Redirection not working with tcpdump

Hi Team,

I am trying to redirect the tcpdump capture on an interface to a remote server using an ssh pipe as below:

tcpdump -i any ! host 172.xx.xx.116 -s 0 | ssh [email protected] "cat > dump.pcap"

I do not have any issue with the redirection, but when I open the file on a Windows PC I see that the format is not understood by Wireshark.

As far as I know, Wireshark expects a binary file, but I am saving it as a text file, so I am not sure whether I need some converter to make this work. Due to limited space on our hardware units we often need to redirect the tcpdump capture. Also, I am not sure whether the file gets corrupted with WinSCP.

Please help me here.

Thanks Rish

rgrish, asked 2019-12-11 22:05:15 +0000

1 Answer

From the tcpdump man page:

       -w file
              Write the raw packets to file rather than parsing and printing
              them out. They can later be printed with the -r option.
              Standard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received. Use the -U
              flag to cause packets to be written as soon as they are
              received.

Try:

tcpdump -i any ! host 172.xx.xx.116 -s 0 -w - | ssh [email protected] 'cat>dump.pcap'


(assuming the xx.xx are replaced to complete the IP address)

Chuckc, answered 2019-12-11 22:30:29 +0000, updated 2019-12-11 22:32:23 +0000

Comments

Thanks for the reply. I have tried this option, but I am not sure why, within seconds, the redirected output is nearing 1 GB in size:

-rw-rw---- 1 samadmin sam 686M Dec 12 06:42 dump.pcap

rgrish (2019-12-12 05:48:23 +0000)

Also worth mentioning: when I am not using the -w option in the above ssh pipe, I do not see the flood of redirected packets.

rgrish (2019-12-12 07:39:22 +0000)

"parsing and printing them out."
Printing them as ASCII throttles the output with the overhead required to process each packet.
Have you looked at the binary capture in Wireshark? Is that working properly?

Chuckc (2019-12-12 13:04:18 +0000)

Yes, binary capture with Wireshark on the localhost works fine. The redirection is intended just to capture the packets for a longer duration of time. The local machine has a space limitation, and it is risky for me to capture there, as it causes unknown issues and even resets of the server. I would appreciate it if you could suggest alternatives. I even looked at text2pcap, as with the mentioned one-liner I am able to get the capture, but only in text format, which is not a format Wireshark can read.

rgrish (2019-12-12 13:19:14 +0000)

Is the binary file being created on the remote host (the large dump.pcap file) readable by Wireshark?
If that is working, then the next step would be to refine the capture filter so that it captures less data.

Chuckc (2019-12-12 13:26:17 +0000)
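An added example, not part of the question or the answer above: a small POSIX shell script that wraps the pipeline the answer recommends (tcpdump -U -w - piped into ssh) and adds the check a practitioner wants before copying a large file around, namely reading the first four bytes of the remote file to tell a real pcap/pcapng from the ASCII text that tcpdump prints without -w. The interface, user@host, remote path and capture filter in the capture helper are placeholders; the sample files written by make_samples are constructed for the demonstration and are not real captures.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers:
#   capture_to_remote  stream a binary pcap from tcpdump to a remote host over ssh
#   pcap_kind          classify a file by its magic number (pcap, pcapng, or text)
# Everything below the helpers builds constructed sample files and runs pcap_kind on them.

# Usage: capture_to_remote IFACE USER@HOST REMOTE_FILE [capture filter ...]
# Example (placeholders, not a real host):
#   capture_to_remote any user@remote.example dump.pcap '!' host 172.16.0.116
capture_to_remote() {
    iface=$1; dest=$2; remote_file=$3; shift 3
    # -s 0 keeps whole packets, -U flushes each packet as it is captured,
    # -w - writes raw pcap bytes to stdout instead of printing ASCII.
    # Anything left in "$@" is passed to tcpdump as the capture filter.
    tcpdump -i "$iface" -s 0 -U -w - "$@" | ssh "$dest" "cat > '$remote_file'"
}

# Print the format of FILE based on its first four bytes:
#   pcap     classic pcap, either byte order, micro- or nanosecond timestamps
#   pcapng   pcapng section header block type (byte-order independent)
#   text-or-unknown  anything else, e.g. tcpdump's ASCII output saved to a file
pcap_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo text-or-unknown ;;
    esac
}

# Constructed samples (not real captures) written into directory $1:
#   binary.pcap    a complete 24-byte little-endian pcap global header
#                  (magic, version 2.4, zone 0, sigfigs 0, snaplen 262144, linktype 1 = Ethernet)
#   binary.pcapng  the four-byte pcapng section header block type
#   text.txt       one line shaped like tcpdump's ASCII output
make_samples() {
    dir=$1
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' \
        > "$dir/binary.pcap"
    printf '\012\015\015\012' > "$dir/binary.pcapng"
    printf '06:42:01.123456 IP 10.0.0.1.22 > 10.0.0.2.5555: Flags [P.], length 52\n' \
        > "$dir/text.txt"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
for f in binary.pcap binary.pcapng text.txt; do
    echo "$f: $(pcap_kind "$sample_dir/$f")"
done
rm -rf "$sample_dir"
```

On the remote side, running pcap_kind against the file that cat wrote tells you immediately whether Wireshark will open it: the command from the question (no -w) produces text-or-unknown, the command from the answer (-w -) produces pcap. The capture helper needs tcpdump privileges and an ssh login and is not exercised by the sample run at the bottom.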
