rpcapd - capture daemon to be controlled by a remote libpcap application
rpcapd [ -b address ] [ -p port ] [ -4 ] [
-l host_list ] [ -a host,port ] [ -n
] [ -v ] [ -d ] [ -i ] [ -D ] [ -s
config_file ] [ -f config_file ] [ -S ] [
-K ssl_keyfile ] [ -X ssl_certfile ] [ -C ]
Rpcapd is a daemon (Unix) or service (Win32) that allows the capture and
filter part of libpcap to be run on a remote system.
Rpcapd can run in two modes: passive mode (default) and active
mode.
In passive mode, the client (e.g., a network sniffer) connects to
rpcapd. The client then sends the appropriate commands to
rpcapd to start the capture.
In active mode, rpcapd tries to establish a connection
toward the client (e.g., a network sniffer). The client then sends the
appropriate commands to rpcapd to start the capture.
Active mode is useful in case rpcapd is run behind a
firewall and cannot receive connections from the external world. In this
case, rpcapd can be configured to establish the connection to a given
host, which has to be configured in order to wait for that connection. After
establishing the connection, the protocol continues its job in almost the
same way in both active and passive mode.
The user can create a configuration file in the same directory as the
executable, and put the configuration commands in there. In order for
rpcapd to execute the commands, it needs to be restarted on Win32, i.e.
the configuration file is parsed only at the beginning. The UNIX version of
rpcapd will reread the configuration file upon receiving a HUP
signal. In that case, all the existing connections remain in place, while the
new connections will be created according to the new parameters.
In case a user does not want to create the configuration file
manually, they can launch rpcapd with the desired flags plus -s
filename. Rpcapd will parse all the parameters and save them into the
specified configuration file.
The remote daemon is installed automatically when installing WinPcap. The
installation process places the rpcapd executable file into the WinPcap
folder. This file can be executed either from the command line, or as a
service. For instance, the installation process updates the list of available
services list and it creates a new item (Remote Packet Capture Protocol v.0
(experimental)). To avoid security problems, the service is inactive and it
has to be started manually (control panel - administrative tools - services -
start).
The service has a set of "standard" parameters, i.e. it
is launched with the -d flag (in order to make it run as a service)
and the -f rpcapd.ini flag.
The rpcapd executable can be launched directly, i.e. it can run in the
foreground as well (not as a daemon/service). The procedure is quite simple:
you have to invoke the executable from the command line with all the requested
parameters except for the -d flag. The capture server will start in the
foreground.
rpcapd needs sufficient privileges to perform packet capture, e.g. run as
root or be owned by root and have suid set. Most operating systems provide
more elegant solutions when run as user than the above solutions, all of them
different.
If your system supports systemd(1) and the corresponding
rpcapd.socket and rpcapd@.service service files have been
installed, the rpcapd service can be enabled by enabling the
rpcapd.socket unit.
If your system supports launchd(8) and the
org.tcpdump.rpcapd.plist file has been installed, the rpcapd service
can be enabled by loading the org.tcpdump.rpcapd service.
If your system supports inetd(8) and the
rpcapd.inetd.conf entry has been added to inetd.conf(5), the
rpcapd service can be enabled by telling inetd to reread its configuration
file.
If your system supports xinetd(8) and the
rpcapd.xinetd.conf entry has been added to xinetd.conf(5), the
rpcapd service can be enabled by telling xinetd to reread its configuration
file.
- -b address
- Bind to the IP address specified by address (either numeric or
literal). By default, rpcapd binds to all local IPv4 and IPv6
addresses.
- -p port
- Bind to the port specified by port. By default, rpcapd binds
to port 2002.
- -4
- Listen only on IPv4 addresses. By default, rpcapd listens on both
IPv4 and IPv6 addresses.
- -l host_list
- Only allow hosts specified in the host_list argument to connect to
this server. host_list is a list of host names or IP addresses,
separated by commas. We suggest that you use host names rather than
literal IP addresses in order to avoid problems with different address
families.
- -n
- Permit NULL authentication (usually used with the -l flag).
- -a host,port
- Run in active mode, connecting to host host on port port. In
case port is omitted, the default port (2003) is used.
- -v
- Run in active mode only; by default, if -a is specified,
rpcapd accepts passive connections as well.
- -d
- Run in daemon mode (UNIX only) or as a service (Win32 only). Warning
(Win32): this flag is specified automatically when the service is started
from the control panel.
- -i
- Run in inetd mode (UNIX only).
- -D
- Log debugging messages.
- -s config_file
- Save the current configuration to config_file in the format
specified by rpcapd-config(5).
- -f config_file
- Load the current configuration from config_file in the format
specified by rpcapd-config(5) and ignore all flags specified on the
command line.
- -h
- Print this help screen.
If rpcapd was compiled with SSL support, the following
options are also available:
- -S
- Require that SSL be used on connections.
- -C
- With SSL enabled, XXX - I'm not sure how *fetching* the list of
compression mechanisms does anything to compression.
- -S ssl_keyfile
- With SSL enabled, use ssl_keyfile as the SSL key file.
- -X ssl_certfile
- With SSL enabled, use ssl_certfile as the SSL certificate file.
pcap(3), rpcapd-config(5)