Archives par étiquette : rpcapd

Compiling rpcapd for linux

Several years ago, I compiled rpcapd for linux. To achieve it, I had to comment the win32 specific code, so it compiled on linux.

I recently tried to compile the latest version, and it doesn’t need modifications anymore to successfully compile.

Here is a quick howto, based on debian 5:

Install the required tools

 apt-get install bison flex

Download and unzip winpcap

 wget http://www.winpcap.org/install/bin/WpcapSrc_4_1_2.zip
 unzip WpcapSrc_4_1_2.zip
 cd winpcap/wpcap/libpcap
 chmod +x configure runlex.sh

Configure libpcap to compile statically…

 CFLAGS=-static ./configure

…and compile

 make
 cd rpcapd/

edit the Makefile and add -static to CFLAGS, and finally

 make

Downloads:

amd64: rpcapd-4.1.2-amd64.gz
i386: rpcapd-4.1.2-i386.gz

Rpcapd for Linux : Remote sniffing with ethereal/wireshark

rpcapd is a deamon that captures traffic on a host, and is able to send it to a remote network sniffer, as ethereal.

It’s included with recent winpcap releases, so running it on windows is very easy : it’s located in C:\program files\winpcap

It’s more tricky for linux : rpcapd should compile and work under linux, but I had to remove parts of windows-related code that prevented correct compilation.

Remote linux sniffer :

  • Download rpcapd.gz for linux, statically compiled for linux/i386 (this version will crash with recent Wireshark releases 1.12+)
  • Download from here
  • Gunzip and run as root : ./rpcapd -n

Local Windows ethereal :

  • Install winpcap 4.0
  • Install Wireshark 0.99
  • Go to « Capture Options » and specify remote host : rpcap://remotehost/remoteif
  • Start sniffing

It’s a always good idea to use a capture filter to exclude traffic between local and remote host.

Example with windows 192.168.50.25 remotely sniffing from linux 192.168.50.38:

rpcap

Or, with a recent Wireshark, click « Manage interfaces », add your host and select the desired interfaces.

 

Update: Do the same without rpcapd
Update 2 : Compile your own version, download for other archs here

Wireshark remote sniffing without rpcapd

Wireshark for windows

After reading my article about rpcapd, Peter Calum sent me this message:

I can not use rcapd because of the problem with the random chosen port for the data transfer, because of the FW between our office network and our technical network servers. Our wireshark collecting host is placed here.

But after some work I found another solution which works real fine : Pipe a tcpdump command on the collecting host back trough SSH.
I use plink.exe which comes with PuTTY

Make a command file with the tcpdump command :

tcpdump -s0 -w - -i eth0 not port 22

Run

plink.exe -ssh -pw mypassword root@192.168.1.10 -m commands.txt | "c:program fileswiresharkwireshark.exe" -k -i –

when you send the command wireshark starts up and shows the data … voila

Wireshark for linux

And from linux, just run :

ssh root@192.168.5.228 "tcpdump -w - host 192.168.5.219" | wireshark -k -i -