LOCAL pcap RECORDING with TCPDUMP
When troubleshooting with tcpdump it is often best to capture the full output to a file first and analyze it afterwards, instead of realizing later that you missed some of the traffic:
-step1-
RECORD:
tcpdump -i eth1 -w filetosave.pcap -s 1522 <capture filter>
NOTE: -s 1522 keeps up to 1522 bytes of each packet, which is a full-size Ethernet frame including a VLAN tag; longer packets (e.g. jumbo frames) are truncated in the capture file.
OR TO RECORD EVERYTHING:
tcpdump -i eth1 -w filetosave.pcap
NOTE: tcpdump versions before 4.0 defaulted to a snaplen of only 68 bytes, so on those add -s 0 to capture whole packets.
NOTE: Stop capture with CONTROL-C
-step2-
ANALYZE (-X dumps each packet in hex and ASCII, -nn turns off host and port name resolution):
tcpdump -r filetosave.pcap -Xnn > file1
vi file1
Also, now that we have a full capture, we can open it in Wireshark.
-full-on example-
Example:
tcpdump -i eth1 -w capture1111and2222.pcap -s 1522 ip host 2.2.2.2 or ip host 1.1.1.1
Then Read:
tcpdump -r capture1111and2222.pcap -Xnn > file
SAVING tcpdump REMOTELY
Capturing
Capturing from the local machine to an ssh server, www.remotehost.com, that listens for ssh on port 50005 instead of 22.
Not compressed:
tcpdump -i eth1 -w - | ssh -C -c arcfour,blowfish-cbc -p 50005 www.remotehost.com "cat - > /tmp/remotecapture.pcap"
tcpdump -i eth1 -w - | ssh -p 50005 www.remotehost.com "cat - > /tmp/remotecapture.pcap"
NOTE: Stop capture with CONTROL-C
NOTE: -c arcfour,blowfish-cbc lists fast ciphers in order of preference (ssh uses the first one both sides support), and -C compresses the ssh traffic on the line. Both of those ciphers are legacy and were removed from OpenSSH in version 7.6, so on a current system drop -c or name a modern cipher such as aes128-gcm@openssh.com.
To GZIP the pcap (might be a good idea):
tcpdump -i eth1 -w - | ssh -C -c arcfour,blowfish-cbc -p 50005 www.remotehost.com "cat - | gzip > /tmp/remotecapture.pcap.gz"
tcpdump -i eth1 -w - | ssh -p 50005 www.remotehost.com "cat - | gzip > /tmp/remotecapture.pcap.gz"
NOTE: Stop capture with CONTROL-C
NOTE: -c and -C work as described in the note above.
OPENING THE FILES:
When opening the files you might need to strip a stray line at the very top of the file (it is not part of the pcap data), either with Notepad++ or on Linux with the following method:
For the non-compressed file:
Remove the first line (write the result to a new file: redirecting the output back onto the input file truncates it before it is read, and head -n -1 would drop the last line rather than the first):
tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap
For the gzipped file:
First unzip it (gzip -d uncompresses the file, saves the result next to it under the same name without the .gz suffix, and removes the compressed file, leaving only the uncompressed one):
gzip -d /tmp/remotecapture.pcap.gz
Remove the first line (again writing to a new file):
tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap
Capturing and preparing the saved file (by removing the top line):
I would rather do these steps manually, but here they are combined...
tcpdump -i eth1 -w - | ssh -C -c arcfour,blowfish-cbc -p 50005 www.remotehost.com "cat - > /tmp/remotecapture.raw && tail -n +2 /tmp/remotecapture.raw | gzip > /tmp/remotecapture.pcap.gz"
tcpdump -i eth1 -w - | ssh -p 50005 www.remotehost.com "cat - > /tmp/remotecapture.raw && tail -n +2 /tmp/remotecapture.raw > /tmp/remotecapture.pcap"
NOTE: -c and -C work as described in the note above.
Note that for the compressed version it would not make sense to strip the line after compressing on the command line, because you would have to uncompress the file, remove the top line, and then compress it all back up again (redundant): remove the top line before the file is compressed, and in any case remember that it has to be gone before the capture is usable.
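An added example (not part of these notes) that ties together step 2 and the "opening the files" section: a small Python script that finds the pcap magic number, strips whatever stray bytes precede it, and then walks the packet records to report how many packets were cut short by the -s snaplen. Working from the magic number rather than from newlines means it does not matter what the stray top line contains. The sample data, including the stray "banner" line and the 1522-byte snaplen, is constructed inline; the file paths in the __main__ block are placeholders, and only the classic pcap format (not pcapng) is handled.

```python
"""Repair a pcap that has a stray line before its header and check for snaplen truncation.

Added example, not part of the original notes. Classic pcap format only
(magic 0xa1b2c3d4 / 0xa1b23c4d, either byte order); pcapng is not handled.
"""
import struct
import sys

# Magic number as it appears on disk -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, caplen (bytes saved), origlen (bytes on the wire)


def find_pcap_start(data):
    """Offset of the earliest pcap magic number in data, or -1 if there is none."""
    found = [o for o in (data.find(m) for m in PCAP_MAGICS) if o != -1]
    return min(found) if found else -1


def strip_leading_junk(data):
    """Drop everything before the global header (the stray 'top line').

    Returns (clean_bytes, bytes_removed).
    """
    off = find_pcap_start(data)
    if off < 0:
        raise ValueError("no pcap magic number found; not a classic pcap file")
    return data[off:], off


def summarize_pcap(data):
    """Parse the global header and packet records of a clean pcap.

    Returns snaplen, link type, packet count, the number of packets whose
    captured length is shorter than their on-wire length (truncated by -s),
    and any trailing bytes of an incomplete final record (normal when the
    capture was stopped with Ctrl-C in the middle of a packet).
    """
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("data does not start with a pcap magic number")
    _magic, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    pos = GLOBAL_HDR
    packets = truncated = 0
    while pos + RECORD_HDR <= len(data):
        _sec, _frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[pos:pos + RECORD_HDR])
        if pos + RECORD_HDR + caplen > len(data):
            break  # incomplete final record; leave pos at its start
        pos += RECORD_HDR + caplen
        packets += 1
        if caplen < origlen:
            truncated += 1
    return {
        "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
        "packets": packets, "truncated": truncated,
        "trailing_bytes": len(data) - pos,
    }


def build_sample_pcap(junk=b"stray banner line\n"):
    """Constructed sample: junk line, then a snaplen-1522 Ethernet pcap with two packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1522, 1)
    pkt1 = bytes(60)                       # fully captured (caplen == origlen)
    rec1 = struct.pack("<IIII", 1700000000, 0, len(pkt1), len(pkt1)) + pkt1
    pkt2 = bytes(1522)                     # 1600 bytes on the wire, cut to 1522
    rec2 = struct.pack("<IIII", 1700000001, 500, len(pkt2), 1600) + pkt2
    return junk + hdr + rec1 + rec2


def repair_file(src, dst):
    """Strip leading junk from src, write the clean pcap to dst, return its summary."""
    with open(src, "rb") as f:
        clean, removed = strip_leading_junk(f.read())
    with open(dst, "wb") as f:
        f.write(clean)
    info = summarize_pcap(clean)
    info["bytes_removed"] = removed
    return info


if __name__ == "__main__":
    # Placeholder usage: python repair.py /tmp/remotecapture.pcap /tmp/remotecapture.fixed.pcap
    if len(sys.argv) == 3:
        print(repair_file(sys.argv[1], sys.argv[2]))
    else:
        clean, removed = strip_leading_junk(build_sample_pcap())
        print("removed", removed, "bytes;", summarize_pcap(clean))
```

A non-zero "truncated" count means the -s value was too small for some of the traffic and the payload bytes beyond the snaplen are simply not in the file; a non-zero "trailing_bytes" count is the partial last record left behind by Ctrl-C and is harmless (tcpdump -r and Wireshark stop at it).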