Rpcapd exe что это
Команда rpcapd
Содержание
Описание
Протокол RPCAP (Remote Packet Capture) предназначен для мониторинга сетевого трафика и захвата пакетов, поступающих на удаленное устройство в сети, для контроля и анализа транзитных потоков данных.
Протокол RPCAP подразумевает взаимодействие удаленного устройства и программы анализа сетевых данных (анализатора пакетов) по схеме сервер-клиент. На удаленном устройстве запускается демон RPCAP, который принимает запросы на соединение от клиентских приложений, производит аутентификацию и начинает обслуживание авторизованных клиентов: «прослушивает» сеть и передаёт запрошенные пакеты клиенту для обработки и анализа.
Устройства «Инфинет» имеют встроенный демон RPCAP. Его конфигурация производится с помощью команды “rpcapd”.
Синтаксис:
Параметры
Параметры управления учетными записями пользователей для подключения к устройству по протоколу RPCAP:
Если в конфигурации RPCAP нет ни одного пользователя, то демон будет запрещать все попытки подключения к нему. Чтобы разрешить соединения от любых клиентов, необходимо использовать пустые значения параметров “user” и “key”.
[-port[=PORT]] [-maxconn[=MAXCONNECTIONS]] [start|stop]
Если команда используется без параметров (rpcapd start), то она устанавливает стандартное значение порта RPCAP 2002 и разрешает неограниченное число клиентских соединений. Для установки других значений порта и максимально разрешённого количества соединений используются параметры “port” и “maxconn”.
Параметры «start/stop» выполняют запуск/остановку демона.
[-buffersize=[SND_BUFFER_SIZE]]
Устанавливает размер внутреннего буфера демона RPCAP на передачу захваченных пакетов клиенту. Размер буфера по умолчанию равен 32 Кб.
show [-s=SOURCENAME]
source
Отображает список ресурсов на данном устройстве, доступных для мониторинга через протокол RPCAP.
clear
Примеры
Разрешим соединения от любых клиентов по протоколу RPCAP.
С помощью параметра «source» выведем список ресурсов доступных на устройстве.
Remote Capture
Modules
Detailed Description
WinPcap comes with Remote Capture capabilities. This is an highly experimental feature that allows to interact to a remote machine and capture packets that are being transmitted on the remote network.
This requires a remote daemon (called rpcapd ) which performs the capture and sends data back and a local client that sends the appropriate commands and receives the captured data.
WinPcap extends the standard WinPcap code in such a way that all WinPcap-based tools can expoit remote capture capabilities. For instance, the capabillity to interact with a remote daemon are added to the client software without any explicit modification to it. Vice versa, the remote daemon must be explicitely installed (and configured) on the remote machine.
Remote Capture Running Modes
The Remote Capture Protocol (RPCAP) can work in two modes:
The Active Mode is useful in case the remote daemon is behind a firewall and it cannot receive connections from the external world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured in order to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both Active and Passive Mode.
Analyzer (http://analyzer.polito.it/30alpha/) has a set of commands (in the Capture menu) that allows you to accept a remote connection and then start the capture on the remote device. Currently, Analyzer is the only tool that is able to work in active mode, since it requires some modifications to the application code.
Configuring the Remote Daemon (rpcapd)
The Remote Daemon is a standard Win32 executable running either in console mode or as a service. The executable can be found in the WinPcap folder and it has the following syntax:
The daemon can be compiled and it is actually working on Linux as well.
Here there is a brief description of the allowed commands:
Installing the remote daemon
Starting the remote daemon as a standard executable
Starting a capture on a remote machine
If you are using a tool that is already aware of the remote capture (like Analyzer), everything is simple. The capture wizard will help you to locate the appropriate interface on the remote machine.
If your preferred tool is not aware of the remote capture, you can still use the remote capture. In this case you have to read the next Section.
Be carefully: the capture server ( rpcapd ) must be up and running on the remote machine.
