Long term traffic capture with tcpdump over netcat
-
Hi,
I am looking to set up some long-term traffic capture with tcpdump. I will need tcpdump to run when pfSense boots, and I need it to write the output to a remote file over a netcat session. I am using the following command on the pfSense machine.
tcpdump -s 0 -U -n -i em0 -w - 'not port 9999' | nc 82.70.8.X 9999
And I am using the following command on a Windows machine receiving the output from tcpdump.
netcat-1.11>nc -l -p 9999 > tcpdump.pcap
This is working fine, and I am successfully saving the traffic to a pcap file on the Windows machine. The only problem I have is that, as I need to leave this running, the pcap file will simply get bigger and bigger. I have tried the -C option, but as the file is not being written locally, it seems to be ignored. Is there any way I can set a file size limit on this so that once a file reaches, say, 100MB, a new file is generated? I assume the limit would need to be set on the destination side, in this instance on the Windows machine, but I am not sure exactly how to achieve this.
Any help would be much appreciated.
Thank you in advance.
Jonathan.
-
No answer for your question, but wouldn't it be easier to set up a SPAN port on your switch, then capture directly on the Windows device?
-
No answer for your question, but wouldn't it be easier to set up a SPAN port on your switch, then capture directly on the Windows device?
This would be a lot easier; the problem is I am running this in a VMware vCloud Director environment which is located at a datacentre, and I have no access to any physical hardware at all.
-
As in the original thread:
https://forum.pfsense.org/index.php?topic=107605.msg599270#msg599270
You can pipe the output of nc on your receiving machine into wireshark.
Wireshark has the option to store a capture directly to a file and split the files at given intervals.
Take a look at the wireshark man page: https://www.wireshark.org/docs/man-pages/wireshark.html
You need arguments along the lines of:
nc -l -p 12345 | wireshark -k -i - -w /path/to/some/file -b filesize:100000
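The two posts above describe the same receiver-side requirement: one process reads the single pcap stream that nc delivers and rotates output files at a size limit, and it must cut only between packet records so every file is a complete, loadable capture (a byte-count split would leave the first file without a trailing record boundary and the second without a pcap global header). The following script is an added example written for this thread, not code from the forum or from the tcpdump or Wireshark projects. It assumes the stream is classic pcap as tcpdump -w writes (not pcapng), that it arrives on stdin, and the file prefix and size limit are command-line arguments; make_sample_stream builds a constructed in-memory capture so the splitter can be exercised offline.

```python
"""Receiver-side splitter for a pcap stream arriving over nc (added example,
not code from the thread). Reads `tcpdump -w -` output on stdin and writes
numbered files of at most MAX bytes, cutting only on packet-record boundaries
so every output file is a complete, loadable pcap. Assumes classic pcap
(tcpdump -w default), not pcapng."""
import io
import struct
import sys

GLOBAL_HDR_LEN = 24   # magic(4) ver(4) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PKT_HDR_LEN = 16      # ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)

# pcap magic numbers -> struct byte-order prefix
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",   # microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",   # nanosecond timestamps
}


def _read_exact(stream, n):
    """Read exactly n bytes unless the stream ends first (nc may deliver short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def split_pcap_stream(stream, max_bytes, open_out):
    """Copy a pcap stream into size-limited files.

    open_out(index) must return a writable binary file-like; it is closed when
    rotated. A single record larger than max_bytes still gets its own file
    rather than being cut. Returns the number of files written."""
    global_hdr = _read_exact(stream, GLOBAL_HDR_LEN)
    if len(global_hdr) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    order = MAGICS.get(global_hdr[:4])
    if order is None:
        raise ValueError("not a classic pcap stream: magic %r" % global_hdr[:4])
    snaplen = struct.unpack(order + "I", global_hdr[16:20])[0]

    out, written, records, index = None, 0, 0, 0
    while True:
        pkt_hdr = _read_exact(stream, PKT_HDR_LEN)
        if not pkt_hdr:
            break                                   # clean end of stream
        if len(pkt_hdr) < PKT_HDR_LEN:
            sys.stderr.write("warning: dropping truncated record at end of stream\n")
            break
        incl_len = struct.unpack(order + "I", pkt_hdr[8:12])[0]
        if snaplen and incl_len > snaplen:
            raise ValueError("record length %d exceeds snaplen %d; stream corrupt"
                             % (incl_len, snaplen))
        data = _read_exact(stream, incl_len)
        if len(data) < incl_len:
            sys.stderr.write("warning: dropping truncated record at end of stream\n")
            break
        record = pkt_hdr + data
        # Rotate before this record would push the current file past the limit.
        if out is None or (records > 0 and written + len(record) > max_bytes):
            if out is not None:
                out.close()
            out = open_out(index)
            index += 1
            out.write(global_hdr)                   # every file needs its own header
            written, records = GLOBAL_HDR_LEN, 0
        out.write(record)
        written += len(record)
        records += 1
    if out is not None:
        out.close()
    return index


def split_to_memory(stream, max_bytes):
    """Same splitting, but returns the files as a list of bytes (for tests/demos)."""
    class _Keep(io.BytesIO):
        def close(self):
            self.value = self.getvalue()   # BytesIO discards its buffer on close
            super().close()
    sinks = []

    def open_out(_index):
        sinks.append(_Keep())
        return sinks[-1]
    split_pcap_stream(stream, max_bytes, open_out)
    return [s.value for s in sinks]


def make_sample_stream(n_packets, payload_len):
    """Constructed test input: a little-endian pcap (linktype 1 = Ethernet) with
    n_packets records of payload_len bytes each. Not captured traffic."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    body = b"".join(
        struct.pack("<IIII", 1700000000 + i, 0, payload_len, payload_len)
        + bytes([i & 0xFF]) * payload_len
        for i in range(n_packets))
    return io.BytesIO(hdr + body)


def main(argv):
    # Assumed invocation: nc -l -p 9999 | python pcap_split.py capture 100000000
    if len(argv) != 3:
        sys.exit("usage: pcap_split.py <prefix> <max_bytes>  (pcap stream on stdin)")
    prefix, max_bytes = argv[1], int(argv[2])
    n = split_pcap_stream(sys.stdin.buffer, max_bytes,
                          lambda i: open("%s%04d.pcap" % (prefix, i), "wb"))
    sys.stderr.write("wrote %d file(s)\n" % n)


if __name__ == "__main__":
    main(sys.argv)
```

The splitter does on the receiving side what tcpdump's -C would do locally; as the original post notes, -C has nothing to act on when tcpdump writes to stdout. Because it validates the magic and each record length against the snaplen, a corrupted or non-pcap stream fails loudly instead of producing files that silently will not load.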
-
I am looking to set up some long term traffic capture with tcpdump.
the pcap file will simply get bigger and bigger.
I would recommend not going over a limit of 2 GB for each file unless you have a really strong and well-sorted PC or server where the files have to be viewed.
-
plink, ssh, wireshark and tcpdump remote auto start.
https://forum.pfsense.org/index.php?topic=89917.msg497700