Remote Network Capture with Tcpdump and NetCat

Ever need to do a tcpdump but stream the packets to a file on a remote device? This can come in handy if you are capturing from a device with a small or limited disk.

On Remote Server:

Run nc -l 32000 > /my/file/thefile.pcap
That command tells netcat to listen on port 32000 and write everything it receives to /my/file/thefile.pcap.

On Device Doing The Network Capture:

Run tcpdump -s 0 -U -n -w - -i eth1 | nc <IP> <PORT>
That command will start a TCPDUMP session on interface eth1

  • -s 0: tells TCPDUMP to capture the whole packet
  • -U: tells TCPDUMP to not wait for the buffer to fill up before sending the packet down the pipe
  • -n: tells TCPDUMP not to resolve addresses to host names
  • -w -: tells TCPDUMP to write the data to stdout in the same format as if it were writing directly to a pcap file
  • |: pipes the TCPDUMP stdout into the nc (netcat) application
  • nc <IP> <PORT>: opens an outbound connection to the IP and PORT you give; this should be the remote server's nc session you set up.

Example:

If we wanted to stream all the SIP packets from one device to our remote netcat session, we would run the following.

tcpdump -s 0 -U -w - -i eth1 port 5060 | nc 192.168.1.2 32000
That will send all packets on port 5060 to our netcat session on the remote server.
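As an added example that is not part of the original post, here is a small Python stand-in for the listener side (the nc -l 32000 > /my/file/thefile.pcap step). A bare netcat listener accepts any connection and writes whatever arrives, so this version only accepts the one sender you name, checks that the stream really starts with tcpdump's pcap header and carries sane record lengths before writing it, and counts the packets received; bind_addr, allowed_sender and the sample_stream() bytes are assumptions made for illustration.

```python
import socket
import struct

# pcap magic values tcpdump may emit, mapped to the struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond

class PcapStreamCounter:
    """Validates a pcap byte stream chunk by chunk and counts packet records."""
    def __init__(self):
        self.buf, self.endian, self.snaplen, self.packets = b"", None, None, 0
    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        if self.endian is None:  # still waiting for the 24-byte global header
            if len(self.buf) < 24:
                return
            self.endian = MAGICS.get(self.buf[:4])
            if self.endian is None:
                raise ValueError("stream does not start with a pcap header")
            self.snaplen = struct.unpack(self.endian + "I", self.buf[16:20])[0]
            self.buf = self.buf[24:]
        # 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) + data
        while len(self.buf) >= 16:
            incl_len = struct.unpack(self.endian + "I", self.buf[8:12])[0]
            if incl_len > self.snaplen:
                raise ValueError("record longer than snaplen; corrupt stream")
            if len(self.buf) < 16 + incl_len:
                break  # wait for the rest of this record
            self.buf = self.buf[16 + incl_len:]
            self.packets += 1

def receive_capture(bind_addr, port, out_path, allowed_sender):
    """Accept one connection from allowed_sender and save its validated stream."""
    counter = PcapStreamCounter()
    with socket.create_server((bind_addr, port)) as srv:
        conn, peer = srv.accept()
        with conn:
            if peer[0] != allowed_sender:
                raise PermissionError(f"rejected connection from {peer[0]}")
            with open(out_path, "wb") as out:
                while chunk := conn.recv(65536):
                    counter.feed(chunk)  # a bad stream raises before it is written
                    out.write(chunk)
    return counter.packets

def sample_stream() -> bytes:
    """Constructed 'tcpdump -s 0 -w -' output: LE header, snaplen 262144, link type 1, two 60-byte frames."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 262144, 1)
    rec = struct.pack("<IIII", 1, 0, 60, 60) + b"\x00" * 60
    return hdr + rec + rec
```

Run it on the remote server in place of the nc listener, for example receive_capture("192.168.1.2", 32000, "/my/file/thefile.pcap", "<capture device IP>"); the tcpdump | nc command on the capturing device stays exactly as shown above.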