Wireshark grabs remote host traffic

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Wireshark can capture both local and remote host traffic [it supports the Remote Packet Capture Protocol daemon (rpcapd)]

This article explains how to install the rpcapd service, which supports remote packet capture, on Linux and Windows hosts respectively; afterwards you can capture the remote host's traffic from your local computer with Wireshark.

Install and start the rpcapd service on the Windows system

(1) Download the software from https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe and double-click it to install.

(2) Enable the rpcapd service

Method 1: from the Windows graphical interface

Press "Win+R" to open the Run window -> enter "services.msc" -> find "Remote Packet Capture Protocol v.0 (experimental)" in the service list -> finally start the service.

Method 2: from the command line

In cmd, change to the directory C:\Program Files (x86)\WinPcap

rpcapd.exe -h shows the help message, which states that the default port is 2002

Run rpcapd.exe -lnd, then use netstat -an | findstr /I "2002" to verify that the port is listening

Note: stop the service promptly after use, so that nobody else can connect to this host remotely and monitor its traffic

If the service is blocked by a firewall or other security software, adjust that software accordingly

Install and start the rpcapd service on the Linux system

(1) Compile and install

yum -y install glibc-static

wget http://www.winpcap.org/install/bin/WpcapSrc_4_1_2.zip (or look for it under http://www.winpcap.org/archive/)

unzip WpcapSrc_4_1_2.zip

cd winpcap/wpcap/libpcap

chmod +x configure runlex.sh

CFLAGS=-static ./configure

make

cd rpcapd

make

(2) Run the service

./rpcapd -n -d

# Note: if it does not work properly, you may need to modify iptables, as shown below:

If the SSH port is 22 (keeping the default port is not recommended here; it is better to change the SSH port):

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# /etc/rc.d/init.d/iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

Modify iptables to open port 2002:

# iptables -A INPUT -p tcp --dport 2002 -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 2002 -j ACCEPT

# /etc/init.d/iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

View the contents of iptables

# vim iptables    # or run: iptables -L

Restart iptables

# service iptables restart

iptables: Setting chains to policy ACCEPT: filter [OK]

iptables: Flushing firewall rules: [OK]

iptables: Unloading modules: [OK]
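The rule above accepts port 2002 from any address, and rpcapd started with -n permits connections without authentication, so that firewall rule is the only thing limiting who can read this host's traffic. The script below is an added example, not code from this article or from WinPcap: it reads an iptables -S / iptables-save style dump, flags any INPUT rule that accepts the rpcapd port without a -s source restriction, and prints the restricted form of the rule; the sample rules and the 192.0.2.10 address are constructed.

```sh
#!/bin/sh
# Added example, not from the original article or from WinPcap. Reads an
# iptables rule dump ("iptables -S INPUT" or iptables-save format, which both
# use the "-A INPUT ..." syntax) and flags ACCEPT rules that open the rpcapd
# port to every source. Sample rules and the 192.0.2.10 address are constructed.

RPCAPD_PORT=2002

# audit_rpcapd_rules  (reads the rule dump on stdin)
# Exit status: 0 = every ACCEPT for the port carries a -s/--source restriction
#              1 = at least one ACCEPT for the port has no source restriction
#              2 = no INPUT rule accepts the port at all
audit_rpcapd_rules() {
    rc=2
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*) ;;        # only INPUT-chain appends matter here
            *) continue ;;
        esac
        printf '%s\n' "$rule" | grep -Eq -- "--dport ${RPCAPD_PORT}"'( |$)' || continue
        printf '%s\n' "$rule" | grep -q -- '-j ACCEPT' || continue
        if printf '%s\n' "$rule" | grep -Eq -- '(^| )(-s|--source|--src) '; then
            echo "restricted:         $rule"
            if [ "$rc" -eq 2 ]; then rc=0; fi
        else
            echo "OPEN TO ANY SOURCE: $rule"
            rc=1
        fi
    done
    return "$rc"
}

# Hardened form of the article's rule: accept the rpcapd port only from the
# analyst workstation that runs Wireshark ($1 is its address or CIDR block).
rpcapd_rule_for() {
    echo "-A INPUT -s $1 -p tcp --dport ${RPCAPD_PORT} -j ACCEPT"
}

# Constructed sample dump: the article's two rules plus one hardened rule.
SAMPLE_RULES="-P INPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport ${RPCAPD_PORT} -j ACCEPT
$(rpcapd_rule_for 192.0.2.10/32)"

printf '%s\n' "$SAMPLE_RULES" | audit_rpcapd_rules && status=0 || status=$?
echo "audit exit status: $status"   # 1, because the article's rule is open to any source
```

On a live host, feed it the real dump with iptables -S INPUT | sh ./audit.sh, or source the file and pipe into audit_rpcapd_rules directly.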

Run ./rpcapd -n

# ./rpcapd -n

Press CTRL + C to stop the server...

socket(): Address family supported by protocol (code 98)
