tcpdump – How to Send Captured Traffic Directly to an Interface on Linux

linux-networkingtcpdump

I can do it using an intermediate pcap file:

tcpdump -i lo -s 0 -w out.pcap 'tcp and port 12345'
^C
tcpreplay -i eth1 out.pcap

Is it possible to skip the pcap and forward all the traffic immediately? This would be extremely useful for long-running captures, where the pcaps can grow to gigabytes in size.

Best Answer

The solution is to write the tcpdump output to stdout and have tcpreplay read from stdin:

 tcpdump -i lo -w - 'tcp and port 12345' | tcpreplay -i eth1 -

It seems that tcpreplay doesn't exit on a broken pipe, so, after closing tcpdump with Ctrl-C, you'll have to kill tcpreplay separately.

Related Solutions

Iptables – how to monitor traffic at port 53 (DNS)

You can use this command: tcpdump -n -s 1500 -i eth0 udp port 53 (Replace 'eth0' with the name of your ethernet interface, e.g. 'fxp0') This shows all packets going in and out of your machine for UDP port 53 (DNS) Source:DNS exercise 1

Tcpdump How to use it to capture all traffic headers

My best bet would be to use something like:

 tcpdump -ieth0 -s96 -w traffic.dump 'ip or icmp or tcp or udp'

Where the "tricky" part will be to chose a correct value for the "-s" (snaplen) parameter (snaplen is the maximum length of the packet tcpdump will capture).

From the tcpdump man pages:

Snarf snaplen bytes of data from each packet rather than the default of 68 (with NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.

In this example i'm using 96 to be "almost" sure that I would capture 100% of ethernet+ip+(icmp || udp || tcp) header values.

In case your traffic have IP or TCP options (i.e. timestamps) and you want to also capture this info, then you will have to play with the snaplen parameter (i.e. increase/decrease it).

In case the length of the headers of your packet is less than snaplen, you may also capture part of the payload.

Finally, to read the traffic captured, I would use something like:

tcpdump -e -nn -vv -r traffic.dump

Where the important part is to use the "-e" option so you can get the ethernet headers printed.

This page gives you an idea about the size of the ethernet/tcp/udp headers under different circumstances and may help you to arrive to a "correct" value for the snaplen parameter.

Best Answer

Related Solutions

Iptables – how to monitor traffic at port 53 (DNS)

Tcpdump How to use it to capture all traffic headers

Related Topic