Support remote capture on Linux devices

[tyunkinilya]

I am using latest version of PcapPlusPlus, built with vs2019 (windows machine). I am also using the latest version of libpcap (https://github.com/the-tcpdump-group/libpcap), compiled with --enable-remote (linux machine). So using wireshark (win) I can succesfully connect to rpcapd on linux and get traffic from it. I have modified the TcpReassembly example for remote capture interface, by adding the following code

IPv4Address remoteDeviceIPAddr(remoteIP);
PcapRemoteDeviceList* remoteDevices;
if (remoteLogin != "")
{
    PcapRemoteAuthentication remoteAuth(remoteLogin, remotePassword);
    remoteDevices = PcapRemoteDeviceList::getRemoteDeviceList(&remoteDeviceIPAddr, remotePort, &remoteAuth);
}
else
{
    remoteDevices = PcapRemoteDeviceList::getRemoteDeviceList(&remoteDeviceIPAddr, remotePort);
}
printf("Remote devices list:\n");
for (PcapRemoteDeviceList::RemoteDeviceListIterator remoteDevIter = remoteDevices->begin(); remoteDevIter != remoteDevices->end(); remoteDevIter++)
{
    printf("\t%s\n", (*remoteDevIter)->getName());
}

if (interfaceNameOrIP == "")
    EXIT_WITH_ERROR("Interface (-i name or ip) wasn't provided");

PcapRemoteDevice* pRemoteDevice = remoteDevices->getRemoteDeviceByIP(&remoteDeviceIPAddr);
if (pRemoteDevice == NULL)
    EXIT_WITH_ERROR("Couldn't find interface by provided IP");

printf("MTU: %d\n", pRemoteDevice->getMtu());
if (pRemoteDevice->getDeviceType() == PcapLiveDevice::RemoteDevice)
    printf("That is remote device\n");

doTcpReassemblyOnLiveTraffic(pRemoteDevice, tcpReassembly, bpfFilter);

Remote devices list:
        rpcap://[192.168.56.103]:2002/eth0
        rpcap://[192.168.56.103]:2002/eth1
        rpcap://[192.168.56.103]:2002/any
        rpcap://[192.168.56.103]:2002/lo
        rpcap://[192.168.56.103]:2002/docker0
        rpcap://[192.168.56.103]:2002/bluetooth-monitor
        rpcap://[192.168.56.103]:2002/nflog
        rpcap://[192.168.56.103]:2002/nfqueue

With this code I am connecting to the rpcapd and retrieving interfaces list, but when i am trying to capture traffic, no matter what interface I specify, I don't receive anything. Is there any way to fix it? Or may be you have some example code?

[seladb]

Just to make sure: are you running rpcapd on Linux and trying to connect to it from Windows? I'm not sure I've ever tried that. Are you sure the remote capture protocol used in WinPcap is compatible with the one used in Linux?

[tyunkinilya]

Yes, you are right. And I am sure that it is possible, because I double checked the connection using wireshark. And actually it is even possible to connect from linux wireshark to linux rpcapd, if using this guide Proof: UPD: I also checked connection, using rebuilt wireshark on linux. It works as well.

May I requests a feature of using remote capture on linux, not only on windows? :)

[seladb]

There are multiple things I'd check:

• Does it work when you run rpcapd locally on your Windows machine?
• Does it work when you run rpcapd remotely on another Windows machine?
• Could be be some permissions issue?

[seladb]

@tyunkinilya is it working for you now?

[tyunkinilya]

After testing on Windows, I have found an error in my code above, now it works perfectly, thank you! (pcapplusplus on windows, rpcapd on linux or windows) But can you mark this as feature request (Support rpcap on linux)? There is an implementation of rpcap protocol in libpcap, so I guess its possible.

[seladb]

Thanks @tyunkinilya for the info! I've just created a feature request from this issue.

If you have some time, I'd really appreciate if you can work on this. I can provide the support you may need.

[tyunkinilya]

I've managed to make it work on linux, that was as easy as removing if defined(WIN32) and rewriting only one function -> getStatistics. But now I have a problem with conflicting versions of libpcap - it will work only with the latest build from libpcap. How can I build pcapplusplus with a custom(?) way to libpcap or specific libpcap version? I didn't manage to resolve this issue and deleted all other libpcap version, leaving the one from github intact, that worked, but it's not the cool way, as I have to reinstall wireshark, tcpdump and so on.

[seladb]

That's great news! thanks for working on that!

What I'd suggest is the following:

• Run make clean for PcapPlusPlus
• Remove all libpcap versions from your machine
• Build libpcap from source and install it on your machine
• Build PcapPlusPlus again

That should do the trick. Please let me know if it works

[tyunkinilya]

To make it clear - I've done exactly these actions.

Run make clean for PcapPlusPlus Remove all libpcap versions from your machine Build libpcap from source and install it on your machine Build PcapPlusPlus again

And it was working. But I don''t like this item: Remove all libpcap versions from your machine, cause it will automatically remove all packages, that depend on older versions of libpcap. I'd like to find the way to compile PcapPlusPlus with the newest libpcap, while leaving older versions intact.

[seladb]

PcapPlusPlus supports LDFLAGS so if you define the specific version using LDFLAGS that should do the trick

[seladb]

I've managed to make it work on linux, that was as easy as removing if defined(WIN32) and rewriting only one function -> getStatistics

Would you mind contributing your code to the main repo?

[tyunkinilya]

Would be cool if you could check commits in my forked repo and integrate them properly to your project. Or should I create a pull commit?

[seladb]

if you can create a PR that would be great. After all, you did the work, you should get the credit 😄

[seladb]

Do you know in which version of libpcap remote capture was introduced?

[seladb]

Closing this issue for now, please reopen it if needed