nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap rpcapd SERVER support #74

Open kevinboulain opened 5 years ago

kevinboulain commented 5 years ago

Hi there,

I gave rpcapd a try (via WinPCAP on Windows and libpcap master on Linux) and it seemed to fit our usage nicely. It seems broken (it probably worked one time out of ten, and when it doesn't it reports some number of packets but won't forward them) on Windows 2016 (and probably Windows 10 from some reports I saw) but works fine on Windows 2012.

I quickly looked at different mailing lists & issues trackers hoping the problem was already reported or known and I stumbled on npcap.

WinPCAP seems frozen and I don't have much hope of making it work out of the box without probably having to debug/recompile it (and I'll probably have issues later since I won't be able to sign it? I'm not well versed in Windows development, sorry :)). Installing npcap in WinPCAP compatibility mode will make rpcapd.exe simply quit immediately, and there doesn't seem to be an rpcapd server embedded with npcap.

Do you have any plans to provide rpcapd (which is now available from libpcap with configure --enable-remote) and the corresponding service or do you have any clue why npcap's compatibility mode seems to make rpcapd.exe from WinPCAP exit?

Thanks!

Regards.

dmiller-nmap commented 5 years ago

We haven't done much testing with rpcapd, so I'm not surprised that there are some bugs there. Since the-tcpdump-group/libpcap has taken ownership of the rpcap source, it would be most appropriate to file issues there if the client code (libpcap or Npcap communicating with a correctly-functioning rpcapd.exe) has problems.

I will take a look at running WinPcap's rpcapd.exe under Npcap and see if I can identify why that's not working. That may very well be a Npcap bug, though we do not encourage the use of WinPcap API-compatibility mode if it can be avoided.

A future Npcap release may ship with a rpcapd service, but for now, it's not in our immediate plans. For this reason, I'm using the 'enhancement' label instead of the 'bug' label.

kevinboulain commented 5 years ago

Thanks for taking a look, I understand the priority so no worries.

To avoid any ambiguities I should probably have said that the following work fine:

The misbehaving part seems to be rpcapd.exe (or its dependencies) on Windows 2016.

I don't do anything special besides executing rpcapd -n on one machine and tcpdump (tested both TCP and UDP for data transport)/Wireshark on another.

I would gladly avoid using/recommending WinPCAP if Npcap was embedding a working rpcapd.exe since you have signed drivers and actually maintain the project, it's a no-brainer :)

EDIT: I would gladly test some stuff if you have some kind of list, it's just that I'm not accustomed/don't even have the minimum setup to do Windows development so it would probably take me a bit of time just to start digging where the problem could be :)

guyharris commented 5 years ago

I assume by "Windows 2016" you mean "Windows Server 2016"; at least if the "Windows Server 2016" Wikipedia page is to be believed, that's "Windows 10 Server", so this may be a Windows NT 10 issue.

The rpcapd source code in libpcap is changed from what's in the last WinPcap release (4.1.3); it has a bunch of changes to make it build "out of the box" on various UN*Xes, fix a protocol compatibility issue when running on Solaris (so the client and server, on Solaris, should be able to communicate with the server and client, respectively, on other OSes), and fix various other issues.

I don't know how Npcap builds the libpcap component, but if it uses CMake and builds with -DENABLE_REMOTE=YES, it should not only build Npcap with remote-capture support, but should also build rpcapd. That would produce an rpcapd built with the current rpcapd source.

I currently don't have a Windows 10 VM (and have a bunch of other stuff I'm juggling as well), so there's not much I can do right now to diagnose this problem.
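The CMake route described above, written out as an added example; this is not code from the thread or from the libpcap/Npcap projects. The SDK and source paths, the Visual Studio generator, the output directory layout, and the Packet_ROOT / ENABLE_REMOTE cache variables are assumptions about libpcap's CMake build that should be checked against the README.Windows document in the libpcap checkout being built:

```powershell
# Added example: build libpcap (and with it rpcapd) on Windows against the Npcap SDK.
# Assumptions: the Npcap SDK is unpacked at $SdkRoot, Visual Studio 2019 and CMake
# are installed, and libpcap's CMake build honours Packet_ROOT and ENABLE_REMOTE
# (verify both against doc/README.Windows.md in your libpcap checkout).
$SdkRoot = 'C:\npcap-sdk'          # assumed location of the Npcap SDK
$Src     = 'C:\src\libpcap'        # assumed libpcap checkout (1.9.1 or later, per the thread)
$Build   = Join-Path $Src 'build'

if (-not (Test-Path (Join-Path $SdkRoot 'Include\pcap.h'))) {
    throw "Npcap SDK not found under $SdkRoot"
}
New-Item -ItemType Directory -Force -Path $Build | Out-Null

# Configure: point libpcap at the SDK and request remote-capture support,
# which is what causes the rpcapd server to be built as well.
cmake -S $Src -B $Build -G 'Visual Studio 16 2019' -A x64 `
    -DPacket_ROOT="$SdkRoot" -DENABLE_REMOTE=YES
if ($LASTEXITCODE -ne 0) { throw 'cmake configure failed' }

cmake --build $Build --config Release
if ($LASTEXITCODE -ne 0) { throw 'cmake build failed' }

# Locate the resulting server binary (the exact subdirectory is an assumption).
$Rpcapd = Get-ChildItem -Path $Build -Recurse -Filter rpcapd.exe | Select-Object -First 1
if (-not $Rpcapd) { throw 'rpcapd.exe was not produced; check that ENABLE_REMOTE took effect' }
"Built: $($Rpcapd.FullName)"
```

The resulting rpcapd.exe links against wpcap.dll and Packet.dll from the installed Npcap, so it only runs on a machine where Npcap itself is installed; the build machine does not need to be the capture machine.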

guyharris commented 5 years ago

Note that nmap/nmap#1393 appears to be a separate issue - this issue is asking to have Npcap ship the server side of remote capture, i.e. the rpcapd daemon, while nmap/nmap#1393 is asking whether the client side of remote capture, i.e. the client code in libpcap, ships with Npcap's version of libpcap.

guyharris commented 5 years ago

Note: you should upgrade the version of libpcap that Npcap uses to 1.9.0 or later if you're going to support rpcapd; see nmap/nmap#1506.

Lamorale commented 4 years ago

Any updates for shipping a rpcapd service with npcap? Has anyone succeeded in building compatible npcap and rpcapd services from npcap sources?

JeromeMigne commented 4 years ago

We finally succeeded in building rpcapd over Npcap; a new pull request has been opened on the-tcpdump-group/libpcap: #866, to append the documentation needed to build rpcapd over Npcap for the Windows platform.

guyharris commented 4 years ago

> We finally succeeded in building rpcapd over Npcap; a new pull request has been opened on the-tcpdump-group/libpcap: #866, to append the documentation needed to build rpcapd over Npcap for the Windows platform.

I've updated the documentation myself to give details on how to build libpcap on Windows. The goal of that document isn't to tell people how to build rpcapd over Npcap, it's to tell them how to build libpcap in its entirety, including rpcapd with the Npcap (or WinPcap, if you need it for some reason) SDK; the document now provides that.

guyharris commented 4 years ago

> Note: you should upgrade the version of libpcap that Npcap uses to 1.9.0 or later if you're going to support rpcapd; see nmap/nmap#1506.

1.9.1 or later - some security fixes were made, including fixes to the remote capture code path.

guyharris commented 4 years ago

WinPcap installs, in C:\Program Files (x86)\WinPcap, rpcapd.exe.

Npcap should do so as well - the default libpcap build on Windows, with CMake, builds with remote capture support, including building rpcapd, so it should install it in, for example, C:\Program Files\Npcap.

chmorgan commented 3 years ago

Is it straightforward to update the installer to include rpcapd.exe? I'm testing the latest npcap version with SharpPcap and the remote tests started failing and found this issue. If I had a few pointers I could open a PR to include those files.

aslgithub commented 3 years ago

@guyharris @dmiller-nmap Is it possible to get rpcapd included in the npcap installer if it's being built, please? From Guy's comments it looks like the actual build was fixed in 2019. It would be great to move to npcap, but the lack of this support prevents this. Thanks!

daluu commented 3 months ago

FYI, I followed the instructions for building libpcap to get rpcapd, and the additional comments from Guy here are a bit helpful, but all that is still not enough to actually deploy rpcapd.

To at least run rpcapd -h without issue, you have to follow this guide: https://omnine.blogspot.com/2020/08/wireshark-remote-capture-with-rpcapd.html for the remaining steps. Note that you don't actually need to put rpcapd under Npcap folder, but I assume that's just by convention.

All that is necessary for the npcap installer to perform to replicate what the Winpcap installer used to do. And the registry step would be needed if we wish to replicate what Winpcap offered in automatically setting up rpcapd as a Windows service.
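The deployment steps the comment above says the installer no longer performs (placing rpcapd.exe, making the Npcap DLLs reachable, and registering the Windows service), as an added example that is not part of the thread or of either project's installer. Registering the service with New-Service is what creates the service's registry entry under HKLM\SYSTEM\CurrentControlSet\Services, so no hand-written registry step is needed. The source path, install directory, allow-list file and client address are placeholders; the rpcapd switches used (-d for service mode, -n for null authentication, -l for a host allow-list) and the default rpcap port 2002/tcp are taken from rpcapd's own usage text and libpcap's defaults:

```powershell
# Added example: deploy a locally built rpcapd.exe as a Windows service.
# Assumptions: rpcapd.exe was built against the Npcap SDK, Npcap is installed
# with its DLLs in C:\Windows\System32\Npcap (its default), and the paths,
# service name and allowed client address below are placeholders.
$Source     = 'C:\src\libpcap\build\rpcapd\Release\rpcapd.exe'   # assumed build output
$InstallDir = 'C:\Program Files\Npcap'                           # by convention only
$Allowed    = 'C:\ProgramData\rpcapd\hosts.txt'                  # assumed allow-list file
$ClientIP   = '192.0.2.10'                                       # placeholder capture client

# rpcapd.exe needs wpcap.dll and Packet.dll; Npcap's default install keeps
# them out of the generic search path, so add that directory to machine PATH.
$NpcapDll = 'C:\Windows\System32\Npcap'
$Path = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if ($Path -notmatch [regex]::Escape($NpcapDll)) {
    [Environment]::SetEnvironmentVariable('Path', "$Path;$NpcapDll", 'Machine')
}

New-Item -ItemType Directory -Force -Path $InstallDir, (Split-Path $Allowed) | Out-Null
Copy-Item $Source (Join-Path $InstallDir 'rpcapd.exe') -Force

# -n (null authentication) lets anyone who can reach the port start a capture
# of every interface, so pair it with -l (host allow-list) and a host firewall
# rule rather than exposing it to the whole network.
Set-Content -Path $Allowed -Value $ClientIP
$Exe = Join-Path $InstallDir 'rpcapd.exe'
$Cmd = "`"$Exe`" -d -n -l `"$Allowed`""

if (Get-Service -Name rpcapd -ErrorAction SilentlyContinue) {
    Stop-Service rpcapd -Force
    sc.exe delete rpcapd | Out-Null
}
New-Service -Name rpcapd -DisplayName 'Remote Packet Capture (rpcapd)' `
    -BinaryPathName $Cmd -StartupType Automatic | Out-Null

# Only the listed client may reach the default rpcap port (2002/tcp).
New-NetFirewallRule -DisplayName 'rpcapd' -Direction Inbound -Protocol TCP `
    -LocalPort 2002 -RemoteAddress $ClientIP -Action Allow | Out-Null

Start-Service rpcapd
Get-Service rpcapd
```

Run it from an elevated PowerShell prompt. From the allowed client, the server is then addressed as a capture source of the form rpcap://<server>/<interface>, where the interface name on Windows is the \Device\NPF_{...} name Npcap assigns; Wireshark's remote-interface dialog lists them. Because the thread's -n mode sends no credentials and, as the later comment notes, the shipped code has no TLS, the allow-list and firewall rule are the only things standing between the network and a full packet capture of the host, so treat the capture client's address as the security boundary.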

daluu commented 3 months ago

For consideration of this issue request, it would be nice if npcap project can consider https://github.com/nmap/npcap/issues/721 as well so that the included rpcapd would have TLS support, and that Wireshark then can also get TLS support on the rpcap client side, but I think it would require updates to Wireshark GUI codebase (and tshark/wireshark/dumpcap CLI codebase) to make use (or availability) of the TLS feature when available in the underlying libpcap/npcap dependency.