I’m just continually impressed with the quality of so many open source products available today. One such product that should be extremely high on any network engineer’s list is WireShark. WireShark has become the de-facto standard for packet capture software and is almost unrivaled in features and functionality.
Last week I had the task of diagnosing some very intermittent desktop/application performance issues at a remote site. I had installed WireShark locally on a few desktops, but I wanted the ability to remotely monitor a few specific desktops without obstructing the users' workflow, to get a baseline for later comparison. I was excited to learn that WireShark and WinPcap had (experimental) remote packet capture functionality built into each product. I followed the instructions on the WireShark website by installing WinPcap v4.1.2 on the remote machine and then starting the “Remote Packet Capture Protocol v.0 (experimental)” service. With that done I then proceeded to launch WireShark on my local desktop and configure the remote packet capture settings. From within WireShark I chose Options -> Capture and changed the Interface from Local to Remote, then entered the IP address of the remote machine along with the TCP port (the default TCP port is 2002). I initially tried to use “Null authentication” but was unsuccessful. I eventually ended up choosing “Password authentication” and used the local Administrator account and password of the remote desktop that had WinPcap installed on it. If the remote desktop had multiple interfaces I could have selected which interface I wanted to perform the remote packet capture on. In this case the desktop in question only had an integrated Intel(R) 82567LM-3 network adapter. I clicked ‘Start’ and to my sheer amazement the packet trace was off and running, collecting packets from the remote desktop. There will still be the occasional need to place the Dolch (portable sniffer) onsite when the situation demands it, but this is a great tool to have available.
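An added example, not code from the original post or from the WinPcap/WireShark projects: it decodes the first message of the rpcap v0 session described above, the authentication request WireShark sends to the WinPcap service on TCP port 2002. The field layout follows libpcap's rpcap-protocol.h; the sample bytes and the "Administrator"/"s3cret" values are constructed here. The point for a defender is that with “Password authentication” the local Administrator credentials cross the network in the clear, so the service should only be reachable from trusted hosts.

```python
"""Decode an rpcap (Remote Packet Capture Protocol v0) AUTH_REQ, i.e. the
first TCP payload a client sends to rpcapd on port 2002.
Layout (libpcap rpcap-protocol.h, network byte order):
  rpcap_header: ver(1) type(1) value(2) plen(4)
  rpcap_auth:   type(2) dummy(2) slen1(2) slen2(2), then username, password
"""
import struct

RPCAP_VERSION = 0
RPCAP_MSG_AUTH_REQ = 8
RPCAP_RMTAUTH_NULL = 0   # "Null authentication" in the WireShark dialog
RPCAP_RMTAUTH_PWD = 1    # "Password authentication"

HEADER = struct.Struct("!BBHI")  # ver, type, value, plen
AUTH = struct.Struct("!HHHH")    # type, dummy, slen1, slen2


def decode_auth_request(payload: bytes) -> dict:
    """Return the auth mode; for password auth also the username seen on the
    wire and the password length (the password itself is not echoed).
    Raises ValueError for anything that is not a well-formed v0 AUTH_REQ."""
    if len(payload) < HEADER.size:
        raise ValueError("short header")
    ver, mtype, _value, plen = HEADER.unpack_from(payload)
    if ver != RPCAP_VERSION or mtype != RPCAP_MSG_AUTH_REQ:
        raise ValueError(f"not an rpcap v0 AUTH_REQ (ver={ver}, type={mtype})")
    body = payload[HEADER.size:HEADER.size + plen]
    if len(body) != plen or plen < AUTH.size:
        raise ValueError("truncated or malformed payload")
    auth_type, _dummy, slen1, slen2 = AUTH.unpack_from(body)
    if auth_type == RPCAP_RMTAUTH_NULL:
        return {"auth": "null", "username": None, "password_len": 0}
    if auth_type != RPCAP_RMTAUTH_PWD:
        raise ValueError(f"unknown auth type {auth_type}")
    if AUTH.size + slen1 + slen2 != plen:
        raise ValueError("credential lengths do not match plen")
    user = body[AUTH.size:AUTH.size + slen1].decode("ascii", "replace")
    return {"auth": "password", "username": user, "password_len": slen2}


def build_auth_request(username=b"", password=b"", null_auth=False) -> bytes:
    """Constructed sample input only: the bytes a client would send."""
    if null_auth:
        body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(username), len(password))
        body += username + password
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(decode_auth_request(build_auth_request(b"Administrator", b"s3cret")))
```

Run over the first client payload of a port-2002 TCP stream, the same decoder tells you whether a capture session was set up with null or password authentication.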
Cheers!
Updated: Sunday September 5, 2010
The images appear to be missing above because the URL paths are wrong; not sure how WordPress messed that up. I don’t have time right now to fix it but I will fix it a little later.
Gabe says
WireShark has been in my tool kit for years. However, I did not know they had a remote packet capture. I am looking forward to using this in future troubleshooting.
I attempted to work with Nortel’s Remote Port Mirroring, but did not have any luck in the past. We ended up using local port mirroring with the Dolch box. When I have some free time, I will follow your Remote Port Mirroring guide.
Michael McNamara says
Hi Gabe,
I also have multiple (licensed) copies of OmniPeek from Wildpackets but I often switch between OmniPeek and WireShark depending on the type of problem and the specific protocol that I’m trying to decode. I knew that RPCAP was out there and the folks from WinPcap were working on it (experimental) but I didn’t realize it was so easy to set up, configure and get going.
The Nortel/Avaya remote port mirroring works quite well… it just encapsulates the frames and switches them across the network to a destination port. The origination and destination need to be ERS 8600 switches and then the middle points just need to bridge the VLAN which will carry the encapsulated frames. There’s a little configuration to it but it’s still pretty easy.
Cheers!