I have a remote server with rpcapd installed that follows strict security policy rules. Any client can only reach the server through a firewall that follows the same security policy (please don't blame me, it wasn't my idea). The only port opened on the server and on the firewall for remote capture purposes is tcp:2002. The firewall also blocks any unknown outgoing ports. So the whole situation looks like this:
client >> firewall (tcp:2002 opened) >> target server (tcp:2002 opened)
The question is: does rpcapd use any "data ports" (tcp or udp) to forward the captured traffic to the client? If so, which ports are they? Can I set them manually via some command-line switch?
The only port mentioned in the documentation is ...
-p <port> It sets the port the daemon has to bind to. Default: it binds to port 2002.
... but if this is only some kind of "control port", remote capture won't work for me.
Answer 1
From reading the documentation, Active Mode seems useful for the setup you describe: [source: https://www.winpcap.org/docs/docs_412/html/group__remote.html]
Remote Capture Running Modes
The Remote Capture Protocol (RPCAP) can work in two modes:
Passive Mode (default): the client (e.g. a network sniffer) connects to the remote daemon, it sends them the appropriate commands, and it starts the capture.
Active Mode: the remote daemon tries to establish a connection toward the client (e.g. the network sniffer); then, the client sends the appropriate commands to the daemon and it starts the capture. This name is due to the fact that the daemon becomes active instead of waiting for new connections.
The Active Mode is useful in case the remote daemon is behind a firewall and it cannot receive connections from the external world. In this case, the daemon can be configured to establish the connection to a given host, which will have been configured in order to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both Active and Passive Mode.