
I have a situation where I want to capture all of the network traffic on one Linux box (currently using tcpdump) but have that data transferred in real time to another Linux box on a separate (but connected) network. Essentially I have

[network i'm curious about]---[eth0. Linux box eth1]----[separate network]---[eth0 monitoring Linux box]

What I'm doing now is saving everything to a pcap and periodically transferring the pcap over to the monitoring Linux box. This works, but is highly inefficient and definitely not real time. Is there a way to make tcpdump save the pcap to a data stream I can proxy over to the monitoring box without setting up something like NFS or SMB? I consider the Linux box that is doing the tcpdump suspect at best and don't want to offer up a writable share on the monitoring box.

Any ideas?

tjac
  • Thanks everyone for your suggestions! This really helps me out a lot. I hope I can return the favor someday. – tjac Nov 22 '13 at 02:30

3 Answers

On monitoring_Linux_box: # nc -l -k -p 1234 > /var/tmp/pcap

On Linux box: # tcpdump -U -w - | nc monitoring_Linux_box 1234

Mark Wagner
  • I think this one is my best bet given that it has less of a security concern (no need to log in to the monitoring box from the recording box). Thanks!! – tjac Nov 22 '13 at 02:30
  • How does this avoid an infinite loop? Capture data, send it, capture that sent data, send it again, capture all that sent data, send it yet again... – TheLQ Nov 26 '13 at 13:03
  • Add `not port 1234` to tcpdump command line. – Mark Wagner Nov 26 '13 at 21:11

From the monitoring box:

# ssh root@otherbox tcpdump -n -i eth0 -w - | program_that_takes_pcap_on_input

MikeyB

Will a live capture over SSH work?

ssh -t remotehost 'sudo tcpdump [options]'

or if you use root..

ssh root@remotehost 'tcpdump [options]'

(Make sure to exclude your SSH traffic from the capture.)

If you want to watch it on-screen and save the output to a file, pipe to tee.

Aaron Copley
  • It isn't actually required to ignore SSH. A much cleaner solution would be to listen only on eth0. – Tim Brigham Nov 21 '13 at 19:47
  • May not be what you always want. Since you might be looking for SSH traffic from others. You should be able to parse out the **SSH_CONNECTION** environment variable, which will include the client IP, client port, destination host, and destination port. Then only exclude the traffic unique to that individual connection. – Zoredache Nov 21 '13 at 20:02
  • I am not suggesting to filter all SSH traffic. I think you've misunderstood. I can't imagine why you'd want to capture the SSH session of the host you are forwarding the `tcpdump` to... The question was to monitor another network remotely. – Aaron Copley Nov 21 '13 at 20:16
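Both threads above end on the same practical problem: the capture must exclude its own transport, or the box captures the stream it is sending and the stream grows without bound (the `not port 1234` comment on the netcat answer, and the `SSH_CONNECTION` comment on the SSH answer). The script below is an added example written for this page; it is not code from any of the answerers. It builds the BPF exclusion from either the netcat destination or the `SSH_CONNECTION` variable, so only the one shipping connection is dropped rather than all SSH or all traffic to that port, and then runs the `tcpdump -U -w - | nc` pipeline from the accepted answer. The interface, host and port names are placeholders; `tcpdump` and `nc` are assumed to be installed on the capturing box.

```shell
#!/bin/sh
# Added example for this Q&A page, not code from the original answers.
# Pure helpers build BPF filter strings; the capture only starts when
# CAPTURE_RUN=1 is set, so the file can be sourced or tested without
# touching any interface.

# Exclude exactly one TCP connection given as
# "client_ip client_port server_ip server_port" (the SSH_CONNECTION layout).
# Both directions match because 'host'/'port' without src/dst mean "either end".
exclude_connection_filter() {
    set -- $1
    [ $# -eq 4 ] || { echo "expected 4 fields: client_ip client_port server_ip server_port" >&2; return 1; }
    printf 'not (host %s and port %s and host %s and port %s)' "$1" "$2" "$3" "$4"
}

# Exclude only the pcap stream to the monitoring box (netcat variant).
# Narrower than 'not port 1234': other hosts' traffic on that port is kept.
exclude_stream_filter() {
    printf 'not (host %s and port %s)' "$1" "$2"
}

# Filter for the SSH variant, evaluated on the remote (capturing) side where
# sshd exports SSH_CONNECTION for the session running tcpdump.
ssh_session_filter() {
    [ -n "${SSH_CONNECTION:-}" ] || { echo "not inside an SSH session" >&2; return 1; }
    exclude_connection_filter "$SSH_CONNECTION"
}

# AND an optional user expression (e.g. "tcp port 80") onto the exclusion.
combine_filter() {
    if [ -n "$2" ]; then
        printf '%s and (%s)' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Accepted answer's pipeline with the loop-safe filter applied.
# Run on the capturing box; the monitoring box runs 'nc -l -k -p 1234 > file'.
stream_capture_to_monitor() {
    iface=$1; monitor=$2; port=$3; user_filter=${4:-}
    filter=$(combine_filter "$(exclude_stream_filter "$monitor" "$port")" "$user_filter")
    # -U flushes each packet as it is written, so the monitor sees data in real time.
    tcpdump -U -n -i "$iface" -w - "$filter" | nc "$monitor" "$port"
}

# Example invocation (placeholders):
#   CAPTURE_RUN=1 sh capture.sh eth0 monitoring_Linux_box 1234 'not arp'
if [ "${CAPTURE_RUN:-0}" = 1 ]; then
    stream_capture_to_monitor "$1" "$2" "$3" "${4:-}"
fi
```

The monitoring side stays a read-only sink: the capturing box can only push bytes into the listening `nc`, which is the property the asker wanted instead of a writable share.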