
I am trying to capture remote TCP packets using tshark/pyshark. I can see the packets in Wireshark if the firewall on the remote machine is turned off. It doesn't work with the firewall on. I have the TCP ports 2002 and 1448 opened in the remote machine's firewall.

I have run the rpcapd service with the command `rpcapd -n`.

If any of you have done remote capturing behind a firewall, your help will be much appreciated.

Arun Thomas
  • In which mode are you running rpcapd? Active or passive? – mik1904 Aug 26 '19 at 13:16
  • I think this article will be useful for you: https://www.cisco.com/assets/sol/sb/WAP321_Emulators/WAP321_Emulator_v1-0-0-3/help/Admin30.html – Ido Segal Aug 26 '19 at 13:18
  • @mik1904 Passive mode. Tried active mode as well, but don't know if I did it correctly. `rpcapd -n -a ,2002` – Arun Thomas Aug 26 '19 at 13:31
  • OK, it definitely looks like a firewall problem. Cannot help much without knowing them, which is not really safe to post here. – mik1904 Aug 26 '19 at 13:40

1 Answer

Using netstat, I checked the listening ports and found that there is a random port between 30000-39999 listening every time my pyshark program sniffs.

I had Windows Server 2008, which prevented me from opening a range of ports.

So the solution to my problem was to allow the rpcapd.exe program in the firewall.

Arun Thomas
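The netstat check described in the answer, as an added example that is not part of the original post: it parses `netstat -ano -p tcp` and `tasklist /fo csv /nh` output and lists the ports `rpcapd.exe` is listening on that the per-port rules for 2002 and 1448 do not cover. The sample output, PID 3120 and port 34817 are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /fo csv /nh` output (not from the original post).
TASKLIST = '''"svchost.exe","716","Services","0","6,212 K"
"rpcapd.exe","3120","Console","1","2,144 K"
'''

# Constructed sample of `netstat -ano -p tcp` output while a capture is running.
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:2002           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:34817          0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:2002          10.0.0.9:51544         ESTABLISHED     3120
"""

ALLOWED_PORTS = {2002, 1448}  # the per-port rules named in the question


def pids_for_image(tasklist_csv, image):
    """Return the PIDs of every process whose image name matches."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]) for r in rows if len(r) >= 2 and r[0].lower() == image.lower()}


def listening_ports(netstat_text, pids):
    """Return local TCP ports in LISTENING state owned by any of the PIDs."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue
        if int(f[4]) in pids:
            # rsplit keeps this working for IPv6 local addresses such as [::]:2002
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports


def uncovered_ports(netstat_text, tasklist_csv, image, allowed):
    """Ports the program listens on that no per-port firewall rule covers."""
    pids = pids_for_image(tasklist_csv, image)
    return sorted(listening_ports(netstat_text, pids) - set(allowed))


if __name__ == "__main__":
    print(uncovered_ports(NETSTAT, TASKLIST, "rpcapd.exe", ALLOWED_PORTS))
```

A non-empty result means per-port rules alone will not let the capture through, which is the situation the answer resolved by allowing the program instead.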