
rpcapd (Remote Packet Capture Daemon) is a daemon that provides a remote packet capture service: tcpdump or Wireshark can use it to capture packets from a remote host. On Windows this service is provided by WinPcap, so on Linux it has to be installed separately. libpcap must be compiled before rpcapd can be built.

libpcap:
rhel:~ # wget http://www.winpcap.org/install/bin/WpcapSrc_4_1_3.zip
rhel:~ # unzip WpcapSrc_4_1_3.zip
rhel:~ # cd winpcap/wpcap/libpcap
rhel:~/winpcap/wpcap/libpcap # chmod +x configure runlex.sh
rhel:~/winpcap/wpcap/libpcap # ./configure --enable-remote
rhel:~/winpcap/wpcap/libpcap # make
rhel:~/winpcap/wpcap/libpcap # make install

rpcapd:
rhel:~ # cd winpcap/wpcap/libpcap/rpcapd/
rhel:~/winpcap/wpcap/libpcap/rpcapd # ./configure
rhel:~/winpcap/wpcap/libpcap/rpcapd # make
rhel:~/winpcap/wpcap/libpcap/rpcapd # make install
rhel:~/winpcap/wpcap/libpcap/rpcapd # cp rpcapd /usr/local/sbin

If you do not want to compile it yourself, a prebuilt binary can be downloaded from http://www.pawelko.net/tag/rpcapd/ and used directly.

rhel:~ # /usr/local/sbin/rpcapd -n & # start rpcapd; -n means no username/password is required
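Starting rpcapd with -n (null authentication) means any client that can reach TCP port 2002 can capture the host's traffic, and the rpcap protocol itself is not encrypted. The following script is an added example (not part of the original post) that audits a process list for rpcapd instances started this way. It assumes the WinPcap rpcapd flags -n (null auth) and -l <host_list_file> (restrict clients to listed hosts); the sample process lines are constructed to resemble `ps -eo pid,args` output and the file path /etc/rpcapd.hosts is a placeholder.

```shell
#!/bin/sh
# Added example: flag rpcapd processes that accept unauthenticated clients.
# Constructed sample input shaped like `ps -eo pid,args` output.
SAMPLE_PS='1234 /usr/local/sbin/rpcapd -n
1235 /usr/local/sbin/rpcapd -n -l /etc/rpcapd.hosts
1236 /usr/local/sbin/rpcapd -d -p 2002
1237 /usr/bin/tcpdump -i eth0'

# audit_rpcapd <process-list>
# Prints one line per rpcapd instance running with null auth (-n):
#   "<pid> null-auth-no-allowlist"  when no -l host list restricts clients
#   "<pid> null-auth-restricted"    when -l is present
# rpcapd processes without -n, and non-rpcapd processes, print nothing.
audit_rpcapd() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *rpcapd*) ;;
            *) continue ;;
        esac
        pid=${line%% *}      # first field is the PID
        args=${line#* }      # remainder is the command line
        # Pad with spaces so " -n " only matches a whole-word flag.
        case " $args " in
            *" -n "*) null_auth=1 ;;
            *) null_auth=0 ;;
        esac
        case " $args " in
            *" -l "*) allowlist=1 ;;
            *) allowlist=0 ;;
        esac
        if [ "$null_auth" -eq 1 ] && [ "$allowlist" -eq 0 ]; then
            echo "$pid null-auth-no-allowlist"
        elif [ "$null_auth" -eq 1 ]; then
            echo "$pid null-auth-restricted"
        fi
    done
}

# Run against the constructed sample (replace with: audit_rpcapd "$(ps -eo pid,args)")
audit_rpcapd "$SAMPLE_PS"
```

On a real host, feed it `ps -eo pid,args` output instead of the sample. Where rpcapd must stay running, limiting which hosts may connect with `-l /etc/rpcapd.hosts` (path is a placeholder) and keeping port 2002 off untrusted networks reduces the exposure that -n creates.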


Because tcpdump and Wireshark on Linux do not support rpcap out of the box, they have to be rebuilt to use it from Linux. (This requires libpcap; install libpcap as described above.)

tcpdump:
rhel:~ # tar zxf tcpdump-4.0.0.tar.gz
rhel:~ # cd tcpdump-4.0.0/
rhel:~/tcpdump-4.0.0 # ln -s ../winpcap/wpcap/libpcap .
rhel:~/tcpdump-4.0.0 # ./configure
rhel:~/tcpdump-4.0.0 # make
rhel:~/tcpdump-4.0.0 # cp tcpdump /usr/local/bin

rhel:~ # /usr/local/bin/tcpdump -i rpcap://10.10.0.1:2002/eth0 # works like ordinary tcpdump, just with added rpcap support

wireshark:
rhel:~ # wget --no-check-certificate https://1.as.dl.wireshark.org/src/wireshark-1.12.5.tar.bz2
rhel:~ # tar jxf wireshark-1.12.5.tar.bz2
rhel:~ # cd wireshark-1.12.5/
rhel:~/wireshark-1.12.5 # ./configure --with-pcap --with-pcap-remote --enable-tshark
rhel:~/wireshark-1.12.5 # make
rhel:~/wireshark-1.12.5 # make install

rhel:~ # tshark -i rpcap://10.10.0.1:2002/eth0 # text-mode Wireshark

