On Jan 26, 2020, at 6:15 AM, Patrick Klos <patrick@xxxxxxxx> wrote:
> I would like to address 2 of your points:
>
> "rcap seems windows only"
>
> (asking the list) Why is this the case? Why has remote capture not been implemented on non-Windows platforms?
Because:
Until a few years ago, nobody'd taken the time to pull it from WinPcap source into the main libpcap repository; it's now there.
It's not enabled by default, at least for now, because, if it's enabled, it opens up new attack surfaces on both client and server. Recent libpcap releases have some fixes for problems found by a code auditor (Include Security) as well as some other problems that might also introduce vulnerabilities. (It also has a fix to an interoperability problem between Solaris and non-Solaris machines, and a provision for protocol version negotiation.)
So it's currently implemented in the sense that you can compile an recap-enabled libpcap, and rpcapd, for most if not all modern UN*Xes *if* you run the configure script with --enable-remote or run CMake with -DENABLE_REMOTE=YES, but not in the sense that macOS/*BSD/Linux distributions/Solaris/AIX/any other UN*X that ship with libpcap ship with a version that has remote capture enabled and rpcapd provided.