LOCAL pcap RECORDING with TCPDUMP

When troubleshooting with tcpdump it is usually best to capture the full output to a file first and analyze it afterwards, instead of later realizing that you missed some packets:

-step1-

RECORD:
tcpdump -i eth1 -w filetosave.pcap -s 1522 <tcp options>

OR TO RECORD EVERYTHING:
tcpdump -i eth1 -w filetosave.pcap

NOTE: Stop capture with CONTROL-C

-step2-

ANALYZE:
tcpdump -r filetosave.pcap -Xnn > file1

vi file1

Also, now that we have a full capture on disk, we can read it with Wireshark.

FULL EXAMPLE:
tcpdump -i eth1 -w capture1111and2222.pcap -s 1522 ip host 2.2.2.2 or ip host 1.1.1.1

Then Read:
tcpdump -r capture1111and2222.pcap -Xnn > file

SAVING tcpdump REMOTELY

CAPTURING:

Capturing from the local machine to the ssh server www.remotehost.com, which listens for ssh on port 50005 instead of 22.

Not compressed:
tcpdump -i eth1 -w - | ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - > /tmp/remotecapture.pcap"
tcpdump -i eth1 -w - | ssh www.remotehost.com -p 50005 "cat - > /tmp/remotecapture.pcap"

NOTE: Stop capture with CONTROL-C
NOTE: -c arcfour,blowfish-cbc selects the fastest method of encryption for the ssh session, and -C compresses the ssh traffic on the line. Both arcfour and blowfish-cbc were removed from OpenSSH in 7.6, so a current server will reject them; leave -c out (default cipher list) or pick a supported cipher such as -c aes128-gcm@openssh.com.
To GZIP the pcap (might be a good idea):
tcpdump -i eth1 -w - | ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz"
tcpdump -i eth1 -w - | ssh www.remotehost.com -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz"

OPENING THE FILES:

When opening the files you might need to strip the very top line, either with Notepad++ or on Linux with the following method, as that line is a stray header and not capture data:

For the non-compressed file
Remove the first line (write to a new file; redirecting back onto the input file would truncate it before it is read):
tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap

For the GZIPPED file:
First ungzip it (note: gzip -d uncompresses the file and saves the result under the same name without the .gz suffix, in the same directory as the compressed file, and finally removes the compressed file, leaving only the uncompressed one):
gzip -d /tmp/remotecapture.pcap.gz
Remove the first line:
tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap

Capturing and preparing the saved file (by removing the top line):
I would rather do these steps manually, but here they are combined...
tcpdump -i eth1 -w - | ssh www.remotehost.com -c arcfour,blowfish-cbc -C -p 50005 "cat - | gzip > /tmp/remotecapture.pcap.gz && gzip -d /tmp/remotecapture.pcap.gz && tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap"

tcpdump -i eth1 -w - | ssh www.remotehost.com -p 50005 "cat - > /tmp/remotecapture.pcap && tail -n +2 /tmp/remotecapture.pcap > /tmp/remotecapture.fixed.pcap"


Note: for the compressed version it would not make sense to do this on the command line, because you would have to uncompress the file after the gzip step, remove the top line, and then compress it all back up again (REDUNDANT). Just remember that you need to remove the top line with "tail -n +2".
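As an added example (not from the original post), the POSIX shell functions below make the "opening the files" and "capturing and preparing" steps safer: instead of blindly chopping a line, they check whether the saved file already starts with one of the real pcap/pcapng magic numbers, drop the leading banner line only when it does not, and refuse the file if no capture header appears afterwards. They write to a new file with tail -n +2 rather than redirecting onto the input, since head -n -1 drops the last line and "cat f | ... > f" truncates f before it is read. The file names and the 24-byte sample header are constructed for the demo and are not from a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the capture header
# before touching the file; only a leading banner line is ever removed.

# Print the first four bytes of a file as lowercase hex, e.g. "d4c3b2a1".
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the hex magic in $1 is a format tcpdump/wireshark can read.
is_pcap_magic() {
    case "$1" in
        d4c3b2a1|a1b2c3d4) return 0 ;;   # classic pcap, microsecond timestamps (LE / BE)
        4d3cb2a1|a1b23c4d) return 0 ;;   # pcap with nanosecond timestamps (LE / BE)
        0a0d0d0a)          return 0 ;;   # pcapng section header block
        *)                 return 1 ;;
    esac
}

# pcap_fix_header IN OUT
# Copies IN to OUT. A file that already starts with a capture magic is copied
# unchanged; otherwise the first line (the stray ssh banner) is dropped with
# tail -n +2 and the result is kept only if a magic is then at offset 0.
# IN is never written to, so the "cat f | ... > f" truncation cannot happen.
pcap_fix_header() {
    in="$1"; out="$2"
    if is_pcap_magic "$(pcap_magic "$in")"; then
        cp "$in" "$out"
        return 0
    fi
    tail -n +2 "$in" > "$out"
    if is_pcap_magic "$(pcap_magic "$out")"; then
        return 0
    fi
    rm -f "$out"
    echo "$in: no pcap header found after stripping one line; refusing" >&2
    return 1
}

# Constructed sample data (not a real capture) written into directory $1:
#   clean.pcap  - a bare 24-byte little-endian pcap global header
#   banner.pcap - the same header with a one-line banner glued in front
#   bad.pcap    - text with no capture header at all
make_sample() {
    dir="$1"
    printf 'Welcome to www.remotehost.com\n' > "$dir/banner.pcap"
    # magic 0xa1b2c3d4 (LE), version 2.4, thiszone 0, sigfigs 0,
    # snaplen 1522 (0x05f2), linktype 1 (Ethernet)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\362\005\000\000\001\000\000\000' > "$dir/clean.pcap"
    cat "$dir/clean.pcap" >> "$dir/banner.pcap"
    printf 'garbage without any header\n' > "$dir/bad.pcap"
}

# Usage on a real transfer (paths assumed):
#   pcap_fix_header /tmp/remotecapture.pcap /tmp/remotecapture.fixed.pcap
#   tcpdump -r /tmp/remotecapture.fixed.pcap -Xnn | less
```

Run the fixer on the transferred file and then read the fixed copy with tcpdump -r or Wireshark; a non-zero exit means the file did not contain a capture header after one line was removed, so it should be inspected by hand rather than chopped further.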
