Computer Networks

Remote Packet Capture

  • On embedded systems (Embedded Linux) we sometimes need to capture the packets going in and out of a particular external interface (e.g. wan0) to confirm that their contents are what we expect.
  • Usually we do this with tcpdump, but the packets tcpdump captures still have to be copied to a desktop PC and opened there; the round trip wastes a lot of time.
  • rpcapd is a good alternative: it forwards the interface's packets straight to Wireshark on the PC.

Topology

 +-------------------+        +-----------------------------------+
 | Running Wireshark |        | Running rpcapd                    |
 |         on PC     |        |  on Embedded Linux                |
 +-------------------+        +-----------------------------------+
 |                   |        |                                   |
 |   +---------------+        +---------------+   +---------------+
 |   |     adapter   |========+       br0     +===+      wan0     |
 |   | (192.168.0.10)|        | (192.168.0.1) |   | (192.168.2.2) |
 |   +---------------+        +-------++------+   +---------------+
 |                   |        |       ||                          |
 |                   |        |       ||          +---------------+      +----------+
 |                   |        |       ||          |      wlan0    |      | Smart    |
 |                   |        |       ++==========| (192.168.0.1) | ))(( |    Phone |
 |                   |        |                   +---------------+      |          |
 |                   |        |                                   |      |          |
 +-------------------+        +-----------------------------------+      +----------+

Installation (on BBB)

  • Install

  • Precondition (Optional)

    $ apt-get install build-essential libpcap-dev
    $ apt-get install flex bison
    

  • Build libpcap

    $ wget http://www.tcpdump.org/release/libpcap-1.9.0.tar.gz
    $ tar xvf libpcap-1.9.0.tar.gz
    $ cd libpcap-1.9.0
    $ ./configure --with-pcap=linux
    $ make
    $ make install
    

  • Build rpcapd

    $ ldconfig
    $ cp
    $ make build-rpcapd   (if this fails, go on to the next step)
    $ cd rpcapd
    $ gcc -fvisibility=hidden -g -O2 -o rpcapd daemon.o fileconf.o log-stderr.o rpcapd.o rpcap-protocol.o sockutils.o ../fmtutils.o ../libpcap.a -lpthread -lcrypt
    $ ls -la rpcapd
      -rwxr-xr-x 1 root root 1145032 Oct 27 05:10 rpcapd
    

Running

Linux Server Side

$ ./rpcapd -p 2002 -n -4 -b 192.168.0.1

Option reference:

  -b <address>: the address to bind to (either numeric or literal).
      Default: it binds to all local IPv4 addresses
  -p <port>: the port to bind to. Default: it binds to port 2002
  -t <data port>: the port to transfer data.
  -4: use only IPv4 (default both IPv4 and IPv6 waiting sockets are used)
  -l <host_list>: a file that keeps the list of the hosts which are allowed
      to connect to this server (if more than one, list them one per line).
      We suggest to use literal names (instead of numeric ones) in order to
      avoid problems with different address families
  -n: permit NULL authentication (usually used with '-l')
  -a <host,port>: run in active mode when connecting to 'host' on port 'port'
      In case 'port' is omitted, the default port (2003) is used
  -v: run in active mode only (default: if '-a' is specified, it accepts
      passive connections as well
  -d: run in daemon mode (UNIX only) or as a service (Win32 only)
      Warning (Win32): this switch is provided automatically when the service
      is started from the control panel
  -s <file>: save the current configuration to file
  -f <file>: load the current configuration from file; all the switches
      specified from the command line are ignored
  -h: print this help screen

Windows Side

  • Install Wireshark

  • Start Wireshark

  • Capture > Options > Manage Interfaces > Remote Interfaces > Add

  • Click the video below to play it for more detail.
