Remote packet capturing is not working in Alibaba Cloud CentOS ECS

asked 2022-01-12 03:51:21 +0000

lauyatkin
1 ●1 ●2

I have 2 CentOS instances created in Alibaba Cloud.

one of the them has entered the following command:

yum install glibc-static gcc flex
wget http://www.winpcap.org/install/bin/WpcapSrc_4_1_2.zip --no-check-certificate
unzip WpcapSrc_4_1_2.zip
cd winpcap/wpcap/libpcap/
chmod +x configure runlex.sh
CFLAGS=-static ./configure
make
cd rpcapd/
make
sudo ./rpcapd -4 -n -p 6666

The other one entered the following command to perform remote capturing from the first one:

./tshark -i rpcap://[Private IP of first ECS]:6666/eth0 -T ek -b interval:10 -w /wireshark/captured_pcap/xxxx_eth0.json

However, I have the following error after typing it:

Capturing on 'rpcap://[Private IP of first ECS]:6666/eth0'
tshark: The capture session could not be initiated on interface 'rpcap://[Private IP of first ECS]:6666/eth0' (No such device exists).
Please check that you have the proper interface or pipe specified.
0 packets captured

I have added a permit port 6666 ACL from the second ECS to first ECS, does anyone encountered the above issue before?

Alibaba Cloud Support said it is out of their service area so they will not have any support on that.

Thank you.

edit retag flag offensive close merge delete

Comments

Can you test with the Wireshark gui?
4.6. The “Manage Interfaces” Dialog Box

Adding a remote interface in the gui will contact the rpcapd server and request a list of interfaces.
tshark -D and dumpcap -D don't have this ability to query.

Have you looked for messages on the server console where the daemon was started?

Child terminated
SIOCGIFHWADDR: No such device
I'm exiting from the child loop
The other host terminated the connection.

Chuckc ( 2022-01-12 18:15:21 +0000 )edit

Hi Chuckc,

I have posted something in the Answer part.

lauyatkin ( 2022-01-14 07:24:36 +0000 )edit

What is the version of Centos?

Chuckc ( 2022-01-14 13:08:20 +0000 )edit

Are you sure the Centos system has an eth0 interface?
I'm testing on Centos 7 (get the same free() error when listing interface) and capture works fine on ens192.

Chuckc ( 2022-01-14 18:09:20 +0000 )edit

The CentOS of server side and client side are both version 7.9.2009.

I am sure there is eth0 here. When I run tshark -D and ifconfig:

#  tshark -D
1. eth0
2. docker0
3. nflog
4. nfqueue
5. usbmon1
6. vethc4fbece
7. veth5f91ac4
8. vethc5d46a7
9. any
10. lo (Loopback)

    # ifconfig
    docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
......

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.81  netmask 255.255.255.0  broadcast 192.168.0.255
......

I also tested on my own VM that is not hosted on Cloud. Everything looks normal. Alibaba Cloud said it does not block the traffic of Wireshark.

lauyatkin ( 2022-01-17 01:17:58 +0000 )edit

see more comments

2 Answers

Sort by » oldest newest most voted

answered 2022-01-17 16:47:02 +0000

Chuckc
3023 ●6 ●608 ●20

updated 2022-01-17 16:48:22 +0000

The client side (dumpcap and tshark) have to be compiled with support HAVE_PCAP_REMOTE.
dumpcap.c:

#ifdef HAVE_PCAP_REMOTE
    fprintf(output, "RPCAP options:\n");

On Windows, it is compiled in:

C:\Program Files\Wireshark>dumpcap -? 2>&1 | findstr /I rpcap
                               rpcap://<host>/<interface>
RPCAP options:
  -r                       don't ignore own RPCAP traffic in capture
  -u                       use UDP for RPCAP data transfer
  -A <user>:<password>     use RPCAP password authentication

And not on linux:

