0
votes

Platform: Fedora 13, 32-bit machine

I am running tshark on my client and rpcapd on my remote machine. Here is an example:

Remote machine: IP address 192.168.100.100 (say) and interface name eth1 (say)

bash$ sudo ./rpcapd -n

Client side: IP address 192.168.100.200

bash$ sudo tshark -w output.pcap -i rpcap://192.168.100.100/eth6 -f "ip proto 132"

Packet Capture is running successfully and packets are also being captured. But it also captures the packets to and from own machine's interfaces which are not related to remote machine's interface.

Please help me understand this.

2

2 Answers

0
votes

You can exclude traffic to your capture host by adding a filter:

 tshark -f '(host not 192.168.100.200) and (ip proto 132)'

0
votes

The problem occurred due to promiscuous mode.

I tried this:

$ sudo tshark -p -w output.pcap -i rpcap://192.168.100.100/eth6 -f "ip proto 132"

and it worked! The option -p signifies that the interface will not be put into promiscuous mode.

Here are the details: https://www.wireshark.org/docs/man-pages/tshark.html
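
A way to check a capture for the symptom discussed in this thread, as an added example that is not from either poster: it reads a capture file and counts how many packets are SCTP (IP protocol 132) and how many were sent to or from the capture client. It assumes the file is in classic pcap format (tshark `-F pcap`) with Ethernet framing; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

SCTP = 132                        # "ip proto 132" in the capture filter
CAPTURE_HOST = "192.168.100.200"  # client address from the question

def read_pcap(data):
    """Yield raw frames from a classic pcap byte string (Ethernet only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only linktype 1 (Ethernet) is handled")
    off = 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def audit(data, host=CAPTURE_HOST):
    """Count frames, SCTP packets, and packets sent to or from `host`."""
    stats = {"frames": 0, "sctp": 0, "involving_host": 0}
    for frame in read_pcap(data):
        stats["frames"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 directly over Ethernet (VLAN tags not handled)
        ip = frame[14:]
        stats["sctp"] += ip[9] == SCTP          # byte 9 is the protocol field
        if host in (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])):
            stats["involving_host"] += 1
    return stats

def make_frame(src, dst, proto=SCTP):
    """Constructed Ethernet + IPv4 header, no payload, zero checksum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip

def make_pcap(frames):
    """Wrap constructed frames in a little-endian classic pcap."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: SCTP for the remote host, SCTP for the client, one TCP.
SAMPLE = make_pcap([make_frame("192.168.100.100", "10.0.0.5"),
                    make_frame("192.168.100.200", "10.0.0.9"),
                    make_frame("192.168.100.100", "10.0.0.5", proto=6)])

print(audit(SAMPLE))
```

On a real file, pass `open("output.pcap", "rb").read()` to `audit`; a non-zero `involving_host` count means client traffic is still in the capture.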