LINUX - Tcpdump - trick - record to pcap and read later - also record pcap to a remote server

LOCAL pcap RECORDING with TCPDUMP

When troubleshooting with tcpdump it is usually best to capture the full output to a file and analyze it afterwards, instead of later realizing that you might have missed some input:

-step1-

RECORD:
tcpdump -i eth1 -w filetosave.pcap -s 1522 <filter expression>

OR TO RECORD EVERYTHING:
tcpdump -i eth1 -w filetosave.pcap

NOTE: Stop capture with CONTROL-C

-step2-

ANALYZE:
tcpdump -r filetosave.pcap -Xnn > file1

vi file1

Now that we have a full capture on disk we can also read it with Wireshark.

--full example--
tcpdump -i eth1 -w capture1111and2222.pcap -s 1522 ip host 2.2.2.2 or ip host 1.1.1.1

 

Then Read:

tcpdump -r capture1111and2222.pcap -Xnn > file




SAVING tcpdump REMOTELY


Capturing


Capturing from the local machine to an ssh server www.remotehost.com that listens for ssh on port 50005 instead of 22


Not compressed:

tcpdump -i eth1 -w -  |  ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - > /tmp/remotecapture.pcap"

tcpdump -i eth1 -w -  |  ssh www.remotehost.com -p 50005 "cat - > /tmp/remotecapture.pcap"


NOTE: Stop capture with CONTROL-C

NOTE: -c arcfour,blowfish-cbc selects the fastest ciphers with -c, and -C compresses the ssh traffic on the line. Both of those ciphers have been removed from the defaults of current OpenSSH releases; check what your client and server offer with "ssh -Q cipher" and drop the -c option if the connection is refused.



To GZIP the pcap (might be a good idea):

tcpdump -i eth1 -w -  |  ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz"

tcpdump -i eth1 -w -  |  ssh www.remotehost.com -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz"


NOTE: Stop capture with CONTROL-C

NOTE: -c arcfour,blowfish-cbc selects the fastest ciphers with -c, and -C compresses the ssh traffic on the line



OPENING THE FILES:


When opening the files you might need to strip the very top line, either with Notepad++ (it is a spurious header line) or on Linux using the following method:


For a non-compressed file

Remove first line:

tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.pcap.tmp && mv /tmp/remotecapture.pcap.tmp /tmp/remotecapture.pcap


For a GZIPPED file:

1st gunzip it (note: gzip -d uncompresses in place, saving the result under the same name without the .gz suffix in the same directory, and then removes the compressed file, leaving only the uncompressed one):

gzip -d remotecapture.pcap.gz

Remove first line:

tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.pcap.tmp && mv /tmp/remotecapture.pcap.tmp /tmp/remotecapture.pcap


Capturing and preparing the saved file (by removing the top line):
 I would rather do these steps manually but here they are combined...
tcpdump -i eth1 -w -  |  ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz && gzip -d /tmp/remotecapture.pcap.gz && tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.pcap.tmp && mv /tmp/remotecapture.pcap.tmp /tmp/remotecapture.pcap"

tcpdump -i eth1 -w -  |  ssh www.remotehost.com -p 50005 "cat - > /tmp/remotecapture.pcap && tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.pcap.tmp && mv /tmp/remotecapture.pcap.tmp /tmp/remotecapture.pcap"


NOTE: -c arcfour,blowfish-cbc selects the fastest ciphers with -c, and -C compresses the ssh traffic on the line


Note: for the compressed version it would not make sense to do this on the command line, because you would have to uncompress the file after the gzip command, remove the top line, and then compress it all back up again - REDUNDANT - just remember you need to remove the top line with "tail -n +2", writing to a temp file and renaming it afterwards (redirecting the output straight back onto the same file truncates it before it is read, and "head -n -1" would drop the last line rather than the first).
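The following is an added helper script, not part of the original notes, that covers both the "OPENING THE FILES" steps and the combined capture-and-strip pipelines above. Before stripping anything it checks whether the saved file already starts with a pcap or pcapng magic number (a valid capture with a line removed is corrupt), and it only removes the leading text line when the magic is not at offset 0, writing through a temp file so the original is never truncated. The sample files and the "tcpdump: listening on eth1" junk line are constructed for the demo; neither tcpdump nor ssh is needed to run it.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a saved capture before
# stripping anything, then strip a leading text line safely if one is present.

# Print the first four bytes of a file as lowercase hex, e.g. "d4c3b2a1".
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 when the file begins with a known capture magic number:
#   d4c3b2a1 / a1b2c3d4 : classic pcap (little / big endian)
#   4d3cb2a1 / a1b23c4d : pcap with nanosecond timestamps
#   0a0d0d0a             : pcapng section header block
pcap_magic_ok() {
    case "$(magic_hex "$1")" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop the first line of the file, but only when the magic is NOT already at
# offset 0. Writing through a temp file and renaming avoids redirecting a
# command back onto its own input, which would truncate the file first.
# Returns 0 when the file looks like a capture afterwards.
strip_header_line() {
    f=$1
    if pcap_magic_ok "$f"; then
        return 0            # already a valid capture: leave it alone
    fi
    tmp="$f.tmp.$$"
    tail -n +2 "$f" > "$tmp" && mv "$tmp" "$f" || return 1
    pcap_magic_ok "$f"
}

# Constructed sample: a minimal classic pcap global header (little endian,
# version 2.4, snaplen 1522, link type 1 = Ethernet), 24 bytes, no packets.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\362\005\000\000\001\000\000\000' > "$1"
}

# Constructed sample: the same header with a stray text line in front, which
# is the situation the notes describe.
make_sample_pcap_with_junk() {
    printf 'tcpdump: listening on eth1\n' > "$1"
    make_sample_pcap "$1.body" && cat "$1.body" >> "$1" && rm -f "$1.body"
}

# Usage on a real transfer:  strip_header_line /tmp/remotecapture.pcap
```

On a real file, run strip_header_line once after the transfer (and after gzip -d for the compressed variant); a capture that already opens in Wireshark is left untouched.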