$ ./dumpcap -v | head -1
Dumpcap (Wireshark) 3.7.0 (v3.7.0rc0-69-g79ed34e1c697)
$ 
$ ./dumpcap -h | grep -i rpcap
                               rpcap://<host>/<interface>

The man page and usage for dumpcap and tshark could use more info w.r.t. using rpcap.
And perhaps a check in the code that displays a better error when rpcap: is specified but the code is not compiled for it.

edit flag offensive delete link

Comments

I can see from my client side, when I type the above command you mentioned, it displayed as follow:

[root@network-wiki bin]# ./dumpcap -v | head -1
Dumpcap (Wireshark) 3.4.0 (v3.4.0-0-g9733f173ea5e)
[root@network-wiki bin]# ./dumpcap -h | grep -i rpcap
                               rpcap://<host>/<interface>

When I replace the tshark with dumpcap, it displayed the similar message:

./dumpcap -i rpcap://[Private IP of first ECS]:6666/eth0 -b interval:10 -w /wireshark/captured_pcap/xxxx_eth0.json

Capturing on 'rpcap://[Private IP of first ECS]:6666/eth0'
dumpcap: The capture session could not be initiated on interface 'rpcap://[Private IP of first ECS]:6666/eth0' (No such device exists).
Please check that you have the proper interface or pipe specified.

Do I need to check if dumpcap.c have HAVE_PCAP_REMOTE?

lauyatkin ( 2022-01-18 02:24:01 +0000 )edit

You could try the steps here: How to enable rpcap support in linux version
It requires building libcap with remote support then building wireshark.

Also here: Connect to rpcapd service on Windows from Linux/OSX using tshark

Chuckc ( 2022-01-18 03:30:41 +0000 )edit

Thanks for your comment. May I also know that the above steps are done in client side or server side?

lauyatkin ( 2022-01-18 06:31:44 +0000 )edit

add a comment

answered 2022-01-14 07:15:17 +0000

lauyatkin
1 ●1 ●2

updated 2022-01-14 08:12:27 +0000

When I configurate remote interface, the server side will have the following error message:

