I have a remote server with rpcapd installed that follows strict security policy rules. Any client can access the server only via a firewall that follows the same security policy (please, don't blame me, it wasn't my idea). The only port opened on the server and the firewall for remote capture purposes is tcp:2002. Also, the firewall blocks any unknown outgoing ports. So the whole picture looks like:

client >> firewall (tcp:2002 opened) >> target server (tcp:2002 opened)

The question is: does rpcapd use any "data ports" (either tcp or udp) to forward captured traffic to the client? If so, what are these ports? Can I manually set them via some cmd switch?

The only port mentioned in the docs is...

-p <port> It sets the port the daemon has to bind to. Default: it binds to port 2002.

... but if this is just some kind of "control port", remote capture won't work in my case.

enzo

Comment: You're right, port 2002 is only used for connection control and the data is streamed on a separate TCP connection using random ports on each end. Wireshark (dumpcap) can make the data stream use UDP instead of TCP, but that's also using dynamic ports on both ends. I don't see any options to force the data stream to use a fixed port. – bcs78 Sep 11 '18 at 09:31

1 Answer

Reading the documentation, the Active Mode seems useful for the schema you provide: [source: https://www.winpcap.org/docs/docs_412/html/group__remote.html]

Remote Capture Running Modes
The Remote Capture Protocol (RPCAP) can work in two modes:

Passive Mode (default): the client (e.g. a network sniffer) connects to the remote daemon, sends it the appropriate commands, and starts the capture.
Active Mode: the remote daemon tries to establish a connection toward the client (e.g. the network sniffer); then, the client sends the appropriate commands to the daemon and starts the capture. This name is due to the fact that the daemon becomes active instead of waiting for new connections.
The Active Mode is useful in case the remote daemon is behind a firewall and it cannot receive connections from the external world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured in order to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both Active and Passive Mode.
AtomiX84
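Whichever mode is chosen, the firewall picture in the question can be verified rather than assumed by looking at the endpoints rpcapd actually holds while a client capture is in progress. The script below is an added example, not code from the question, the answer or the WinPcap project; it assumes a Windows host with the WinPcap/Npcap rpcapd.exe running and a capture already started from the client (the `<client-ip>` in the comment is a placeholder).

```powershell
# Added example: list the TCP/UDP endpoints owned by rpcapd during a capture.
# The single Listen entry is the control port (2002 by default, or whatever -p set);
# every other Established TCP entry, or UDP endpoint, is a data stream on a port
# chosen dynamically on both ends, which is what the firewall has to allow.
# Active mode on the daemon side would be started as (port 2003 is the documented
# default if omitted):  rpcapd -a <client-ip>,2003
# Run in an elevated PowerShell.

function Get-RpcapdEndpoints {
    param([string]$ProcessName = 'rpcapd')

    $pids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)
    if ($pids.Count -eq 0) {
        Write-Warning "No process named '$ProcessName' is running."
        return
    }

    # TCP connections held by the daemon: control listener plus any data streams.
    $tcp = Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'TCP'}}, LocalPort, RemoteAddress, RemotePort, State

    # UDP endpoints appear only when the client asked for a UDP data stream.
    $udp = Get-NetUDPEndpoint -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object @{n='Proto';e={'UDP'}}, LocalPort,
            @{n='RemoteAddress';e={$null}}, @{n='RemotePort';e={$null}}, @{n='State';e={'-'}}

    @($tcp) + @($udp) | Sort-Object Proto, LocalPort
}

Get-RpcapdEndpoints | Format-Table -AutoSize
```

Run it once before and once during a capture: the difference between the two listings is exactly the set of dynamic data ports the firewall rule for tcp:2002 alone does not cover.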