Ever need to run a tcpdump but stream the packets to a file on a remote device? This comes in handy if you are capturing from a device with a small or limited disk.
On Remote Server:
Run nc -l 32000 > /my/file/thefile.pcap
That command tells netcat to listen on port 32000 and write everything it receives to /my/file/thefile.pcap.
On Device Doing The Network Capture:
Run tcpdump -s 0 -U -n -w - -i eth1 | nc <IP> <PORT>
That command will start a TCPDUMP session on interface eth1:
- -s 0: tells TCPDUMP to capture the whole packet
- -U: tells TCPDUMP to not wait for the buffer to fill up before sending the packet down the pipe
- -n: tells TCPDUMP not to resolve addresses to host names
- -w -: tells TCPDUMP to write the data to stdout in the same format as if it was writing directly to a pcap file
- |: pipes TCPDUMP's stdout into the nc (netcat) application
- nc <IP> <PORT>: opens an outbound connection to the IP and PORT you give; this should be the remote server's nc session you set up.
Example:
If we wanted to stream all the SIP packets from one device to our remote netcat session, we would run the following:
tcpdump -s 0 -U -w - -i eth1 port 5060 | nc 192.168.1.2 32000
That will send all packets on port 5060 to our netcat session on the remote server.
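
The first command above has no capture filter, so if eth1 is also the interface used to reach the remote server, tcpdump captures its own netcat stream and feeds it back into the capture. The following is an added example (not from the original post; the function names are hypothetical) that builds a filter excluding that stream and, on the receiving side, checks that the file starts with a pcap magic number.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Build a BPF filter that keeps the caller's filter but excludes the netcat
# stream itself, so packets sent to the collector are not captured again.
# $1 = collector IP, $2 = collector port, $3 = optional user filter
build_filter() {
    exclude="not (host $1 and tcp port $2)"
    if [ -n "$3" ]; then
        printf '(%s) and %s\n' "$3" "$exclude"
    else
        printf '%s\n' "$exclude"
    fi
}

# Capture side: same tcpdump options as in the post, plus the built filter.
# $1 = interface, $2 = collector IP, $3 = collector port, $4 = optional filter
stream_capture() {
    tcpdump -s 0 -U -n -w - -i "$1" "$(build_filter "$2" "$3" "$4")" | nc "$2" "$3"
}

# Collector side: check that the received file starts with a pcap magic number.
# Returns 0 for a classic pcap header (micro- or nanosecond, either byte order).
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (capture device):  stream_capture eth1 192.168.1.2 32000 'port 5060'
# Usage (remote server):   is_pcap /my/file/thefile.pcap && echo "looks like pcap"
```

An empty or non-pcap file on the remote server usually means the connection dropped before tcpdump wrote its file header, or something other than the capture device connected to the listening port.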