ExtraHop / rpcapd

ExtraHop Networks' Packet Forwarder, forked from Wireshark's RPCAPD

Remote capture not working #2

Open gabdu opened 7 years ago

gabdu commented 7 years ago

I have successfully compiled this version of rpcapd against the system libpcap on Ubuntu 17.04 and am trying to make it talk to dumpcap (installed with apt-get), but dumpcap just never receives any packets and rpcapd keeps trying but never connects.

I am trying everything on localhost here, i.e. dumpcap as well as rpcapd.

$ ./rpcapd -n -4 -a 10.128.0.4,2003 -l 10.128.0.4
Connecting to host 10.128.0.4, port 2003, using protocol IPv4
Is the server properly installed on 10.128.0.4?
connect() failed: Connection refused (code 111)
Error connecting to host 10.128.0.4, port 2003, using protocol IPv4

And dumpcap is just stuck here without any progress:

$ sudo dumpcap -i 'TCP@10.128.0.4:2003'
Capturing on 'TCP@10.128.0.4:2003'

How do I test this version of rpcapd, or does it just work with ExtraHop software?

mf69 commented 7 years ago

I would suggest you swap the order here: run dumpcap first, then rpcapd. Also drop the -l 10.128.0.4 argument, since that instructs rpcapd to run in "server" mode. You may also want to add a -i interface.

Getting the right combination of arguments can be tricky! Use rpcapd -h to see them all explained.

The arguments I have used for debugging would look like this (with your IP inserted)...

sudo /opt/extrahop/sbin/rpcapd -n -v -S -a "10.128.0.4,2003"
Press CTRL + C to stop the server...
Connecting to host 10.128.0.4, port 2003, using protocol Unspecified
Opening 'rpcap://tunl0'
pcap_set_buffer_size(16777216)
Connecting UDP packet data socket to 10.128.0.4:2003
setting IP_RECVERR to 1
    IP_RECVERR is set to 1
Ready to forward packets in single-threaded mode
ifrecv=0 (0) TotCapt=0 (0) krnldrop=0 0% (0 0%) ifdrop=0 (0)
...
sent=0 (0) sentbytes=0 (0) eagain=0 (0 sleep) enobufs=0 (0 sleep) senderr=0
    max_dispatch=0 max_caplen=0 read_timeout=0
^CKilled

gabdu commented 7 years ago

Are we running the same version of rpcapd? I tried the command line for localhost this time:

$ sudo rpcapd -n -v -S -a "127.0.0.1,2003"
rpcapd: invalid option -- 'S'
Press CTRL + C to stop the server...
Connecting to host 127.0.0.1, port 2003, using protocol Unspecified
Is the server properly installed on 127.0.0.1?
connect() failed: Connection refused (code 111)
Error connecting to host 127.0.0.1, port 2003, using protocol Unspecified

gabdu commented 7 years ago

Even -i is not recognized:

sudo rpcapd -n -v -S -i ens4 -a "127.0.0.1,2003"
rpcapd: invalid option -- 'S'
rpcapd: invalid option -- 'i'
Press CTRL + C to stop the server...
Connecting to host 127.0.0.1, port 2003, using protocol Unspecified
Is the server properly installed on 127.0.0.1?
connect() failed: Connection refused (code 111)
Error connecting to host 127.0.0.1, port 2003, using protocol Unspecified

And it still doesn't connect to dumpcap, which is trying to listen on 2003 on 127.0.0.1.

gabdu commented 7 years ago

Sorry, ignore my last 2 comments. Those options are good, but I still run into the same issues. Is any specific version of dumpcap or libpcap required at both ends?

gabdu commented 7 years ago

And how are you running dumpcap? I am assuming you are also testing it using dumpcap.

maehmo commented 4 years ago

@gabdu, are you still interested in making the above dumpcap arrangement work?

daluu commented 8 months ago

How do I test this version of rpcapd, or does it just work with ExtraHop software?

According to the README of this repo, this rpcapd is customized for ExtraHop, and I believe it is meant to only run in active mode. Not sure if it runs in passive mode as well. It is unfortunate, I think, that the ExtraHop sensor software (the rpcap active-mode client) is not open source.

To my knowledge, Wireshark, tshark, dumpcap and tcpdump all use passive mode for the "rpcap://" protocol. There is no known public open-source active-mode rpcap client available. Any active-mode ones are either custom in-house tools, or obsolete and no longer available, e.g. from https://www.winpcap.org/docs/docs_412/html/group__remote.html

Analyzer (http://analyzer.polito.it/30alpha/) has a set of commands (in the Capture menu) that allows you to accept a remote connection and then start the capture on the remote device. Currently, Analyzer is the only tool that is able to work in active mode, since it requires some modifications to the application code.

As such, if passive mode were supported, you would connect to it with dumpcap as follows:

dumpcap -i rpcap://10.128.0.4:2003

and you would normally run rpcapd like ./rpcapd -n -b 10.128.0.4 -p 2003. This is based on the syntax of the latest rpcapd, which is now under the libpcap project.

I'm not aware whether trying to connect via TCP with dumpcap (or Wireshark/tshark/tcpdump) would work, because you need to follow the rpcap protocol defined by "rpcap://". You can skip the "rpcap://" part if going through the Wireshark GUI as that handles it behind the scenes for you and returns a list of remote interfaces prepended with "rpcap://".

Given you mention libpcap already, if trying this today you can try everything from the libpcap source code itself, as rpcapd is bundled there already; this repo is not necessary unless you want to test things specific to active mode or the customizations ExtraHop has made, as described in their README.
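Added example, not code from this repository, libpcap or any commenter: the first exchange on a fresh rpcap control session, encoded and decoded in Python from the header and authentication layouts in libpcap's rpcap-protocol.h (the constant names are libpcap's; the function names are my own). In libpcap's protocol the capture client sends AUTH_REQ first in both modes daluu describes, and only who dials whom differs; ExtraHop's fork may deviate from that. The -n flag in the commands above permits NULL authentication, which the parser shows to be a request carrying no credentials at all, so reachability of the port becomes the only access control. The error code and message used in the test are constructed.

```python
import struct

RPCAP_VERSION = 0
RPCAP_MSG_IS_REPLY = 0x80
RPCAP_MSG_ERROR = 1
RPCAP_MSG_AUTH_REQ = 8
RPCAP_MSG_AUTH_REPLY = RPCAP_MSG_AUTH_REQ | RPCAP_MSG_IS_REPLY
RPCAP_RMTAUTH_NULL = 0      # what "rpcapd -n" permits: no credentials at all
RPCAP_RMTAUTH_PWD = 1
HDR = struct.Struct("!BBHI")    # libpcap header: ver, type, value, plen (big-endian)
AUTH = struct.Struct("!HHHH")   # auth payload: type, dummy, slen1 (user), slen2 (password)

def build_auth_request(username=None, password=None):
    # Client side: first message sent once the TCP session exists (either mode).
    if username is None:
        body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    else:
        user, pwd = username.encode(), (password or "").encode()
        body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(user), len(pwd)) + user + pwd
    return HDR.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body

def build_reply(ok, errcode=0, errmsg=""):
    # Daemon side: empty AUTH_REPLY on success, else an ERROR carrying a text reason.
    if ok:
        return HDR.pack(RPCAP_VERSION, RPCAP_MSG_AUTH_REPLY, 0, 0)
    text = errmsg.encode()
    return HDR.pack(RPCAP_VERSION, RPCAP_MSG_ERROR, errcode, len(text)) + text

def parse_message(buf):
    # Split one message into (ver, type, value, payload); refuse truncated buffers.
    if len(buf) < HDR.size:
        raise ValueError("short header")
    ver, mtype, value, plen = HDR.unpack_from(buf)
    if len(buf) < HDR.size + plen:
        raise ValueError("truncated payload")
    return ver, mtype, value, buf[HDR.size:HDR.size + plen]

def parse_auth_request(buf):
    # Daemon side: what the peer offers; NULL auth carries no credentials at all.
    ver, mtype, _, payload = parse_message(buf)
    if ver != RPCAP_VERSION or mtype != RPCAP_MSG_AUTH_REQ:
        raise ValueError("not an rpcap v0 auth request")
    atype, _dummy, slen1, slen2 = AUTH.unpack_from(payload)
    creds = payload[AUTH.size:]
    if len(creds) != slen1 + slen2:
        raise ValueError("credential lengths do not match payload")
    if atype == RPCAP_RMTAUTH_NULL:
        return ("null", None, None)
    return ("password", creds[:slen1].decode(), creds[slen1:].decode())
```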