New string specifiers for interface selection
If your preferred tool is not aware of the remote capture, the only thing you must do is to insert, as interface specifier, the indication of the remote machine you want to contact. The following forms are allowed:
| Adapter String | Description |
|---|---|
| It opens a local file. | |
| It opens a remote adapter; the host is specified by means of the literal name, without port number (i.e. it uses the RPCAP default port). | |
| It is the same as before, but it uses a different port number. | |
| It opens a remote adapter, but the host is specified by means of an IPv4 numeric address, without port number (i.e. it uses the RPCAP default port). | |
| It is the same as before, but it uses a different port number. | |
| It is the same as before, but the numeric address is specified within square brackets (like IPv6 addresses). | |
| It opens a remote adapter, but the host is specified by means of an IPv6 numeric address, without port number (i.e. it uses the RPCAP default port). In case of IPv6 addresses you MUST use the square brackets. | |
| It is the same as before, but it uses a different port number. | |
| It opens a local adapter, without using the RPCAP protocol. | |
| It opens a local adapter; it is kept for compability, but it is strongly discouraged. | |
| It opens the first local adapter; it is kept for compability, but it is strongly discouraged. |
The following formats are not allowed:
| Adapter String | Description |
|---|---|
| It cannot be used to open the first local adapter. | |
| It cannot be used to open the first remote adapter. |
Installing the Remote Capture Daemon in UNIX
The WinPcap source archive can be compiled in UNIX as well. Currently, remote capture has been tested on Linux and BSD. What you have to do is:
The remote capture capabilities are turned on by default on Linux and FreeBSD. In case you do not want remote capture capabilities in libpcap, you can type
What you obtained right now, is:
Warning: in order to run the rpcapd daemon, the program must either
Known bugs
For any question, please refer to the WinPcap help page.
Packet Forwarding with RPCAP
The ExtraHop system generates metrics about your network and applications through a wire data feed, which is typically mirrored from a switch. However, you might not always have access to a switch or you might want to monitor a specific device that is outside of your wire data network. Additionally, in a cloud environment, such as Microsoft Azure or Amazon Web Services (AWS), you cannot directly access switch hardware. For these types of environments, you can forward packets to an ExtraHop Discover appliance (sensor) through a packet forwarder such as Remote Packet Capture (RPCAP).
Deployment overview
The following steps outline the key procedures that are required to implement RPCAP with an ExtraHop Discover appliance (sensor).
Implementing RPCAP with the ExtraHop system
RPCAP is implemented through a small binary file that runs as a daemon (rpcapd) on each device that you want to monitor traffic for.
The RPCAP installation package for Windows or Linux can be downloaded from the ExtraHop Downloads and Resources web page. The following figure shows a simple RPCAP implementation with a single sensor behind a firewall. Your network configuration might vary.
The ExtraHop implementation of RPCAP operates in active mode, which means that devices installed with rpcapd software initiate a TCP connection to the ExtraHop system over defined ports. After the TCP connection is established, the ExtraHop system responds with packet-forwarding rules that identify the allowed traffic. When the allowed traffic is detected on the monitored rpcapd device, packets are forwarded to the ExtraHop system over a designated UDP port range.
Each rpcap-installed device contains a configuration file ( rpcapd.ini ) with the IP addresses of the sensors where traffic should be sent, and the TCP port over which the connection should be initiated.
Each ExtraHop system must have an interface configured to monitor RPCAP traffic. In addition, your ExtraHop system must be configured with packet-forwarding rules that determine which packets are forwarded by the remote devices.
Configure RPCAP on the ExtraHop system
You can configure RPCAP and management on the same interface, but you might want to configure a second interface only for RPCAP to avoid unnecessary performance degradation.
Configure packet-forwarding rules on the ExtraHop system
After you configure the interface as an RPCAP target, you must configure packet-forwarding rules. Packet forwarding rules limit what traffic is allowed to be sent to the ExtraHop system through RPCAP.
By default, an entry is configured for port 2003 that accepts traffic from all interface addresses. You can modify the default entry for your environment, delete the default entry, and add additional entries. Make sure that you specify port numbers greater than 1023 to avoid conflicts with reserved ports. It is a good practice to set these rules first, so that when you configure rpcapd on your remote devices, the ExtraHop system is ready to receive the forwarded packets.
