On Dec 3, 2018, at 12:01 PM, Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
> Over the weekend I was doing some work with rpcap.
>
> I stumbled on one on github but that does not work and uses weird data
> link types for regular Ethernet interfaces. I saw this message from
> dumpcap, for example:
>
> (unknown data link type 3)
>
> However, the version in libpcap/rpcapd works flawlessly with Wireshark
> as far a I can tell.
Yes; the testing I've been doing with it - on macOS, Ubuntu, {Free,Net,Open,DragonFly }BSD, Solaris, and Windows - has largely been with tcpdump, but that all goes through libpcap, so it should work. (I fixed a bug in which rpcapd was just sending network addresses for interfaces over the wire in raw socket address format; *most* systems have formats that happen to be the same over the wire, but Solaris didn't, so pcap_findalldevs_ex() didn't work between Solaris clients and other servers and Solaris servers and other clients.)
libpcap and tcpdump get CI builds from both Travis, on Linux and macOS, and Appveyor, on Windows (with both the WinPcap and Npcap SDKs); the UN*X builds test both without and with remote-capture support (using both autotools and CMake, crossed with both GCC and Clang), and the Windows builds test with remote-capture support. The tests make sure it compiles; they don't test whether remote capture runs - I've tested it, as per the above.
The one at
https://github.com/rpcapd-linux/rpcapd-linux
is presumably the one you found; it's no longer necessary.
