the-tcpdump-group / libpcap

the LIBpcap interface to various kernel packet capture mechanism
https://www.tcpdump.org/

Remote pcap : Version mismatch #622

Closed gabdu closed 6 years ago

gabdu commented 7 years ago

I am using the libpcap master branch, as mentioned in one of the very old tickets (which is supposed to have rpcapd support compiled in). I have compiled tcpdump with the master libpcap version and am using rpcapd out of the same tree/version.

I see that tcpdump and rpcapd exchange some info over sockets, but rpcapd complains as follows:

```
$sudo ./rpcapd -4 -n -v -a "127.0.0.1,2003"
Press CTRL + C to stop the server...
Connecting to host 127.0.0.1, port 2003, using protocol IPv4
I'm currently discarding data

The other endpoint sent a message that is not allowed here.
I'm currently discarding data

The other endpoint sent a message that is not allowed here.
```

What seems to be going wrong here? Any inputs will be highly appreciated.

Here is what tcpdump says:

```
18:22:32.657450 IP 172.17.0.2.2003 > 172.17.0.1.35600: Flags [P.], seq 1941715525:1941715533, ack 3132080727, win 311, options [nop,nop,TS val 738336720 ecr 738329452], length 8
        0x0000:  4500 003c 397d 4000 4006 a919 ac11 0002  E..<9}@.@.......
        0x0010:  ac11 0001 07d3 8b10 73bc 3a45 baaf c257  ........s.:E...W
        0x0020:  8018 0137 5854 0000 0101 080a 2c02 1fd0  ...7XT......,...
        0x0030:  2c02 036c 000d 0000 0000 0000            ,..l........
18:22:32.657751 IP 172.17.0.1.35600 > 172.17.0.2.2003: Flags [P.], seq 3132080727:3132080825, ack 1941715533, win 229, options [nop,nop,TS val 738336720 ecr 738336720], length 98
        0x0000:  4500 0096 af15 4000 4006 3327 ac11 0001  E.....@.@.3'....
        0x0010:  ac11 0002 8b10 07d3 baaf c257 73bc 3a4d  ...........Ws.:M
        0x0020:  8018 00e5 58ae 0000 0101 080a 2c02 1fd0  ....X.......,...
        0x0030:  2c02 1fd0 0001 0010 0000 0035 5468 6520  ,..........5The.
        0x0040:  5250 4341 5020 6461 656d 6f6e 2072 6563  RPCAP.daemon.rec
        0x0050:  6569 7665 6420 6120 6d65 7373 6167 6520  eived.a.message.
        0x0060:  7468 6174 2069 7320 6e6f 7420 7661 6c69  that.is.not.vali
        0x0070:  6400 0100 1100 0000 1d52 5043 4150 2076  d........RPCAP.v
        0x0080:  6572 7369 6f6e 206e 756d 6265 7220 6d69  ersion.number.mi
        0x0090:  736d 6174 6368                           smatch
18:22:32.703840 IP 172.17.0.2.2003 > 172.17.0.1.35600: Flags [.], ack 3132080825, win 311, options [nop,nop,TS val 738336732 ecr 738336720], length 0
        0x0000:  4500 0034 397e 4000 4006 a920 ac11 0002  E..49~@.@.......
        0x0010:  ac11 0001 07d3 8b10 73bc 3a4d baaf c2b9  ........s.:M....
        0x0020:  8010 0137 584c 0000 0101 080a 2c02 1fdc  ...7XL......,...
        0x0030:  2c02 1fd0
```

gabdu commented 7 years ago

Any inputs? Is this known to work?

guyharris commented 7 years ago

> Is this known to work?

The current tip of the master branch works for me.

If it doesn't work for you, please use Wireshark or TShark to analyze the traffic between the client and server, as it has a dissector for rpcap, and will show the details, rather than just hex bytes.
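Where a dissector is not at hand, the two TCP payloads in the hex dump from the report can be split into rpcap messages by reading the protocol's 8-byte common header (version, type, value, payload length, all big-endian). This is an added example, not part of the original thread or of libpcap; the function and constant names are illustrative, and the byte strings are copied from the dump above.

```python
import struct

# rpcap common header: ver (1 byte), type (1), value (2), plen (4), big-endian.
HEADER = struct.Struct("!BBHI")
MSG_ERROR = 1  # rpcap error message type; 'value' then carries the error code

# TCP payloads copied from the hex dump in the report, starting at offset 0x34
# (after the 20-byte IP header and the 32-byte TCP header).
FROM_PORT_2003 = bytes.fromhex("000d 0000 0000 0000")
FROM_PORT_35600 = bytes.fromhex(
    "0001 0010 0000 0035 5468 6520"
    "5250 4341 5020 6461 656d 6f6e 2072 6563"
    "6569 7665 6420 6120 6d65 7373 6167 6520"
    "7468 6174 2069 7320 6e6f 7420 7661 6c69"
    "6400 0100 1100 0000 1d52 5043 4150 2076"
    "6572 7369 6f6e 206e 756d 6265 7220 6d69"
    "736d 6174 6368"
)


def parse_rpcap(stream):
    """Split a TCP byte stream into rpcap messages, checking every length."""
    messages, off = [], 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        ver, mtype, value, plen = HEADER.unpack_from(stream, off)
        off += HEADER.size
        if plen > len(stream) - off:  # never trust the peer's length field
            raise ValueError(f"plen {plen} exceeds remaining data at offset {off}")
        messages.append({"ver": ver, "type": mtype, "value": value,
                         "payload": stream[off:off + plen]})
        off += plen
    return messages


def describe(msg):
    """One line per message; error text comes from the peer, so it is escaped."""
    line = f"ver={msg['ver']} type={msg['type']} value={msg['value']} plen={len(msg['payload'])}"
    if msg["type"] == MSG_ERROR:
        line += f" error={msg['payload'].decode('ascii', 'backslashreplace')!r}"
    return line


if __name__ == "__main__":
    for name, data in (("port 2003", FROM_PORT_2003), ("port 35600", FROM_PORT_35600)):
        for msg in parse_rpcap(data):
            print(name, "->", describe(msg))
```

The 98-byte segment decodes to two back-to-back error messages, which is why a per-message parser, not a per-segment one, is needed to read the capture.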

infrastation commented 6 years ago

The original reporter, please reopen this issue if it still stands.