Wednesday, April 21, 2010

Monitoring remote traffic with tcpdump and netcat

Need to sniff traffic on a remote interface? Working with limited resources (e.g. no hard drive, 133 MHz processor, etc.)? tcpdump and netcat are here to help.

on the remote machine:
[root@haxed]# tcpdump -s 0 -U -n -w - -i eth0 not host local_ip | nc local_ip 9999
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

on a local machine:
[root@haxor]# nc -l -p 9999 > temp.pcap

The "-s" tells tcpdump how many bytes of each packet to record (0 meaning the entire packet).

"-U" tells tcpdump to write each packet to the pipe as soon as it is captured, instead of waiting for the output buffer to fill.

"-n" prevents tcpdump from converting addresses (i.e., host addresses, port numbers, etc.) to names.

Then, instead of writing to an output file, "-w -" writes the capture to stdout and the pipe hands it to netcat. The same binary format normally saved to a file comes out the other end of the netcat session, so you can fire up Wireshark or something similar on temp.pcap. It should be said you can run Wireshark on temp.pcap while netcat is still writing to it. You won't end up with a streaming remote capture, but clicking the refresh button once in a while is a small price to pay for convenience. It is also handy that, since you're piping the capture out through netcat, little to nothing gets written to disk on the remote side, making this possible on very modest hardware (e.g. dd-wrt routers).

The "not host local_ip" will filter out any traffic between the two machines, including the traffic necessary to send the dump across. Sometimes you'll want some of this traffic, just not the dump (no one likes redundancy).

In these situations, narrow down tcpdump's BPF expression to something like:
[root@haxed]# tcpdump -s 0 -U -n -w - -i eth0 not dst port 8888 and not src port 8888 | nc local_ip 8888

That's usually alright (connections to or from port 8888 get filtered out, in both directions, while everything else between the two hosts is kept). If finer-grained control over the filtering is needed, tcpdump's BPF expressions can get pretty specific.
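Two things are worth checking on the receiving side: that what netcat wrote is really the pcap stream "-w -" should produce (and that "-s 0" took effect, i.e. snaplen is the full 65535 reported above), and that the BPF filter actually kept the dump transport itself out of the capture. The script below is an added example, not code from the original post. It walks a classic pcap file even while netcat is still appending to it (a partially written last record is reported rather than treated as corruption), and counts any packets that involve the dump port. The dump port (DUMP_PORT = 9999, from the first example), the little-endian layout and the sample frames are assumptions constructed here for illustration.

```python
"""Sanity-check a pcap produced by `tcpdump -w - | nc`, even mid-transfer.

Added example, not from the original post.  Assumes the classic pcap format
tcpdump -w writes (magic 0xa1b2c3d4, Ethernet link type 1) and that
DUMP_PORT is the port the nc listener is using.
"""
import socket
import struct

LINKTYPE_ETHERNET = 1
DUMP_PORT = 9999      # assumption: the listener port from the first example
FULL_SNAPLEN = 65535  # what `tcpdump -s 0` reports as its capture size above


def make_tcp_packet(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero on purpose."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dummy MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen=FULL_SNAPLEN):
    """Constructed little-endian pcap, laid out like tcpdump -w on an x86 host."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1271865600 + i, 0, len(frame), len(frame)) + frame
    return out


def endpoints(frame):
    """Return (src, dst, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return (src, dst, None, None)
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, dst, sport, dport)


def scan_pcap(data, dump_port=DUMP_PORT):
    """Walk the stream; tolerate a last record that netcat has not finished writing."""
    if len(data) < 24:
        raise ValueError("stream too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # usec / nsec, little-endian
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # usec / nsec, big-endian
        e = ">"
    else:
        raise ValueError("not a pcap stream (magic %#x)" % magic)
    _, _, _, _, _, snaplen, linktype = struct.unpack(e + "IHHiIII", data[:24])
    report = {"snaplen": snaplen, "full_packets": snaplen >= FULL_SNAPLEN,
              "ethernet": linktype == LINKTYPE_ETHERNET,
              "packets": 0, "truncated_tail": False, "dump_leaks": 0}
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):                  # record header still in flight
            report["truncated_tail"] = True
            break
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:                 # record body still in flight
            report["truncated_tail"] = True
            break
        report["packets"] += 1
        ep = endpoints(frame)
        if ep and dump_port in ep[2:]:            # the filter should have dropped these
            report["dump_leaks"] += 1
        pos += 16 + incl_len
    return report


# Constructed sample: two wanted packets, one packet of the dump transport that a
# bad filter let through, then a record cut off as if nc were still writing it.
SAMPLE = build_pcap([
    make_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.0\r\n"),
    make_tcp_packet("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n"),
    make_tcp_packet("10.0.0.5", "10.0.0.2", 51234, DUMP_PORT, b"\x00" * 8),
]) + struct.pack("<IIII", 1271865603, 0, 60, 60) + b"\x00" * 20

if __name__ == "__main__":
    print(scan_pcap(SAMPLE))
```

On a real transfer, run `scan_pcap(open("temp.pcap", "rb").read())`: a non-zero "dump_leaks" means the BPF expression is not excluding the netcat session (the capture is feeding back on itself), "full_packets" False means "-s 0" was not honoured, and "truncated_tail" True simply means netcat has not finished the current record yet.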

It should be said though:
  • Traffic is not encrypted
netcat sends the dump across in the clear, so anyone between the two machines can read it. If you're trying to sniff sensitive data and would prefer everyone in the middle to remain clueless, consider using socat or redirection over ssh instead.
