How to Enable Remote Packet Capture with Wireshark


#1

As of Firmware 6.3, Peplink devices can send packet information to an external client, where it can be analyzed by Wireshark.
To enable this feature, please follow these steps:

1) Download Wireshark and Netcat

Please follow the links to download the programs:

Wireshark Packet Analyzer

Netcat

2) Enter Netcat Command

Once Wireshark has been installed, navigate to the command prompt and adapt the following command to your installation.

C:\nc\nc.exe -l -p 12345 | "C:\Program Files\Wireshark\wireshark.exe" -ki -

At this point, Wireshark will open and begin waiting for the packet trace.

3) Enable Remote Capture on the Peplink Router

Login to your device’s Web UI.

Access your device’s support page. This can be done by entering the following on your address bar:

http://<IP address of your router>/cgi-bin/MANGA/support.cgi

Once you have entered the support page, this screen will appear:

Check the checkbox next to Remote Capture and enter the IP address and port number of the external client that will receive the information.
The port number must match the port defined in the Netcat command above.

Finally, click the Start button. The following message will confirm success:

At this point, Wireshark still might not show any activity. One possible reason is that the local firewall is blocking it. In that case, you will need to turn off the firewall to use this feature:

At this point, The Wireshark program on your client should begin receiving packet information:


#2

This is cool. Thank you for sharing!


#3

Just in case anyone wants to use a Mac to do this remote capture… I finally spent some time and figured out a way.

You will need two terminal windows open. One to create the FIFO pipe and start the netcat listener. The other to start Wireshark.

Terminal 1
mkfifo /path/to/packetbuffer
chmod 777 /path/to/packetbuffer   # this step may not be required
sudo nc -l 12345 > /path/to/packetbuffer

Terminal 2
wireshark -k -i /path/to/packetbuffer

Wireshark should open up. Start the remote capture on the Peplink device.

Happy capturing!


#4

Hello,

Can someone help with how to capture the WAN interface traffic using Wireshark on a WatchGuard (XTM) device?

Thank you.


#5

You can capture the Peplink WAN traffic in the usual way (support.cgi page).
You can also grab a PCAP from the WatchGuard:
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/system_status/stats_diagnostics_tasks_web.html


#6

Thanks very much for the swift response.

One more thing, please: what filter can I use to capture only one particular SOURCE IP?

e.g. -i eth0 … to filter for a particular source IP.

I am very grateful.


#7

Filtering the IPs at the point of capture is hard. It's much easier to do it in Wireshark when you are analysing the capture…
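What Netcat hands to Wireshark in the procedure at the top of this thread is a plain libpcap byte stream, so the receiving client can inspect it itself. The following is an added example, not code from this thread or from Peplink: it parses such a stream, understands 802.1Q-tagged frames, and keeps only packets from one source IP, which is the client-side way to do the source-IP filtering asked about above. It assumes the device sends the classic libpcap format with an Ethernet link type; `parse_pcap_stream`, `make_record` and `SAMPLE_STREAM` are names chosen here, and the sample stream is constructed inline rather than captured.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag, so tagged VLAN frames are handled as well

def parse_pcap_stream(data, src_filter=None):
    """Parse a classic libpcap byte stream (24-byte global header, 16-byte record headers,
    Ethernet link type) into (src, dst, vlan_id) tuples, optionally keeping one source IP."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # header byte order from the magic
    if end is None:
        raise ValueError("not a libpcap stream, magic %#x" % magic)
    linktype = struct.unpack_from(end + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("expected Ethernet (link type 1), got %d" % linktype)
    off, packets = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                     # record cut off mid-stream: stop cleanly
        off += 16 + incl_len
        if len(frame) < 14:
            continue                  # not even a full Ethernet header
        ethertype, = struct.unpack_from("!H", frame, 12)
        ip_off, vlan = 14, None
        if ethertype == ETHERTYPE_VLAN:
            tci, ethertype = struct.unpack_from("!HH", frame, 14)
            ip_off, vlan = 18, tci & 0x0FFF
        if ethertype != ETHERTYPE_IPV4 or len(frame) < ip_off + 20:
            continue                  # non-IPv4 or truncated frame: skip rather than crash
        src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
        dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
        if src_filter is None or src == src_filter:
            packets.append((src, dst, vlan))
    return packets

def make_record(src_ip, dst_ip, vlan=None):
    """Build one constructed Ethernet/IPv4 record (sample data, not captured traffic)."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0])   # minimal 20-byte IPv4 header
    frame = (b"\x00" * 12 + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip
             + socket.inet_aton(src_ip) + socket.inet_aton(dst_ip))
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_STREAM = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # constructed sample
                 + make_record("192.168.1.10", "8.8.8.8")                    # untagged LAN frame
                 + make_record("192.168.20.5", "192.168.1.10", vlan=20)      # tagged, VLAN 20
                 + make_record("192.168.1.10", "192.168.20.5", vlan=20))
```

To use it on a live capture, read the bytes from the Netcat listener (or from the FIFO in the Mac recipe below) instead of `SAMPLE_STREAM` and pass the address of interest as `src_filter`.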


#8

I am not able to get Wireshark to monitor the WatchGuard eth0 interface.

Thanks very much.


#9

I recommend checking with WatchGuard.


#10

Thanks all for the very useful contributions.

I was able to carry out the packet filter on the WatchGuard using -i eth0 src IP.

It worked fine.


#11

I got this going, very helpful. Is there any way to capture traffic that is in VLANs? It only seems to capture untagged traffic on the LAN interface.


#12

@Lucas_Kane the capture should contain untagged and tagged traffic from all VLANs (untagged and tagged).
I just tested this to see if that had changed, but I can confirm my capture contained traffic from several VLANs.
I ran network capture from the router itself instead of a remote packet capture. Can you try that as well?


#13

On the router itself I see all VLANs. But it seems that it is limited to 20MB per capture and only gets me about 10 seconds of traffic. Is the remote capture limited to the VLAN that the remote machine resides in?


#14

Hi Lucas,
I would need to test that, but it does seem to be the case (maybe someone else has tried this before and can give an answer).
If the remote machine resides on a VLAN with inter-VLAN routing disabled, I can see the logic that the capture is restricted to traffic for that VLAN only.
Out of interest, is inter-VLAN routing enabled in the network you have tested this with?


#15

I type that command and the box goes away and Wireshark doesn't open up… am I missing something? Also, can this be done off site completely and point to a WAN address?


#16

You need to make sure the Netcat directory and the Wireshark directory are correctly defined in order for the given command to work as expected.

Below is my test case, and it works as expected:

Run command:


C:\WINDOWS\system32>C:\Users\Sitloongs\Desktop\nc111nt\nc.exe -l -p 12345 | "C:\Program Files (x86)\Wireshark\wireshark.exe" -ki -

Wireshark directory:

Netcat directory:

If it still doesn't work, make sure you have disabled all security blocking tools on your PC, as the capture can be blocked by those tools.

Sending packet captured results via Internet/WAN directly is not recommended as it’s insecure.