This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote packet capture on Remote Linux machine


Hello all, I am trying to capture packets on a remote Linux machine (CentOS 6). I have already tried the instructions mentioned in the URL: http://www.winpcap.org/docs/docs_40_2/html/group__remote.html

I have run the command to start the daemon on that remote machine. But from my local machine (Windows XP), it shows the following error while trying to start the remote capture!

Can't get list of interfaces: Is the server properly installed on 192.168.0.72? connect() failed: A socket operation was attempted to an unreachable host. (code 10065)

Please Help!!

asked 01 Aug '12, 02:24


baila

edited 01 Aug '12, 03:53


Kurt Knochner ♦


2 Answers:


10065 is a Winsock error message, telling you that your Windows XP machine is unable to reach the host (usually no route).

http://msdn.microsoft.com/en-us/library/windows/desktop/ms740668%28v=vs.85%29.aspx

Some questions:

  1. Can you ping the linux box from your Windows XP?
  2. Did you write a firewall rule on linux to allow traffic on port 2002?

Regards
Kurt

answered 01 Aug '12, 02:29


Kurt Knochner ♦

  1. Yes, the ping response is fine from the XP machine.
  2. I don't know how to write any firewall rule on Linux!
(01 Aug '12, 02:35) baila

I don't know how to write any firewall rule on linux!

Take a look at the CentOS wiki.

BTW: Are you sure the system does a LISTEN on that port?

CentOS: netstat -nap | grep ":2002"

(01 Aug '12, 02:38) Kurt Knochner ♦

Well.. There are some interesting things, like,

I have run the following command on my remote Linux VM (IP - 192.168.0.72)

./rpcapd -b 192.168.0.72 -p 2002

Press CTRL+C to stop the server...

On attempting to make the connection from my local XP machine (IP - 192.168.0.60) from the GUI of Wireshark, the Linux console shows

Child terminated

It echoes the message each time I try to connect to the Linux machine.

(01 Aug '12, 03:31) baila

Sniff the TCP connection on TCP port 2002 (with another Wireshark instance on your Windows box) and see what's going on. Wireshark is able to dissect rpcap traffic.

I assume again, authentication problems, as you did not start rpcapd with "-n". Did you specify the proper credentials within Wireshark?

BTW: How did you manage to get rid of the Winsock error (10065)?

(01 Aug '12, 03:35) Kurt Knochner ♦

I just tried it with rpcapd on Ubuntu 12.04.

  • I do get the same error message if authentication fails.
  • It works with NULL authentication (-n), although rpcapd spits out some nasty error messages.
  • It works with authentication, if the proper credentials are provided. You need the credentials of the user that executes the daemon. HINT: If you run it with 'sudo', you need the credentials of root!

WARNING: The rpcap communication is not encrypted. All credentials will pass the network in readable form! So, remote capture with authentication is probably not a good idea!

(01 Aug '12, 03:51) Kurt Knochner ♦
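The cleartext credential exposure described in the comment above, shown as an added example (not code from this thread, nor from WinPcap or libpcap): a small decoder for rpcap control messages as they appear in a TCP payload on port 2002. It flags every password-type authentication request and extracts the username and password exactly as a network observer sees them, which is the check a defender would run over a capture to confirm that credentials are crossing the wire unprotected. The 8-byte message header and the rpcap_auth layout are assumed from libpcap's pcap-rpcap.h; the sample stream is constructed, not captured from the poster's setup.

```python
"""Detect cleartext rpcap credentials in a captured TCP payload.

Added example. Message layout is an assumption based on the rpcap header
and rpcap_auth structures in libpcap/WinPcap (pcap-rpcap.h).
"""
import struct

# rpcap message types (assumed from pcap-rpcap.h); replies are req | 0x80
RPCAP_MSG_ERROR = 1
RPCAP_MSG_FINDALLIF_REQ = 2
RPCAP_MSG_AUTH_REQ = 8
RPCAP_MSG_IS_REPLY = 0x80

RPCAP_RMTAUTH_NULL = 0   # what rpcapd -n accepts: no credentials at all
RPCAP_RMTAUTH_PWD = 1    # username/password, transmitted unencrypted

HEADER = struct.Struct("!BBHI")   # ver, type, value, plen (network byte order)
AUTH = struct.Struct("!HHHH")     # type, dummy, slen1 (user), slen2 (password)


def parse_messages(payload: bytes):
    """Split a TCP payload into rpcap messages: (ver, type, value, body)."""
    msgs = []
    off = 0
    while off + HEADER.size <= len(payload):
        ver, mtype, value, plen = HEADER.unpack_from(payload, off)
        off += HEADER.size
        body = payload[off:off + plen]
        if len(body) < plen:
            raise ValueError("truncated rpcap message")
        off += plen
        msgs.append((ver, mtype, value, body))
    return msgs


def decode_auth(body: bytes):
    """Return (auth_type, username, password) from an AUTH_REQ body."""
    atype, _dummy, slen1, slen2 = AUTH.unpack_from(body, 0)
    start = AUTH.size
    user = body[start:start + slen1].decode("ascii", "replace")
    pw = body[start + slen1:start + slen1 + slen2].decode("ascii", "replace")
    return atype, user, pw


def find_cleartext_credentials(payload: bytes):
    """Detection: (username, password) pairs readable in the stream.

    Only PWD-type auth requests carry credentials; NULL auth carries none.
    """
    found = []
    for _ver, mtype, _value, body in parse_messages(payload):
        if mtype == RPCAP_MSG_AUTH_REQ:
            atype, user, pw = decode_auth(body)
            if atype == RPCAP_RMTAUTH_PWD:
                found.append((user, pw))
    return found


def build_auth_req(user: bytes, pw: bytes, version: int = 0) -> bytes:
    """Encode a PWD auth request; used here only to construct sample input."""
    body = AUTH.pack(RPCAP_RMTAUTH_PWD, 0, len(user), len(pw)) + user + pw
    return HEADER.pack(version, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


def build_null_auth_req(version: int = 0) -> bytes:
    """Encode a NULL auth request (the -n case); sample input only."""
    body = AUTH.pack(RPCAP_RMTAUTH_NULL, 0, 0, 0)
    return HEADER.pack(version, RPCAP_MSG_AUTH_REQ, 0, len(body)) + body


# Constructed sample: a client authenticating as root, then asking for the
# interface list, as the two first messages of a session would look on the wire.
SAMPLE_STREAM = (build_auth_req(b"root", b"hunter2")
                 + HEADER.pack(0, RPCAP_MSG_FINDALLIF_REQ, 0, 0))

if __name__ == "__main__":
    for user, pw in find_cleartext_credentials(SAMPLE_STREAM):
        print(f"cleartext rpcap credentials: user={user!r} password={pw!r}")
    print("NULL auth exposes:", find_cleartext_credentials(build_null_auth_req()))
```

Feed the function the reassembled client-to-server bytes of a port 2002 stream (for instance the "Follow TCP Stream" raw output) to confirm what a capture of the authenticated mode reveals; with -n the auth message carries no secret, which is why the comment treats password authentication over rpcap as the worse of the two options.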

It's true that the rpcap communication is not encrypted. We can easily see the username and password in the captured packets. I just tried with the -n option, but there is no change in the result. I am running rpcapd on the remote Linux (CentOS 6) machine as root.

I can't understand that what is really wrong there!!

(01 Aug '12, 04:34) baila

I can't understand that what is really wrong there!!

Me neither, as it works out of the box on Ubuntu 12.04 (see above).

Can you please change the root password (just as a security measure), then try again with NULL authentication. Post the capture of that communication on cloudshark.org.

(01 Aug '12, 05:20) Kurt Knochner ♦

I have some interesting facts. Like,

I have run the daemon on the remote Linux machine (running in a VM) by

./rpcapd -b 192.168.0.72 (remote Linux machine IP) -l 192.168.0.60 (local Windows machine IP)

and Wireshark on the local Windows XP machine, and tried to connect to the remote machine. While trying to connect, the console of the remote Linux machine shows

" Child terminated "

and

" Can't get list of interfaces: The other host terminated the connection."

on the local Windows machine.

Can you suggest me any way out!!

(01 Aug '12, 08:41) baila

Without the capture file (see above), I can only guess, and that's not a very good troubleshooting method ;-)) Please post a capture file with the communication between Win and Lin.

And I'd like to repeat my question:

  • Did you provide the root credentials in Wireshark, while retrieving the interface list from Linux?
(01 Aug '12, 09:01) Kurt Knochner ♦

I have posted the capture file during the Win-Lin communication on http://cloudshark.org/captures/949146646ed3 . Please check.

Do root credentials mean the details about the remote Linux machine (like IP, port no., username, password)? If so, I have already provided those to Wireshark.

(01 Aug '12, 09:40) baila

Well, that was a tough day... I have some information which may help others like me..

Finally I get success on capturing packets on the Remote Linux machine.

In the case of Ubuntu it works fine with the prescribed format. But in the case of CentOS, there are some problems getting the device list from the remote machine. It shows error messages on the local machine while trying to retrieve the list from the remote (CentOS) machine, but it works fine if we directly give the interface (like rpcapd://ip_address/interface_name) as the local machine interface.

(02 Aug '12, 08:17) baila

This problem I have faced in CentOS, but the function is normal in the case of Ubuntu. I don't know the exact reason.

If anyone has any idea, please share it.

Thank you Wireshark!! :-)

(02 Aug '12, 08:19) baila

But in case of CentOS, there is some problems of getting the device list from the Remote machine

Yes, you can see that in the capture file as well. There is a request to find all devices, but no answer, not even an error message. On Ubuntu there is either the list of interfaces or at least an error message.

This problem i have faced in CentOS but the function is normal in case of Ubuntu. I don't know the exact reason.

You can run rpcapd with strace on CentOS, then request the interface list again.

strace -f -o /var/tmp/rpcapd.trace ./rpcapd -b 192.168.0.72 -l 192.168.0.60 -n

After that, post the content of rpcapd.trace.

(03 Aug '12, 01:15) Kurt Knochner ♦

Well, that sounds better. I hope that will work legally, either the interface list or some Error message. :-)

(03 Aug '12, 07:34) baila

Good. Go ahead and post the results here or on pastebin.com.

(04 Aug '12, 04:20) Kurt Knochner ♦

Well Kurt, I have tried that command and tried to run rpcapd with strace on CentOS, then requested the interface list. But it didn't work, it gave "Child terminated" as before. As per your instruction I have posted the content of rpcapd.trace on pastebin.com. The URL is: http://pastebin.com/8UPACXw3.

Thanks!

(06 Aug '12, 00:30) baila

Unfortunately, the strace output is too short. Did you use the strace option "-f" (follow children), as in my example above?

(06 Aug '12, 05:42) Kurt Knochner ♦

Yeah. I have just copied the prescribed command, changed the IP and run it!

(06 Aug '12, 23:25) baila

I'm sorry, but then I have no idea what's going wrong on CentOS 6.

BTW: What is your CentOS version (output of 'lsb_release -a')? If I find some time in the next couple of days, I will try myself.

(07 Aug '12, 04:02) Kurt Knochner ♦

Well.. that command didn't work!! From the System Monitor, I found that:

CentOS Linux Release 6.0 (Final) Kernel Linux 2.6.32-71.el6.i686 GNOME 2.28.2

Now, what should I do?

I have another question (which has been closed: http://ask.wireshark.org/questions/13352/remote-packet-capture-linux-to-linux )

Thanks!!

(08 Aug '12, 21:29) baila

Your other question was closed as it's IMHO just the same as this one. You are trying to run a remote capture on a Linux system; I don't see that having a different local OS, i.e. Linux vs Windows, makes a difference.

(09 Aug '12, 01:21) grahamb ♦

Yeah, there is some difference. I have already mentioned that!!

(09 Aug '12, 01:26) baila

We'll see, but I think once your issues in this question have been resolved, the other one will also have been answered as the problem seems to be the remote OS and not the local OS.

AFAICT, you have managed to run a remote capture from XP to Ubuntu but not CentOS. Can you run Ubuntu to Ubuntu?

(09 Aug '12, 02:25) grahamb ♦

which is being closed : http://ask.wireshark.org/questions/13352/remote-packet-capture-linux-to-linux )

The problem is that the Linux libpcap does not have remote capturing capabilities. Maybe it's possible to link Wireshark against the libpcap.a that is provided by rpcapd (WinPcap), but I have not tried yet.

(09 Aug '12, 02:39) Kurt Knochner ♦

CentOS Linux Release 6.0 (Final) Kernel Linux 2.6.32-71.el6.i686 GNOME 2.28.2
Now, what should I do?

Maybe I'll have some minutes to look at CentOS today. Can't you use Ubuntu instead?

(09 Aug '12, 02:40) Kurt Knochner ♦
The problem is, that the Linux libpcap does not have remote capturing capabilities. Maybe it's possible to link Wireshark against the libpcap.a that is provided by rpcapd (WinPcap), but I have not tried yet.

So the other question actually is: How do I initiate a remote capture from a Linux System?

(09 Aug '12, 03:24) grahamb ♦

I think so. Maybe we should reopen it. It's really a different issue.

(09 Aug '12, 03:32) Kurt Knochner ♦

Actually I was working with remote CentOS, that's why I found this problem. In case of Ubuntu, it works fine!! :-)

(09 Aug '12, 03:34) baila

In case of Ubuntu, it works fine!! :-)

?? Do you mean you can start a remote capturing session from Ubuntu (client) to Ubuntu/Windows (server)?

(09 Aug '12, 03:36) Kurt Knochner ♦

As I see it we actually have two questions:

  1. How do I connect to rpcapd running on CentOS?
  2. How do I initiate an rpcapd connection from Linux?

Unfortunately the question titles and/or texts don't really reflect that, which is what causes confusion for folks, i.e. me.

If baila can confirm I have things correct I'll have a little edit.

(09 Aug '12, 03:41) grahamb ♦

CentOS Linux Release 6.0 (Final) Kernel Linux 2.6.32-71.el6.i686 GNOME 2.28.2

I found an old VMware image of that release in my archive (however it's 64 bit), so I was able to do a quick test. It works out of the box. rpcapd spits out some nasty error messages but it delivers the interface list. So, it's not a general problem with CentOS 6, but rather with your system. I don't think I can help any more with this problem, as your strace does not return any valuable information. Look at my strace output!

I recommend running rpcapd either on Ubuntu 12.04 or perhaps on a newer release of CentOS. 6.3 is the latest release.

Just by chance: Did you forget to mention some relevant error messages on your CentOS system or any speciality of that system (e.g. a virtual system of a hosting company)?

(09 Aug '12, 08:22) Kurt Knochner ♦

@Kurt: I was talking about local Windows to remote Ubuntu! That works fine. But there is nothing more for CentOS 6. I will try it with the latest release of CentOS!

My question was: what is the procedure if the local and remote machines are both Linux!!

(09 Aug '12, 21:55) baila

@Kurt: I see that there are so many things in the rpcapd.trace in your posted link. Honestly speaking, I really can't understand anything! :-(

(09 Aug '12, 21:58) baila

My question was: what is the procedure if the local and remote machines are both Linux!!

I know, and I already answered it (see above).

Cite: The problem is, that the Linux libpcap does not have remote capturing capabilities.... (see above for the rest). If you can confirm what @grahamb asked, we can reopen your other linux question and answer it there.

i really can't understand anything! :-(

If you manage to get the same amount of output when you run strace, I will check it. The problem with your strace output is that it contains almost nothing. That's why I asked if you added the option "-f". I did, and this is what strace records. If you did as well, then there is a weird problem with your system and you need to fix that first. Alternatively, I suggest using CentOS 6.3.

(10 Aug '12, 00:09) Kurt Knochner ♦


I ran into this very same problem. The strace indicated that a segfault occurred in the rpcapd server daemon when you attempt to add the remote interface in the Wireshark running on the Windows platform:

    ..........
    .........
    1553 socket(PF_PACKET, SOCK_RAW, 768) = 3
    1553 ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
    1553 ioctl(3, SIOCGIFHWADDR, {ifr_name="any", ???}) = -1 ENODEV (No such device)
    1553 close(3) = 0
    1553 open("/proc/bus/usb", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
    1553 fstat64(3, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
    1553 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
    1553 getdents64(3, /* 2 entries */, 4096) = 48
    1553 getdents64(3, /* 0 entries */, 4096) = 0
    1553 close(3) = 0
    1553 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    1343 <... accept resumed> 0xbf97e714, [128]) = ? ERESTARTSYS (To be restarted)
    1343 --- SIGCHLD (Child exited) @ 0 (0) ---
    1343 waitpid(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], WNOHANG) = 1553
    1343 write(2, "Child terminated\n", 17) = 17
    ......
    ......

The cause of this segfault and the patch is available at http://www.winpcap.org/pipermail/winpcap-users/2011-November/004540.html. I applied the patch to the rpcapd and ran "make" again for it. This fixes the issue.

answered 13 Sep '12, 21:17


muzahyd

edited 25 Sep '12, 21:43


cmaynard ♦♦
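The strace excerpt in the answer above is the kind of trace the thread was waiting for: the child process dies with SIGSEGV in the middle of interface enumeration, the parent gets SIGCHLD, reaps it with waitpid and prints "Child terminated". As an added example (not code from this thread or from rpcapd), here is a small analyser for strace -f -o output that finds every process that died from a signal, records the last few syscalls it made before dying, and links the crash to the parent that reaped it. This is the check that turns a long trace into the one-line diagnosis the thread needed. The trace lines are constructed in the same pid-prefixed format as the answer's excerpt; the regular expressions assume the classic strace line shapes shown there.

```python
"""Summarise an 'strace -f -o' trace: which process died from which signal,
the syscalls it made just before, and which parent reaped it.

Added example; the sample trace is constructed to mirror the thread's excerpt.
"""
import re
from collections import defaultdict, deque

# "1553 close(3) = 0"
SYSCALL_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s+=\s+(.*)$")
# "1553 --- SIGSEGV (Segmentation fault) @ 0 (0) ---"
SIGNAL_RE = re.compile(r"^(\d+)\s+---\s+(SIG\w+)\b")
# "1343 waitpid(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], WNOHANG) = 1553"
WAITPID_RE = re.compile(
    r"^(\d+)\s+waitpid\(.*WTERMSIG\(s\) == (SIG\w+).*\)\s+=\s+(\d+)")


def analyse_trace(lines, context=3):
    """Return {pid: {"signal", "last_syscalls", "reaped_by"}} for crashed pids.

    SIGCHLD delivered to the parent is the consequence of a crash, not a crash,
    so it is deliberately not reported.
    """
    last = defaultdict(lambda: deque(maxlen=context))
    crashes = {}
    for line in lines:
        m = SIGNAL_RE.match(line)
        if m:
            pid, sig = m.group(1), m.group(2)
            if sig != "SIGCHLD":
                crashes[int(pid)] = {"signal": sig,
                                     "last_syscalls": list(last[pid])}
            continue
        m = WAITPID_RE.match(line)
        if m:
            parent, sig, child = m.group(1), m.group(2), int(m.group(3))
            entry = crashes.setdefault(child, {"signal": sig, "last_syscalls": []})
            entry["reaped_by"] = int(parent)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            pid, name, args, ret = m.groups()
            last[pid].append(f"{name}({args}) = {ret}")
    return crashes


def explain(crashes):
    """Render the analysis as one line per crashed process."""
    out = []
    for pid, info in sorted(crashes.items()):
        parent = info.get("reaped_by")
        tail = " | ".join(info["last_syscalls"]) or "(no syscalls seen)"
        who = f", reaped by pid {parent}" if parent is not None else ""
        out.append(f"pid {pid} died from {info['signal']}{who}; last syscalls: {tail}")
    return out


# Constructed sample in the format of the answer's excerpt (strace -f -o file).
TRACE = r"""1343 accept(4, <unfinished ...>
1553 socket(PF_PACKET, SOCK_RAW, 768) = 3
1553 ioctl(3, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
1553 ioctl(3, SIOCGIFHWADDR, {ifr_name="any", ???}) = -1 ENODEV (No such device)
1553 close(3) = 0
1553 open("/proc/bus/usb", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
1553 getdents64(3, /* 2 entries */, 4096) = 48
1553 getdents64(3, /* 0 entries */, 4096) = 0
1553 close(3) = 0
1553 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
1343 <... accept resumed> 0xbf97e714, [128]) = ? ERESTARTSYS (To be restarted)
1343 --- SIGCHLD (Child exited) @ 0 (0) ---
1343 waitpid(-1, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGSEGV}], WNOHANG) = 1553
1343 write(2, "Child terminated\n", 17) = 17
"""

if __name__ == "__main__":
    for line in explain(analyse_trace(TRACE.splitlines())):
        print(line)
```

Run it over a real /var/tmp/rpcapd.trace (open the file and pass its lines) and the output names the forked child, the signal and the syscalls it issued right before the fault, which is exactly what distinguishes a trace taken with -f from one taken without: without -f the child is never traced, so no SIGSEGV line exists and the analysis comes back empty, matching the "too short" trace the thread complained about.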

Sorry, but your given link is not working! It shows "404 Not Found"!!

(25 Sep '12, 21:31) baila

Please try the link again.

(25 Sep '12, 21:43) cmaynard ♦♦