*** Error in `./rpcapd': free(): invalid next size (fast): 0x0000000002582130 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81329)[0x7fdcd2a48329]
./rpcapd[0x412c74]
./rpcapd[0x404bdf]
./rpcapd[0x403a92]
./rpcapd[0x4032c4]
./rpcapd[0x403006]
./rpcapd[0x402e06]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fdcd29e9555]
./rpcapd[0x4028dd]
======= Memory map: ========
00400000-0043a000 r-xp 00000000 fd:01 1576600                            /tmp/winpcap/wpcap/libpcap/rpcapd/rpcapd
0063a000-0063b000 r--p 0003a000 fd:01 1576600                            /tmp/winpcap/wpcap/libpcap/rpcapd/rpcapd
0063b000-0063c000 rw-p 0003b000 fd:01 1576600                            /tmp/winpcap/wpcap/libpcap/rpcapd/rpcapd
0063c000-00658000 rw-p 00000000 00:00 0
02582000-025a3000 rw-p 00000000 00:00 0                                  [heap]
025a3000-025c6000 rw-p 00000000 00:00 0                                  [heap]
7fdccc000000-7fdccc021000 rw-p 00000000 00:00 0
7fdccc021000-7fdcd0000000 ---p 00000000 00:00 0
7fdcd23aa000-7fdcd23bf000 r-xp 00000000 fd:01 655384                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fdcd23bf000-7fdcd25be000 ---p 00015000 fd:01 655384                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fdcd25be000-7fdcd25bf000 r--p 00014000 fd:01 655384                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fdcd25bf000-7fdcd25c0000 rw-p 00015000 fd:01 655384                     /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7fdcd25c0000-7fdcd25c2000 r-xp 00000000 fd:01 664698                     /usr/lib64/libdl-2.17.so
7fdcd25c2000-7fdcd27c2000 ---p 00002000 fd:01 664698                     /usr/lib64/libdl-2.17.so
7fdcd27c2000-7fdcd27c3000 r--p 00002000 fd:01 664698                     /usr/lib64/libdl-2.17.so
7fdcd27c3000-7fdcd27c4000 rw-p 00003000 fd:01 664698                     /usr/lib64/libdl-2.17.so
7fdcd27c4000-7fdcd27c6000 r-xp 00000000 fd:01 656894                     /usr/lib64/libfreebl3.so
7fdcd27c6000-7fdcd29c5000 ---p 00002000 fd:01 656894                     /usr/lib64/libfreebl3.so
7fdcd29c5000-7fdcd29c6000 r--p 00001000 fd:01 656894                     /usr/lib64/libfreebl3.so
7fdcd29c6000-7fdcd29c7000 rw-p 00002000 fd:01 656894                     /usr/lib64/libfreebl3.so
7fdcd29c7000-7fdcd2b8b000 r-xp 00000000 fd:01 656952                     /usr/lib64/libc-2.17.so
7fdcd2b8b000-7fdcd2d8a000 ---p 001c4000 fd:01 656952                     /usr/lib64/libc-2.17.so
7fdcd2d8a000-7fdcd2d8e000 r--p 001c3000 fd:01 656952                     /usr/lib64/libc-2.17.so
7fdcd2d8e000-7fdcd2d90000 rw-p 001c7000 fd:01 656952                     /usr/lib64/libc-2.17.so
7fdcd2d90000-7fdcd2d95000 rw-p 00000000 00:00 0
7fdcd2d95000-7fdcd2dac000 r-xp 00000000 fd:01 656978                     /usr/lib64/libpthread-2.17.so
7fdcd2dac000-7fdcd2fab000 ---p 00017000 fd:01 656978                     /usr/lib64/libpthread-2.17.so
7fdcd2fab000-7fdcd2fac000 r--p 00016000 fd:01 656978                     /usr/lib64/libpthread-2.17.so
7fdcd2fac000-7fdcd2fad000 rw-p 00017000 fd:01 656978                     /usr/lib64/libpthread-2.17.so
7fdcd2fad000-7fdcd2fb1000 rw-p 00000000 00:00 0
7fdcd2fb1000-7fdcd2fb9000 r-xp 00000000 fd:01 656956                     /usr/lib64/libcrypt-2.17.so
7fdcd2fb9000-7fdcd31b8000 ---p 00008000 fd:01 656956                     /usr/lib64/libcrypt-2.17.so
7fdcd31b8000-7fdcd31b9000 r--p 00007000 fd:01 656956                     /usr/lib64/libcrypt-2.17.so
7fdcd31b9000-7fdcd31ba000 rw-p 00008000 fd:01 656956                     /usr/lib64/libcrypt-2.17.so
7fdcd31ba000-7fdcd31e8000 rw-p 00000000 00:00 0
7fdcd31e8000-7fdcd320a000 r-xp 00000000 fd:01 656944                     /usr/lib64/ld-2.17.so
7fdcd33fe000-7fdcd3402000 rw-p 00000000 00:00 0
7fdcd3406000-7fdcd3407000 rw-p 00000000 00:00 0
7fdcd3407000-7fdcd3409000 rw-p 00000000 00:00 0
7fdcd3409000-7fdcd340a000 r--p 00021000 fd:01 656944                     /usr/lib64/ld-2.17.so
7fdcd340a000-7fdcd340b000 rw-p 00022000 fd:01 656944                     /usr/lib64/ld-2.17.so
7fdcd340b000-7fdcd340c000 rw-p 00000000 00:00 0
7ffdcd9d0000-7ffdcd9f1000 rw-p 00000000 00:00 0                          [stack]
7ffdcd9f2000-7ffdcd9f4000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Child terminated
The other end system asked to close the connection.
I'm exiting from ...

(more)