
I need to monitor TCP networking between two hosts which do not have tcpdump installed, and I cannot install it on them.

Is it possible to do so with tcpdump using some known rule?

xyx
    Whut? So you need to sniff the traffic but have no sniffer? Do you have physical access to the machine? What are you trying to accomplish? – Marki Jan 04 '16 at 19:39

2 Answers


Yes, you have several options:

  1. Place a hub between the two hosts. Then you can connect your tcpdump machine and just sniff traffic (please note that performance will be quite bad: hubs only go up to 100 Mbit, and even then they can be massively slower than switched 100 Mbit).
  2. If you have a managed switch: add a mirror port for those two interfaces, and connect the tcpdump machine to the mirror port.
  3. Two interfaces on the tcpdump machine: bridge the two interfaces together (http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html), and sniff on the bridge interface.
Dominik R
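Option 3 above as a script, added here as an example and not taken from the answer or the linked HOWTO: it uses the iproute2 `ip` commands rather than the HOWTO's `brctl`, assumes a Linux capture host with two spare NICs, and the interface names, bridge name and addresses are placeholders. The bridge and its member ports get no IP address and STP is left off, so the capture box forwards frames between the two hosts without ever transmitting anything of its own onto the monitored link.

```shell
#!/bin/sh
# In-line capture bridge for a Linux host with two spare NICs.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_tap_bridge BRIDGE IF_A IF_B
# Joins IF_A and IF_B into BRIDGE so the two hosts keep talking through
# the capture box while the capture box stays silent on the wire.
setup_tap_bridge() {
    br="$1"; a="$2"; b="$3"
    # stp_state 0: the bridge must not inject BPDUs into the monitored link.
    run ip link add name "$br" type bridge stp_state 0
    for ifc in "$a" "$b"; do
        # No address on the member ports; promiscuous so every frame is seen.
        run ip addr flush dev "$ifc"
        run ip link set dev "$ifc" promisc on
        run ip link set dev "$ifc" master "$br"
        run ip link set dev "$ifc" up
    done
    # The bridge itself gets no IP either: it forwards, it never answers.
    run ip link set dev "$br" up
}

# capture_on_bridge BRIDGE OUTFILE [tcpdump filter ...]
# Full-size packets to a pcap file; -nn avoids name lookups, so the
# capture host does not generate DNS traffic while it is sniffing.
capture_on_bridge() {
    br="$1"; out="$2"; shift 2
    run tcpdump -i "$br" -nn -s 0 -w "$out" "$@"
}

# Usage (placeholder names and RFC 5737 documentation addresses):
# setup_tap_bridge br0 eth1 eth2
# capture_on_bridge br0 /tmp/link.pcap host 192.0.2.10 and host 192.0.2.20
```

Open the resulting pcap in Wireshark or with `tcpdump -r` on any machine; the capture host needs root only for the bridge setup and the capture itself.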

If you cannot have tcpdump on any of the hosts, or modify their configuration in any way, then to dump packets you need to take them off the network. The normal "enterprise" way to do that is with port mirroring, but of course you need a network switch with that feature and a third server with tcpdump installed. Otherwise a hub can do it if that's all you have.

If you have other software installed, like netcat, and you only need one port or two, you could probably send your traffic off-host to be sniffed and back again, but if you are analyzing network problems this would be more of a problem than a problem-solver. Why can you not install tcpdump?

The other way around the problem is to ask what you really want to do. If you do not need to see the packet contents, maybe you can gather enough information using tools normally installed by default, such as netstat, route, lsof, ss ...

Law29