Main Page   Modules   Data Structures   File List   Data Fields   Globals   Related Pages  

wpcap_remote.htm

Go to the documentation of this file.
00001 <html>
00002 
00003 <head>
00004 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
00005 <meta name="GENERATOR" content="Microsoft FrontPage 4.0">
00006 <meta name="ProgId" content="FrontPage.Editor.Document">
00007 <title>Using WinPcap Remote Capture</title>
00008 </head>
00009 
00010 <body>
00011 
00012 <hr>
00013 <p>WinPcap 3.0 comes with Remote Capture capabilities. This is an highly
00014 experimental feature that allows to interact to a remote machine and capture
00015 packets that are being transmitted on the remote network.</p>
00016 <p>This requires a <b>remote daemon </b>(called <code>rpcapd</code>) which performs the
00017 capture and sends data back and a <b>local client </b>that sends the appropriate
00018 commands and receives the captured data.</p>
00019 <p>WinPcap 3.0 extends the standard WinPcap code in such a way that all
00020 WinPcap-based tools can expoit remote capture capabilities. For instance, the
00021 capabillity to interact with a remote daemon are added to the client software without any explicit
00022 modification to it. Vice versa, the remote daemon must be explicitely installed
00023 (and configured) on the remote machine.</p>
00024 <h2>Remote Capture Running Modes</h2>
00025 <p>The Remote Capture Protocol (RPCAP) can work in two modes:</p>
00026 <ul>
00027   <li><b>Passive Mode</b> (default): the client (e.g. a network sniffer)
00028     connects to the remote daemon, it sends them the appropriate commands, and
00029     it starts the capture.</li>
00030   <li><b>Active Mode</b>: the remote daemon try to establish a connection toward
00031     the client (e.g. the network sniffer); then, the client sends the
00032     appropriate commands to the daemon and it starts the capture. This name is
00033     due to the fact thet the daemon becomes <i>active</i> instead of <i>waiting</i>
00034     for new connections.</li>
00035 </ul>
00036 <p>The Active Mode is useful in case the remote daemon is behind a firewall and
00037 it cannot receive connections from the external world. In this case, the daemon
00038 can be configured to establish the connection to a given host, which will have
00039 been configured in order to <i>wait</i> for that connection. After establishing
00040 the connection, the protocol continues its job in almost the same way in both Active
00041 and Passive Mode.</p>
00042 <p>Analyzer (<a href="http://analyzer.polito.it/30alpha/">http://analyzer.polito.it/30alpha/</a>)
00043 has a set of commands (in the <b>File</b> menu) that allows you to accept a
00044 remote connection and then start the capture on the remote device. Currently,
00045 Analyzer is the only tool that is able to work in active mode, since it requires
00046 some modifications to the application code.</p>
00047 <h2>Configuring the Remote Daemon (rpcapd)</h2>
00048 <p>The Remote Daemon is a standard Win32 executable running either in console
00049 mode or as a service. The executable can be found in the <code>WinPcap</code>
00050 folder and it has the following syntax:</p>
00051 <pre>        rpcapd [-b &lt;address&gt;] [-p &lt;port&gt;] [-6] [-l &lt;host_list&gt;] [-a &lt;host,port&gt;] 
00052                [-n] [-v] [-d] [-s &lt;file&gt;] [-f &lt;file&gt;]</pre>
00053 <p>The daemon can be compiled and it is actually working on Linux as well.</p>
00054 <p>Here there is a brief description of the allowed commands:</p>
00055 <div align="left">
00056   <table border="1">
00057     <tr>
00058       <th>Switch</th>
00059       <th>Description</th>
00060     </tr>
00061     <tr>
00062       <td>
00063         <pre>-b &lt;address&gt;</pre>
00064       </td>
00065       <td>It sets the address the daemon has to bind to (either numeric or
00066         literal). Default: it binds to all local IPv4 and IPv6 addresses.</td>
00067     </tr>
00068     <tr>
00069       <td>
00070         <pre>-p &lt;port&gt;</pre>
00071       </td>
00072       <td>It sets the port the daemon has to bind to. Default: it binds to port
00073         2002.</td>
00074     </tr>
00075     <tr>
00076       <td>
00077         <pre>-4</pre>
00078       </td>
00079       <td>It binds only to IPv4 addresses. Default: both IPv4 and IPv6 waiting
00080         sockets are used.</td>
00081     </tr>
00082     <tr>
00083       <td>
00084         <pre>-l &lt;host_list_file&gt;</pre>
00085       </td>
00086       <td>It specifies a file that keeps the list of the hosts which are allowed
