tcpdump capture gets flooded when trying to redirect the output to remote host

asked 2019-12-12 15:52:46 +0000

rgrish

Hi Team,

I am trying to redirect and collect a tcpdump capture to a remote server, but I am facing an issue with packet oversizing. The capture gets flooded within seconds and creates big files (~500-600 MB). I am using an SSH pipe for redirection:

tcpdump -lnni eth1 -XX -w - | ssh <hostname>@<hostip> "cat >> dump.pcap"

Any idea why this is happening and how to correct it?

If I dump the binary output to the local machine, there is no flooding and it works well.


Comments

Can you filter out the ssh traffic between the capture host and the remote host?

Chuckc ( 2019-12-12 15:58:40 +0000 )

Chuck, the packets are basically encapsulated and most of them are UDP (~67%). SSH packets are over TCP and comprise ACK sequences. So even if I filter out SSH, which obviously looks unwanted, it is still a huge chunk. One example below of an SSH packet which can be avoided in the capture.

6930    2019-12-12 20:24:53.481277  172.20.101.5    10.237.0.54 TCP ssh > 10789 [ACK] Seq=465 Ack=600113 Win=6147 Len=0[Packet size limited during capture]

But the UDP packets, which are 67% of the packet capture, can't be filtered out.

6943    2019-12-12 20:24:53.482458  172.20.110.11   192.168.50.4    ESP ESP (SPI=0x00054fe3)
rgrish ( 2019-12-12 16:30:17 +0000 )

Have you tried disabling promiscuous mode for tcpdump?
Do you need any of the ESP traffic? Exclude it by adding "! esp" or "not esp" to your capture filter.

Chuckc ( 2019-12-12 16:40:59 +0000 )

Chuck, I need those ESP packets. I have not tried the -p option, which I guess is for avoiding promiscuous mode. tcpdump by default uses promiscuous mode.

rgrish ( 2019-12-13 00:53:35 +0000 )

Hi Chuck, with the promiscuous-mode option I see there is a little advantage, but the flooding has still not stopped. I am not sure why this oversizing issue happens only when I use raw (binary) mode, i.e. the -w option. Without it the capture is OK and does not have any issue, but it gets saved in a text file, which is of no use.

rgrish ( 2019-12-13 09:06:17 +0000 )

Can you post a small portion of an ASCII and of a binary capture on a file sharing site?

Chuckc ( 2019-12-13 12:10:49 +0000 )

Hi Chuck,

Can you let me know what you mean by a file sharing site?

I have those pcaps ready for your perusal.

KR

rgrish ( 2019-12-15 16:40:44 +0000 )

1 Answer


answered 2019-12-12 19:35:07 +0000

Jaap

When you capture on the same interface that your remote capture is sent over, you have to capture-filter your own traffic away. Otherwise your capture will capture you sending to the remote host, which will be sent to your remote host, which will be captured and sent to your remote host, which ...


Comments

But why does this happen with the raw capture only, i.e. when I am using the -w option? Without the -w option the capture is fine, but it is in text format.

rgrish ( 2019-12-13 00:54:48 +0000 )
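The fix Jaap describes, as an added example that is not part of the original thread: a small POSIX shell script that builds a BPF capture filter excluding the SSH session carrying the export, ANDs in the caller's own filter (for example the ESP traffic rgrish needs to keep), and assembles the tcpdump | ssh pipeline. The interface eth1, the remote address 10.237.0.54 from the comments above, the user name "capture", port 22 and the output file dump.pcap are assumed values, not taken from the original command.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Exports a raw pcap stream over ssh WITHOUT capturing the ssh stream itself,
# which is what turns the capture into a feedback loop on a shared interface.
# Assumed values: interface eth1, remote 10.237.0.54, user "capture", port 22.

# build_capture_filter REMOTE_IP [SSH_PORT] [USER_FILTER]
# Prints a capture filter that drops only the ssh session to the export host
# and keeps everything the caller's own filter selects. The exclusion is
# scoped to "host AND tcp port", not "not host", so other traffic to the same
# address (e.g. ESP) is still captured.
build_capture_filter() {
    remote="$1"
    port="${2:-22}"
    user_filter="$3"
    case "$remote" in
        ''|*[!0-9.]*)
            echo "build_capture_filter: remote must be an IPv4 address" >&2
            return 1 ;;
    esac
    exclude="not (host $remote and tcp port $port)"
    if [ -n "$user_filter" ]; then
        printf '%s and (%s)\n' "$exclude" "$user_filter"
    else
        printf '%s\n' "$exclude"
    fi
}

# build_capture_cmd IFACE REMOTE_USER REMOTE_IP OUTFILE [SSH_PORT] [USER_FILTER]
# Prints the full pipeline as one string so it can be inspected before running.
#   -w -   raw pcap to stdout; print-only options such as -XX do not change it
#   -U     packet-buffered output, so each packet is flushed into the pipe
#   -p     no promiscuous mode, only frames addressed to this host
#   -s 0   full packets (explicit, even though modern tcpdump defaults to it)
# The filter is single-quoted so tcpdump receives it as a single argument.
build_capture_cmd() {
    iface="$1"; user="$2"; remote="$3"; outfile="$4"
    port="${5:-22}"; user_filter="$6"
    filter=$(build_capture_filter "$remote" "$port" "$user_filter") || return 1
    printf "tcpdump -p -nn -U -s 0 -i %s -w - '%s' | ssh -p %s %s@%s 'cat >> %s'\n" \
        "$iface" "$filter" "$port" "$user" "$remote" "$outfile"
}

# With --run, build the pipeline for the assumed values (keeping ESP and UDP,
# as in the thread) and execute it; without --run only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    cmd=$(build_capture_cmd eth1 capture 10.237.0.54 dump.pcap 22 "esp or udp") || exit 1
    exec sh -c "$cmd"
fi
```

Running the script with --run starts the capture (root or CAP_NET_RAW is needed for tcpdump); without it you can call build_capture_cmd to print the pipeline and check the filter first. Two points worth noting against the original command: -XX only affects tcpdump's printed decode and has no effect on what -w writes, so it can be dropped, and excluding "host REMOTE and tcp port 22" rather than the whole remote host is what keeps ESP to that address in the capture while still breaking the loop.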
