Closed uchiit closed 4 years ago
By "terminate" I mean "land on some server".
In active mode, the machine whose traffic is to be captured is the client, and the server is the machine on which the program using libpcap to do a remote capture is running, as per the WinPcap documentation's "Remote Capture" page.
In theory, a program using the remote capture APIs should be able to accept a connection from a remote machine running rpcapd in active mode (with the `-a` command-line option). This has not been tested in a long while, so there might be some "code rot"; if you try it and it doesn't work, submit a bug. (Note that Wireshark includes a dissector for the rpcap protocol; a capture of the traffic between the two machines might be useful in a bug report.)
Note that active mode currently requires use of the active mode APIs in the program using libpcap. tcpdump and Wireshark's dumpcap do not currently use those APIs, so those programs (meaning tcpdump, Wireshark, TShark, dumpcap, and anything else that doesn't have an "active mode" option in which it uses those APIs) will not support active-mode captures.
Part of the process of adding remote capture support to the `pcap_create()`/`pcap_activate()` APIs may involve simplifying the process of using active mode (I think the split between create and activate may allow such a simplification).
Thank you!
Well, we decided to develop our own app which will start captures on the client device in active or passive mode. Not sure if we will use active mode, but we will try to do so, because it can be helpful for our project.
Hi!
Is it true that there is currently no way to terminate rpcap active mode sessions?
Thank you!