
Redirection not working with tcpdump

asked Dec 11 '19


Hi Team,

I am trying to redirect the tcpdump capture on an interface to a remote server using an ssh pipe as below -

tcpdump -i any ! host 172.xx.xx.116 -s 0 | ssh samadmin@172.31.30.196 "cat > dump.pcap"

I do not have any issue with the redirection, but when I open the file on a Windows PC I see the format is not understood by Wireshark.

As I know Wireshark expects a binary file, but I am saving it as a text file, so I am not sure if I need some converter to work this out. Due to limited space in our hardware units we often need to redirect the tcpdump capture. Also I am not sure if with WinSCP the file gets corrupted.

Please help me here.

Thanks Rish


1 Answer


answered Dec 11 '19


updated Dec 11 '19

From the tcpdump man page:

       -w file
              Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.  Stan-
              dard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so  a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received.   Use  the  -U
              flag  to  cause  packets  to  be written as soon as they are re-
              ceived.

Try:

tcpdump -i any ! host 172.xx.xx.116 -s 0 -w - | ssh samadmin@172.31.30.196 'cat>dump.pcap'


(assuming the xx.xx are replaced to complete the IP address)


Comments

Thanks for the reply. I have tried this option, but I am not sure why, within seconds, the redirected output is nearing 1 GB in size:

-rw-rw---- 1 samadmin sam 686M Dec 12 06:42 dump.pcap

rgrish ( Dec 12 '19 )

Also to mention is that when I am not using the -w option in the above ssh pipe I do not see flooding of redirected packets.

rgrish ( Dec 12 '19 )

"parsing and printing them out."
Printing them as ASCII throttles the output with the overhead required to process each packet.
Have you looked at the binary capture in Wireshark? Is that working properly?

Chuckc ( Dec 12 '19 )

Yes, binary capture with Wireshark on the localhost works fine. And the redirection is intended just to capture the packets for a longer duration of time. The local machine has a space limitation and it is risky for me to capture there, as it causes unknown issues and even a reset of the server. I would appreciate it if you can suggest alternatives. I even looked at text2pcap, as with the mentioned one-liner I am able to get the capture, but only in text format, which is not a readable format for Wireshark to understand.

rgrish ( Dec 12 '19 )

Is the binary file being created on the remote host (the large dump.pcap file) readable by Wireshark?
If that is working then a next step would be to refine the capture filter to capture less data.

Chuckc ( Dec 12 '19 )
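As an added example, not part of the thread above: a small POSIX shell check that reads the magic number of the file that landed on the remote host, so you can tell whether dump.pcap is a real pcap/pcapng (written with -w, which Wireshark opens) or tcpdump's text decode (which Wireshark cannot open, and which text2pcap does not accept either, since it expects hex dumps). The file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: classify a capture file by its first four bytes.
# Returns one of: pcap, pcap-nsec, pcapng, text-or-unknown
pcap_kind() {
    # first 4 bytes as lowercase hex, e.g. "d4c3b2a1"
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;       # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap-nsec ;;  # classic pcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;     # pcapng section header block
        *)                 echo text-or-unknown ;;  # e.g. "06:42:01.123 IP a > b"
    esac
}

# Exit 0 only if the file is something Wireshark will open as a capture.
capture_is_binary() {
    case "$(pcap_kind "$1")" in
        pcap|pcap-nsec|pcapng) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the remote host after the ssh pipe finishes (dump.pcap is the
# name used in the thread):
#   capture_is_binary dump.pcap && echo "binary capture, copy it with WinSCP"
```

When capturing on the `any` interface while streaming over ssh, the capture filter should also exclude the ssh session itself (for example `and not (host 172.31.30.196 and port 22)`), otherwise every packet sent to the remote host is captured and sent again, which inflates the file within seconds as seen in the comments.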


Stats

Asked: Dec 11 '19

Seen: 695 times

Last updated: Dec 11 '19