00087         to connect to this daemon (if more than one, the file keeps them one per
00088         line). We suggest to use literal names (instead of numeric ones) in
00089         order to avoid problems with different address families (IPv4 and IPv6).</td>
00090     </tr>
00091     <tr>
00092       <td>
00093         <pre>-n</pre>
00094       </td>
00095       <td>It permits NULL authentication (usually used with '-l', that
00096         guarantees that only the allowed hosts can connect to the daemon). Default: the
00097         username/password authentication mechanism is required.</td>
00098     </tr>
00099     <tr>
00100       <td>
00101         <pre>-a &lt;host, port&gt;</pre>
00102       </td>
00103       <td>It forces the daemon to run in active mode and to connect to 'host' on
00104         port 'port'. This does not exclude that the daemon is still able to
00105         accept passive connections.</td>
00106     </tr>
00107     <tr>
00108       <td>
00109         <pre>-v</pre>
00110       </td>
00111       <td>It forces the daemon to run in active mode only (default: the daemon always
00112         accepts active connections, even if the '-a' switch is specified).</td>
00113     </tr>
00114     <tr>
00115       <td>
00116         <pre>-d</pre>
00117       </td>
00118       <td>Forces the daemon to run in background, i.e. as a daemon (UNIX only)
00119         or as a service (Win32 only). <b>Warning</b> (Win32): this switch is provided automatically when WinPcap
00120         installs this daemon into the Win32 services (control panel - administrative
00121         tools      - services).</td>
00122     </tr>
00123     <tr>
00124       <td>
00125         <pre>-s &lt;file&gt;</pre>
00126       </td>
00127       <td>It saves the current configuration to file.</td>
00128     </tr>
00129     <tr>
00130       <td>
00131         <pre>-f &lt;file&gt;</pre>
00132       </td>
00133       <td>It loads the current configuration from file; all the switches
00134         specified from the command line are ignored and the file settings are
00135         used instead.</td>
00136     </tr>
00137     <tr>
00138       <td>
00139         <pre>-h</pre>
00140       </td>
00141       <td>It prints an help screen.</td>
00142     </tr>
00143   </table>
00144 </div>
00145 <h3>Installing the remote daemon</h3>
00146 <p>The remote daemon is installed automatically when installing WinPcap 3.0. The
00147 installation process places the <code>rpcapd</code> file into the <code>WinPcap</code>
00148 folder. This file can be executed either from the command line, or as a service.
00149 For instance, the installation process updates the list of available services
00150 list and it creates a new item (<b>Remote Packet Capture Protocol v.0 (experimental)</b> ). To avoid security problems, the service is inactive and it has to be
00151 started manually (control panel - administrative tools      - services - start).</p>
00152 <p>The service has a set of &quot;standard&quot; parameters, i.e. it it launched
00153 with the &quot;<code>-d</code>&quot; flag (in orde to make it running as a
00154 service) and the &quot;<code>-f rpcapd.ini</code>&quot; flag. The user can
00155 create a file called <code>rpcapd.ini</code> in the same folder of the
00156 executable, and put the configuration commands in there. In order for the service to execute
00157 the commands, you have to stop and restart it again (i.e. the initialization
00158 file is parsed only at the beginning). Viceversa, the UNIX version of <code>rpcapd</code>
00159 is able to read the configuration file when sending a kill -HUP signal to it. In
00160 that case, all the existing connections remain in place, while the new
00161 connections will be created according to the new parameters.</p>
00162 <p>In case the user does not want to create the configuration file manually, it
00163 can launch <code>rpcapd</code> with the requested parameters plus the &quot;<code>-s
00164 filename</code>&quot; one. The daemon will parse all the parameters and save
00165 them into the specified configuration file.</p>
00166 <h3>Launching the remote daemon as a standard executable</h3>
00167 <p>The <code>rpcapd</code> executable can be launched directly, i.e. it can run
00168 in the foreground as well (not as a daemon/service). The procedure is quite
00169 simple: you have to invoke the executable from the command line with all the
00170 requested parameters but the &quot;<code>-d</code>&quot; flag. The capture
