Wireshark-users: Re: [Wireshark-users] remote capture framework

From: Max P <addax.ws@xxxxxxxxx>
Date: Fri, 14 May 2010 01:12:47 -0700
> Yes, rpcap daemon does not have caching functionality. It'll send
> packets as they are captured.  Packets will be lost if you are not
> connected to the rpcap daemon

I have servers at remote sites that have local interfaces that are
faster than the links to my (central) site.  Some sniffing sessions
will be faster than the link home can handle.  There are analogous
(but less severe) problems on the LAN.  So I need remote sniffers to
be able to cache the captures at native speed and spool them out at a
slower rate.

rpcap is open source. I do not think it's difficult to add simple caching to it.
I see an advantage in rpcap for you in not having to invent a communication protocol
between Wireshark and the remote site. But that's really the case only if you need
real-time capture (of course, if it can be called "real time" in your WAN situation).

 
> > it doesn't seem to have a mechanism to centrally list many
> > supported devices;

> It's not clear what you mean but you can get list of available
> interfaces on remote machine via rpcap

I have a whole bunch of devices.  Before someone can list available
interfaces, they need to know which device to go to.  It would really
be nice to have a searchable list of all known devices and all known
interfaces to start with.  Although if necessary, that list could be
on a webpage somewhere rather than in wireshark.

This problem pushed me to modify Wireshark in those days. I made it remember
my interfaces statically. So once set, they were available to use at any
start of Wireshark.

Max