You can configure up to 16 rules for packet forwarding in the ExtraHop system; each rule must have a single TCP port over which the ExtraHop system communicates the packet-forwarding rules to rpcapd devices.
| Important: | The information in the rpcapd configuration file on the devices that are forwarding packets must not contradict the rules set in the ExtraHop system. |
Save the running configuration file
After you configure the interface and configure packet forwarding rules, you must save the changes to the running configuration file.
Installing rpcapd on your remote devices
You can customize the rpcapd installation by specifying the following configuration options.
| Important: | These options should not be modified without an understanding of how the change might affect your workflow. |
Standard Script
Script Filters
Modify the start up script to refine the traffic that is sent to the sensor.
Debian-Ubuntu Linux distributions
The minimum Linux kernel version required to run rpcapd is 3.2.
RPM-based Linux distributions
Other Linux distributions
Configure rpcapd on a Linux device with multiple interfaces
For devices with multiple interfaces, rpcapd can be configured to forward packets by interface.
To edit the configuration file, complete the following steps.
where is the name of the interface from which you want to forward packets and is the IP address of the interface from which the packets are forwarded. The can be either an individual IP address, such as 10.10.1.100, or a CIDR specification that contains the IP address, such as 10.10.1.0/24
Example Linux configurations
The following example shows an interface in CIDR format.
The following example shows a configuration that forwards packets by interface name:
Uninstall the software
Install rpcapd on a Windows server with the installation wizard
Configure rpcapd on a Windows device with multiple interfaces
For network devices with multiple interfaces, rpcapd can be configured to forward packets from multiple interfaces.
To edit the configuration file, complete the following steps.
where is the name of the interface from which you want to forward packets and is the IP address of the interface from which the packets are forwarded. The can be either an individual IP address, such as 10.10.1.100, or a CIDR specification that contains the IP address, such as 10.10.1.0/24.
The is formatted as \Device\NPF_ < >, where is the globally unique identifier (GUID) of the interface. For example, if the interface GUID is 2C2FC212-701D-42E6-9EAE-BEE969FEFB3F, the interface name is \Device\NPF_ <2C2FC212-701D-42E6-9EAE-BEE969FEFB3F>.
Example Windows configurations
The following example shows two interfaces in CIDR format.
The following example shows a configuration that forwards packets by interface name.
Uninstall the software
Complete the following steps to uninstall RPCAP software through the Windows Programs control panel.
Verify your RPCAP traffic
After your configuration is complete, you can view RPCAP packets and throughput metrics on the System Health page to verify that the correct traffic is being forwarded to the ExtraHop system.
Forwarded by Peer
A list chart that displays the following information regarding packets and frames that are forwarded by an RPCAP peer:
How this information can help you
Received by Appliance
A list chart that displays the following information regarding packets and frames that are received by an ExtraHop system from a Remote Packet Capture (RPCAP) peer:
How this information can help you
Tracking the encapsulated packets and bytes is a good way to make sure that RPCAP forwarders are not placing an unnecessary load on your network. You can monitor tunnel packets and bytes to make sure that the ExtraHop system is receiving everything that the RPCAP device is sending.
Sample RPCAP configuration
The following sample configurations illustrate how traffic rules apply to packet forwarding.
In all scenarios below, the sensor interface has a network configuration of 172.25.26.5, 172.25.26.0/24 and is configured for RPCAP, as displayed in the following figure.
Scenario 1: The sensor is configured to accept all interface traffic, as displayed in the following figure.
eth0 = 10.10.1.21 10.10.1.0/24
eth1 = 192.168.4.21, 192.168.4.0/24
eth0 = 10.10.1.21, 10.10.1.0/24
eth1 = 192.168.4.21, 192.168.4.0/24
eth0 = 10.10.1.21, 10.10.1.0/24
eth1 = 192.168.4.21, 192.168.4.0/24
ActiveClient=172.25.26.5, 2003, ifname= eth0
ActiveClient=172.25.26.5, 2003, ifname = eth1
Scenario 2: The sensor is configured to accept traffic from only the device eth1 interface, as displayed in the following figure.
