Closed 1001QAdotNET closed 5 years ago
Instructions:
cd {directory with libpcap source}
./configure --enable-remote
make
sudo make install
or, if you prefer CMake:
cd {directory with libpcap source}
mkdir build
cd build
cmake -DENABLE_REMOTE=YES ..
make
sudo make install
Then you need to run rpcapd, or configure it to be launched by whatever "superdaemon" you have:
rpcapd/rpcapd.inetd.conf is a line to add to the inetd configuration file;
rpcapd/rpcapd.xinetd.conf is an entry to add to the xinetd configuration;
rpcapd/rpcapd@.service and rpcapd/rpcapd.socket are items to add to the systemd configuration;
rpcapd/org.tcpdump.rpcapd.plist is a launch daemon plist for launchd.
I had to run "sh configure --enable-remote". "make" did not work (no targets specified and no make file found).
I downloaded the master from here and I also tried the official release on www.tcpdump.org
I had to run "sh configure --enable-remote"
./configure --enable-remote should be sufficient - Linux is a UN*X, and the configure script should be executable, so the shell should just run it (it also begins with #! /bin/sh, so anything that can execute a program should be able to execute it).
"make" did not work (no targets specified and no make file found)
So you ran configure in the top-level directory, and it didn't report any errors, but when you ran make in the same directory, it reported "No targets specified and no makefile found"?
Yes, that is correct. I unzipped the files and then I moved into the root folder of the archive. The only make file there is a Makefile.in, as far as I remember.
There won't be a Makefile until you run the configure script, so you can't run make until you first do ./configure --enable-remote in the same directory.
OK, I installed on an Ubuntu 18 Workstation, minimal. When I ran ./configure I did not notice the errors at the end - it was missing yacc and bison. After that all worked as you described, thank you.
Quick question: do I need to be root to be able to sniff? I was able to get the remote interfaces, but when I click on one of them to start the sniffing I get "The interface name has not been specified in the source string. Please make sure you have sufficient permissions or proper interface or pipe specified"
Quick question: do I need to be root to be able to sniff?
For local interfaces, it depends.
On Linux, for regular network interfaces, all a process should need is CAP_NET_RAW to capture and CAP_NET_ADMIN to use promiscuous mode, list devices, etc. However, to capture raw USB traffic on a USB bus, for example, you need root. (NOTE: "capture raw USB traffic on a USB bus" is different from "capture on a USB network interface" - capturing on a network interface that's a USB device has the same restrictions as capturing on any other network interface.)
However, for remote capturing, all you need is sufficient privilege to connect to rpcapd, and rpcapd running as a user with sufficient privileges. This may mean that you need to run rpcapd as root and, when you connect to rpcapd, supply root as the user name and root's password as the password.
However:
I was able to get the remote interfaces, but when I click on one of them to start the sniffing I get "The interface name has not been specified in the source string. Please make sure you have sufficient permissions or proper interface or pipe specified"
that sounds like an error in the URL you supplied as a capture device, not like a permissions issue. What URL did you provide as the device on which to capture?
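An added example, not code from this thread or from libpcap: a check of whether a running capture daemon holds the two capabilities named above, and whether it holds more than that. It assumes the Linux /proc/<pid>/status text format; the sample status texts and the function names are constructed for illustration.

```python
# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12   # promiscuous mode, listing devices
CAP_NET_RAW = 13     # opening the capture socket

def effective_caps(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def effective_uid(status_text):
    """Return the effective UID (fields are: real, effective, saved, fs)."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    raise ValueError("no Uid line found")

def capture_privileges(status_text):
    """Summarise what the process can do on regular network interfaces."""
    caps = effective_caps(status_text)
    needed = (1 << CAP_NET_RAW) | (1 << CAP_NET_ADMIN)
    return {
        "can_capture": bool(caps & (1 << CAP_NET_RAW)),
        "can_promisc_and_list": bool(caps & (1 << CAP_NET_ADMIN)),
        "runs_as_root": effective_uid(status_text) == 0,
        # Any capability beyond the two capture-related ones is excess
        # for plain network capture (raw USB bus capture still needs root).
        "excess_caps": bool(caps & ~needed),
    }

# Constructed samples: a daemon started as root, and one running as an
# unprivileged service user that was granted only the two capabilities.
ROOT_STATUS = "Name:\trpcapd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
CAPS_STATUS = "Name:\trpcapd\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000003000\n"
PLAIN_STATUS = "Name:\trpcapd\nUid:\t998\t998\t998\t998\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for name, text in [("root", ROOT_STATUS), ("caps", CAPS_STATUS),
                       ("plain", PLAIN_STATUS)]:
        print(name, capture_privileges(text))
```

On a live system, pass the contents of /proc/<pid>/status for the rpcapd process instead of the constructed samples.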
it is in the format rpcap:[ipaddress]/intname
The correct format is rpcap://{ipaddress}/{intname}; did you forget the // after rpcap:?
Nope, that was my typo; it is exactly like that: rpcap://{ipaddress}/{intname}. See this: https://i.imgur.com/BMJqVuD.png
BTW: what I noticed is that the above URL (correct form) has a ">" sign to the left; if you click that, it expands to show an IP that I think I used for sniffing... it is in the remote environment where the host is... what is the real meaning of that? The above shows up if I go to Capture-Options.
Nope, that was my typo; it is exactly like that: rpcap://{ipaddress}/{intname}. See this: https://i.imgur.com/BMJqVuD.png
So if you double-click one of those interfaces in Wireshark, you get a "The interface name has not been specified in the source string." error?
yes the error below:
The interface name has not been specified in the source string. Please make sure you have sufficient permissions or proper interface or pipe specified
What version of Wireshark are you running?
I am seeing the same error with both 2.6.6 and 2.9 (dev edition)
What version of WinPcap or Npcap do you have installed on the machine running Wireshark?
And what version of libpcap did you build on the Linux machine - 1.9.0 or the current master branch? If it's the master branch, I just checked in a fix (75528c32e49bfa1adf0241e552036b0efa4e838f) to a bug that added a protocol error, but the symptom I was seeing with Wireshark 2.6.6 and WinPcap 4.1.3 was a hang when trying to find all devices on the remote machine (running macOS rather than Linux, but the bug should show up on all OSes); once I fixed the bug, I didn't get that hang, and I didn't see any errors when selecting a remote interface from the list and capturing on it.
That screenshot is from Wireshark on Windows (the local interfaces are Windows interfaces).
If you're using Npcap on Windows, its remote capture code is buggy; they need to build Npcap based on libpcap 1.9.0, rather than 1.8.1, as the 1.8.1 code for remote capture was not complete and had a number of bugs in it - bugs that would cause the reported problem. (The square brackets don't belong around IPv4 addresses, but libpcap 1.8.1 was putting them there anyway; however, they were confusing libpcap 1.8.1's URL-parsing code.)
You'll have to use WinPcap on Windows to do remote capture until Npcap upgrades to libpcap 1.9.0.
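An added example, not code from this thread or from libpcap: a checker for the two source-string problems discussed above, a missing // after rpcap: and square brackets around an IPv4 address. It only covers the remote form rpcap://{ipaddress}/{intname} given in the thread; the function name and the sample addresses are constructed.

```python
import ipaddress

def check_rpcap_source(src):
    """Return a list of problems found in a remote capture source string.

    An empty list means the string has the rpcap://{ipaddress}/{intname}
    shape given in the thread.
    """
    if not src.startswith("rpcap:"):
        return ["scheme is not rpcap:"]
    rest = src[len("rpcap:"):]
    if not rest.startswith("//"):
        return ["missing // after rpcap:"]

    # Everything up to the first "/" is the host part, the rest the interface.
    host, slash, ifname = rest[2:].partition("/")
    problems = []
    if not host:
        problems.append("empty host")
    elif host.startswith("["):
        # Anything after the closing bracket is ignored by this check.
        inner, bracket, _ = host[1:].partition("]")
        if not bracket:
            problems.append("unterminated [ in host")
        else:
            try:
                if ipaddress.ip_address(inner).version == 4:
                    problems.append("square brackets around an IPv4 address")
            except ValueError:
                problems.append("bracketed host is not an IP address")
    if not slash or not ifname:
        problems.append("no interface name after the host")
    return problems

# Constructed samples using documentation address ranges.
SAMPLES = [
    "rpcap://192.0.2.10/eth0",
    "rpcap:192.0.2.10/eth0",
    "rpcap://[192.0.2.10]/eth0",
    "rpcap://[2001:db8::1]/eth0",
    "rpcap://192.0.2.10/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_rpcap_source(s) or "ok")
```

Running the device names returned by the remote interface listing through this check shows whether the client library is producing the bracketed IPv4 form described above.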
Hi guys
I used to use rpcapd for remote sniffing. It seems that rpcap was taken over by your team. Where can I find instructions about how to install this utility?
thanks 1k1