Some tech documentation and snippets, finally organized.
Posts tagged as network

Wireshark-readable tcpdump to remote disk

This line captures all packets on the network interface eth0 with source or destination TARGET_IP. To obtain a format readable by Wireshark, tcpdump must be configured not to truncate packets. This is achieved by setting the snapshot length flag -s to 0 or 65535 (the maximum packet length in bytes).

The output is piped through ssh to OUTFILE on a remote host.

$ tcpdump -i eth0 -w - -s 0 host TARGET_IP |\
    ssh USER@HOST "cat > dump.pcap"

[Ctrl]+[c] to stop the capture...
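As an added example, not part of the original post: a Python check for a capture written this way, confirming that the file is a classic pcap (the format tcpdump -w produces) and that no record was cut short by a too-small snapshot length. The sample capture is constructed in-line; note that recent tcpdump writes 262144 into the header for -s 0, so the thing to verify is the per-packet captured length, not the snaplen value itself.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps


def check_pcap(data: bytes) -> dict:
    """Parse a classic pcap image and report snaplen, packet count and how many
    records were cut short (captured length < length on the wire)."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):          # the same magics seen byte-swapped
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or garbage?)")
    # magic, version major/minor, tz offset, sigfigs, snaplen, link type
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    off, packets, truncated = 24, 0, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            raise ValueError(f"record {packets} runs past end of file (capture cut off?)")
        if incl_len < orig_len:                         # snaplen was too small for this packet
            truncated += 1
        packets += 1
        off += 16 + incl_len
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets, "truncated": truncated}


def build_pcap(snaplen: int, frames: list) -> bytes:
    """Constructed sample: write frames the way tcpdump -w would, honouring snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(captured), len(frame)) + captured
    return out


if __name__ == "__main__":
    # constructed input: a minimal 60-byte frame and a full-size 1514-byte Ethernet frame
    frames = [b"\x00" * 60, b"\xff" * 1514]
    for snaplen in (96, 65535):   # 96 mimics an old tcpdump default; -s 0 in recent tcpdump means 262144
        print(snaplen, check_pcap(build_pcap(snaplen, frames)))
```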

To avoid dropping packets at high traffic volume, it may be reasonable to put the capturing computer into the IP stream as a transparent bridge and use a logging host on an independent network, connected to an additional (third) network interface ethZ.

In one go:

#!/bin/sh
# Placeholder values, adapt to the box: NIC1/NIC2 are the two bridge ports,
# SSHD is the logging host reachable via the third interface (ethZ).
NIC1="eth0"
NIC2="eth1"
BRIDGE_IP="192.0.2.10"
MASK="255.255.255.0"
TARGET_IP="TARGET_IP"
SSHD="USER@HOST"

#iptables-restore < /etc/iptables/bridge.v4

ifdown "$NIC1"
ifdown "$NIC2"
brctl addbr br0
brctl addif br0 "$NIC1"
brctl addif br0 "$NIC2"
# bridge ports carry no address of their own but must be up to forward frames
ifconfig "$NIC1" 0.0.0.0 up
ifconfig "$NIC2" 0.0.0.0 up
ifconfig br0 "$BRIDGE_IP" netmask "$MASK" up

tcpdump -i "$NIC1" -w - -s 65535 host "$TARGET_IP" |\
    ssh "$SSHD" "cat > dump_$(date +%H.%M.%S).pcap"

Note: When running this script on a headless/remote machine (e.g. an OpenWRT router), double-check its iptables rules and possible sshd restrictions beforehand so that you do not lock yourself out or even brick the box.

Dynamic IP workaround

When running on a NATed computer (e.g. a NAS), this shell script polls an external service for the router's WAN IP at a configurable interval. Whenever it detects a change, an e-mail with the new IP address is sent via msmtp. As long as $APIURL is valid, only the $MAILTO definition needs to be adapted.

#!/bin/sh
APIURL="https://EXAMPLE/ip"       # placeholder: service that returns the WAN IP as plain text
MAILTO="you@example.com"          # placeholder: recipient address
SENDCMD="/usr/bin/msmtp"
INTERVAL=600                      # seconds between checks
MSG="Subject: Home IP\n\nCurrent IP: "
GETIP="/usr/bin/curl -s $APIURL"

IP=$($GETIP)                      # report the current address once at start-up
printf "%b%s\n" "$MSG" "$IP" | "$SENDCMD" "$MAILTO"

while : ; do
    sleep "$INTERVAL"
    IPNEW=$($GETIP)
    # ignore empty replies (lookup failed), mail only on an actual change
    if [ -n "$IPNEW" ] && [ "$IPNEW" != "$IP" ] ; then
        IP="$IPNEW"
        printf "%b%s\n" "$MSG" "$IP" | "$SENDCMD" "$MAILTO"
    fi
done

And here is a simple msmtp configuration with TLS enabled – be aware that the mail password is stored in plaintext on the host computer.

### File: ~/.msmtprc or /etc/msmtprc

auth            on
tls             on
tls_starttls    off
tls_trust_file  /etc/ssl/certs/ca-certificates.crt
logfile         ~/.msmtp.log

account         ACCOUNT_1
host            SMTP_SERVER
user            USER_NAME
password        PASSWORD
from            FROM_ADDRESS

account default : ACCOUNT_1

Piping dd

Write to several devices at once with dd and tee (uses bash process substitution, so no space after >):

$ dd if=INFILE | tee >(dd of=/dev/sdX) | dd of=/dev/sdY

dd over the network with netcat and bzip2 compression (not encrypted); on the receiving side:

$ nc -l 9000 | bzip2 -d | dd bs=1M of=OUTFILE

...and clientside:

$ dd bs=1M if=INFILE | bzip2 -c | nc SERVER 9000

Writing data to an ssh server, using xz transport compression:

$ dd if=INFILE bs=1M | xz |\
    ssh user@host "xz -d | dd of=OUTFILE bs=1M"

Reading data from an ssh server, again with xz transport compression:

$ ssh user@host "dd if=INFILE bs=1M | xz" |\
    xz -d | dd of=OUTFILE bs=1M