This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

rpcapd allowed hosts list format in linux?

0

I'm using rpcapd on my Tomato router to access all packets from a Wireshark client on my network. rpcapd works great and I can see traffic for each bridge I select in remote connection in Wireshark. I am using null authentication at the moment, and I would of course like to create an allowed hosts list with: rpcapd -l allowed_host_list, but for some reason no format I use in this list is accepted during the connection in Wireshark. I've tried IP address, MAC address, etc.; every time it says the device I'm connecting from is not in the allowed hosts list. Any idea what the format is supposed to be for the allowed hosts list in Linux? I see the format for rpcapd.ini in Windows, but can find no reference to what this file format should be in Linux.

asked 18 May '13, 23:34

fvultee
accept rate: 0%


One Answer:

1

Any idea what the format is supposed to be for the allowed hosts list in linux?

According to the (WinPcap) code, it is a file with a list of allowed hosts, separated by one of these characters.

pcap-remote.h

#define RPCAP_HOSTLIST_SEP " ,;\n\r"

According to the online help of rpcapd

  -l <host_list>: a file that keeps the list of the hosts which are allowed
to connect to this server (if more than one, list them one per line).
We suggest to use literal names (instead of numeric ones) in order to
avoid problems with different address families

So far, so good…

I’ve tried IP address, MAC address, etc, every time it says the device I’m connecting from is not in the allowed hosts list.

Unfortunately the code to parse the hosts list is severely broken.

int sock_check_hostlist(char *hostlist, const char *sep, struct sockaddr_storage *from, char *errbuf, int errbuflen)
{
    // checks if the connecting host is among the ones allowed
    if ( (hostlist) && (hostlist[0]) )
    {
        char *token;                    // temp, needed to separate items into the hostlist
        struct addrinfo *addrinfo, *ai_next;
        char *temphostlist;

        temphostlist= (char *) malloc (strlen(hostlist) + 1);
        if (temphostlist == NULL)
        {
            sock_geterror("sock_check_hostlist(), malloc() failed", errbuf, errbuflen);
            return -2;
        }

        // The problem is that strtok modifies the original variable by putting '0' at the end of each token
        // So, we have to create a new temporary string in which the original content is kept
        strcpy(temphostlist, hostlist);

        token= strtok(temphostlist, sep);

Instead of tokenizing the content of the file, it uses the file name :-(. Thus, you will never get a positive answer unless you name the hosts list file according to the connecting IP address ;-)

This works on my system.

  create an empty file named: 192.168.158.139,192.168.158.140,.txt

Then start rpcapd.

  ./rpcapd -b 192.168.158.129 -p 2002 -n -l 192.168.158.139,192.168.158.140,.txt

Now connect from 192.168.158.139 or from 192.168.158.140.

The content of the file does not matter in this case, as it is not read anyway.

While this might be an acceptable workaround for you, it is clearly a bug and should be reported to the WinPcap team.

Please do so, with a reference to my answer.

http://www.winpcap.org/bugs.htm

Regards
Kurt

answered 20 May '13, 07:26

Kurt Knochner ♦
accept rate: 15%

edited 20 May '13, 07:40
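
An added example, not WinPcap's code and not part of the answer above: a sketch of the check the rpcapd help text describes, which reads the file passed to -l and tokenizes its content with RPCAP_HOSTLIST_SEP before comparing each entry with the connecting peer. The function names peer_in_list and peer_in_hostlist_file and the 4095-byte read limit are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define RPCAP_HOSTLIST_SEP " ,;\n\r" /* separator set quoted above from pcap-remote.h */

/* Hypothetical helper: 1 if peer matches an entry of the separator-delimited text, 0 if not, -1 on error. */
static int peer_in_list(const char *text, const struct sockaddr *peer)
{
    char *copy = strdup(text), *save = NULL, *tok; /* strtok_r writes NULs: work on a copy */
    int found = 0;
    if (copy == NULL) return -1;
    for (tok = strtok_r(copy, RPCAP_HOSTLIST_SEP, &save); tok != NULL && !found;
         tok = strtok_r(NULL, RPCAP_HOSTLIST_SEP, &save)) {
        struct addrinfo hints = {0}, *res, *ai;
        hints.ai_family = peer->sa_family; /* compare only within the peer's address family */
        hints.ai_socktype = SOCK_STREAM;
        if (getaddrinfo(tok, NULL, &hints, &res) != 0) continue; /* skip unresolvable entries */
        for (ai = res; ai != NULL && !found; ai = ai->ai_next) {
            if (ai->ai_family == AF_INET)
                found = !memcmp(&((struct sockaddr_in *)ai->ai_addr)->sin_addr,
                    &((const struct sockaddr_in *)peer)->sin_addr, sizeof(struct in_addr));
            else if (ai->ai_family == AF_INET6)
                found = !memcmp(&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
                    &((const struct sockaddr_in6 *)peer)->sin6_addr, sizeof(struct in6_addr));
        }
        freeaddrinfo(res);
    }
    free(copy);
    return found;
}

/* Hypothetical wrapper: check the content of the file named by -l, not its name; -1 if unreadable. */
static int peer_in_hostlist_file(const char *path, const struct sockaddr *peer)
{
    char buf[4096];
    size_t n;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    n = fread(buf, 1, sizeof(buf) - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return peer_in_list(buf, peer);
}
```

Passing the workaround's file name string itself to peer_in_list reproduces the behaviour described in the answer: the name, not the content, supplies the addresses.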