How to Capture Network Packets Remotely with Wireshark and rpcapd
This guide explains why local packet captures can be impractical for real‑time analysis, then walks through installing rpcapd, configuring network requirements, launching the remote capture service, and setting up Wireshark to capture traffic from a distant machine.
Overview
Remote packet capture with Wireshark avoids transferring pcap files and enables real‑time analysis on low‑performance or time‑critical devices.
Software installation
On the remote (target) machine install rpcapd.exe from the WinPcap package. On the local (controlling) machine install Wireshark. Recent Wireshark versions bundle Npcap, which does not contain the rpcapd component; therefore uninstall Npcap, install WinPcap, and reboot the remote host.
Download WinPcap from https://www.winpcap.org/install/
Network requirements
Open TCP port 2002 on any firewalls between client and server and ensure network connectivity. The service listens on this port and supports optional encryption and authentication.
Start remote capture service
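From a command prompt on the remote host, navigate to the WinPcap installation directory and run:
    rpcapd.exe -n
The -n flag permits null authentication, so the daemon accepts clients without a username or password. Any machine that can reach TCP port 2002 on the remote host can then capture its traffic, so limit that port to the analyst's workstation.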
Configure Wireshark
In Wireshark open Capture Options, select the Remote tab, and enter the remote host IP address and port 2002. Click “Start” to begin live capture.
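The remote-host steps from "Network requirements" and "Start remote capture service" can be scripted so that port 2002 is reachable only from the analyst's workstation while rpcapd runs with -n. This is an added example, not part of the original guide; the analyst address, the rule name and the WinPcap install path are assumptions to adjust.

```powershell
# Run in an elevated PowerShell session on the remote (target) host.
# Assumed values, not from the original guide:
$AnalystIp  = '192.0.2.10'                                   # constructed example address of the Wireshark machine
$RpcapdPath = 'C:\Program Files (x86)\WinPcap\rpcapd.exe'    # assumed default WinPcap install path
$RuleName   = 'rpcapd remote capture (analyst only)'         # hypothetical rule name

# 1. List inbound allow rules that already cover rpcapd.exe. A broader rule
#    (RemoteAddress = Any) would defeat the scoped rule created below.
Get-NetFirewallApplicationFilter -Program $RpcapdPath -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }

# 2. Allow TCP 2002 inbound to rpcapd.exe from the analyst's address only.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 2002 `
    -Program $RpcapdPath -RemoteAddress $AnalystIp | Out-Null

# 3. Start the daemon with null authentication, as in the guide.
$daemon = Start-Process -FilePath $RpcapdPath -ArgumentList '-n' -PassThru

# 4. Confirm the listener on port 2002 belongs to the process just started.
Start-Sleep -Seconds 2
$listener = Get-NetTCPConnection -LocalPort 2002 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning 'Nothing is listening on TCP 2002; rpcapd did not start.'
} elseif ($listener.OwningProcess -notcontains $daemon.Id) {
    Write-Warning 'TCP 2002 is owned by a different process than the rpcapd just launched.'
} else {
    Write-Output "rpcapd (PID $($daemon.Id)) listening on 2002, allowed from $AnalystIp only."
}

# 5. When the capture session is over, stop the daemon and remove the rule
#    so an unauthenticated capture service is not left running.
Read-Host 'Press Enter to stop rpcapd and remove the firewall rule'
Stop-Process -Id $daemon.Id -ErrorAction SilentlyContinue
Remove-NetFirewallRule -DisplayName $RuleName
```

From the analyst's machine, `Test-NetConnection <remote host> -Port 2002` should succeed, and the same test from any other host should fail.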
Caveats
Npcap must be removed because it lacks the rpcapd component.
WinPcap must be installed on the remote host; the service runs under the account that starts it.
Network latency can affect capture responsiveness.
Use cases
Remote capture is suitable for automated pipelines, high‑throughput traffic, voice/video streams, and any scenario where on‑site engineers need to reproduce issues while remote analysts perform live analysis.
JD Cloud Developers
