Netgate Discussion Forum

Using tcpdump to capture traffic remotely but save output to a local file

General pfSense Questions
  • J
    jonathanbaird
    last edited by Feb 29, 2016, 1:30 PM

    Hi,

    I have set up SSH and can successfully SSH into my pfSense machine. I can also run tcpdump no problem. My question is, would it be possible to run tcpdump remotely over either a VPN/WAN but save the output to a local machine using a ring buffer?

    I need to leave tcpdump running to try and capture an intermittent issue we are running into, and the packet capture GUI doesn't offer me the functionality I need to perform this.

    Any help or guidance would be great.

    Thank you in advance.

    Jonathan.

    • G
      GruensFroeschli
      last edited by Feb 29, 2016, 3:49 PM Feb 29, 2016, 1:42 PM

      Even better:
      You can directly capture traffic remotely with wireshark.

      On your PC you start:

      ```
      nc -l -p 12345 | wireshark -k -i -
      ```

      This will start wireshark, with netcat listening on port 12345 and forwarding anything directly to wireshark.

      On the pfSense you start:

      ```
      tcpdump -i vr0 -U -w - | nc 10.0.42.2 12345
      ```

      This will capture traffic on the interface vr0 and forward everything to the PC at the address 10.0.42.2 on port 12345.
      Replace 10.0.42.2 with the IP of the PC running wireshark and listening on port 12345.

      Edit:
      Instead of running wireshark you can also directly pipe into a file:

      ```
      nc -l -p 12345 > /home/user/somefile.pcap
      ```

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • 2
        2chemlud Banned
        last edited by Feb 29, 2016, 2:44 PM

        Very cool! 8-)

        • J
          jonathanbaird
          last edited by Feb 29, 2016, 4:54 PM

          This does look interesting! I'll take a look - thanks for your help.

          • J
            jonathanbaird
            last edited by May 23, 2016, 1:16 PM

            @GruensFroeschli:

            Even better:
            You can directly capture traffic remotely with wireshark.

            On your PC you start:

            ```
            nc -l -p 12345 | wireshark -k -i -
            ```

            This will start wireshark, with netcat listening on port 12345 and forwarding anything directly to wireshark.

            On the pfSense you start:

            ```
            tcpdump -i vr0 -U -w - | nc 10.0.42.2 12345
            ```

            This will capture traffic on the interface vr0 and forward everything to the PC at the address 10.0.42.2 on port 12345.
            Replace 10.0.42.2 with the IP of the PC running wireshark and listening on port 12345.

            Edit:
            Instead of running wireshark you can also directly pipe into a file:

            ```
            nc -l -p 12345 > /home/user/somefile.pcap
            ```

            Hi,

            Thanks for your help with this. With the below command, can we add a ring buffer to this so that files are a total of 100MB in size?

            ```
            nc -l -p 12345 > /home/user/somefile.pcap
            ```

            I've done some testing with this but cannot seem to get this to work. I'm also using a Windows Server for this, if that makes any difference!?

            Regards,

            Jonathan.

            • G
              GruensFroeschli
              last edited by May 25, 2016, 11:15 AM

              I gave the answer to this in your other thread where you originally asked this question.
              https://forum.pfsense.org/index.php?topic=108668.msg605967#msg605967

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
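
For the ring-buffer question asked above, one way to rotate on the receiving side without needing tcpdump on that machine, as an added example that is not code from this thread: a Python script that reads the pcap stream netcat delivers on stdin, writes size-limited files and deletes the oldest. The file prefix, the 100 MB per-file limit, the 10-file count and the snaplen sanity check are assumptions of this example.

```python
import os, struct, sys

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # classic pcap, microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # classic pcap, nanosecond

def ring_capture(stream, prefix, max_bytes=100_000_000, max_files=10):
    """Split a pcap stream into <prefix>.NNNN.pcap files, keeping the newest max_files.

    stream must be a buffered binary stream (sys.stdin.buffer, io.BytesIO), so that
    read(n) returns fewer than n bytes only at end of input.
    """
    global_hdr = stream.read(24)
    endian = MAGICS.get(global_hdr[:4])
    if len(global_hdr) < 24 or endian is None:
        raise ValueError("input is not a classic pcap stream")
    snaplen = struct.unpack(endian + "I", global_hdr[16:20])[0]
    kept, out, size, index = [], None, 0, 0
    try:
        while True:
            rec_hdr = stream.read(16)
            if len(rec_hdr) < 16:
                break                                  # clean end or cut-off header
            incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
            if incl_len > snaplen:                     # desynchronised or tampered stream
                raise ValueError("record longer than snaplen")
            data = stream.read(incl_len)
            if len(data) < incl_len:
                break                                  # drop a truncated final record
            if out is None or size + 16 + incl_len > max_bytes:
                if out:
                    out.close()
                kept.append(f"{prefix}.{index:04d}.pcap")
                out = open(kept[-1], "wb")
                out.write(global_hdr)                  # each file opens on its own in wireshark
                size, index = 24, index + 1
                if len(kept) > max_files:
                    os.remove(kept.pop(0))             # ring behaviour: delete the oldest file
            out.write(rec_hdr + data)
            size += 16 + incl_len
    finally:
        if out:
            out.close()
    return kept

if __name__ == "__main__":
    print(ring_capture(sys.stdin.buffer, "capture"))
```

It takes the place of the file redirect, for example `nc -l -p 12345 | python pcap_ring.py` (the script name is hypothetical).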
