Wireshark mailing list archives

Re: remote capture framework


From: Max P <addax.ws () gmail com>
Date: Thu, 13 May 2010 22:37:20 -0700

I had used rpcap for remote capture for a long time a few years ago. I even
modified Wireshark in those days to have access to rpcap features from the GUI.
You can search for
"Experimental WireShark version with user interface list and remote capture
(RPCAP) support"
in this mailing list. I have links to my version there.
My answers are based on that experience. I do not think much has changed in
that area.


> I have a whole bunch of hosts at various WAN sites that are used for
> remote captures.  Right now, people log in to them remotely and kick
> off tcpdump or wireshark on the host itself.  I'd like to get away
> from that.  I'm willing to develop something myself, but prefer to not
> reinvent the wheel.  rpcap looks like a step in the right direction.
> But it seems to be a streaming solution, which is bad over a WAN;


Yes, the rpcap daemon does not have caching functionality. It will send
packets as they are captured.
Packets will be lost if you are not connected to the rpcap daemon.


> it doesn't seem to have a mechanism to centrally list many supported
> devices;


It's not clear what you mean, but you can get a list of available interfaces
on the remote machine via rpcap.


> and it doesn't seem very cross-platform.


It was cross-platform. I have a link to a compiled Linux version in my old
post.
The Windows version always comes with WinPcap.


> For our environment, might be better if people could
> specify their packet filters and start captures on-demand.


As I remember, rpcap supports user filters from the Wireshark interface dialog.

Max
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe