tcpdump capture gets flooded when trying to redirect the output to a remote host
Hi Team,
I am trying to redirect and collect a tcpdump capture to a remote server, but I am facing an issue with packet oversizing. The capture gets flooded within seconds and creates big files of ~500-600 MB. I am using an SSH pipe for redirection:
tcpdump -lnni eth1 -XX -w - | ssh <hostname>@<hostip> "cat >> dump.pcap"
Any idea why this is happening and how to correct it?
If I dump the binary output to the local machine then there is no flooding and it works well.
Can you filter out the ssh traffic between the capture host and the remote host?
Chuck, the packets are basically encapsulated and most of them are UDP (~67%). SSH packets are over TCP and comprise ACK sequences. So even if I filter out SSH, which obviously looks unwanted, it is still a huge chunk. One example below of an SSH packet which can be avoided from capture.
But the UDP packets, which are 67% of the packet capture, can't be filtered out.
Have you tried disabling promiscuous mode for tcpdump?
Do you need any of the ESP traffic? Exclude it by adding "! esp" or "not esp" to your capture filter.
Chuck, I need those ESP packets. I have not tried the -p option, which I guess is for avoiding promiscuous mode. tcpdump uses promiscuous mode by default.
Hi Chuck, with promiscuous mode I see there is little advantage, but the flooding is still not stopped. I am not sure why this oversizing issue happens only when I use raw (binary) mode, i.e. the -w option. Without this the capture is OK and does not have any issue, but it gets saved in a text file which is not of use.
Can you post a small portion of an ASCII and of a binary capture on a file sharing site?
Hi Chuck,
Can you let me know which one you mean by file sharing site?
I have those pcaps ready for your perusal.
KR
Your choice of site to upload to.
https://ask.wireshark.org/question/13...
"This isn't generally supported. Instead, upload the capture to a public file share, e.g. Google Drive, DropBox etc. and post a link back here."
Here you go-
https://drive.google.com/drive/folder...
Let me know if you are able to access it. bin.pcap is the binary version, which works, and txt.pcap is the text version, which is not readable by WS.
Are the captures both done on the same device?
Yes, it is on the same device.
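Added example, not code from the thread: a small Python checker for the two things discussed above, whether a file is a real pcap at all (the txt.pcap versus bin.pcap distinction) and how much of a capture's byte volume is ESP, UDP, or the capture host's own SSH export stream to the collector, which Chuck suggested filtering out. The collector address 10.0.0.9, the other addresses, the frames and the byte counts are all constructed for the demo.

```python
import struct
from collections import Counter
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}  # LE/BE usec, LE/BE nsec
def is_binary_pcap(data: bytes) -> bool:  # True only if a pcap global header is present
    return len(data) >= 24 and struct.unpack("<I", data[:4])[0] in PCAP_MAGICS
def iter_frames(data: bytes):
    # yield each captured frame; a text dump has no header, so it yields nothing
    if not is_binary_pcap(data):
        return
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def classify(frame: bytes, collector_ip: str) -> str:
    # label an Ethernet II + IPv4 frame: esp, udp, ssh-export, tcp or other
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "other"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    if proto in (50, 17):
        return {50: "esp", 17: "udp"}[proto]
    if proto == 6 and len(frame) >= 18 + ihl:
        ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        # TCP/22 to or from the collector is the capture's own export stream
        return "ssh-export" if collector_ip in (src, dst) and 22 in ports else "tcp"
    return "other"
def byte_share(data: bytes, collector_ip: str) -> dict:
    # fraction of captured bytes per class, rounded to two decimals
    sizes = Counter()
    for f in iter_frames(data):
        sizes[classify(f, collector_ip)] += len(f)
    total = sum(sizes.values()) or 1
    return {k: round(v / total, 2) for k, v in sizes.items()}
def make_frame(proto: int, src: str, dst: str, ports=(0, 0), payload=0) -> bytes:
    # constructed Ethernet II + IPv4 frame carrying just the fields classify() reads
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = b"\x45" + b"\x00" * 8 + bytes([proto]) + b"\x00\x00" + ip4(src) + ip4(dst)
    return b"\xff" * 12 + b"\x08\x00" + ip + struct.pack("!HH", *ports) + b"\x00" * payload
def make_pcap(frames) -> bytes:
    # constructed little-endian pcap (microsecond stamps, LINKTYPE_ETHERNET = 1)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def demo() -> dict:
    # constructed sample: ESP and UDP traffic plus the SSH export stream to 10.0.0.9
    frames = [make_frame(50, "10.1.1.1", "10.1.1.2", payload=600)] * 2
    frames += [make_frame(17, "10.1.1.1", "10.1.1.2", (5000, 5001), 400)] * 3
    frames += [make_frame(6, "10.1.1.1", "10.0.0.9", (40000, 22), 1400)]
    return byte_share(make_pcap(frames), "10.0.0.9")
```

Run byte_share() over a real capture with the collector's address to see how much of the file is the export stream itself; a file that is_binary_pcap() rejects is a text dump and will not open in Wireshark.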