
I was looking for a command like this, which achieves:

  1. redirect the tcpdump generated pcap file to another server
  2. during the process of 1., using a python script or some tool to analyze each packet.

So from the point of view of the system user, when packets are being captured, s/he could both view the packets like in Wireshark and download a pcap file. Because the analysis procedure could consume quite some system resources, I hope the pcap file could be redirected to another server and the analysis run on that server. Now the problem is that the nc listener quits when tcpdump is killed (I have tried -15), while I hope the listener could keep running, because there may be several servers running tcpdump.

tcpdump -i eth0 port 8801 -w a.pcap | nc 192.168.12.5 9901

Tiina

2 Answers


Set tcpdump to output raw PCAP data to standard out and utilize SSH as your transport mechanism to have that data written to a remote file on the remote analysis host, as a continuous stream.

Example:

tcpdump -i eth0 port 8801 -w - | ssh ${remote_host} "cat >> $(hostname).pcap"

In the above example, I've used $(hostname) to evaluate the hostname of the server (where the tcpdump is being run) to intelligently name the remote file, but of course, adapt this to your needs (maybe include a timestamp in the name, if that's useful).

Alternative example with UNIX timestamp remote file naming:

tcpdump -i eth0 port 8801 -w - | ssh ${remote_host} "cat > $(hostname)_$(date +%s).pcap"
parkamark
  • I have tried this; the `$(hostname).pcap` file could not be opened by Wireshark. The tcpdump manual says the file format depends on the file suffix; maybe it does not understand the `cat >> $(hostname).pcap` well? – Tiina Sep 19 '18 at 02:51

I think you can get the results you want with a separate nc process which listens on the server where tcpdump runs and duplicates it to the remote server.

You can make nc listen and forward with (as an example):

 nc -k -l localhost 9901 | nc 192.168.12.5 9901

then you can connect any tcpdump session you need with

 tcpdump -i eth0 port 8801 -w - | nc localhost 9901

The -k flag "Forces nc to stay listening for another connection after its current connection is completed."

Please keep in mind that if you're using a Debian based distro, there's a known bug:

> The netcat-traditional package on Debian/Ubuntu does not keep listening as it should. In that case use the netcat-openbsd package instead.

Daniele Santi
  • nc listener only accepts one connection? I tried to run another tcpdump on a 2nd server, and it exits with `broken pipe` – Tiina Sep 18 '18 at 10:51
  • @Tiina unfortunately I've missed that point. `nc` accepts only one connection at a time. – Daniele Santi Sep 18 '18 at 11:05
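Both the `cat >> $(hostname).pcap` form in the first answer and the `nc -k -l ... | nc remote` relay in the second glue successive tcpdump runs into one byte stream on the receiving side. Each run begins with its own 24-byte pcap global header, so the remote file ends up with several headers back to back, which is exactly the "could not be opened by Wireshark" symptom reported in the comment on the first answer. The script below is an added example and is not code from either answer or from tcpdump: it walks a pcap file record by record, counts how many captures were concatenated into it, and splits them out into one valid file each. The function names (`pcap_capture_offsets`, `pcap_capture_count`, `pcap_split`) are this example's own, and the sample captures are constructed inline with printf rather than taken from a live interface.

```shell
#!/bin/sh
# Added example (not from the original answers): detect and repair pcap files
# built by appending several "tcpdump -w -" streams into one file.
# Sample data is constructed below; nothing is captured from a real interface.

PCAP_MAGIC=d4c3b2a1   # little-endian pcap magic, as od -tx1 prints it

# Hex dump of $3 bytes at byte offset $2 of file $1, no separators.
hex_at() {
    od -An -v -j "$2" -N "$3" -tx1 "$1" | tr -d ' \n'
}

# Little-endian uint32 at byte offset $2 of file $1; fails on a short read.
le32_at() {
    set -- $(od -An -v -j "$2" -N 4 -tx1 "$1")
    [ $# -eq 4 ] || return 1
    echo $((0x$4$3$2$1))
}

# Print the byte offset of every pcap global header in the file, one per line.
# Packet records are 16 bytes (ts_sec, ts_usec, incl_len, orig_len) followed
# by incl_len bytes of data, so walking them keeps packet payload from being
# mistaken for a header. Exits non-zero if the file does not start with a
# header or a record runs past EOF. Caveat: a record whose ts_sec equals the
# magic value (a date in 2055) would be misread as a new capture.
pcap_capture_offsets() {
    f=$1; size=$(wc -c < "$f" | tr -d ' '); off=0
    [ "$(hex_at "$f" 0 4)" = "$PCAP_MAGIC" ] || return 1
    while [ "$off" -lt "$size" ]; do
        if [ "$(hex_at "$f" "$off" 4)" = "$PCAP_MAGIC" ]; then
            echo "$off"
            off=$((off + 24))
        else
            incl=$(le32_at "$f" $((off + 8))) || return 1
            off=$((off + 16 + incl))
        fi
    done
    [ "$off" -eq "$size" ]   # last record must end exactly at EOF
}

# Number of captures concatenated in the file; 1 means a normal pcap.
pcap_capture_count() {
    pcap_capture_offsets "$1" | wc -l | tr -d ' '
}

# Split file $1 into $2_1.pcap, $2_2.pcap, ... each holding one capture.
# Prints the number of files written.
pcap_split() {
    f=$1; prefix=$2; size=$(wc -c < "$f" | tr -d ' '); n=0; prev=""
    for off in $(pcap_capture_offsets "$f") END; do
        if [ -n "$prev" ]; then
            n=$((n + 1))
            if [ "$off" = END ]; then len=$((size - prev)); else len=$((off - prev)); fi
            dd if="$f" of="${prefix}_$n.pcap" bs=1 skip="$prev" count="$len" 2>/dev/null
        fi
        prev=$off
    done
    echo "$n"
}

# --- constructed sample data (what "tcpdump -w -" emits, minus real packets) --
# Global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535,
# linktype 1 (Ethernet).
sample_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
}
# One record: ts_sec 1, ts_usec 0, incl_len 4, orig_len 4, then 4 data bytes.
sample_record() {
    printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\252\252\252\252'
}
# A capture with $1 records, written to stdout.
sample_capture() {
    sample_header
    i=0; while [ "$i" -lt "$1" ]; do sample_record; i=$((i + 1)); done
}

demo() {
    d=$(mktemp -d)
    # What the analysis host ends up with after two tcpdump runs pass through
    # "cat >>" or the nc relay: two captures in one file.
    sample_capture 2 >> "$d/appended.pcap"
    sample_capture 3 >> "$d/appended.pcap"
    echo "appended.pcap holds $(pcap_capture_count "$d/appended.pcap") captures"
    pcap_split "$d/appended.pcap" "$d/split" >/dev/null
    for f in "$d"/split_*.pcap; do
        echo "$(basename "$f"): $(pcap_capture_count "$f") capture, $(wc -c < "$f" | tr -d ' ') bytes"
    done
    rm -rf "$d"
}
demo
```

The real fix is not to concatenate in the first place: give every run its own file, as the first answer's second form does (`cat > $(hostname)_$(date +%s).pcap`), and add `-U` to tcpdump so each packet is flushed to the pipe immediately and the remote file is readable while the capture is still running. With the nc approach, the same goal is reached by running `nc -l` on the analysis host in a loop that redirects each accepted connection into a fresh file, rather than relaying one `-k` listener into a single outbound stream. If SSH is the transport, use a dedicated key for the capture user and pin its `authorized_keys` entry with `command="..."` so that key can only ever write capture files.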