Ask Your Question
0

Redirection not working with tcpdump

asked 2019-12-11 22:05:15 +0000

rgrish gravatar image

Hi Team,

I am trying to redirect the tcpdump capture on an interface to a remote server usinf ssh pipe as below -

tcpdump -i any ! host 172.xx.xx.116 -s 0 | ssh [email protected] “cat > dump.pcap”

I do not have any issue with redirection but when I open it in Windows PC I see the format is not understood by Wireshark.

As I know wireshark expects binary file but I am saving it as a text file so not sure if I need some converter to work this out. Due to limited space in our hardware units we often need to redirect the tcpdump caputre. Also I am not sure if with winScp the file gets corrupted.

Please help me here.

Thanks Rish

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
1

answered 2019-12-11 22:30:29 +0000

Chuckc gravatar image

updated 2019-12-11 22:32:23 +0000

From the tcpdump man page:

       -w file
              Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.  Stan-
              dard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so  a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received.   Use  the  -U
              flag  to  cause  packets  to  be written as soon as they are re-
              ceived.

Try:

tcpdump -i any ! host 172.xx.xx.116 -s 0 -w - | ssh [email protected] 'cat>dump.pcap'


(assuming the xx.xx are replaced to complete the IP address)

edit flag offensive delete link more

Comments

Thanks for the reply. I have tried this option but I am not sure why within seconds the redirected output nearing to 1 GB of size

-rw-rw---- 1 samadmin sam 686M Dec 12 06:42 dump.pcap

rgrish gravatar imagergrish ( 2019-12-12 05:48:23 +0000 )edit

Also to mention is that when I am not using -w option in the above ssh pipe I do not see flooding od redirected packets.

rgrish gravatar imagergrish ( 2019-12-12 07:39:22 +0000 )edit

"parsing and printing them out."
Printing them is ASCII throttles the output with the overhead required to process each packet.
Have you looked at the binary capture in Wireshark? Is that working properly?

Chuckc gravatar imageChuckc ( 2019-12-12 13:04:18 +0000 )edit

Yes, binary capture of WS in the localhost works fine. And redirection is intended just to capture the packets for longer duration of time. The local machine has space limitation and is risky for me to capture as it causes unknow issues and even reset of the server. I would appreciate if you can suggest alternatives. I even looked for text2pcap as with the mentioned one liner I am able to get the capture but only in text format which is not a readable format for wireshark to understand.

rgrish gravatar imagergrish ( 2019-12-12 13:19:14 +0000 )edit

Is the binary file being created on the remote host (the large dump.pcap file) readable by Wireshark?
If that is working then a next step would be to refine the capture filter to capture less data.

Chuckc gravatar imageChuckc ( 2019-12-12 13:26:17 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-12-11 22:05:15 +0000

Seen: 680 times

Last updated: Dec 11 '19