Netgate Discussion Forum

    Long term traffic capture with tcpdump over netcat

    General pfSense Questions
    7 Posts 6 Posters 4.0k Views
    • jonathanbaird

      Hi,

      I am looking to set up some long term traffic capture with tcpdump. I will need tcpdump to run when pfSense boots and I need it to write the output to a remote file over a netcat session. I am using the following command on the pfSense machine.

      tcpdump -s 0 -U -n -i em0 -w - 'not port 9999' | nc 82.70.8.X 9999
      

      And I am using the following command on a Windows machine receiving the output from tcpdump.

      netcat-1.11>nc -l -p 9999 > tcpdump.pcap
      

      This is working fine, and I am successfully saving the traffic to a pcap file on the Windows machine. The only problem I have is as I need to leave this running, the pcap file will simply get bigger and bigger. I have tried the -C option but as the file is not being written locally, it seems to be ignored. Is there any way I can set a file size limit on this so that once a file reaches say 100MB, a new file is generated? I assume the limit would need to be set on the destination side, in this instance on the Windows machine but I am not sure exactly how to achieve this.

      Any help would be much appreciated.

      Thank you in advance.

      Jonathan.

      • heper

        No answer for your question, but wouldn't it be easier to set up a SPAN port on your switch, then capture directly on the Windows device?

        • jonathanbaird

          @heper:

          No answer for your question, but wouldn't it be easier to set up a SPAN port on your switch, then capture directly on the Windows device?

          This would be a lot easier, the problem is I am running this in a VMware vCloud Director environment which is located at a datacentre and I have no access to any physical hardware at all.

          • jimp (Rebel Alliance Developer, Netgate)

            The problem here is more of a standard UNIX utility and not specific to pfSense.

            That said, you might want to utilize something like tee(1), split(1) or some combination to achieve the desired result.

            • GruensFroeschli

              As in the original thread:
              https://forum.pfsense.org/index.php?topic=107605.msg599270#msg599270

              You can pipe the output of nc on your receiving machine into wireshark.
              Wireshark has the option to store a capture directly to a file and split the files at given intervals.
              Take a look at the wireshark man page: https://www.wireshark.org/docs/man-pages/wireshark.html
              you need arguments along the line of:

              
              nc -l -p 12345 | wireshark -k -i - -w /path/to/some/file -b filesize:100000
              
              

              • Guest
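              Pulling jimp's and GruensFroeschli's suggestions together, here is an added example (my code, not anything posted in the thread or shipped with pfSense) of doing the rotation on the receiving side in a pcap-aware way. Plain split(1) on the raw netcat stream is not enough: a pcap file is a 24-byte global header followed by records, each a 16-byte record header plus the packet bytes, so a chunk cut at an arbitrary byte offset has no global header and starts in the middle of a packet, and Wireshark and tcpdump refuse to open it. The Python below listens where `nc -l -p 9999 > tcpdump.pcap` did, copies records into numbered files under a directory, rotates only on a record boundary once the next record would push the file past the limit, writes the global header at the top of every file (which is what tcpdump -C does locally), does not loop forever on a single record larger than the limit, and reports whether the sender was cut off mid-record. The port, the file names, and the constructed sample stream used by run_demo are assumptions for the demonstration.

```python
"""Pcap-aware receiver: split a tcpdump '-w -' stream into size-limited files.

Added example, not code from the thread or from pfSense.  Port number,
file naming and the constructed sample stream are assumptions.
"""
import io
import socket
import struct
import tempfile
from pathlib import Path

GLOBAL_HDR_LEN = 24   # pcap global header
RECORD_HDR_LEN = 16   # per-packet record header: ts_sec, ts_usec, incl_len, orig_len
MAGICS = {            # magic number -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def read_exact(stream, n):
    """Read exactly n bytes; returns fewer only when the stream ends."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def split_pcap_stream(stream, out_dir, max_bytes, prefix="capture"):
    """Copy a pcap byte stream into out_dir, starting a new file whenever the
    next record would push the current file past max_bytes.  Rotation happens
    only between records and every file begins with the global header.  A
    record larger than max_bytes still gets a file of its own (no endless
    rotation).  Returns {'files': [...], 'records': n, 'truncated': bool}."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    header = read_exact(stream, GLOBAL_HDR_LEN)
    if len(header) != GLOBAL_HDR_LEN or header[:4] not in MAGICS:
        raise ValueError("stream does not start with a pcap global header")
    endian = MAGICS[header[:4]]
    files, out, written, records, truncated = [], None, 0, 0, False

    def rotate():
        nonlocal out, written
        if out is not None:
            out.close()
        path = out_dir / f"{prefix}{len(files):04d}.pcap"
        files.append(path)
        out = path.open("wb")
        out.write(header)            # each file is a complete pcap on its own
        written = GLOBAL_HDR_LEN

    rotate()
    try:
        while True:
            rec_hdr = read_exact(stream, RECORD_HDR_LEN)
            if not rec_hdr:
                break                # clean end of stream between records
            if len(rec_hdr) != RECORD_HDR_LEN:
                truncated = True     # sender died mid-header: drop the fragment
                break
            incl_len = struct.unpack(endian + "I", rec_hdr[8:12])[0]
            data = read_exact(stream, incl_len)
            if len(data) != incl_len:
                truncated = True     # sender died mid-packet: drop the fragment
                break
            rec_len = RECORD_HDR_LEN + incl_len
            # Rotate only if this file already holds a record; otherwise an
            # oversized record would trigger a new empty file forever.
            if written > GLOBAL_HDR_LEN and written + rec_len > max_bytes:
                rotate()
            out.write(rec_hdr)
            out.write(data)
            written += rec_len
            records += 1
    finally:
        out.close()
    return {"files": files, "records": records, "truncated": truncated}


def serve(port, out_dir, max_bytes, bind="0.0.0.0"):
    """Accept one connection from 'tcpdump ... -w - | nc HOST PORT' and split it.
    Netcat offers no authentication or encryption: whoever connects first
    writes the files, and the capture crosses the network in the clear."""
    with socket.create_server((bind, port)) as srv:
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as stream:
            return split_pcap_stream(stream, out_dir, max_bytes)


def count_records(path):
    """Re-parse a finished file: proves it is a complete, self-contained pcap."""
    with open(path, "rb") as f:
        endian, n = MAGICS[f.read(GLOBAL_HDR_LEN)[:4]], 0
        while True:
            rec_hdr = f.read(RECORD_HDR_LEN)
            if not rec_hdr:
                return n
            if len(rec_hdr) != RECORD_HDR_LEN:
                raise ValueError(f"{path} ends mid-record")
            incl_len = struct.unpack(endian + "I", rec_hdr[8:12])[0]
            if len(f.read(incl_len)) != incl_len:
                raise ValueError(f"{path} ends mid-record")
            n += 1


def build_sample_stream(payload_lens, trailing_fragment=b""):
    """Constructed input (assumption): little-endian pcap, linktype 1 Ethernet,
    snaplen 65535, one record per payload length, then an optional incomplete
    record imitating a sender that was cut off."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", ts, 0, n, n) + bytes([ts % 256]) * n
                    for ts, n in enumerate(payload_lens, start=1))
    return header + body + trailing_fragment


def run_demo(max_bytes=300):
    """Ten 100-byte packets, one 500-byte packet, then half a record header."""
    stream = io.BytesIO(build_sample_stream([100] * 10 + [500], b"\x00" * 8))
    with tempfile.TemporaryDirectory() as tmp:
        summary = split_pcap_stream(stream, tmp, max_bytes)
        per_file = [count_records(p) for p in summary["files"]]
    return {"files": len(summary["files"]), "records": summary["records"],
            "truncated": summary["truncated"], "per_file": per_file}


if __name__ == "__main__":
    print(run_demo())
```

              Running the file shows the demo on the constructed stream: with a 300-byte limit, ten 100-byte packets land two per file, the 500-byte packet gets a file of its own, and the trailing fragment is reported as a truncation rather than written out. To use it in place of the netcat listener, call serve(9999, "captures", 100 * 1024 * 1024); the tcpdump | nc command from the first post stays as it is. Bear in mind that netcat gives neither authentication nor encryption, so anyone who can reach port 9999 can connect first and feed you bytes (the magic-number check only rejects non-pcap input), and everything seen on em0 travels to the receiver in cleartext. On a receiver that has tcpdump itself, `nc -l -p 9999 | tcpdump -r - -w capture.pcap -C 100` gives the same rotation without custom code, which is the tcpdump counterpart of the wireshark -b filesize command above.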

                I am looking to set up some long term traffic capture with tcpdump.

                Only if needed

                the pcap file will simply get bigger and bigger.

                I would recommend not going over a limit of 2 GB for each file unless you have a really strong and
                well-sorted PC or server on which the files have to be viewed.

                • NOYB

                  plink, ssh , wireshark and tcpdump remote auto start.

                  https://forum.pfsense.org/index.php?topic=89917.msg497700

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.