
Platform: Fedora 13 32-bit machine

RemoteMachine$ ./rpcapd -n

ClientMachine$ tshark -w "filename" -i "any interface name"

As soon as the capture starts without any capture filter, thousands of packets get captured. Rpcapd binds to port 2002 by default and, while establishing the connection, it sends a randomly chosen port number to the client for further communication. Both client and server machines then exchange TCP packets through randomly chosen ports. So I cannot even specify a capture filter to block this rpcap-related TCP traffic.

Wireshark and tshark for Windows have an option "Do not capture own Rpcap Traffic" under Remote Settings in the Edit Interface dialog box. But there is no such option in tshark for Linux.

It would also be helpful if anyone could tell me how Wireshark blocks its own rpcap traffic.

Pankaj Goyal
  • Curious. Does `dumpcap` show the same symptoms? – rickhg12hs Nov 14 '13 at 13:46
  • Have you tried a ssh tunnel rather than rpcapd? – rickhg12hs Dec 10 '13 at 16:35
  • Yes, dumpcap also behaves in a similar manner. Moreover, when we enter tshark at the command prompt, it forks a child and execs dumpcap with the specified flags. I haven't used an SSH tunnel yet. Can you tell me how to use it? – Pankaj Goyal Dec 10 '13 at 17:45
  • See [Wireshark: Remote Capture](http://wiki.wireshark.org/CaptureSetup/Pipes#Remote_Capture) or [How To Monitor Packets From A Remote Interface In Real Time](http://blog.notreally.org/2007/01/24/how-to-monitor-packets-from-a-remote-interface/). – rickhg12hs Dec 11 '13 at 09:05

1 Answer


Use a display filter that blocks the RPCAP protocol, not the port nor IP address.

I have no data to try it on, but how does this work?

$ tshark -R 'not rpcap' and_then_the_rest_of_your_command
rickhg12hs
  • Can you please tell me how to block the RPCAP protocol? – Pankaj Goyal Nov 13 '13 at 07:41
  • It works fine for blocking RPCAP, but RPCAP is present only in those packets that are used for initiating and closing the session. All other communication takes place over plain TCP. – Pankaj Goyal Dec 10 '13 at 10:18
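The ssh-tunnel alternative raised in the comments on the question, as an added example that is not part of the original question or answer. The point it illustrates is the one the last comment above makes: a display filter on `rpcap` only removes the control packets, while the bulk data travels over a port rpcapd negotiates at run time, so no static capture filter can exclude it. An ssh pipe has no such problem, because ssh listens on a fixed, known port that an ordinary BPF capture filter can exclude. The host names, interface name, ssh port and output file below are assumptions, and the remote side uses tcpdump (the dumpcap equivalent is noted in a comment):

```shell
#!/bin/sh
# Added example, not code from the original post or answer: capture on a remote
# Linux host through an ssh pipe instead of rpcapd. The tunnel's own packets can
# be excluded with a plain BPF capture filter because ssh listens on a fixed,
# known port; rpcapd's negotiated data port cannot be filtered that way.
# Host names, interface names, ports and file names below are assumptions.

# Build the BPF capture filter for the remote side: always exclude the ssh
# tunnel port, and AND in any extra user-supplied filter.
tunnel_filter() {
    ssh_port="${1:-22}"
    extra="$2"
    if [ -n "$extra" ]; then
        printf 'not tcp port %s and (%s)' "$ssh_port" "$extra"
    else
        printf 'not tcp port %s' "$ssh_port"
    fi
}

# Stream a remote capture into a local pcap file.
#   $1 remote host (user@host), $2 remote interface, $3 local output file,
#   $4 optional extra capture filter, $5 ssh port (default 22)
# The remote tcpdump writes pcap to stdout (-w -) and flushes after every
# packet (-U); ssh carries the stream back and the local tshark reads it from
# stdin (-i -). "dumpcap -i IFACE -w - -f FILTER" on the remote side works the
# same way if tcpdump is not installed there.
remote_capture() {
    host="$1"; iface="$2"; outfile="$3"; extra="$4"; ssh_port="${5:-22}"
    filter=$(tunnel_filter "$ssh_port" "$extra")
    ssh -p "$ssh_port" "$host" "tcpdump -i '$iface' -s 0 -U -w - '$filter'" \
        | tshark -i - -w "$outfile"
}

# Usage with assumed names:
#   remote_capture root@remote-host eth0 remote.pcap 'port 80'
```

Because the exclusion is applied on the remote host before the packets ever enter the tunnel, the capture file contains neither the ssh stream nor any rpcap control or data traffic, which is what the Windows "Do not capture own Rpcap Traffic" option achieves for rpcapd.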