Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-12 Thread Guy Harris
On Nov 12, 2017, at 5:38 AM, Richard Sharpe  wrote:

> It looks like libpcap-1.8.1 also has remote capture functionality,

It has some remote capture functionality, but I'm not sure what state it was 
in; I've done a *lot* of work on it (including testing the server on various 
UN*Xes and Windows, and testing the client on various UN*Xes) subsequently, and 
that work is only in the master branch.

> using pcap_opensource_remote et al. and it seems to be enabled by
> default.

It's not enabled by default - it's only enabled if HAVE_REMOTE is defined, and 
there's no --enable-remote support in the configure file.  CMakeLists.txt 1) 
only sets it on Windows and 2) isn't guaranteed to work on UN*X.  The work I've 
done to fix those issues is only in the master branch.
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
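
The question this thread keeps returning to, whether a given libpcap build actually has the remote-capture API compiled in, can be checked against the installed shared library. This is an added example, not code from the thread, Wireshark or libpcap; the verdict labels are made up here, and the symbol names beyond `pcap_open` and `pcap_open_live` are the WinPcap-derived remote API functions, chosen as an assumption about what a remote-enabled build exports.

```python
import ctypes
import ctypes.util

BASELINE = "pcap_open_live"   # per the thread: present in every libpcap
GATE = "pcap_open"            # per the thread: what Wireshark's configure test looks for
# Other entry points of the WinPcap-derived remote-capture API (assumed set).
REMOTE_API = ("pcap_findalldevs_ex", "pcap_createsrcstr",
              "pcap_setsampling", "pcap_remoteact_accept")


def has_symbol(lib, name):
    """True if the loaded shared object exports `name`."""
    try:
        getattr(lib, name)      # ctypes resolves the symbol on attribute access
        return True
    except AttributeError:
        return False


def classify(present):
    """Map a set of exported symbol names to a verdict (labels are made up here)."""
    if BASELINE not in present:
        return "not-libpcap"
    if GATE not in present:
        return "local-only"               # HAVE_PCAP_REMOTE would stay undefined
    if all(s in present for s in REMOTE_API):
        return "remote-api-exported"
    return "pcap_open-only"               # the "required but not sufficient" case


def probe(lib):
    """Report version string, exported symbols of interest, and the verdict."""
    names = (BASELINE, GATE) + REMOTE_API
    present = {n for n in names if has_symbol(lib, n)}
    version = None
    if has_symbol(lib, "pcap_lib_version"):
        fn = lib.pcap_lib_version
        fn.restype = ctypes.c_char_p      # const char *pcap_lib_version(void)
        version = fn().decode("ascii", "replace")
    return {"version": version, "present": sorted(present),
            "verdict": classify(present)}


def probe_installed():
    """Probe the system libpcap; None if the loader cannot find one."""
    path = ctypes.util.find_library("pcap")
    return probe(ctypes.CDLL(path)) if path else None


if __name__ == "__main__":
    print(probe_installed())
```

A `remote-api-exported` verdict only says the symbols are present; on a host where remote capture is not wanted, that is the build to look at more closely.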

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-12 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 10:25 AM, Guy Harris  wrote:
> On Nov 11, 2017, at 9:55 AM, Richard Sharpe  
> wrote:
>
>> Hmmm, the problem really seems to be that my dev environment fails to
>> find pcap_open so it cannot support rpcap.
>>
>> That is, both HAVE_PCAP_OPEN and HAVE_PCAP_REMOTE are not defined, but
>> HAVE_PCAP_REMOTE is not defined because HAVE_PCAP_OPEN is not defined.
>>
>> Now to see if a more recent version of libpcap than 1.5.3 has what I need.
>
> I infer from "libpcap" that this isn't WinPcap and thus this isn't Windows.
>
> Until recently, rpcap support was not a standard part of libpcap.
>
> The tip of the libpcap master branch (1.9.0-PRE-GIT) does include libpcap 
> support, but it's not configured in by default on UN*X, as I haven't audited 
> the code to make sure it has no buffer overflow risks or other security 
> issues.  If you configure it with autotools, you have to configure with 
> --enable-remote; if you configure it with CMake, you have to configure it 
> with -DENABLE_REMOTE=YES.  (Yes, CMake; I added CMake support to have 
> something that handles building both on UN*X and on Windows.  I also plan to 
> add CMake support to tcpdump at some point.)

It looks like libpcap-1.8.1 also has remote capture functionality,
using pcap_opensource_remote et al. and it seems to be enabled by
default.

Is that the case?

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 11:38 AM, Richard Sharpe
 wrote:
> On Sat, Nov 11, 2017 at 11:11 AM, Guy Harris  wrote:
>> On Nov 11, 2017, at 11:06 AM, Richard Sharpe  
>> wrote:
>>
>>> Sure. The immediate problem though is that acinclude.m4 assumes that
>>> checking for pcap_open is sufficient and required to enable
>>> HAVE_PCAP_REMOTE.
>>
>> If you don't have pcap_open(), you probably don't have remote support, which 
>> is why it's required.
>>
>> I suppose it isn't "sufficient" in the sense that one could, in principle, 
>> build a version of libpcap that has pcap_open() but that only supports local 
>> capture, but that's rather unlikely.
>>
>>> Having hacked my way around that, it is clear from the resulting build
>>> failures that a more recent version of libpcap is required :-(
>>
>> That's the universe's way of telling you that perhaps, sometimes, you should 
>> trust that autotools knows what it's doing, and not try to hack around it. 
>> :-)
>
> Well, I am trying to figure out the simplest required things to get
> this working on Linux ...
>
> Now that I have the latest version of libpcap from the repo built and
> installed, I seem to have library issues, but I can figure those out
> ...

Building the latest version of libpcap with --enable-remote seems to
make things work.

Wireshark 2.5.xxx brings up the remote capture interface stuff and
tries to connect to the device I nominated, which gave back a
connection refused ... since nothing is listening on the port I
nominated ...

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 11:11 AM, Guy Harris  wrote:
> On Nov 11, 2017, at 11:06 AM, Richard Sharpe  
> wrote:
>
>> Sure. The immediate problem though is that acinclude.m4 assumes that
>> checking for pcap_open is sufficient and required to enable
>> HAVE_PCAP_REMOTE.
>
> If you don't have pcap_open(), you probably don't have remote support, which 
> is why it's required.
>
> I suppose it isn't "sufficient" in the sense that one could, in principle, 
> build a version of libpcap that has pcap_open() but that only supports local 
> capture, but that's rather unlikely.
>
>> Having hacked my way around that, it is clear from the resulting build
>> failures that a more recent version of libpcap is required :-(
>
> That's the universe's way of telling you that perhaps, sometimes, you should 
> trust that autotools knows what it's doing, and not try to hack around it. :-)

Well, I am trying to figure out the simplest required things to get
this working on Linux ...

Now that I have the latest version of libpcap from the repo built and
installed, I seem to have library issues, but I can figure those out
...

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Guy Harris
On Nov 11, 2017, at 11:06 AM, Richard Sharpe  
wrote:

> Sure. The immediate problem though is that acinclude.m4 assumes that
> checking for pcap_open is sufficient and required to enable
> HAVE_PCAP_REMOTE.

If you don't have pcap_open(), you probably don't have remote support, which is 
why it's required.

I suppose it isn't "sufficient" in the sense that one could, in principle, 
build a version of libpcap that has pcap_open() but that only supports local 
capture, but that's rather unlikely.

> Having hacked my way around that, it is clear from the resulting build
> failures that a more recent version of libpcap is required :-(

That's the universe's way of telling you that perhaps, sometimes, you should 
trust that autotools knows what it's doing, and not try to hack around it. :-)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 10:52 AM, Guy Harris  wrote:
> On Nov 11, 2017, at 10:45 AM, Richard Sharpe  
> wrote:
>
>> I notice that the latest libpcap git repo calls pcap_open_rpcap from
>> pcap_open_live ... but I did not check if that is available in 1.5.3
>> that I have on my dev VM ...
>
> pcap_open_rpcap() itself is probably not available in the 1.5.3 you have; 
> it's part of the remote capture support, and that simply wasn't present *at 
> all* in libpcap until recently.  You'll *have* to build a newer libpcap, and 
> use that, on your development VM if you want to do remote captures.

Looks that way based on the results from below.

>> Anyway, assuming that those things work (for some value of "work") the
>> real problem is that the test in Wireshark's acinclude.m4 only checks
>> for pcap_open and not pcap_open_live ...
>
> Because libpcap has *always* had pcap_open_live() - if you have libpcap at 
> all, you have pcap_open_live().

Sure. The immediate problem though is that acinclude.m4 assumes that
checking for pcap_open is sufficient and required to enable
HAVE_PCAP_REMOTE.

Having hacked my way around that, it is clear from the resulting build
failures that a more recent version of libpcap is required :-(

>> However, my first interest is in getting the GTK stuff to show up and
>> that is controlled by HAVE_PCAP_REMOTE ..
>
> To get it to show up *anywhere* in *shark you'll need a newer version of 
> libpcap - or an older version with the remote-capture support patched in.  
> You will *not* get it with any of the existing libpcap releases and, unless 
> the supplier of the distribution on your development VM has patched it in, 
> you won't get it with the libpcap in that distribution.



-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Guy Harris
On Nov 11, 2017, at 10:45 AM, Richard Sharpe  
wrote:

> I notice that the latest libpcap git repo calls pcap_open_rpcap from
> pcap_open_live ... but I did not check if that is available in 1.5.3
> that I have on my dev VM ...

pcap_open_rpcap() itself is probably not available in the 1.5.3 you have; it's 
part of the remote capture support, and that simply wasn't present *at all* in 
libpcap until recently.  You'll *have* to build a newer libpcap, and use that, 
on your development VM if you want to do remote captures.

> Anyway, assuming that those things work (for some value of "work") the
> real problem is that the test in Wireshark's acinclude.m4 only checks
> for pcap_open and not pcap_open_live ...

Because libpcap has *always* had pcap_open_live() - if you have libpcap at all, 
you have pcap_open_live().

> However, my first interest is in getting the GTK stuff to show up and
> that is controlled by HAVE_PCAP_REMOTE ..

To get it to show up *anywhere* in *shark you'll need a newer version of 
libpcap - or an older version with the remote-capture support patched in.  You 
will *not* get it with any of the existing libpcap releases and, unless the 
supplier of the distribution on your development VM has patched it in, you 
won't get it with the libpcap in that distribution.

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 10:25 AM, Guy Harris  wrote:
> On Nov 11, 2017, at 9:55 AM, Richard Sharpe  
> wrote:
>
>> Hmmm, the problem really seems to be that my dev environment fails to
>> find pcap_open so it cannot support rpcap.
>>
>> That is, both HAVE_PCAP_OPEN and HAVE_PCAP_REMOTE are not defined, but
>> HAVE_PCAP_REMOTE is not defined because HAVE_PCAP_OPEN is not defined.
>>
>> Now to see if a more recent version of libpcap than 1.5.3 has what I need.
>
> I infer from "libpcap" that this isn't WinPcap and thus this isn't Windows.
>
> Until recently, rpcap support was not a standard part of libpcap.
>
> The tip of the libpcap master branch (1.9.0-PRE-GIT) does include libpcap 
> support, but it's not configured in by default on UN*X, as I haven't audited 
> the code to make sure it has no buffer overflow risks or other security 
> issues.  If you configure it with autotools, you have to configure with 
> --enable-remote; if you configure it with CMake, you have to configure it 
> with -DENABLE_REMOTE=YES.  (Yes, CMake; I added CMake support to have 
> something that handles building both on UN*X and on Windows.  I also plan to 
> add CMake support to tcpdump at some point.)

Yeah. Linux.

I notice that the latest libpcap git repo calls pcap_open_rpcap from
pcap_open_live ... but I did not check if that is available in 1.5.3
that I have on my dev VM ...

Anyway, assuming that those things work (for some value of "work") the
real problem is that the test in Wireshark's acinclude.m4 only checks
for pcap_open and not pcap_open_live ...

However, my first interest is in getting the GTK stuff to show up and
that is controlled by HAVE_PCAP_REMOTE ..

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Guy Harris
On Nov 11, 2017, at 9:55 AM, Richard Sharpe  wrote:

> Hmmm, the problem really seems to be that my dev environment fails to
> find pcap_open so it cannot support rpcap.
> 
> That is, both HAVE_PCAP_OPEN and HAVE_PCAP_REMOTE are not defined, but
> HAVE_PCAP_REMOTE is not defined because HAVE_PCAP_OPEN is not defined.
> 
> Now to see if a more recent version of libpcap than 1.5.3 has what I need.

I infer from "libpcap" that this isn't WinPcap and thus this isn't Windows.

Until recently, rpcap support was not a standard part of libpcap.

The tip of the libpcap master branch (1.9.0-PRE-GIT) does include libpcap 
support, but it's not configured in by default on UN*X, as I haven't audited 
the code to make sure it has no buffer overflow risks or other security issues. 
 If you configure it with autotools, you have to configure with 
--enable-remote; if you configure it with CMake, you have to configure it with 
-DENABLE_REMOTE=YES.  (Yes, CMake; I added CMake support to have something that 
handles building both on UN*X and on Windows.  I also plan to add CMake support 
to tcpdump at some point.)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 8:19 AM, Pascal Quantin
 wrote:
>
>
> On 11 Nov 2017 17:15, "Richard Sharpe" wrote:
>
> On Sat, Nov 11, 2017 at 7:50 AM, Pascal Quantin
>  wrote:
>> Hi Richard,
>>
>> 2017-11-11 16:45 GMT+01:00 Richard Sharpe :
>>>
>>> Hi folks,
>>>
>>> I am hearing from one user that they could no longer use rpcap from
>>> 2.0.2 of Wireshark, and I see that while I can enable it in configure
>>> (--with-remote-pcap) it does not seem to show up in the
>>> Capture->Interface or Capture->Options.
>>>
>>> Does anyone know how to get it to work or if it works?
>>
>>
>> I have not used it myself lately, but the configuration dialog is still
>> present. Go to Capture -> Options -> Manage Interfaces -> Remote
>> Interfaces
>> tab.
>
> Hmmm, you are correct for 2.4.2, however, for the latest Master that
> does not seem to work, at least on the GTK version ...
>
> Still investigating.
>
>
> Nobody is working on GTK version, that is deprecated. Expect it to work less
> and less over time.
> The menu is present in Qt version for master branch also but as I said I
> have not used it since more than a year. Nobody reported that it is broken
> yet, but it could be because it is not used that much.

Hmmm, the problem really seems to be that my dev environment fails to
find pcap_open so it cannot support rpcap.

That is, both HAVE_PCAP_OPEN and HAVE_PCAP_REMOTE are not defined, but
HAVE_PCAP_REMOTE is not defined because HAVE_PCAP_OPEN is not defined.

Now to see if a more recent version of libpcap than 1.5.3 has what I need.

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Pascal Quantin
On 11 Nov 2017 17:15, "Richard Sharpe" wrote:

> On Sat, Nov 11, 2017 at 7:50 AM, Pascal Quantin
>  wrote:
>> Hi Richard,
>>
>> 2017-11-11 16:45 GMT+01:00 Richard Sharpe :
>>>
>>> Hi folks,
>>>
>>> I am hearing from one user that they could no longer use rpcap from
>>> 2.0.2 of Wireshark, and I see that while I can enable it in configure
>>> (--with-remote-pcap) it does not seem to show up in the
>>> Capture->Interface or Capture->Options.
>>>
>>> Does anyone know how to get it to work or if it works?
>>
>>
>> I have not used it myself lately, but the configuration dialog is still
>> present. Go to Capture -> Options -> Manage Interfaces -> Remote Interfaces
>> tab.
>
> Hmmm, you are correct for 2.4.2, however, for the latest Master that
> does not seem to work, at least on the GTK version ...
>
> Still investigating.


Nobody is working on GTK version, that is deprecated. Expect it to work
less and less over time.
The menu is present in Qt version for master branch also but as I said I
have not used it since more than a year. Nobody reported that it is broken
yet, but it could be because it is not used that much.

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
On Sat, Nov 11, 2017 at 7:50 AM, Pascal Quantin
 wrote:
> Hi Richard,
>
> 2017-11-11 16:45 GMT+01:00 Richard Sharpe :
>>
>> Hi folks,
>>
>> I am hearing from one user that they could no longer use rpcap from
>> 2.0.2 of Wireshark, and I see that while I can enable it in configure
>> (--with-remote-pcap) it does not seem to show up in the
>> Capture->Interface or Capture->Options.
>>
>> Does anyone know how to get it to work or if it works?
>
>
> I have not used it myself lately, but the configuration dialog is still
> present. Go to Capture -> Options -> Manage Interfaces -> Remote Interfaces
> tab.

Hmmm, you are correct for 2.4.2, however, for the latest Master that
does not seem to work, at least on the GTK version ...

Still investigating.

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)

Re: [Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Pascal Quantin
Hi Richard,

2017-11-11 16:45 GMT+01:00 Richard Sharpe :

> Hi folks,
>
> I am hearing from one user that they could no longer use rpcap from
> 2.0.2 of Wireshark, and I see that while I can enable it in configure
> (--with-remote-pcap) it does not seem to show up in the
> Capture->Interface or Capture->Options.
>
> Does anyone know how to get it to work or if it works?
>

I have not used it myself lately, but the configuration dialog is still
present. Go to Capture -> Options -> Manage Interfaces -> Remote Interfaces
tab.

BR,
Pascal.

[Wireshark-dev] rpcap support seems to have disappeared ...

2017-11-11 Thread Richard Sharpe
Hi folks,

I am hearing from one user that they could no longer use rpcap from
2.0.2 of Wireshark, and I see that while I can enable it in configure
(--with-remote-pcap) it does not seem to show up in the
Capture->Interface or Capture->Options.

Does anyone know how to get it to work or if it works?

-- 
Regards,
Richard Sharpe
(How to dispel sorrow? Only Du Kang. -- Cao Cao)