Wireshark-readable tcpdump to remote disk
This line captures all packets on the network interface eth0 with source or destination TARGET_IP. To obtain a format readable by Wireshark, tcpdump must be configured to not truncate packets. This is achieved by setting the -s flag to 65535 (maximum packet length in bytes). The output is piped through ssh and written to OUTFILE on a remote host.
$ tcpdump -i eth0 -w - -s 0 host TARGET_IP |\
    ssh USER@HOST "cat > dump.pcap"
(-s 0 selects the maximum snapshot length; -s 65535 is the explicit form used in the script below.)
Ctrl+C to stop the capture.
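To check that a dump transferred this way really is a complete, Wireshark-readable pcap (valid magic, the intended snaplen in the global header, no records cut short by a too-small -s value or a broken transfer), here is an added Python example that is not part of this page; the pcap data it parses is constructed inline rather than taken from a real capture.

```python
import struct

# pcap magic as read little-endian: value -> (struct byte-order prefix, timestamp unit)
MAGICS = {0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),
          0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns")}


def inspect_pcap(data):
    """Parse a pcap image: detect byte order, read the recorded snaplen and
    count records whose captured length is shorter than the packet on the wire."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    end, ts_unit = MAGICS[magic]
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    off, packets, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            raise ValueError("corrupt or cut-off record at offset %d" % off)
        packets += 1
        if incl_len < orig_len:  # caplen < len: tcpdump ran with too small a -s
            truncated += 1
        off += 16 + incl_len
    return {"byte_order": "little" if end == "<" else "big", "ts_unit": ts_unit,
            "snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated, "trailing_bytes": len(data) - off}


def make_pcap(snaplen, records, end="<"):
    """Constructed sample data, not a real capture: a global header plus records
    given as (captured_len, original_len) with zero-filled payload."""
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for incl, orig in records:
        out += struct.pack(end + "IIII", 0, 0, incl, orig) + b"\x00" * incl
    return out


if __name__ == "__main__":
    # a capture taken with -s 65535: nothing is cut short
    print(inspect_pcap(make_pcap(65535, [(60, 60), (1514, 1514)])))
    # a capture taken with -s 96: the full-size frame is truncated
    print(inspect_pcap(make_pcap(96, [(96, 1514), (60, 60)], end=">")))
```

On a real file, pass `open("dump.pcap", "rb").read()` to inspect_pcap; a non-zero truncated count or trailing_bytes means the capture or the transfer needs to be repeated.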
To avoid dropped packets at high traffic volume, it may be reasonable to place the capturing computer into the IP stream as a transparent bridge and to use a logging host on an independent network, connected to an additional (third) network interface.
In one go:
#!/bin/sh
# Fill in the interfaces and addresses for your setup before running.
NIC1=ethX                  # first bridge port
NIC2=ethY                  # second bridge port
BRIDGE_IP=BRIDGE_IP        # management address of the bridge itself
MASK=SUBNETMASK
TARGET_IP=TARGET_IP        # host whose traffic is captured
SSHD=USER@LOGGINGHOST      # logging host, reached over the third interface
#iptables-restore < /etc/iptables/bridge.v4
# take both ports down and join them into a transparent bridge
ifdown "$NIC1"
ifdown "$NIC2"
brctl addbr br0
brctl addif br0 "$NIC1"
brctl addif br0 "$NIC2"
ifconfig "$NIC1" 0.0.0.0
ifconfig "$NIC2" 0.0.0.0
ifconfig br0 "$BRIDGE_IP" netmask "$MASK" up
# capture untruncated (-s 65535) and stream the pcap to the logging host
tcpdump -i "$NIC1" -w - -s 65535 host "$TARGET_IP" |\
    ssh "$SSHD" "cat > dump_`date +%H.%M.%S`.pcap"
Note: When running this script on a headless/remote machine (e.g. an OpenWRT router), double check its iptables rules and possible sshd restrictions so you do not lock yourself out or even brick the box.