to be able to place your wireless NIC into monitor mode, and the method by which you do that is OS dependent, so do visit that wiki page for more details.
If you happen to be running Windows and you are unable to place your NIC into monitor mode using Wireshark or you don't have an adaptor (such as an Airpcap adaptor) capable of capturing the traffic, or npcap doesn't work for you, then you might want to try other tools besides Wireshark, such as Microsoft's Network Monitor or their newer Message Analyzer capture tools.
Lastly, if nothing else works, then you might want to visit the Wireshark Tools wiki page to try to find other potential tools that might work for you in your particular capture environment.
You can use the Cain and Abel sniffing tool. It is a very easy one. You can sniff packets with Cain and Abel and log them using Wireshark.
You can download it from https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html
To explain what I would like to get, here's an example.
Let's say, we have a PC with one NIC. It has single IP address 172.16.0.1.
Using VLC, we start a udp stream to 172.16.0.1:1234, then launch another copy of VLC and connect to udp://#172.16.0.1:1234. Now we'll see our video streaming.
If you run a sniffer, you will see packets from 172.16.0.1:some_random_port to 172.16.0.1:1234 on loopback. There's no traffic on our NIC.
What I want to do is to stream and receive udp in the same computer, like VLC does it. But the main problem is that pcap can only pcap_open() a real device, it can't work with loopback.
Is it possible to solve that problem?
P.S. I'm using Windows and WinPcap; unlike the Linux version, it can send packets.
If you just want to send and receive UDP packets, I would suggest just using regular Winsock sockets, just as you'd use regular sockets on UN*X; using WinPcap requires that you re-implement IP and UDP, and won't let you send to another socket on the same machine under Windows (or on at least some versions of UN*X, either).
If you want to watch the traffic you're sending, unfortunately WinPcap won't help, as it relies on packets being sent out and received from NDIS (its driver plugs into NDIS), and that doesn't happen for packets sent from one socket on a machine to another socket on the same machine.
(Note, BTW, that libpcap can send packets on Linux and *BSD and Mac OS X and Solaris and Digital/Tru64 UNIX, for example, and has been able to do so for several years; older versions of libpcap didn't support it, but the versions available for the past few years can. However, as per my first paragraph, it would not make sense to use libpcap to send and receive regular UDP packets on those OSes, just as it makes no sense to use WinPcap for that purpose on Windows.)