rtdump 1.0 review
DownloadRtdump is a version of tcpdump modified to capture traffic on remote systems and networks
|
|
Rtdump is a version of tcpdump modified to capture traffic on remote systems and networks. It enables you to run a packet capture program (the server) on a target computer, which will sniff the network traffic on that system, and uplink the captured packets to another host (the client), where the captured packets can be processed, analysed and archived . The rpcap system thus consists of two separate processes, the server (or agent) which captures network traffic on a remote system, and a client, which receives and processes these packets. The server code is a standalone executable program which uses the libpcap packet capture library to capture network traffic. The client is actually a library called librpcap, which is linked to a user program and used on the client system in a manner identical to libpcap.
The librpcap client library exposes a subset of the pcap API as defined in the pcap (3) manpage. The API is used in a manner identical to that of libpcap, so that any programs which do not use the libpcap functions not present in rpcap can directly link to rpcap in place of pcap. The API functions as a set of pcap-compatible wrapper functions over a Sun RPC interface to the remote server, which invoke the corresponding libpcap functionality on it.
At this time, rpcap has been built and tested only on Linux on Intel platforms. However, it should build on any UNIX like system that supports multithreading and has the RPC libraries and utilities available, so that it should be possible to build it on most systems. Please note however that there are a couple of bugs in the code (all my own!) that currently restrict it to little-endian systems. I will fix this ASAP.
The rtdump executable is just a slightly modified version of tcpdump. The difference is that rtdump links against librpcap rather than libpcap, and so requires some modifications in the initialization stuff. The main difference for end users is in the command line. Rtdump is invoked as follows:
rtdump
The remote host name option is of course the name or IP address of the remote host on which you desire to capture traffic.
For example, supposing you want to capture tcp traffic to your local machine (the client) from a remote machine called, say, fred, on fred's eth1 interface, you should invoke rtdump thus:
rtdump -i eth1 tcp fred
The difference between a normal tcpdump invocation and this invocation is the addition of the remote host name. The capture data is dumped to the current host, i.e. the system on which rtdump has been invoked, By default rtdump uses the default rpcap port values of 21373 tcp and 61373 udp for communication with the server process, apart from the RPC process. If any of these defaults need to be changed, the
initialization code in rtdump.c has to be modified accordingly (check the init_rpcap function and the lines preceding it).
All other rtdump operational parameters are identical to tcpdump (it *is* tcpdump with a few minor modifications, after all!), so please check man (1) tcpdump for details.
What's New in This Release:
Modified tcpdump to link to librpcap and compile as rtdump for remote capture
renamed tcpdump.c to rtdump.c
added librpcap initialization code to main() in rtdump.c
added rpcap client host address routines to main() in rtdump.c
added rpcap capture end function to cleanup() in rtdump.c
added the str_utils.c and str_utils.h files for parsing client names (called in main() in rtdump.c)
rtdump 1.0 keywords