on the remote machine:
[root@haxed]# tcpdump -s 0 -U -n -w - -i eth0 not host local_ip | nc local_ip 9999
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
on a local machine:
[root@haxor]# nc -l -p 9999 > temp.pcap
The "-s" tells tcpdump how many bytes into a packet to record (0 being the entire packet)
"-U" tells tcpdump to not wait for the output buffer to fill before sending it across the pipe.
"-n" prevents tcpdump from converting addresses (i.e., host addresses, port numbers, etc.) to names.
Then, instead of writing to an output file "-w - |" redirects that into netcat. Meaning the same binary format normally saved to a file comes out the other end of the netcat session, making it easy to fire up Wireshark or something similar on temp.pcap.. It should be said you can run Wireshark on temp.pcap while netcat is still writing to it. You won't end up with a streaming remote capture, but clicking the refresh button once in a while is a small price to pay for convenience. This is also handy that since you're piping it out through netcat, little to nothing gets written to disk, making this possible on very modest hardware (e.g. dd-wrt routers).
The "not host your_ip" will filter out any traffic between the two machines. Including the traffic neccessary to send the dump across. sometimes you'll want some of this traffic, just not the dump (no one likes redundancy).
In these situations narrow down
tcpdump's BPF expressions to something like:
[root@haxor]#tcpdump -i eth0 not dst port 8888 and not src port 8888 | nc local_ip 8888
That's alright usually.. (connections to/from any port 8888 get filtered)
If finer-grain control over traffic filtering is needed. Luckily, tcpdump's BPF expressions can get pretty specific..
It should be said though:
- Traffic is not encrypted