Wireshark-readable tcpdump to remote disk
The following line captures all packets on the network interface eth0 with source or destination TARGET_IP. To obtain a format readable by wireshark, tcpdump must be configured to not truncate packets. This is achieved by setting the -s flag to 0 or 65535 (maximum packet length in bytes). The output is piped through ssh to OUTFILE (dump.pcap below) on a remote host.
$ tcpdump -i eth0 -w - -s 0 host TARGET_IP |\
ssh USER@HOST "cat > dump.pcap"
[Ctrl]+[c] to stop the capture.
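As an added example that is not part of the original page: once the capture has landed on the remote host, the snaplen that tcpdump recorded can be read straight out of the 24-byte pcap global header, which is the quickest way to confirm that -s 0 / -s 65535 was in effect before the file goes into Wireshark (a truncated capture still opens, but Wireshark marks each frame with "Packet size limited during capture"). tcpdump writes a snaplen of 262144 for -s 0 and 65535 for -s 65535. The function names are my own and the sample header is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: parse the pcap global header of a
# capture file and report the snaplen it records. Only the 24-byte file header
# is read; no packet data is decoded.

# pcap_snaplen FILE: print the snaplen stored in FILE's pcap global header.
# Returns 1 if FILE does not start with a pcap magic number.
pcap_snaplen() {
    file=$1
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case $magic in
        d4c3b2a1|4d3cb2a1) endian=little ;;   # 0xa1b2c3d4 / 0xa1b23c4d, little-endian writer
        a1b2c3d4|a1b23c4d) endian=big ;;      # the same magics from a big-endian writer
        *) return 1 ;;
    esac
    # The snaplen occupies bytes 16..19, in the writer's byte order.
    set -- $(od -An -tx1 -j16 -N4 "$file")
    [ $# -eq 4 ] || return 1
    if [ "$endian" = little ]; then
        hex="$4$3$2$1"
    else
        hex="$1$2$3$4"
    fi
    printf '%d\n' "0x$hex"
}

# pcap_untruncated FILE: succeed when the snaplen is at least 65535, i.e. the
# capture was written without cutting packets short.
pcap_untruncated() {
    snap=$(pcap_snaplen "$1") || return 1
    [ "$snap" -ge 65535 ]
}

# write_sample_pcap_header FILE: constructed sample for the demonstration, a
# little-endian pcap 2.4 header with snaplen 65535 and link type 1 (Ethernet).
write_sample_pcap_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Demonstration on the constructed sample.
demo=$(mktemp)
write_sample_pcap_header "$demo"
printf 'snaplen: %s\n' "$(pcap_snaplen "$demo")"
rm -f "$demo"
```

Run it against the file on the logging host (`pcap_untruncated dump.pcap && echo full-size`) right after the capture stops; the check reads only the header, so it is cheap even on multi-gigabyte dumps.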
To avoid packet dropping at high traffic volume, it may be reasonable to put the capturing computer into the traffic path as a transparent bridge and to send the capture to a logging host on an independent network, connected to an additional (third) network interface ethZ.
In one go:
#!/bin/sh
# Bridge NIC1 and NIC2 transparently and stream all traffic to/from TARGET_IP
# to the logging host via ssh (which leaves over the third interface, ethZ).
NIC1=ethX
NIC2=ethY
BRIDGE_IP=BRIDGE_IP
MASK=SUBNETMASK
TARGET_IP=TARGET_IP
SSHD=USER@LOGGINGHOST
#iptables-restore < /etc/iptables/bridge.v4
ifdown "$NIC1"
ifdown "$NIC2"
brctl addbr br0
brctl addif br0 "$NIC1"
brctl addif br0 "$NIC2"
ifconfig "$NIC1" 0.0.0.0
ifconfig "$NIC2" 0.0.0.0
ifconfig br0 "$BRIDGE_IP" netmask "$MASK" up
# Capture on one bridge port (both directions pass it); the file name on the
# logging host carries the local start time.
tcpdump -i "$NIC1" -w - -s 65535 host "$TARGET_IP" |\
ssh "$SSHD" "cat > dump_$(date +%H.%M.%S).pcap"
Note: When running this script on a headless/remote machine (e.g. an OpenWRT router), double-check its iptables rules and possible sshd restrictions so that you do not lock yourself out or even brick the box.
Dynamic IP workaround
When running on a NATed computer (e.g. a NAS), this shell script checks an external service for the router's WAN IP at a configurable interval. Whenever it detects a change, an e-mail with the new IP address is sent via msmtp. As long as $APIURL is valid, only the $MAILTO definition needs to be adapted.
#!/bin/sh
# Poll an external service for the WAN IP and mail every change via msmtp.
MAILTO="YOUR_E-MAIL_ADDRESS"
APIURL="http://api.ipify.org/"
INTERVAL="1800"                  # seconds between polls
GETIP="/usr/bin/curl -s $APIURL"
SENDCMD="/usr/bin/msmtp"

# Build the mail (header, blank line, body) and hand it to msmtp.
sendmail_ip() {
    printf 'Subject: Home IP\n\nCurrent IP: %s\n' "$1" | "$SENDCMD" "$MAILTO"
}

IP=$($GETIP)
sendmail_ip "$IP"

while : ; do
    sleep "$INTERVAL"
    IPNEW=$($GETIP)
    # An empty answer means the lookup failed: keep the old IP, try again later.
    if [ -n "$IPNEW" ] && [ "$IPNEW" != "$IP" ] ; then
        IP="$IPNEW"
        sendmail_ip "$IP"
    fi
done
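An added example that is not part of the original script: the lookup above runs over plain HTTP, so whatever the service (or anything between you and it, such as a captive portal) sends back ends up in the mail and in the stored state. Validating the response as a dotted quad before accepting it keeps error pages and junk out of both. The names is_ipv4 and ip_update are chosen here, and the response strings are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: accept only a well-formed IPv4
# address from the WAN IP lookup, and decide whether a change mail is due.

# is_ipv4 STRING: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, stray dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                  # split the original argument on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ip_update OLD NEW: print the address to keep. Succeeds (status 0) only when
# NEW is a valid address different from OLD, i.e. when a notification is due;
# otherwise OLD is kept and the status is 1.
ip_update() {
    if is_ipv4 "$2" && [ "$2" != "$1" ]; then
        printf '%s\n' "$2"
        return 0
    fi
    printf '%s\n' "$1"
    return 1
}

# How the polling loop would use it, with a constructed response in place of
# the curl call (addresses from the documentation range 203.0.113.0/24).
current="203.0.113.10"
response="203.0.113.11"
if new=$(ip_update "$current" "$response"); then
    echo "changed: $current -> $new"
fi
```

In the script above, `IPNEW=$($GETIP)` followed by `if IP=$(ip_update "$IP" "$IPNEW"); then sendmail_ip "$IP"; fi` replaces the bare string comparison.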
And here is a simple msmtp configuration with TLS enabled; be aware that the mail password is stored on the host computer in plaintext. msmtp refuses to read a configuration file that contains a password unless it is accessible only by its owner (mode 0600), and its passwordeval directive can fetch the password from a command instead of keeping it in the file.
### File: ~/.msmtprc or /etc/msmtprc
defaults
auth on
tls on
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account ACCOUNT_1
host SMTP_SERVER
user USER_NAME
password PASSWORD
from FROM_ADDRESS
account default : ACCOUNT_1
Piping dd
Write to several devices at once with dd and tee (the >( ) process substitution requires bash):
$ dd if=INFILE | tee >(dd of=/dev/sdX) | dd of=/dev/sdY
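As an added example (not the page's own commands), the same fan-out in portable sh: tee opens its file arguments itself, so every target except one can simply be handed to tee and no bash process substitution is needed. Because nothing in the pipeline reports whether the bytes actually reached each target, a verification pass afterwards compares the written prefix of every target against the image. Regular files stand in for /dev/sdX here; clone_to_many and verify_clones are names chosen for this example, and the image content is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: fan one image out to several
# targets in a single read pass, then verify each target against the image.

# clone_to_many IMAGE TARGET... : stream IMAGE to every TARGET at once.
clone_to_many() {
    image=$1; shift
    [ $# -ge 1 ] || return 2
    dd if="$image" bs=1M 2>/dev/null | tee "$@" >/dev/null
}

# verify_clones IMAGE TARGET... : compare the first size(IMAGE) bytes of every
# TARGET with IMAGE. A target may be larger than the image (a device usually
# is); only the written prefix is compared. Returns 1 if any target differs.
verify_clones() {
    image=$1; shift
    size=$(wc -c < "$image" | tr -d ' ')
    rc=0
    for target in "$@"; do
        if head -c "$size" "$target" | cmp -s "$image" -; then
            echo "OK   $target"
        else
            echo "FAIL $target" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed data: a small image cloned to two targets.
demo_dir=$(mktemp -d)
i=0
while [ $i -lt 200 ]; do echo "sector $i"; i=$((i + 1)); done > "$demo_dir/image.img"
clone_to_many "$demo_dir/image.img" "$demo_dir/sdX" "$demo_dir/sdY"
verify_clones "$demo_dir/image.img" "$demo_dir/sdX" "$demo_dir/sdY"
rm -rf "$demo_dir"
```

On real devices run `sync` between the two steps so the write has completed before the read-back begins; a FAIL line then points at the one target that needs to be rewritten rather than at the whole batch.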
dd over the network with netcat and bzip2 compression (not encrypted), serverside...
$ nc -l 9000 | bzip2 -d | dd bs=1M of=OUTFILE
...and clientside:
$ dd bs=1M if=INFILE | bzip2 -c | nc SERVER 9000
Writing data to an ssh server, using xz transport compression:
$ dd if=INFILE bs=1M | xz |\
ssh user@host "xz -d | dd of=OUTFILE bs=1M"
Reading data from an ssh server, again with xz transport compression:
$ ssh user@host "dd if=INFILE bs=1M | xz" |\
xz -d | dd of=OUTFILE bs=1M