Netgate Discussion Forum
    Using tcpdump to capture traffic remotely but save output to a local file

      jonathanbaird

      Hi,

      I have set up SSH and can successfully SSH into my pfSense machine. I can also run tcpdump no problem. My question is, would it be possible to run tcpdump remotely over either a VPN/WAN but save the output to a local machine using a ring buffer?

      I need to leave tcpdump running to try and capture an intermittent issue we are running into, and the packet capture GUI doesn't offer me the functionality I need to perform this.

      Any help or guidance would be great.

      Thank you in advance.

      Jonathan.

        GruensFroeschli

        Even better:
        You can directly capture traffic remotely with Wireshark.

        On your PC you start:

        ```
        nc -l -p 12345 | wireshark -k -i -
        ```

        This will start wireshark, with netcat listening on port 12345 and forwarding anything directly to wireshark.

        On the pfSense you start:

        ```
        tcpdump -i vr0 -U -w - | nc 10.0.42.2 12345
        ```

        This will capture traffic on the interface vr0 and forward everything to the PC at the address 10.0.42.2 on port 12345.
        Replace 10.0.42.2 with the IP of the PC running Wireshark and listening on port 12345.

        Edit:
        Instead of running wireshark you can also directly pipe into a file:

        ```
        nc -l -p 12345 > /home/user/somefile.pcap
        ```

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          2chemlud

          Very cool! 8-)

            jonathanbaird

            This does look interesting! I'll take a look - thanks for your help.

              jonathanbaird

              @GruensFroeschli:

              > Even better:
              > You can directly capture traffic remotely with Wireshark.
              >
              > On your PC you start:
              >
              > ```
              > nc -l -p 12345 | wireshark -k -i -
              > ```
              >
              > This will start wireshark, with netcat listening on port 12345 and forwarding anything directly to wireshark.
              >
              > On the pfSense you start:
              >
              > ```
              > tcpdump -i vr0 -U -w - | nc 10.0.42.2 12345
              > ```
              >
              > This will capture traffic on the interface vr0 and forward everything to the PC at the address 10.0.42.2 on port 12345.
              > Replace 10.0.42.2 with the IP of the PC running Wireshark and listening on port 12345.
              >
              > Edit:
              > Instead of running wireshark you can also directly pipe into a file:
              >
              > ```
              > nc -l -p 12345 > /home/user/somefile.pcap
              > ```

              Hi,

              Thanks for your help with this. With the below command, can we add a ring buffer to this so that files are a total of 100MB in size?

              ```
              nc -l -p 12345 > /home/user/somefile.pcap
              ```

              I've done some testing with this but cannot seem to get this to work. I'm also using a Windows Server for this, if that makes any difference!?

              Regards,

              Jonathan.

                GruensFroeschli

                I gave the answer to this in your other thread where you originally asked this question.
                https://forum.pfsense.org/index.php?topic=108668.msg605967#msg605967
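
Added example, not part of the original posts and not the answer given in the linked thread: one way to get the ring buffer asked about above on the receiving side is to replace the `> somefile.pcap` redirect with a small splitter that reads the `tcpdump -U -w -` stream from standard input and rotates through a fixed set of files. The script name `pcap_ring.py`, the `capture_NN.pcap` file names and the 10 x 10 MB defaults are assumptions, and Python 3 is assumed on the receiving machine.

```python
import struct
import sys
from pathlib import Path

# Classic pcap magic numbers mapped to the byte order of the header fields.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond stamps

def ring_capture(stream, out_dir, max_bytes=10_000_000, max_files=10):
    """Split a pcap stream into max_files slots of at most max_bytes each.

    stream must be a buffered binary reader (sys.stdin.buffer, BytesIO), whose
    read(n) only returns fewer than n bytes at end of stream. The defaults
    (10 x 10 MB = 100 MB on disk) are assumptions. Returns packets written.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    global_hdr = stream.read(24)
    if len(global_hdr) < 24 or global_hdr[:4] not in MAGICS:
        raise ValueError("input is not a classic pcap stream")
    endian = MAGICS[global_hdr[:4]]
    snaplen = struct.unpack(endian + "I", global_hdr[16:20])[0]
    slot, out, packets = -1, None, 0
    try:
        while True:
            rec_hdr = stream.read(16)
            if len(rec_hdr) < 16:
                break                   # end of stream; a partial header is dropped
            incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
            if incl_len > snaplen:      # never trust a length field off the wire
                raise ValueError("record longer than snaplen, stream is corrupt")
            body = stream.read(incl_len)
            if len(body) < incl_len:
                break                   # sender went away mid-packet
            if out is None or out.tell() + 16 + incl_len > max_bytes:
                if out:
                    out.close()
                slot = (slot + 1) % max_files       # wrap: oldest file is overwritten
                out = open(out_dir / f"capture_{slot:02d}.pcap", "wb")
                out.write(global_hdr)               # each file needs its own header
            out.write(rec_hdr + body)
            packets += 1
    finally:
        if out:
            out.close()
    return packets

if __name__ == "__main__":   # e.g. nc -l -p 12345 | python pcap_ring.py <out_dir>
    print(ring_capture(sys.stdin.buffer, sys.argv[1]), "packets written")
```

Rotation happens only on packet boundaries and every file starts with the stream's global header, so each slot opens in Wireshark on its own. A plain `nc` listener accepts whatever connects to the port, unauthenticated and unencrypted, which is why the record length is checked against the snaplen before any bytes are read.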