00171 server will start in the foreground.</p>
00172 <h2>Launching a capture on a remote machine</h2>
00173 <p>If you are using a tool that is already aware of the remote capture (like
00174 Analyzer), everything is simple. The capture wizard will help you to locate the
00175 appropriate interface on the remote machine.</p>
00176 <p>If your preferred tool is not aware of the remote capture, you can still use
00177 the remote capture. In this case you have to read the next Section.</p>
00178 <p><b>Be carefully</b>: the capture server (<code>rpcapd</code>) must be up and
00179 running on the remote machine.</p>
00180 <h3>New string specifiers for interface selection</h3>
00181 <p>If your preferred tool is not aware of the remote capture, the only thing you
00182 must do is to insert, as interface specifier, the indication of the remote
00183 machine you want to contact. The following forms are allowed:</p>
00184 <div align="left">
00185   <table border="1">
00186     <tr>
00187       <th>Adapter String</th>
00188       <th>Description</th>
00189     </tr>
00190     <tr>
00191       <td>
00192         <pre>file://filename</pre>
00193       </td>
00194       <td>It opens a local file.</td>
00195     </tr>
00196     <tr>
00197       <td>
00198         <pre>rpcap://host.foo.bar/adaptername</pre>
00199       </td>
00200       <td>It opens a remote adapter; the host is specified by means of the
00201         literal name, without port number (i.e. it uses the RPCAP default port).</td>
00202     </tr>
00203     <tr>
00204       <td>
00205         <pre>rpcap://host.foo.bar:1234/adaptername</pre>
00206       </td>
00207       <td>It is the same as before, but it uses a different port number.</td>
00208     </tr>
00209     <tr>
00210       <td>
00211         <pre>rpcap://10.11.12.13/adaptername</pre>
00212       </td>
00213       <td>It opens a remote adapter, but the host is specified by means of an
00214         IPv4 numeric address, without port number (i.e. it uses the RPCAP
00215         default port).</td>
00216     </tr>
00217     <tr>
00218       <td>
00219         <pre>rpcap://10.11.12.13:1234/adaptername</pre>
00220       </td>
00221       <td>It is the same as before, but it uses a different port number.</td>
00222     </tr>
00223     <tr>
00224       <td>
00225         <pre>rpcap://[10.11.12.13]:1234/adaptername</pre>
00226       </td>
00227       <td>It is the same as before, but the numeric address is specified within
00228         square brackets (like IPv6 addresses).</td>
00229     </tr>
00230     <tr>
00231       <td>
00232         <pre>rpcap://[1:2:3::4]/adaptername</pre>
00233       </td>
00234       <td>It opens a remote adapter, but the host is specified by means of an
00235         IPv6 numeric address, without port number (i.e. it uses the RPCAP
00236         default port). In case of IPv6 addresses you MUST use the square
00237         brackets. </td>
00238     </tr>
00239     <tr>
00240       <td>
00241         <pre>rpcap://[1:2:3::4]:1234/adaptername</pre>
00242       </td>
00243       <td>It is the same as before, but it uses a different port number.</td>
00244     </tr>
00245     <tr>
00246       <td>
00247         <pre>rpcap://adaptername</pre>
00248       </td>
00249       <td>It opens a local adapter, without using the RPCAP protocol.</td>
00250     </tr>
00251     <tr>
00252       <td>
00253         <pre>adaptername</pre>
00254       </td>
00255       <td>It opens a local adapter; it is kept for compability, but it is
00256         strongly discouraged.</td>
00257     </tr>
00258     <tr>
00259       <td>
00260         <pre>(NULL)</pre>
00261       </td>
00262       <td>It opens the first local adapter; it is kept for compability, but it
00263         is strongly discouraged.</td>
00264     </tr>
00265   </table>
00266 </div>
00267 <p>The following formats are not allowed:</p>
00268 <table border="1">
00269   <tr>
00270     <th>Adapter String</th>
00271     <th>Description</th>
00272   </tr>
00273   <tr>
00274     <td>
00275       <pre>rpcap://</pre>
00276     </td>
00277     <td>It cannot be used to open the first local adapter.</td>
00278   </tr>
00279   <tr>
00280     <td>
00281       <pre>rpcap://hostname/</pre>
00282     </td>
00283     <td>It cannot be used to open the first remote adapter.</td>
00284   </tr>
00285 </table>
00286 <hr>
00287 <p align="right"><i>For any question, please refer to the WinPcap help page.</i></p>
00288 
00289 </body>
00290 
00291 </html>

documentation. Copyright (c) 2002-2003 Politecnico di Torino. All rights reserved.