Remote Network Capture with Tcpdump and NetCat

Ever need to do a tcpdump but stream the packets to a file on a remote device. This can come in handy if you are capturing from a device with a small or limited disk.

On Remote Server:

Run nc -l 32000 > /my/file/thefile.pcap
That command tell netcat to listen on port 32000 and write everything it receives to /my/file/thefile.pcap

On Device Doing The Network Capture:

Run tcpdump -s 0 -U -n -w - -i eth1 | nc <IP> <PORT>
That command will start a TCPDUMP session on interface eth1

  • -s 0: tells TCPDUMP to capture the whole packet
  • -U: tells TCPDUMP to not wait for the buffer to fill up before sending the packet down the pipe
  • -n: tells TCPDUMP no to resolve to host names
  • -w -:tells TCPDUMP to write the data to stdout in the same format as if it was writing directly to a pcap file
  • |: redirects the TCPDUMP stdout to nc or netcat application
  • nc <IP> <PORT>: Has an outbound connection to the IP and PORT you give this should be the remote servers nc session you setup.


If we wanted to stream all the SIP packets from one device to our remote netcat session we would run the following.

tcpdump -s 0 -U -w - -i eth1 port 5060 | nc 32000
That will send all packets on port 5060 to our netcat session on the remote server.