How to Capture Remote Machine Traffic with Wireshark: Solving Error 10061 on Remote Interface



When attempting to capture traffic from a remote machine through Wireshark's remote interface feature, many users run into Error 10061. This is the Winsock code WSAECONNREFUSED: the TCP connection to the remote capture service (rpcapd, port 2002 by default) reached the host but was actively refused, which means nothing was listening on that port at that moment. The usual causes are that rpcapd is not running, that it is listening on a different port or address than the one entered in Wireshark, or that a firewall rejects the connection outright (a firewall that silently drops packets shows up as a timeout, error 10060, instead).

Before diving into solutions, ensure these components are properly configured:

1. The remote machine runs Npcap (WinPcap still works but is no longer maintained) and has its remote capture daemon, rpcapd.exe, available
2. Wireshark installed on the local machine; the remote machine only needs Npcap and rpcapd, not a full Wireshark install
3. Network connectivity between the machines on TCP port 2002 (rpcapd's default)
4. Administrative privileges on both systems (rpcapd needs them to open the adapters)
5. A firewall rule on the remote machine that admits the analyst's workstation

1. Setting Up the Remote Machine

First, start the remote capture daemon on the target machine. For a first test, run it in the foreground from an elevated command prompt so that any error it prints is visible:

# On Windows remote machine (admin command prompt):
"C:\Program Files\Npcap\rpcapd.exe" -n
# -n: permit null (no-password) authentication, for testing only
# -d: run as a daemon/service; this is the switch used in the service
#     definition, not for a foreground test run

2. Configuring Firewall Rules

Add an inbound rule on the remote machine that allows TCP port 2002 (the default rpcapd port). Scope it to the analyst's workstation instead of opening the port to everyone:

netsh advfirewall firewall add rule name="Wireshark Remote" dir=in action=allow protocol=TCP localport=2002 remoteip=192.0.2.10
# 192.0.2.10 stands for the address of the machine running Wireshark

Note that Windows Firewall drops blocked packets silently, so a missing rule normally produces a timeout (error 10060) rather than 10061. A 10061 with the rule in place points at rpcapd not listening on that port.

3. Local Wireshark Configuration

In Wireshark (the Windows builds ship with remote capture support):

- Open Capture > Options and click "Manage Interfaces"
- Go to the "Remote Interfaces" tab
- Click "+" and enter the remote machine's address as the Host and 2002 as the Port
- Choose "Null authentication" if rpcapd was started with -n, otherwise "Password authentication" with an account of the remote machine
- Click OK; the remote adapters appear in the interface list prefixed with the host, and it is this listing step that fails with Error 10061 when the connection is refused

From the command line the same remote interface is addressed as rpcap://[remote_IP]:2002/<adapter>, for example with tshark -i or dumpcap -i, where <adapter> is the \Device\NPF_{...} name rpcapd reports.

Authentication Problems

rpcapd has no password file of its own. With "Password authentication" the username and password Wireshark sends are checked against the accounts of the remote machine (a local Windows account with Npcap or WinPcap, a system account on Unix), so to require authentication start rpcapd without -n and enter such an account's credentials in the Remote Interface dialog:

"C:\Program Files\Npcap\rpcapd.exe"
# no -n: null authentication is rejected, clients must present a valid
# account of this machine

Use a dedicated low-privilege account for this rather than an administrator's: plain rpcap sends the credentials unencrypted, so they should only cross a VPN or an SSH tunnel. rpcapd's -l option can additionally restrict which client hosts may connect; check rpcapd.exe -h for the exact syntax your build expects, and keep the firewall rule above as the primary restriction.

Alternative Capture Methods

When direct remote capture isn't feasible, consider these alternatives:

# SSH tunnel to a Linux host running rpcapd on 2002:
ssh user@remote -L 2002:localhost:2002
# Then add localhost:2002 as the remote interface in Wireshark.
# Caveat: rpcap opens a second TCP connection for the packet data, which
# this single forwarded port does not carry, so the tunnel often gets as
# far as listing interfaces and then stalls; the pipe below avoids that.

# Pushing a capture from the remote machine to your workstation
# (run on the remote machine; "workstation" is the Wireshark host):
dumpcap -i eth0 -w - | ssh user@workstation "cat > remote.pcap"

For enterprise environments, consider these enhancements:

# Run as a Windows service (skip if the Npcap installer already
# registered one; check with sc query rpcapd):
sc create rpcapd binPath= "\"C:\Program Files\Npcap\rpcapd.exe\" -d" start= demand
# Use a different port (the firewall rule and the Port field in
# Wireshark must match):
rpcapd.exe -p 5000
# Address family and bind address (rpcapd listens on IPv4 and IPv6 by default):
rpcapd.exe -4
rpcapd.exe -b 192.0.2.5
# -4: IPv4 only; -b: listen only on the given local address
# (192.0.2.5 stands for the remote machine's management address)

Always remember:

- Never run rpcapd with -n in production
- Use VPN for remote connections
- Regularly rotate credentials
- Limit access via firewall rules
- Consider encrypted capture methods for sensitive networks

Capturing network traffic from a remote machine requires proper configuration of both the target machine and your Wireshark instance. To recap, error code 10061 is a connection refusal: Wireshark's TCP connection to the remote capture service was answered with a reset because nothing was listening on the port it tried, so the remote capture session never starts.

Before attempting remote capture, ensure:

  • The remote machine has Npcap installed (WinPcap also works but is unmaintained)
  • The Remote Packet Capture Protocol daemon (rpcapd) is running
  • The firewall allows connections from your workstation on TCP port 2002 (the default rpcap port)
  • You have administrative privileges on both machines

On the remote Windows machine, start rpcapd, either manually or as the Windows service registered for it (service name rpcapd):

# The Npcap installer option "Install Npcap in WinPcap API-compatible Mode"
# is unrelated to remote capture; rpcapd.exe lives in the Npcap directory.
# Check whether the service exists and start it (admin command prompt):
sc query rpcapd
net start rpcapd
# Or run it in the foreground for a test, with null authentication:
"C:\Program Files\Npcap\rpcapd.exe" -n
# "net start npcap" only starts the Npcap driver, not rpcapd

In Wireshark's capture options:

  1. Click "Capture" > "Options", then "Manage Interfaces"
  2. Open the "Remote Interfaces" tab and click "+"
  3. Enter the remote machine's IP address as the Host and 2002 as the Port (the command-line form of this is rpcap://[IP_ADDRESS]:2002/)
  4. Add credentials if required (domain\username and password, checked against the remote machine's accounts)

If you still encounter error 10061:

# Check whether the rpcapd service is running on the remote machine:
sc query rpcapd

# Check that something is actually listening on the port rpcapd was given:
netstat -ano | findstr :2002

# Verify that the firewall rule exists (Windows example):
netsh advfirewall firewall show rule name="Wireshark Remote"

# From the Wireshark machine, test the TCP path (PowerShell;
# 192.0.2.5 stands for the remote machine's address):
Test-NetConnection -ComputerName 192.0.2.5 -Port 2002

# For Linux remote machines, skip rpcap and pipe dumpcap over SSH instead
# (needs sudo without a password prompt for dumpcap, or a dumpcap with
# cap_net_raw; -P writes pcap, the filter keeps SSH out of its own capture):
ssh user@remote_machine "sudo dumpcap -P -i eth0 -w - -f 'not port 22'" | wireshark -k -i -
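The checks above, and the interface listing in the Wireshark setup earlier, only tell you whether a TCP port answers. The following Python 3 script, written for this article and not part of Wireshark, Npcap or libpcap, goes one step further: it classifies the connect error (10061 refused versus 10060 timeout), and if the connection succeeds it sends an rpcap authentication request and reads the reply, so you can tell an rpcapd that rejects null authentication apart from some unrelated service sitting on port 2002. The constants are the rpcap v0 header and auth structures; host, port and account are whatever you pass in, and a password given to it crosses the wire unencrypted exactly as it does from Wireshark.

```python
#!/usr/bin/env python3
"""
rpcap_probe.py: tell apart the causes behind Wireshark's error 10061.

Added example for this article, not code from Wireshark, Npcap or
libpcap. Assumes a default rpcapd on TCP 2002 (override on the command
line) and speaks just enough rpcap v0 (8-byte header, auth request) to
see whether the listener really is rpcapd and what it thinks of the
credentials. A password passed here is sent in the clear, as with plain rpcap.
"""
import errno
import socket
import struct
import sys

RPCAP_VERSION = 0
RPCAP_MSG_ERROR = 0x01
RPCAP_MSG_AUTH_REQ = 0x08
RPCAP_MSG_IS_REPLY = 0x80
RPCAP_MSG_AUTH_REPLY = RPCAP_MSG_AUTH_REQ | RPCAP_MSG_IS_REPLY  # 0x88
RPCAP_RMTAUTH_NULL = 0
RPCAP_RMTAUTH_PWD = 1

# struct rpcap_header: ver(1) type(1) value(2) plen(4), network byte order
HEADER = struct.Struct("!BBHI")
# struct rpcap_auth: type(2) dummy(2) slen1(2) slen2(2), then username, password
AUTH = struct.Struct("!HHHH")


def classify_connect_error(code):
    """Map a Winsock or POSIX connect() error to what it means for rpcapd."""
    if code in (10061, errno.ECONNREFUSED):
        return ("refused (10061): the host answered but nothing is listening on "
                "that port: rpcapd not started, a different -p port, or bound "
                "with -b to another address")
    if code in (10060, errno.ETIMEDOUT):
        return ("timed out (10060): packets are silently dropped, usually by a "
                "firewall on the remote host or on the path")
    if code in (10065, errno.EHOSTUNREACH):
        return "host unreachable (10065): no route to the remote host"
    return "socket error %s" % code


def build_auth_request(username=None, password=None):
    """Build an rpcap AUTH_REQ: null authentication unless a username is given."""
    if username is None:
        payload = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        user = username.encode()
        pwd = (password or "").encode()
        payload = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(user), len(pwd)) + user + pwd
    return HEADER.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(payload)) + payload


def parse_reply(data):
    """Interpret the first message the listener sends back after AUTH_REQ."""
    if len(data) < HEADER.size:
        return {"ok": False, "code": None,
                "message": "no rpcap header in reply (%d bytes): the listener is not rpcapd" % len(data)}
    ver, mtype, value, plen = HEADER.unpack_from(data)
    payload = data[HEADER.size:HEADER.size + plen]
    if mtype == RPCAP_MSG_AUTH_REPLY:
        return {"ok": True, "code": 0,
                "message": "rpcapd (protocol v%d) accepted the authentication" % ver}
    if mtype == RPCAP_MSG_ERROR:
        # value carries the rpcap error code, the payload the server's own text
        return {"ok": False, "code": value,
                "message": payload.decode("ascii", "replace").rstrip("\x00")}
    return {"ok": False, "code": None,
            "message": "unexpected rpcap message type 0x%02x" % mtype}


def probe(host, port=2002, timeout=5.0, username=None, password=None):
    """Connect, send one auth request and classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        msg = classify_connect_error(exc.errno) if exc.errno is not None else str(exc)
        return {"ok": False, "stage": "connect", "code": exc.errno, "message": msg}
    with sock:
        sock.sendall(build_auth_request(username, password))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return {"ok": False, "stage": "auth", "code": None,
                    "message": "connected, but no reply within %.0fs: the listener is probably not rpcapd" % timeout}
    result = parse_reply(data)
    result["stage"] = "auth"
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: rpcap_probe.py HOST [PORT] [USERNAME PASSWORD]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 2002
    user, pwd = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else (None, None)
    outcome = probe(host, port, username=user, password=pwd)
    print("%s:%d [%s] %s" % (host, port, outcome["stage"], outcome["message"]))
    sys.exit(0 if outcome["ok"] else 1)
```

Run it from the Wireshark machine as `rpcap_probe.py 192.0.2.5` (or with a port and an account). A "refused" result means the problem is on the remote side of the firewall and is about rpcapd not listening; an rpcap error reply with the server's own text means the TCP path is fine and the remaining issue is authentication.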

If RPcap continues to fail, consider these alternatives:

# SSH tunnel method (Linux/Unix): forward local port 2002 to rpcapd on the
# remote host, then point Wireshark at localhost:2002. Use -L, not -R, which
# would forward in the other direction. rpcap's separate data connection is
# not carried by this single tunnel, so prefer the pipes below.
ssh -C -L 2002:localhost:2002 user@remote_machine

# Using tcpdump and piping to Wireshark (-U flushes every packet so the live
# view updates, -s0 keeps whole packets, 'not port 22' keeps the SSH session
# out of its own capture; sudo must not prompt for a password here):
ssh user@remote_machine "sudo tcpdump -U -s0 -w - 'not port 22'" | wireshark -k -i -

# Windows with Plink (PuTTY Link): authenticate with a key rather than -pw,
# which would expose the password in the process list and command history
# (key.ppk stands for your private key file):
plink.exe -ssh -i key.ppk -batch username@remote_machine "dumpcap -P -i \"Ethernet\" -w - -f \"not port 22\"" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
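All three pipelines above share one weakness: if the remote side prints an error instead of a capture (a sudo password prompt, a wrong interface name, dumpcap not installed), that text is fed straight into Wireshark, which then fails with an unhelpful message. The wrapper below, an added example for this article and not part of Wireshark, dumpcap or tcpdump, builds the remote command with the SSH port excluded, checks the first four bytes of the stream against the pcap and pcapng magic numbers, and only then starts Wireshark. It assumes key-based SSH login, sudo without a password prompt for the capture tool on the remote host, and wireshark on the local PATH; the user@host and interface names are whatever you pass in.

```python
#!/usr/bin/env python3
"""
sshcap.py: stream a remote capture into a local Wireshark over SSH.

Added example for this article; not part of Wireshark, dumpcap or
tcpdump. Assumptions: key-based SSH login (BatchMode, so no password
prompts), dumpcap or tcpdump on the remote host runnable via sudo
without a password prompt, and 'wireshark' on the local PATH.
"""
import shlex
import subprocess
import sys

# First four bytes of the stream tell us whether the remote side really
# started a capture or just printed an error (sudo prompt, "command not
# found", permission denied) that would otherwise be fed to Wireshark.
CAPTURE_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}


def capture_format(first4):
    """Return the capture file format for the first 4 bytes, or None."""
    return CAPTURE_MAGICS.get(bytes(first4))


def remote_command(iface, exclude_port=22, tool="dumpcap"):
    """Command executed on the remote host. The filter excludes the SSH
    session itself; without it the capture records its own transport and
    grows with every packet it sends."""
    bpf = "not port %d" % exclude_port
    if tool == "dumpcap":
        # -P writes pcap rather than pcapng; -w - sends it to stdout
        return "sudo dumpcap -P -i %s -w - -f %s" % (shlex.quote(iface), shlex.quote(bpf))
    if tool == "tcpdump":
        # -U flushes per packet so Wireshark updates live; -s 0 keeps whole packets
        return "sudo tcpdump -U -s 0 -i %s -w - %s" % (shlex.quote(iface), shlex.quote(bpf))
    raise ValueError("unsupported tool: %s" % tool)


def stream(host, iface, tool="dumpcap", exclude_port=22):
    """Run ssh, validate the stream header, then hand the stream to Wireshark."""
    ssh = subprocess.Popen(
        ["ssh", "-o", "BatchMode=yes", host, remote_command(iface, exclude_port, tool)],
        stdout=subprocess.PIPE)
    head = ssh.stdout.read(4)          # blocks until 4 bytes or EOF
    fmt = capture_format(head)
    if fmt is None:
        ssh.terminate()
        sys.exit("remote side did not start a capture (first bytes %r); "
                 "check sudo, the tool and the interface name on %s" % (head, host))
    print("receiving %s from %s:%s" % (fmt, host, iface), file=sys.stderr)
    ws = subprocess.Popen(["wireshark", "-k", "-i", "-"], stdin=subprocess.PIPE)
    try:
        ws.stdin.write(head)
        while True:
            chunk = ssh.stdout.read1(65536)   # whatever is available, no waiting for a full buffer
            if not chunk:
                break
            ws.stdin.write(chunk)
            ws.stdin.flush()
    except BrokenPipeError:
        pass   # Wireshark was closed; stop the remote capture below
    finally:
        ssh.terminate()
        try:
            ws.stdin.close()
        except BrokenPipeError:
            pass
        ws.wait()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: sshcap.py user@host IFACE [dumpcap|tcpdump]")
    stream(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else "dumpcap")
```

Usage is `sshcap.py user@remote_machine eth0` or `sshcap.py user@remote_machine eth0 tcpdump`. The header check is the part worth keeping even if you go back to a one-line pipe: `ssh ... | head -c 4 | xxd` before `| wireshark -k -i -` shows immediately whether the remote side is producing pcap data or an error message.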

Always remember:

  • Use a VPN or an SSH tunnel when capturing over public networks; plain rpcap is unencrypted
  • Restrict access to the rpcapd service with firewall rules scoped to the analyst's address
  • Use a dedicated low-privilege account for rpcapd password authentication rather than an administrator's
  • Encrypt sensitive capture sessions with SSH