pawelko.net

  1. Accueil
  2. Linux

Rpcapd for Linux : Remote sniffing with ethereal/wireshark

Le 06-02-07 à 20:49, par Cyril Pawelko Permalien.
dans Linux.

rpcapd is a deamon that captures traffic on a host, and is able to send it to a remote network sniffer, as ethereal.

It's included with recent winpcap releases, so running it on windows is very easy : it's located in C:\program files\winpcap

It's more tricky for linux : rpcapd should compile and work under linux, but I had to remove parts of windows-related code that prevented correct compilation.

Remote linux sniffer :

  • Download rpcapd.gz for linux, statically compiled for linux/i386
  • Gunzip and run as root : ./rpcapd -n

Local Windows ethereal :

  • Install winpcap 4.0
  • Install Wireshark 0.99
  • Go to "Capture Options" and specify remote host : rpcap://remotehost/remoteif
  • Start sniffing

It's a always good idea to use a capture filter to exclude traffic between local and remote host.

Example with windows 192.168.50.25 remotely sniffing from linux 192.168.50.38:

Update: Do the same without rpcapd Update 2 : Compile your own version, download for other archs here