Linux – Recording network traffic on one linux box, transferring it to another in real time

linux pcap tcpdump

I have a situation where I want to capture all of the network traffic on one Linux box (currently using tcpdump) but have that data transferred in real time to another Linux box on a separate (but connected) network. Essentially I have

[network I'm curious about]---[eth0. Linux box eth1]----[separate network]---[eth0 monitoring Linux box]

What I'm doing now is saving everything to a pcap and periodically transferring the pcap over to the monitoring Linux box. This works, but is highly inefficient and definitely not real time. Is there a way to make tcpdump save the pcap to a data stream I can proxy over to the monitoring box without setting up something like NFS or SMB? I consider the Linux box that is doing the tcpdump suspect at best and don't want to offer up a writable share on the monitoring box.

Any ideas?

Best Answer

On monitoring_Linux_box:

    # nc -l -k -p 1234 > /var/tmp/pcap

On Linux box:

    # tcpdump -U -w - | nc monitoring_Linux_box 1234