
I want to get all traffic on an embedded system, using tcpdump. I will send those files via sftp or ssh to my server.

Can it happen that tcpdump "sees" the transfer of the pcap files to my server? This would result in an unwanted recursive transfer loop.

Is there a way to just save the metadata of the connection without saving the pcap data again? Or do I have to filter out the connection? If so, what would be the easiest way?

I need to see 100% of the traffic in those dumps.

bjoster
Standard

1 Answer

You do not need to save all the data that goes through your device to have an idea of what's going on. Hence you can limit the amount of data collected per packet with the -s option of tcpdump. E.g:

tcpdump -i eth0 -s 150 -w my_log_file

Since your sftp session will consist of mainly full size (1500 bytes probably) packets, it will leave a small trace in your log file: if you have 100 MiB of captured data, capturing the transfer of captured data will add another 10 MiB, capturing the transfer of the capture of the transfer of the captured data another 1 MiB, and so on.

Filtering

If you do not need a capture of the ssh session you might filter it out:

tcpdump -i eth0 not host <server_ip> and not port 22

You didn't explain why you need to capture all the traffic on the embedded device, but depending on your network topology you may be able to capture the same traffic on the server (hence without copying the logs).

Piotr P. Karwasz
  • thank you, looks good. sadly I have to send all the traffic from the embedded device, because of its location and functions. – Standard Nov 12 '19 at 09:03
  • Mathematically you cannot send all the traffic: if `tcpdump` dumps 1 MiB of data and you start your transfer, the size of the log file will always be 1 MiB more than what you transferred. – Piotr P. Karwasz Nov 13 '19 at 13:45
  • I used the solution where I just cut out ssh traffic :) – Standard Nov 13 '19 at 13:49
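The answer's -s option truncates every packet, and the filter drops the whole SSH session. A middle ground the question asks for (keep the metadata of the upload flow, drop only its payload, leave all other traffic untouched) is a per-flow snaplen, which tcpdump itself does not offer but which is easy to do as a post-processing pass before each rotated capture file is uploaded. The following script is an added example, not code from the answer or from tcpdump: it parses a classic little-endian pcap (not pcapng), and for IPv4/TCP packets of the flow to or from an assumed collector address 10.0.0.9 on port 22 it keeps only the Ethernet, IP and TCP headers while preserving the original wire length in each record. The sample traffic at the bottom is constructed inline (checksums left at zero) so the script runs offline. Used with rotated capture files (tcpdump -G or -C), each upload still appears in the next file, but only as headers, so the recursion from the comment above shrinks to roughly 54 bytes per 1500-byte packet instead of 150.

```python
"""Keep headers only for the collector upload flow in a pcap; leave everything else intact."""
import struct
from ipaddress import IPv4Address

ETH_HDR = 14              # Ethernet II header length
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# Global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, DLT_EN10MB (1)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def parse_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, packet) for each record of a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (byte-swapped and pcapng not handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, orig_len, data[off:off + incl_len]
        off += incl_len


def tcp_flow(pkt):
    """Return (src, dst, sport, dport, header_end) for an IPv4/TCP frame, else None."""
    if len(pkt) < ETH_HDR + 20 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[ETH_HDR] & 0x0F) * 4          # IPv4 header length incl. options
    if pkt[ETH_HDR + 9] != IPPROTO_TCP:
        return None
    tcp = ETH_HDR + ihl
    if len(pkt) < tcp + 20:
        return None
    src = IPv4Address(pkt[ETH_HDR + 12:ETH_HDR + 16])
    dst = IPv4Address(pkt[ETH_HDR + 16:ETH_HDR + 20])
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    data_off = (pkt[tcp + 12] >> 4) * 4      # TCP header length incl. options
    return src, dst, sport, dport, tcp + data_off


def trim_upload_flow(pcap, server_ip, server_port=22):
    """Rewrite pcap so packets of the server_ip:server_port TCP flow keep headers only.

    Every other packet is copied byte for byte. orig_len is preserved, so
    analysis tools still see the true wire size of each trimmed packet.
    Returns (new_pcap_bytes, untouched_count, trimmed_count).
    """
    server = IPv4Address(server_ip)
    out = bytearray(pcap[:24])
    untouched = trimmed = 0
    for ts_sec, ts_usec, orig_len, pkt in parse_pcap(pcap):
        flow = tcp_flow(pkt)
        if flow and ((flow[1] == server and flow[3] == server_port)
                     or (flow[0] == server and flow[2] == server_port)):
            pkt = pkt[:flow[4]]              # headers only, payload dropped
            trimmed += 1
        else:
            untouched += 1
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt
    return bytes(out), untouched, trimmed


# --- constructed sample traffic (checksums left zero; enough for header parsing) ---
def build_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame with minimal 20-byte IP and TCP headers."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in pcap records with increasing timestamps (constructed data)."""
    records = b"".join(struct.pack("<IIII", 1573549380 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return PCAP_GLOBAL_HDR + records


SAMPLE = build_pcap([
    build_frame("10.0.0.2", "10.0.0.1", 53000, 80, b"GET / HTTP/1.0\r\n\r\n"),  # keep in full
    build_frame("10.0.0.2", "10.0.0.9", 41000, 22, b"\x00" * 1440),            # our upload
    build_frame("10.0.0.9", "10.0.0.2", 22, 41000, b"\x00" * 32),              # collector reply
    build_frame("10.0.0.2", "10.0.0.7", 41001, 22, b"\x00" * 1440),            # other SSH: keep
])

if __name__ == "__main__":
    trimmed_pcap, untouched, trimmed = trim_upload_flow(SAMPLE, "10.0.0.9")
    print(f"{len(SAMPLE)} -> {len(trimmed_pcap)} bytes, "
          f"{untouched} packets untouched, {trimmed} trimmed to headers")
```

Matching on the collector address and port rather than on "port 22" alone is what keeps the other SSH session in the sample at full size; the same tightening applies to the tcpdump filter in the answer, where `not (host <server_ip> and port 22)` excludes only the upload flow. Note the trimmed records still carry timestamps, addresses, ports and sequence numbers, which is the connection metadata the question asks for.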