Rpcapd is a daemon (Unix) or service (Win32) that allows the capture and filter part of libpcap to be run on a remote system.
Rpcapd can run in two modes: passive mode (default) and active mode.
In passive mode, the client (e.g., a network sniffer) connects to rpcapd. It then sends it the appropriate commands to start the capture.
In active mode, rpcapd tries to establish a connection toward the client (e.g., a network sniffer). The client then sends the appropriate commands to rpcapd to start the capture.
Active mode is useful in case rpcapd is run behind a firewall and cannot receive connections from the external world. In this case, rpcapd can be configured to establish the connection to a given host, which has to be configured in order to wait for that connection. After establishing the connection, the protocol continues its job in almost the same way in both active and passive mode.
The user can create a configuration file in the same folder as the executable and put the configuration commands in it. On Win32, you have to restart rpcapd for it to execute the commands (i.e. the initialization file is parsed only at the beginning). The UNIX version of rpcapd rereads the configuration file when it receives a HUP signal. In that case, all existing connections remain in place, while new connections are created according to the new parameters.
In case a user does not want to create the configuration file manually, they can launch rpcapd with the requested parameters plus "-s filename". Rpcapd will parse all the parameters and save them into the specified configuration file.
The remote daemon is installed automatically when installing WinPcap. The installation process places the rpcapd file into the WinPcap folder. This file can be executed either from the command line or as a service. For instance, the installation process updates the list of available services and creates a new item (Remote Packet Capture Protocol v.0 (experimental)). To avoid security problems, the service is inactive and has to be started manually (control panel - administrative tools - services - start).
The service has a set of "standard" parameters, i.e. it is launched with the -d flag (in order to make it run as a service) and the -f rpcapd.ini flag.
The rpcapd executable can be launched directly, i.e. it can run in the foreground as well (not as a daemon/service). The procedure is quite simple: you have to invoke the executable from the command line with all the requested parameters except for the -d flag. The capture server will start in the foreground.