[Winpcap-users] Remote Packet Capture from Linux machine.

Bhat, Mahesh mabhat at ea.com
Wed Sep 12 02:04:58 PDT 2012


Applied the patch as pointed out in this thread :- http://www.winpcap.org/pipermail/winpcap-users/2011-November/004540.html

I am able to add remote interfaces in Wireshark now.

Thanx !

-----Original Message-----


From: Bhat, Mahesh 
Sent: Friday, August 31, 2012 7:40 PM
To: 'winpcap-users at winpcap.org'
Subject: Remote Packet Capture from Linux machine.

Hi,

I have installed RPCAP (WpcapSrc_4_1_2.zip) on a Linux machine. It is running (as user root) and listening on the default port 2002 :-

./rpcapd -b <IP> -n
Press CTRL + C to stop the server...

netstat -anp | grep rpcap
tcp        0      0 <IP>:2002           0.0.0.0:*                   LISTEN      32432/rpcapd

I have installed Wireshark on a Windows machine :-

Compiled (32-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Aug 15 2012), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap

However, when I try to add the REMOTE INTERFACE, I see the error message :-

Can't get list of interfaces: The other host terminated the connection.

So, I ran strace on the RPCAP server in order to determine what is causing this. I am unable to decipher the strace output :-

1342  execve("./rpcapd", ["./rpcapd", "-b", "10.50.135.86", "-n"], [/* 29 vars */]) = 0
1342  brk(0)                            = 0x96a6000
1342  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fb7000 ...................
...................
...................
...................
1343  accept(3,  <unfinished ...>
1553  close(3)                          = 0
1553  select(5, [4], NULL, NULL, {90, 0}) = 1 (in [4], left {90, 0})
1553  recv(4, "\0\10\0\0\0\0\0\10", 8, 0) = 8
1553  recv(4, "\0\0\0\0\0\0\0\0", 8, 0) = 8
1553  send(4, "\0\210\0\0\0\0\0\0", 8, MSG_NOSIGNAL) = 8
1553  select(5, [4], NULL, NULL, {180, 0}) = 1 (in [4], left {179, 791000})
1553  recv(4, "\0\2\0\0\0\0\0\0", 8, 0) = 8
1553  socket(PF_NETLINK, SOCK_RAW, 0)   = 3
1553  bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
1553  getsockname(3, {sa_family=AF_NETLINK, pid=1553, groups=00000000}, [12]) = 0
1553  time(NULL)                        = 1346320791
1553  sendto(3, "\24\0\0\0\22\0\1\3\2279?P\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
1553  recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\364\0\0\0\20\0\2\0\2279?P\21\6\0\0\0\0\4\3\1\0\0\0I\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 736
1553  recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\2279?P\21\6\0\0\0\0\0\0\1\0\0\0I\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
1553  sendto(3, "\24\0\0\0\26\0\1\3\2309?P\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
1553  recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"<\0\0\0\24\0\2\0\2309?P\21\6\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
1553  recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0\2309?P\21\6\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
1553  recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\2309?P\21\6\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
1553  close(3)                          = 0
1553  socket(PF_PACKET, SOCK_RAW, 768)  = 3
1553  ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
1553  ioctl(3, SIOCGIFHWADDR, {ifr_name="lo", ifr_hwaddr=00:00:00:00:00:00}) = 0
1553  ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
1553  bind(3, {sa_family=AF_PACKET, proto=0x03, if1, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
1553  getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
1553  setsockopt(3, SOL_PACKET, 0x8 /* PACKET_??? */, [1], 4) = 0
1553  setsockopt(3, SOL_PACKET, PACKET_RX_RING, "\0\20\0\0\0\2\0\0\200\0\0\0\0@\0\0", 16) = 0
1553  mmap2(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0xb7dae000
1553  setsockopt(3, SOL_PACKET, PACKET_RX_RING, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = -1 EBUSY (Device or resource busy)
1553  munmap(0xb7dae000, 2097152)       = 0
1553  close(3)                          = 0
1553  socket(PF_PACKET, SOCK_RAW, 768)  = 3
1553  ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
1553  ioctl(3, SIOCGIFHWADDR, {ifr_name="eth0", ifr_hwaddr=00:50:56:b0:1a:28}) = 0
1553  ioctl(3, SIOCGIFINDEX, {ifr_name="eth0", ifr_index=2}) = 0
1553  bind(3, {sa_family=AF_PACKET, proto=0x03, if2, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
1553  getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
1553  setsockopt(3, SOL_PACKET, 0x8 /* PACKET_??? */, [1], 4) = 0
1553  setsockopt(3, SOL_PACKET, PACKET_RX_RING, "\0\20\0\0\0\2\0\0\200\0\0\0\0@\0\0", 16) = 0
1553  mmap2(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0xb7dae000
1553  setsockopt(3, SOL_PACKET, PACKET_RX_RING, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = -1 EBUSY (Device or resource busy)
1553  munmap(0xb7dae000, 2097152)       = 0
1553  close(3)                          = 0
1553  socket(PF_PACKET, SOCK_RAW, 768)  = 3
1553  ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
1553  ioctl(3, SIOCGIFHWADDR, {ifr_name="any", ???}) = -1 ENODEV (No such device)
1553  close(3)                          = 0
1553  open("/proc/bus/usb", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
1553  fstat64(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
1553  fcntl64(3, F_SETFD, FD_CLOEXEC)   = 0
1553  getdents64(3, /* 2 entries */, 4096) = 48
1553  getdents64(3, /* 0 entries */, 4096) = 0
1553  close(3)                          = 0
1553  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
1343  <... accept resumed> 0xbf97e714, [128]) = ? ERESTARTSYS (To be restarted)
1343  --- SIGCHLD (Child exited) @ 0 (0) ---
1343  waitpid(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], WNOHANG) = 1553
1343  write(2, "Child terminated\n", 17) = 17
1343  waitpid(-1, 0xbf97e3f0, WNOHANG)  = -1 ECHILD (No child processes)
1343  sigreturn()                       = ? (mask now [])
1343  accept(3,  <unfinished ...>
.......
.......
.......

Can somebody help me out with this?
 

