2 tcpdumps from a remote host

Question

I need to collect tcpdump from different interfaces from a remote host.
Currently I do it in the following way:

ssh remotehost "tcpdump -i iface1 -w - " > iface1_dump.pcap &
ssh remotehost "tcpdump -i iface2 -w - " > iface2_dump.pcap

I wonder if there a way to realize it in single ssh connect (maybe some complex shell redirect is a cure) to minimize packets loss while second ssh command is on its way
2 conditions:
remote host has really limited disk space, so I can't tcpdump locally on that host
tcpdump -i any affects Ethernet headers, so I can't use it

Answer 1

You create a file "SEND_DATA" on the target machine, in which you put these 2 lines:

tcpdump -i iface1 -w - | nc <IP> <PORT1>
tcpdump -i iface2 -w - | nc <IP> <PORT2>

Every machine has netcat, so it works. You mark SEND_DATA executable

Next, you open a listening port on your PC, and run the script on remote machine:

> OUT1 nc -l -p PORT1
> OUT2 nc -l -p PORT1
ssh remotehost SEND_DATA

In this moment, the files OUT1 & OUT2 will start receiving data.

You also need to consult the manuals from 2 versions of nc, because I saw that the parameters differ sometimes.

Answer 2

The two ssh's is probably the nicest method, but you could also sed 's/^/one /' on the first one, in the background, and sed 's/&/two /' on the second, and then pull them apart on the local host with "egrep '^one ' | sed 's/one //'" for example.

You could also save the output in a pair of files, and scp them back when "done".

Answer 3

ssh remotehost "tcpdump -iiface1 -w- &
                tcpdump -iiface2 -w- >&2 2>/dev/null" >iface1_dump.pcap 2>iface2_dump.pcap