TCPDump – Redirect Generated PCAP File to Another Server While Capturing

Tags: nc, python, tcpdump

I was looking for a command like this, which achieves:

  1. redirect the tcpdump-generated pcap file to another server
  2. during the process of 1., use a Python script or some tool to analyze each packet.

So from the point of view of the system user, while packets are being captured, s/he could both view the packets as in Wireshark and download a pcap file. Because the analysis procedure could consume quite a lot of system resources, I hope the pcap file can be redirected to another server and the analysis run on that server. Now the problem is that the nc listener quits when tcpdump is killed (I have tried -15), while I hope the listener could keep running, because there may be several servers running tcpdump.

tcpdump -i eth0 port 8801 -w a.pcap | nc 192.168.12.5 9901

Best Answer

Set tcpdump to output raw PCAP data to standard out and utilize SSH as your transport mechanism to have that data written to a remote file on the remote analysis host, as a continuous stream.

Example:

tcpdump -i eth0 port 8801 -w - | ssh ${remote_host} "cat >> $(hostname).pcap"

In the above example, I've used $(hostname) to evaluate the hostname of the server (where tcpdump is being run) to intelligently name the remote file, but of course, adapt this to your needs (maybe include a timestamp in the name, if that's useful).

Alternative example with UNIX timestamp remote file naming:

tcpdump -i eth0 port 8801 -w - | ssh ${remote_host} "cat > $(hostname)_$(date +%s).pcap"
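The poster's second requirement, analyzing each packet while it is streamed to the remote host, can be served from the same pipe. The following is an added example, not code from the question or the answer: a Python reader that consumes raw pcap from stdin exactly as tcpdump -w - writes it (both byte orders, microsecond and nanosecond timestamps, short reads on pipes), decodes Ethernet/IPv4/TCP/UDP headers, and refuses a stream that contains a second pcap global header, which is what the first answer's `cat >>` produces when the remote file already exists (the appended file is then no longer one valid capture). The assumed pipeline on the capturing host is bash process substitution with a hypothetical script name, and tcpdump's -U (--packet-buffered) so each packet is flushed to the pipe immediately instead of sitting in a buffer:

tcpdump -i eth0 port 8801 -U -w - | tee >(ssh "$remote_host" "cat > $(hostname)_$(date +%s).pcap") | python3 pcap_stream.py

The three-packet capture built by build_sample_pcap() is constructed for the demo and is not real traffic.

```python
"""Stream-parse pcap records as tcpdump writes them (added example, not from the original post)."""
import io
import struct
import sys
from typing import BinaryIO, Iterator, Optional, Tuple

# Magic read little-endian from the first 4 bytes -> (struct byte order, timestamp ticks per second).
_MAGICS = {0xA1B2C3D4: ("<", 1_000_000), 0xA1B23C4D: ("<", 1_000_000_000),
           0xD4C3B2A1: (">", 1_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}
LINKTYPE_ETHERNET = 1
Packet = Tuple[float, int, bytes]  # (timestamp, linktype, frame bytes)


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    """Read n bytes, looping because a pipe may hand back short reads."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def iter_packets(stream: BinaryIO) -> Iterator[Packet]:
    """Yield (timestamp, linktype, frame) per record; stop at EOF on a record boundary."""
    hdr = _read_exact(stream, 24)  # global header: magic, version, tz, sigfigs, snaplen, linktype
    if len(hdr) < 24:
        raise ValueError("short pcap global header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap stream (magic {magic:#010x})")
    order, ticks = _MAGICS[magic]
    snaplen, linktype = struct.unpack(order + "II", hdr[16:])
    while True:
        rec = _read_exact(stream, 16)
        if not rec:
            return  # writer closed the pipe cleanly
        if len(rec) < 16:
            raise ValueError("truncated record header (capture cut mid-record)")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        # 'cat >>' onto an existing .pcap leaves a second global header mid-file; its magic
        # lands where ts_sec should be (a 2056 timestamp, so unambiguous in practice).
        if ts_sec in _MAGICS:
            raise ValueError("second pcap global header in stream: was the file appended to?")
        if incl_len > orig_len or incl_len > max(snaplen, 262144):
            raise ValueError(f"corrupt record header: incl_len={incl_len} orig_len={orig_len}")
        frame = _read_exact(stream, incl_len)
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec + ts_frac / ticks, linktype, frame


def summarize(linktype: int, frame: bytes) -> Optional[Tuple[str, int, str, int, int]]:
    """Decode Ethernet/IPv4/{TCP,UDP} headers to (src, sport, dst, dport, proto), else None."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4  # IHL gives the IPv4 header length
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, sport, dst, dport, proto


def packets_from_bytes(data: bytes) -> list:
    return list(iter_packets(io.BytesIO(data)))


def pcap_error(data: bytes) -> Optional[str]:
    """None if the capture parses end to end, else why not (handy to run on the remote .pcap)."""
    try:
        packets_from_bytes(data)
        return None
    except ValueError as exc:
        return str(exc)


def _frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header (sample input)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes(12) + b"\x08\x00" + ip + l4 + payload


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed capture: a request/reply on port 8801 plus one DNS query (sample input only)."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    frames = [_frame("10.0.0.7", "192.168.12.5", 6, 51000, 8801, b"hello"),
              _frame("192.168.12.5", "10.0.0.7", 6, 8801, 51000, b"hi"),
              _frame("10.0.0.7", "10.0.0.53", 17, 40000, 53, bytes(12))]
    for i, f in enumerate(frames):
        out += struct.pack(order + "IIII", 1_700_000_000 + i, 250_000, len(f), len(f)) + f
    return out


if __name__ == "__main__":  # piped: read the live tcpdump stream; interactive: demo on the sample
    source = sys.stdin.buffer if not sys.stdin.isatty() else io.BytesIO(build_sample_pcap())
    for ts, lt, frame in iter_packets(source):
        print(f"{ts:.6f}", summarize(lt, frame) or f"{len(frame)}-byte non-IPv4 frame")
```

Two practical notes. The reader stops cleanly only when tcpdump closes the pipe between records, so killing tcpdump with SIGTERM (the -15 the poster tried) is the right way to end a capture; a SIGKILL can cut a record in half and the reader reports that rather than guessing. On the analysis host, running pcap_error() over the received file before handing it to heavier tooling catches both the appended-header case and a transfer that died mid-record.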