[Linux 4.4.0] No interfaces found when connecting Wireshark client to compiled rpcapd daemon #666

Closed
thecityofguanyu opened this issue Nov 28, 2017 · 6 comments

@thecityofguanyu

Rpcapd compiled from current master, commit 800fff521b3a90300d03af880b4626ede13c57bd.

Details of system compiling/running rpcapd:

Linux pcap 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Compiling process:

pcap:/opt/tmp# git clone https://github.com/the-tcpdump-group/libpcap.git
pcap:/opt/tmp/libpcap# ./configure --enable-remote
pcap:/opt/tmp/libpcap# make
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-linux.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-usb-linux.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-netfilter-linux.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./fad-getad.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap.c
bison -y -p pcap_ -o grammar.c -d grammar.y
grammar.y: warning: 38 shift/reduce conflicts [-Wconflicts-sr]
flex -P pcap_ --header-file=scanner.h --nounput -o scanner.c scanner.l
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./gencode.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./optimize.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./nametoaddr.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./etherent.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./fmtutils.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./savefile.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./sf-pcap.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./sf-pcap-ng.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./fopen.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-common.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./bpf_image.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./bpf_dump.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-new.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./pcap-rpcap.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./rpcap-protocol.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c ./sockutils.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c scanner.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c grammar.c
rm -f bpf_filter.c
ln -s ./bpf/net/bpf_filter.c bpf_filter.c
gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -Dpcap_EXPORTS -DHAVE_CONFIG_H  -g -O2    -c bpf_filter.c
ar rc libpcap.a pcap-linux.o pcap-usb-linux.o pcap-netfilter-linux.o fad-getad.o pcap.o gencode.o optimize.o nametoaddr.o etherent.o fmtutils.o savefile.o sf-pcap.o sf-pcap-ng.o fopen.o pcap-common.o bpf_image.o bpf_dump.o pcap-new.o pcap-rpcap.o rpcap-protocol.o sockutils.o scanner.o grammar.o bpf_filter.o
ranlib libpcap.a
VER=`cat ./VERSION`; \
MAJOR_VER=`sed 's/\([0-9][0-9]*\)\..*/\1/' ./VERSION`; \
gcc  -shared -Wl,-soname,libpcap.so.$MAJOR_VER \
    -o libpcap.so.$VER pcap-linux.o pcap-usb-linux.o pcap-netfilter-linux.o fad-getad.o pcap.o gencode.o optimize.o nametoaddr.o etherent.o fmtutils.o savefile.o sf-pcap.o sf-pcap-ng.o fopen.o pcap-common.o bpf_image.o bpf_dump.o pcap-new.o pcap-rpcap.o rpcap-protocol.o sockutils.o scanner.o grammar.o bpf_filter.o
cd rpcapd; make
make[1]: Entering directory '/opt/tmp/libpcap/rpcapd'
gcc -fvisibility=hidden -I. -I.. -I. -I./..  -DHAVE_CONFIG_H  -g -O2    -c ./daemon.c
gcc -fvisibility=hidden -I. -I.. -I. -I./..  -DHAVE_CONFIG_H  -g -O2    -c ./fileconf.c
gcc -fvisibility=hidden -I. -I.. -I. -I./..  -DHAVE_CONFIG_H  -g -O2    -c ./log-stderr.c
gcc -fvisibility=hidden -I. -I.. -I. -I./..  -DHAVE_CONFIG_H  -g -O2    -c ./rpcapd.c
gcc -fvisibility=hidden -g -O2     -o rpcapd daemon.o fileconf.o log-stderr.o rpcapd.o ../rpcap-protocol.o ../sockutils.o ../fmtutils.o ../libpcap.a  -lcrypt -lpthread
make[1]: Leaving directory '/opt/tmp/libpcap/rpcapd'
./config.status --file=pcap-config.tmp:./pcap-config.in
config.status: creating pcap-config.tmp
mv pcap-config.tmp pcap-config
chmod a+x pcap-config

And daemon started with:

./rpcapd -4 -n -d

The following outputs to stdout when client attempts to connect:

I'm currently discarding data

I'm exiting from the child loop

Child terminated

The rpcap client is running Wireshark v2.2.6-0-g32dac6a. That Wireshark instance displays an error window noting "No remote interfaces found".

@guyharris
Member

What OS is the rpcap client running?

Is the rpcap client also using libpcap built from the current master?

Do you have a network trace of the rpcap traffic?

@guyharris
Member

Try it with the current tip of the master branch; 2972769 fixes a bug where protocol version negotiation didn't work.

That does, however, show a Wireshark bug - the error dialog should have said "The server doesn't support any protocol version that we support", but the Wireshark code doesn't properly handle getting an actual error from pcap_findalldevs_ex().

@guyharris
Member

Try it with the current tip of the master branch

This means try building rpcapd for the server from the current tip of the master branch AND, if you built Wireshark on the client with a libpcap built from the master branch, try building Wireshark on the client with a libpcap built from the current tip of the master branch - the bug was in both the client and server side.

ghost pushed a commit to wireshark/wireshark that referenced this issue Nov 28, 2017
CANT_GET_INTERFACE_LIST does *NOT* mean "No remote interfaces found.",
as in "there are no remote interfaces"; a NULL return from
get_remote_interface_list() and an err value of 0 means that.
CANT_GET_INTERFACE_LIST means "something bad happened and the error
string says what it is".  Display that error string, so when people
report problems:

	the-tcpdump-group/libpcap#666

they'll give the actual error message, and I'll fix my breakage of the
rpcap protocol negotiation:

	the-tcpdump-group/libpcap@2972769

rather than just wondering what the problem was and asking the reporter
of the problem for more information.

Report anything other than "there are no remote interfaces" as an error,
not a warning.

Change-Id: Ia9381953d080e037254f21e47ee7ecc4619b7254
Reviewed-on: https://code.wireshark.org/review/24627
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(cherry picked from commit ae65dc2)
Reviewed-on: https://code.wireshark.org/review/24628
ghost pushed a commit to wireshark/wireshark that referenced this issue Nov 28, 2017
Change-Id: Ia9381953d080e037254f21e47ee7ecc4619b7254
Reviewed-on: https://code.wireshark.org/review/24627
Reviewed-by: Guy Harris <guy@alum.mit.edu>
ghost pushed a commit to wireshark/wireshark that referenced this issue Nov 28, 2017
Change-Id: Ia9381953d080e037254f21e47ee7ecc4619b7254
Reviewed-on: https://code.wireshark.org/review/24627
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(cherry picked from commit ae65dc2)
Reviewed-on: https://code.wireshark.org/review/24629
@guyharris
Member

That does, however, show a Wireshark bug - the error dialog should have said "The server doesn't support any protocol version that we support", but the Wireshark code doesn't properly handle getting an actual error from pcap_findalldevs_ex().

Fixed in Wireshark change 24627 and in the backports to 2.4 and 2.2.
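
The distinction the Wireshark fix draws, between "the call failed, show the error string" and "the call worked and there are no remote interfaces", as an added C example; this is not Wireshark or libpcap code. `struct dev`, `findalldevs_fn`, `list_remote` and the `fake_*` backends are hypothetical stand-ins so it runs without a remote rpcapd; the function pointer follows the return contract of pcap_findalldevs_ex() (0 on success, possibly with a NULL list, or -1 with the reason in the error buffer).

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256   /* plays the role of PCAP_ERRBUF_SIZE */

struct dev { const char *name; struct dev *next; };   /* stand-in for pcap_if_t */

/* Assumed contract, as for pcap_findalldevs_ex(): 0 = success (list may be
 * NULL), -1 = failure with the reason written to errbuf. */
typedef int (*findalldevs_fn)(const char *src, struct dev **devs, char *errbuf);

enum list_result { LIST_OK, LIST_EMPTY, LIST_ERROR };

/* Never collapse "failed" into "empty": a failure carries an error string
 * the user must see, an empty list is only a warning. */
enum list_result list_remote(findalldevs_fn fn, const char *src,
                             struct dev **devs, char *msg, size_t msglen)
{
    char errbuf[ERRBUF_SIZE] = "";
    *devs = NULL;
    if (fn(src, devs, errbuf) == -1) {
        snprintf(msg, msglen, "Can't get interface list: %s", errbuf);
        return LIST_ERROR;
    }
    if (*devs == NULL) {
        snprintf(msg, msglen, "No remote interfaces found.");
        return LIST_EMPTY;
    }
    msg[0] = '\0';
    return LIST_OK;
}

/* Constructed backends standing in for a remote rpcapd. */
static int fake_version_mismatch(const char *s, struct dev **d, char *e)
{ (void)s; (void)d;
  snprintf(e, ERRBUF_SIZE, "The server doesn't support any protocol version that we support");
  return -1; }
static int fake_no_interfaces(const char *s, struct dev **d, char *e)
{ (void)s; (void)e; *d = NULL; return 0; }
static int fake_one_interface(const char *s, struct dev **d, char *e)
{ static struct dev eth0 = { "eth0", NULL }; (void)s; (void)e; *d = &eth0; return 0; }

int main(void)
{
    findalldevs_fn cases[] = { fake_version_mismatch, fake_no_interfaces, fake_one_interface };
    for (int i = 0; i < 3; i++) {
        struct dev *devs; char msg[2 * ERRBUF_SIZE];
        enum list_result r = list_remote(cases[i], "rpcap://192.0.2.10/", &devs, msg, sizeof msg);
        printf("%d: %s\n", (int)r, r == LIST_OK ? devs->name : msg);
    }
    return 0;
}
```
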

@thecityofguanyu
Author

@guyharris

What OS is the rpcap client running?

rpcap client OS is Windows 10.0.14393. Off topic, but is there a way to run an rpcap client off *nix?

Is the rpcap client also using libpcap built from the current master?

The rpcap client is not using libpcap built from current master. Its libpcap version within Wireshark 2.2.6 appears to be libpcap 1.0 branch 1_0_rel0b (20091008).

Do you have a network trace of the rpcap traffic?

I do not have a network trace.

Try it with the current tip of the master branch; 2972769 fixes a bug where protocol version negotiation didn't work.

I can confirm that this appears to fix the issue! Pulled master (commit 2972769) and there was no error upon connecting the client. Capturing seems to work as expected.

Thanks for the quick response and work!

@guyharris
Member

Off topic, but is there a way to run an rpcap client off *nix?

Yes, but you have to build libpcap yourself (I'd suggest using the tip of the master branch), configuring it with --enable-remote if you're using autotools or -DENABLE_REMOTE=YES if you're using CMake, and arrange to link your program (tcpdump, Wireshark, etc.) with that version of libpcap.

The rpcap client is not using libpcap built from current master. Its libpcap version within Wireshark 2.2.6 appears to be libpcap 1.0 branch 1_0_rel0b (20091008).

OK, that one doesn't have the bug I introduced, so replacing the rpcapd is sufficient.

I do not have a network trace.

Not needed - it showed up with tcpdump (built on *nix - macOS - with tip-of-the-master branch libpcap) when I was doing some other rpcap testing, and it, unlike Wireshark, actually reported the real problem, so it was easier to diagnose.
