How to Capture Network Packets Remotely with Wireshark and rpcapd
This guide explains how to set up remote packet capture using Wireshark and the rpcapd service, covering software installation, network requirements, enabling the remote daemon, and configuring Wireshark for real‑time analysis of high‑frequency traffic on devices with limited resources.
Overview
When using Wireshark for packet analysis, capturing packets locally on a remote device and then transferring the file to a workstation is inconvenient and prevents real‑time analysis. This approach also risks performance impact on the target device and can cause service interruptions.
How to Use Remote Capture
1. Software Installation
Install rpcapd.exe on the target (controlled) computer. This program is part of the WinPcap suite and provides a remote capture service. On the controlling computer, install the standard Wireshark package.
Rpcapd runs as a service listening on TCP port 2002 and supports encryption and authentication.
2. Network Requirements
Ensure network connectivity between the server (target) and client (controller).
Open TCP port 2002 on any firewalls between the two hosts.
Note: Recent Wireshark versions ship with Npcap, which does not include the rpcapd component. After installing Wireshark you must uninstall Npcap, install WinPcap manually, and reboot the machine.
Download WinPcap from: https://www.winpcap.org/install/
3. Enable Remote Capture
Locate the rpcapd.exe executable in the WinPcap installation directory and run the following command in a command prompt:

rpcapd.exe -n

The -n switch starts rpcapd with null authentication, so clients connect without a password. Restrict which hosts can reach the service (firewall rules and appropriate rpcapd security settings) before using it in a production environment.
4. Wireshark Configuration
In Wireshark, add a new remote capture interface by specifying the target machine’s IP address and the rpcapd port (default 2002). The original article illustrates these configuration steps with screenshots.
After entering the target IP and port, Wireshark will begin capturing packets directly from the remote network interface, allowing real‑time analysis.
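As an added example that is not part of the original article, the following PowerShell script carries out the server-side part of steps 2 and 3 on the target Windows host with the exposure kept to a minimum: the firewall opening for TCP 2002 is limited to a single analyst workstation and to the rpcapd.exe binary, and the -n (null authentication) option from step 3 is paired with rpcapd's -l host allow-list so that only that workstation can open a session. The WinPcap install path, the analyst address 192.0.2.50 and the allow-list file location are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the original article.
# Run in an elevated PowerShell on the target (controlled) host after WinPcap is installed.
# Assumptions (placeholders):
#   - WinPcap installed to the default directory below
#   - the analyst workstation is 192.0.2.50 (RFC 5737 documentation address)
$RpcapdPath  = 'C:\Program Files (x86)\WinPcap\rpcapd.exe'   # assumed install path
$AnalystHost = '192.0.2.50'                                   # assumed client address
$Port        = 2002                                           # rpcapd default port
$HostList    = "$env:ProgramData\rpcapd-allowed-hosts.txt"   # assumed allow-list path

# Step 1 check: the remote capture daemon must actually be present (Npcap does not ship it).
if (-not (Test-Path $RpcapdPath)) {
    throw "rpcapd.exe not found at $RpcapdPath; install WinPcap first (see step 1)."
}

# Step 2: open TCP 2002 inbound, but only from the analyst workstation and only for
# rpcapd.exe, instead of exposing the capture service to the whole network.
New-NetFirewallRule -DisplayName 'rpcapd remote capture (analyst only)' `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AnalystHost -Program $RpcapdPath -Action Allow | Out-Null

# Step 3: start rpcapd. "-n" permits null authentication (no password), as in the
# article; "-l <file>" limits connections to the hosts listed in the file, one per line,
# so an unauthenticated session is only possible from the analyst workstation.
Set-Content -Path $HostList -Value $AnalystHost
Start-Process -FilePath $RpcapdPath -ArgumentList "-n -l `"$HostList`"" -WindowStyle Hidden

# Verify from the server side that the daemon is listening where Wireshark will look for it.
Start-Sleep -Seconds 2
$listening = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listening) { throw "rpcapd is not listening on TCP $Port" }
Write-Host "rpcapd listening on TCP $Port; allowed client: $AnalystHost"
```

From the analyst workstation, Test-NetConnection -ComputerName <target IP> -Port 2002 confirms the port is reachable through any intermediate firewalls before the remote interface is added in Wireshark (step 4); Wireshark names such interfaces with the rpcap://host:port/ scheme followed by the remote adapter name. If the script leaves rpcapd running on a production host, stop the process and remove the firewall rule with Remove-NetFirewallRule -DisplayName 'rpcapd remote capture (analyst only)' once the capture session is finished.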
Conclusion
Remote packet capture with Wireshark and rpcapd is especially useful in automated pipelines, high‑density traffic, or voice/video streaming scenarios where immediate analysis is required. It enables remote engineers to perform online troubleshooting without physically accessing the device, supports multiple simultaneous analysts, and avoids disrupting the production environment.
JD Tech Talk
Official JD Tech public account delivering best practices and technology innovation.