Passive Rcore, UI Phantoms
Running the Rcore in a configuration that does not display phantoms can be useful in various scenarios. For instance, you might want a quick, non-intrusive view of a network or need to locate and document the placement of DHCP servers or vulnerability scanners. This "no-phantoms" configuration is referred to as passive mode.
Why Do Phantoms Appear in Passive Mode?
Occasionally, you may observe phantoms in the UI even when the Rcore is set to passive mode. What’s happening?
If the Rcore is in passive mode, but phantoms (associated with TCP connections) appear in the UI, it indicates that TCP data—actual content—is leaking into the machine running the Rcore. This can occur due to:
- The machine being connected to a hub instead of a switch.
- Guest VMs running on the same computer as the Rcore. This issue is particularly common when the Rcore operates on the host system of a hypervisor instead of a guest operating system.
Recommended Actions
Data leakage into the Rcore machine should be treated as a potential security event. Investigate and resolve the cause of the leak to secure the network.
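One way to start that investigation, as an added example that is not part of the Rcore product or its documentation: given raw Ethernet frames captured on the Rcore machine's interface, list the unicast IPv4/TCP frames that the machine neither sent nor was the destination of. The function names, MAC addresses, IP addresses, and sample frames are constructed for illustration.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def leaked_tcp_frames(frames, local_macs):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for every unicast IPv4/TCP
    frame that was neither sent by nor addressed to one of local_macs."""
    local = {m.lower() for m in local_macs}
    leaks = []
    for f in frames:
        if len(f) < 34:                      # 14-byte Ethernet + 20-byte IPv4
            continue
        dst, src, off = f[0:6], f[6:12], 14
        (ethertype,) = struct.unpack("!H", f[12:14])
        if ethertype == 0x8100 and len(f) >= 38:   # skip one 802.1Q tag
            (ethertype,) = struct.unpack("!H", f[16:18])
            off = 18
        ip = f[off:off + 20]
        if ethertype != 0x0800 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue                         # keep IPv4 with protocol 6 (TCP)
        if dst[0] & 1:                       # broadcast/multicast: expected
            continue
        if mac(dst) in local or mac(src) in local:
            continue                         # this host's own traffic
        ips = [".".join(map(str, ip[i:i + 4])) for i in (12, 16)]
        leaks.append((mac(src), mac(dst), ips[0], ips[1]))
    return leaks

def build_frame(dst, src, proto, sip, dip):
    # Constructs a minimal Ethernet/IPv4 frame for the sample data below.
    eth = bytes.fromhex((dst + src).replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(map(int, sip.split("."))),
                     bytes(map(int, dip.split("."))))
    return eth + ip + b"\x00" * 20

# Constructed sample: HOST is the Rcore machine, A and B are other hosts.
HOST, A, B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    build_frame(HOST, A, 6, "192.0.2.10", "192.0.2.1"),    # TCP to this host
    build_frame(B, A, 6, "192.0.2.10", "192.0.2.11"),      # TCP between A and B
    build_frame("ff:ff:ff:ff:ff:ff", A, 17, "192.0.2.10", "192.0.2.255"),
    build_frame(B, A, 17, "192.0.2.10", "192.0.2.11"),     # UDP, not TCP
]

if __name__ == "__main__":
    for leak in leaked_tcp_frames(SAMPLE_FRAMES, [HOST]):
        print("leaked TCP frame:", *leak)
```

Flagged frames whose MAC addresses belong to guest VMs on the same computer point to the hypervisor case; flagged frames between two unrelated hosts point to the hub case.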
If you want to run the Rcore in passive mode, but do not want to see any phantom icons in the UI (who cares about data leakage, right?), then do not include this argument in the Rcore configuration:
--show-tcp
If you remove the argument above, the Rcore will not report TCP events to the UI.