WinPcap remote capture

WinPcap 3.0 comes with Remote Capture capabilities. This is an highly experimental feature that allows to interact to a remote machine and capture packets that are being transmitted on the remote network.

This requires a remote daemon (called rpcapd) which performs the capture and sends data back and a local client that sends the appropriate commands and receives the captured data.

WinPcap 3.0 extends the standard WinPcap code in such a way that all WinPcap-based tools can expoit remote capture capabilities. For instance, the capabillity to interact with a remote daemon are added to the client software without any explicit modification to it. Vice versa, the remote daemon must be explicitely installed (and configured) on the remote machine.

Remote Capture Running Modes

The Remote Capture Protocol (RPCAP) can work in two modes:

The Active Mode is useful in case the remote daemon is behind a firewall and it cannot receive connections from the external world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured in order to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both Active and Passive Mode.

Analyzer (http://analyzer.polito.it/30alpha/) has a set of commands (in the File menu) that allows you to accept a remote connection and then start the capture on the remote device. Currently, Analyzer is the only tool that is able to work in active mode, since it requires some modifications to the application code.

Configuring the Remote Daemon (rpcapd)

The Remote Daemon is a standard Win32 executable running either in console mode or as a service. The executable can be found in the WinPcap folder and it has the following syntax:

        rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>] 
               [-n] [-v] [-d] [-s <file>] [-f <file>]

The daemon can be compiled and it is actually working on Linux as well.

Here there is a brief description of the allowed commands:

Switch Description
-b <address>
It sets the address the daemon has to bind to (either numeric or literal). Default: it binds to all local IPv4 and IPv6 addresses.
-p <port>
It sets the port the daemon has to bind to. Default: it binds to port 2002.
-4
It binds only to IPv4 addresses. Default: both IPv4 and IPv6 waiting sockets are used.
-l <host_list_file>
It specifies a file that keeps the list of the hosts which are allowed to connect to this daemon (if more than one, the file keeps them one per line). We suggest to use literal names (instead of numeric ones) in order to avoid problems with different address families (IPv4 and IPv6).
-n
It permits NULL authentication (usually used with '-l', that guarantees that only the allowed hosts can connect to the daemon). Default: the username/password authentication mechanism is required.
-a <host, port>
It forces the daemon to run in active mode and to connect to 'host' on port 'port'. This does not exclude that the daemon is still able to accept passive connections.
-v
It forces the daemon to run in active mode only (default: the daemon always accepts active connections, even if the '-a' switch is specified).
-d
Forces the daemon to run in background, i.e. as a daemon (UNIX only) or as a service (Win32 only). Warning (Win32): this switch is provided automatically when WinPcap installs this daemon into the Win32 services (control panel - administrative tools - services).
-s <file>
It saves the current configuration to file.
-f <file>
It loads the current configuration from file; all the switches specified from the command line are ignored and the file settings are used instead.
-h
It prints an help screen.

Installing the remote daemon

The remote daemon is installed automatically when installing WinPcap 3.0. The installation process places the rpcapd file into the WinPcap folder. This file can be executed either from the command line, or as a service. For instance, the installation process updates the list of available services list and it creates a new item (Remote Packet Capture Protocol v.0 (experimental) ). To avoid security problems, the service is inactive and it has to be started manually (control panel - administrative tools - services - start).

The service has a set of "standard" parameters, i.e. it it launched with the "-d" flag (in orde to make it running as a service) and the "-f rpcapd.ini" flag. The user can create a file called rpcapd.ini in the same folder of the executable, and put the configuration commands in there. In order for the service to execute the commands, you have to stop and restart it again (i.e. the initialization file is parsed only at the beginning). Viceversa, the UNIX version of rpcapd is able to read the configuration file when sending a kill -HUP signal to it. In that case, all the existing connections remain in place, while the new connections will be created according to the new parameters.

In case the user does not want to create the configuration file manually, it can launch rpcapd with the requested parameters plus the "-s filename" one. The daemon will parse all the parameters and save them into the specified configuration file.

Launching the remote daemon as a standard executable

The rpcapd executable can be launched directly, i.e. it can run in the foreground as well (not as a daemon/service). The procedure is quite simple: you have to invoke the executable from the command line with all the requested parameters but the "-d" flag. The capture server will start in the foreground.

Launching a capture on a remote machine

If you are using a tool that is already aware of the remote capture (like Analyzer), everything is simple. The capture wizard will help you to locate the appropriate interface on the remote machine.

If your preferred tool is not aware of the remote capture, you can still use the remote capture. In this case you have to read the next Section.

Be carefully: the capture server (rpcapd) must be up and running on the remote machine.

New string specifiers for interface selection

If your preferred tool is not aware of the remote capture, the only thing you must do is to insert, as interface specifier, the indication of the remote machine you want to contact. The following forms are allowed:

Adapter String Description
file://filename
It opens a local file.
rpcap://host.foo.bar/adaptername
It opens a remote adapter; the host is specified by means of the literal name, without port number (i.e. it uses the RPCAP default port).
rpcap://host.foo.bar:1234/adaptername
It is the same as before, but it uses a different port number.
rpcap://10.11.12.13/adaptername
It opens a remote adapter, but the host is specified by means of an IPv4 numeric address, without port number (i.e. it uses the RPCAP default port).
rpcap://10.11.12.13:1234/adaptername
It is the same as before, but it uses a different port number.
rpcap://[10.11.12.13]:1234/adaptername
It is the same as before, but the numeric address is specified within square brackets (like IPv6 addresses).
rpcap://[1:2:3::4]/adaptername
It opens a remote adapter, but the host is specified by means of an IPv6 numeric address, without port number (i.e. it uses the RPCAP default port). In case of IPv6 addresses you MUST use the square brackets.
rpcap://[1:2:3::4]:1234/adaptername
It is the same as before, but it uses a different port number.
rpcap://adaptername
It opens a local adapter, without using the RPCAP protocol.
adaptername
It opens a local adapter; it is kept for compability, but it is strongly discouraged.
(NULL)
It opens the first local adapter; it is kept for compability, but it is strongly discouraged.

The following formats are not allowed:

Adapter String Description
rpcap://
It cannot be used to open the first local adapter.
rpcap://hostname/
It cannot be used to open the first remote adapter.