Remote capture not working
Opened this issue · 7 comments
I have successfully compiled this version of rpcapd against system libpcap on Ubuntu 17.04 and am trying to make it talk to dumpcap (apt-get installed), but dumpcap just never receives any packets and rpcapd keeps trying but never connects.
I am trying everything on localhost here, i.e. dumpcap as well as rpcapd.
$ ./rpcapd -n -4 -a 10.128.0.4,2003 -l 10.128.0.4
Connecting to host 10.128.0.4, port 2003, using protocol IPv4
Is the server properly installed on 10.128.0.4? connect() failed: Connection refused (code 111)
Error connecting to host 10.128.0.4, port 2003, using protocol IPv4
And dumpcap is just stuck here without any progress:
$ sudo dumpcap -i 'TCP@10.128.0.4:2003'
Capturing on 'TCP@10.128.0.4:2003'
How do I test this version of rpcapd, or does it just work with ExtraHop software?
I would suggest you swap the order here: run dumpcap first, then rpcapd. Also drop the -l 10.128.0.4 argument, since that instructs rpcapd to run in "server" mode. You may also want to add a -i interface.
Getting the right combination of arguments can be tricky! Use rpcapd -h to see them all explained.
The arguments I have used for debugging would look like this (with your IP inserted):
sudo /opt/extrahop/sbin/rpcapd -n -v -S -a "10.128.0.4,2003"
Press CTRL + C to stop the server...
Connecting to host 10.128.0.4, port 2003, using protocol Unspecified
Opening 'rpcap://tunl0'
pcap_set_buffer_size(16777216)
Connecting UDP packet data socket to 10.128.0.4:2003
setting IP_RECVERR to 1
IP_RECVERR is set to 1
Ready to forward packets in single-threaded mode
ifrecv=0 (0) TotCapt=0 (0) krnldrop=0 0% (0 0%) ifdrop=0 (0)
...
sent=0 (0) sentbytes=0 (0) eagain=0 (0 sleep) enobufs=0 (0 sleep) senderr=0
max_dispatch=0 max_caplen=0 read_timeout=0
^CKilled
Are we running the same version of rpcapd? I tried the command line for localhost this time:
$ sudo rpcapd -n -v -S -a "127.0.0.1,2003"
rpcapd: invalid option -- 'S'
Press CTRL + C to stop the server...
Connecting to host 127.0.0.1, port 2003, using protocol Unspecified
Is the server properly installed on 127.0.0.1? connect() failed: Connection refused (code 111)
Error connecting to host 127.0.0.1, port 2003, using protocol Unspecified
Even -i is not recognized:
sudo rpcapd -n -v -S -i ens4 -a "127.0.0.1,2003"
rpcapd: invalid option -- 'S'
rpcapd: invalid option -- 'i'
Press CTRL + C to stop the server...
Connecting to host 127.0.0.1, port 2003, using protocol Unspecified
Is the server properly installed on 127.0.0.1? connect() failed: Connection refused (code 111)
Error connecting to host 127.0.0.1, port 2003, using protocol Unspecified
And it still doesn't connect to dumpcap, which is trying to listen on 2003 on 127.0.0.1.
Sorry, ignore my last 2 comments. Those options are good, but I still run into the same issues. Is any specific version of dumpcap or libpcap required at both ends?
And how are you running dumpcap? I am assuming you are also testing it using dumpcap.
How do I test this version of rpcapd, or does it just work with ExtraHop software?
According to the README of this repo, this rpcapd is customized for ExtraHop, and I believe it is meant to only run in active mode. Not sure if it runs in passive mode as well. It is unfortunate, I think, that the ExtraHop sensor software (the rpcap active-mode client) is not open source.
To my knowledge, Wireshark, tshark, dumpcap, tcpdump all use passive mode for "rpcap://" protocol. There is no known public open source active mode rpcap client available. Any active mode ones are either custom in-house tools, or obsolete and not available anymore, e.g. from https://www.winpcap.org/docs/docs_412/html/group__remote.html
Analyzer (http://analyzer.polito.it/30alpha/) has a set of commands (in the Capture menu) that allows you to accept a remote connection and then start the capture on the remote device. Currently, Analyzer is the only tool that is able to work in active mode, since it requires some modifications to the application code.
As such, if passive mode were supported, you would connect to it with dumpcap as follows:
dumpcap -i rpcap://10.128.0.4:2003
and you would normally run rpcapd like ./rpcapd -n -b 10.128.0.4 -p 2003
This is based on the syntax of the latest rpcapd, which is now under the libpcap project.
I'm not aware whether trying to connect via TCP with dumpcap (or Wireshark/tshark/tcpdump) would work, because you need to follow the rpcap protocol defined by "rpcap://". You can skip the "rpcap://" part if going through the Wireshark GUI as that handles it behind the scenes for you and returns a list of remote interfaces prepended with "rpcap://".
Given you mention libpcap already, if trying this today you can try everything from the libpcap source code itself, as rpcapd is bundled there already; this repo here is not necessary unless you want to test stuff specific to active mode or the customizations ExtraHop has made as per their README.