
tcpdump capture gets flooded when trying to redirect the output to remote host

Hi Team,

I am trying to redirect and collect a tcpdump capture to a remote server, but I am facing an issue with packet oversizing. The capture gets flooded within seconds and creates big files (~500-600 MB). I am using an SSH pipe for redirection:

tcpdump -lnni eth1 -XX -w - | ssh <hostname>@<hostip> "cat >> dump.pcap"

Any idea why this is happening and how to correct it?

If I dump the binary output to the local machine then there is no flooding and it works well.

rgrish
asked 2019-12-12 15:52:46 +0000

Comments

Can you filter out the ssh traffic between the capture host and the remote host?

Chuckc (2019-12-12 15:58:40 +0000)

Chuck, the packets are basically encapsulated and most of them are UDP (~67%). SSH packets are over TCP and comprise ACK sequences. So even if I filter out ssh, which obviously looks unwanted, it is still a huge chunk. One example below of an SSH packet which can be left out of the capture.

6930    2019-12-12 20:24:53.481277  172.20.101.5    10.237.0.54 TCP ssh > 10789 [ACK] Seq=465 Ack=600113 Win=6147 Len=0[Packet size limited during capture]

But the UDP packets, which are 67% of the packet capture, can't be filtered out.

6943    2019-12-12 20:24:53.482458  172.20.110.11   192.168.50.4    ESP ESP (SPI=0x00054fe3)
rgrish (2019-12-12 16:30:17 +0000)

Have you tried disabling promiscuous mode for tcpdump?
Do you need any of the ESP traffic? Exclude it by adding "! esp" or "not esp" to your capture filter.

Chuckc (2019-12-12 16:40:59 +0000)

Chuck, I need those ESP packets. I have not tried the -p option, which I guess is for avoiding promiscuous mode. tcpdump uses promiscuous mode by default.

rgrish (2019-12-13 00:53:35 +0000)

Hi Chuck, with promiscuous mode I see there is a little advantage, but the flooding is still not stopped. I am not sure why this oversizing issue happens only when I use raw (binary) mode, i.e. the -w option. Without it the capture is OK and does not have any issue, but it gets saved in a text file, which is of no use.

rgrish (2019-12-13 09:06:17 +0000)

1 Answer

When you capture on the same interface where your remote capture is sent over, you have to capture filter your own traffic away. Otherwise your capture will capture you sending to the remote host, which will be sent to your remote host, which will be captured and sent to your remote host, which ....

Jaap
answered 2019-12-12 19:35:07 +0000

Comments

But why does this happen with raw capture only, i.e. when I am using the -w option? Without the -w option the capture is fine, but it is in text format.

rgrish (2019-12-13 00:54:48 +0000)
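The feedback loop Jaap describes (capture sees the ssh export, the export grows, the capture sees more) is broken by a capture filter that excludes the ssh session to the collector and nothing else, so the ESP traffic the asker needs stays in the file. The script below is an added example written for this page; it is not code from the thread. The interface name, ssh user, collector address and output file are placeholders. It builds the filter with the page's own pieces (the `not ...` form Chuck mentions, applied to the collector host and ssh port) and prints the corrected pipeline instead of running it, so it can be checked before it is used. `-l` and `-X`/`-XX` only affect tcpdump's text decoding and have no effect on `-w` output, so they are left out; `-p` (no promiscuous mode) is orthogonal to the loop and is not what fixes it.

```shell
#!/bin/sh
# Added example, not from the thread: build a tcpdump pipeline whose capture
# filter drops the ssh session carrying the capture to the collector. All other
# traffic on the interface, including ESP, is still captured. Host, user and
# port values are illustrative placeholders.

# build_filter REMOTE_HOST [SSH_PORT] [EXTRA_EXPR]
# Prints a BPF capture filter that excludes only the ssh stream to REMOTE_HOST.
# An optional EXTRA_EXPR (for example "esp or udp") is AND-ed onto it.
build_filter() {
    remote="$1"
    port="${2:-22}"
    extra="$3"
    filter="not (host $remote and tcp port $port)"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf '%s' "$filter"
}

# build_cmd IFACE SSH_USER REMOTE_HOST REMOTE_FILE [SSH_PORT]
# Prints the corrected pipeline: "-w -" writes binary pcap to stdout, the
# capture filter keeps the capture host's own export out of the capture, and
# the remote side appends the stream to REMOTE_FILE exactly as in the question.
build_cmd() {
    iface="$1"
    user="$2"
    remote="$3"
    outfile="$4"
    port="${5:-22}"
    filter="$(build_filter "$remote" "$port")"
    printf "tcpdump -nni %s -w - '%s' | ssh -p %s %s@%s 'cat >> %s'" \
        "$iface" "$filter" "$port" "$user" "$remote" "$outfile"
}

# When run directly with four or five arguments, print the command so it can
# be reviewed before execution, e.g.:
#   sh capture.sh eth1 collector 10.237.0.54 dump.pcap
if [ "$#" -ge 4 ]; then
    build_cmd "$@"
    printf '\n'
fi
```

A quick sanity check after switching to the filtered command: the pcap on the collector should grow at roughly the rate of the interface's real traffic, not faster than the link itself could carry, and a later decode of the file should show no packets between the capture host and the collector on the ssh port.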