8

In the process of debugging a python irc bot that can't seem to connect, I thought "I know, I'll just tcpdump it and see what it's doing." So I ran tcpdump like I usually do and it says it's captured packets, but doesn't actually write the cap file.

akraut@lance ~/pcaps $ sudo tcpdump -w pyhole -s 0 "port 6667"
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C17 packets captured
17 packets received by filter
0 packets dropped by kernel
4294966881 packets dropped by interface
akraut@lance ~/pcaps $ ls -la
total 8
drwxr-xr-x 2 akraut akraut 4096 Feb  6 11:50 .
drwxr-xr-x 8 akraut akraut 4096 Feb  6 11:50 ..
akraut@lance ~/pcaps $
akraut
  • 311
  • 1
  • 3
  • 17

3 Answers3

11

You might want to check out the behaviour of tcpdump with strace, to see if it's doing anything odd like chrooting, if it's in gentoo or another distribution that might suid the binaries.

Justin Lynn
  • 406
  • 3
  • 5
  • Ah, yes. Looking at the ebuild, it appears to drop privs and chroot into `/var/lib/tcpdump`. And lo, there lie all my cap files. – akraut Feb 06 '12 at 22:17
10

Ok, I have solved the mystery. Follow along with me as we unravel Funtoo's TCPDump and the Mystery of the Missing pcap File.

I used strace to see what's going on and the relevant lines are:

chroot("/var/lib/tcpdump")              = 0
chdir("/")                              = 0
--- SNIP ---
open("/tmp/lol.wat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)

So...

lance ~ # ls /var/lib/tcpdump/
blah  blah.cap  irc.cap  pyhole

Hey look! All the cap files I tried to create!

After taking a look at the use flags tcpdump is built with by default, I see this:

lance ~ # grep tcpdump /usr/portage/profiles/use*desc
use.local.desc:net-analyzer/tcpdump:chroot - Enable chrooting when dropping privileges

So why do it this way? My theory goes something like this:

  1. Many applications that interact with raw network traffic have to run as root.
  2. Raw network traffic has a wide variety of valid and invalid values in the wild.
  3. Many exploits exist for those applications. (Wireshark, Ethereal, tcpdump, et al)
  4. Therefore, tcpdump grabs access to the network interface while root, jails itself into /var/lib/tcpdump, then drops root privileges and commences capturing.

As a result, when I specified ./blah or blah it worked fine. But /tmp/blah didn't because /var/lib/tcpdump/tmp doesn't exist.

A neat side feature of all this is: when using the suid flag to install tcpdump SetUID, you can grant users access with the tcpdump group without giving them sudo or root access. Possible uses include a capture box for your network engineers or researchers.

I just wish Gentoo/Funtoo would have had a message on installation that said all this.

tl;dr: Gentoo/Funtoo put your pcap files in /var/lib/tcpdump.

akraut
  • 311
  • 1
  • 3
  • 17
3

The syntax is correct: I just tried it (albeit on port 80) and it generated a pcap file in the current working directory, given the same options you're using.

Could it have something to do with your home directory, that you're trying to write to as root (because of the sudo)? Is it possible you're using NFS-mounted home directories with root-squashing? sudo touch ~akraut/pcaps/foo ?

Can you try writing out the pcap to /tmp/ or something?

cjc
  • 24,916
  • 3
  • 51
  • 70
  • With `sudo tcpdump -w /tmp/blah -s 0 "port 6667"` it looks like it's working, but if I do `sudo su -` first then run `tcpdump -w /tmp/blah -s 0 "port 6667"` as root it says "No such file or directory". The mystery deepens... – akraut Feb 06 '12 at 22:15
  • 1
    Looks like Justin helped you find the answer. Can I ask you what distro you're using, and whether that's a standard tcpdump installation for that distro? – cjc Feb 06 '12 at 22:39
  • I'm running Funtoo, which is a variant of Gentoo. Yes, by default, it sets the chroot "use" flag (a Gentoo method of enabling/disabling optional compile-time functionality). I've actually prepared a more lengthy write-up to post here shortly. – akraut Feb 06 '12 at 22:45