I want to have tcpdump write raw packet data into a file and also display packet analysis into standard output as the packets are captured (by analysis I mean the lines it displays normally when -w is missing).
Can anybody please tell me how to do that?
Here's a neat way to do what you want:
tcpdump -w - -U | tee somefile | tcpdump -r -
What it does:
-w - tells tcpdump to write binary data to stdout
-U tells tcpdump to write each packet to stdout as it is received, rather than buffering them and outputting in chunks
tee writes that binary data to a file AND to its own stdout
-r - tells the second tcpdump to get its data from its stdin
Since tcpdump 4.9.3 4.99.0, the --print option can be used:
tcpdump -w somefile --print
Wednesday, December 30, 2020, by mcr#sandelman.ca, denis and fxl.
Summary for 4.99.0 tcpdump release
[...]
User interface:
[...]
Add --print, to cause packet printing even with -w.
tcpdump ${ARGS} &
PID=$!
tcpdump ${ARGS} -w ${filename}
kill $PID
If you want a way to do it without running tcpdump twice, consider:
sudo tcpdump port 80 -w $(tty) | tee /tmp/output.txt
From the interactive command prompt you could use $TTY instead of $(tty) but in a script the former wouldn't be set (though I'm not sure how common it is to run tcpdump in a script).
Side-note: it's not very Unix-y the way tcpdump by default makes you write to a file. Programs should by default write to stdout. Redirection to a file is already provided by the shell constructs. Maybe there's a good reason tcpdump is designed this way but I don't know what that is.
Related
I am looking for some solution to stop capturing the tcpdump packet after it capture a specified size .I am using the below command to achieve this but it looks like the tcpdump is not writing all the captured packet to the specified file(myfile.pcap).
sudo tcpdump -i en0 -C 10 -W 1 -z ./stop-tcpdump.sh -w myfile.pcap -K -n
cat stop-tcpdump.sh
#!/bin/sh
TCP_EXECUTABLE="tcpdump"
pid=$(pidof ${TCP_EXECUTABLE})
sudo kill -2 $pid
The easiest solution for tcpdump is probably just to increase -W 1 to -W 2. This will cause a 2nd capture file to begin to be written, but the 1st file of 10MB will remain fully intact instead of getting truncated, because the tcpdump instance won't necessarily be killed due to timing issues before that happens.
Alternatively, you could switch to using dumpcap or tshark, both of which support an explicit -a filesize:value option, so no post-rotate kill script is needed. Note that unlike tcpdump's -C option, this option expects the value in units of kB, not MB.
I have a command which out outputs certain data which i store in a ext file using a '>>' command.Now Instead of doing that I want to have a socket or a port on any server which will catch the output of the command.Basically i want to output all my script data to a socket or url which ever is possible.
Any help in this direction is most welcomed.
You can use socat to listening on a port 12345 and echo any data sent to it like this:
socat -u TCP-LISTEN:12345,keepalive,reuseaddr,fork STDOUT
If you want to capture it to a file as well (file.log), you can use the same command with tee:
socat -u TCP-LISTEN:12345,keepalive,reuseaddr,fork STDOUT | tee file.log
You can run your program to output to bash's TCP virtual device:
./prog > /dev/tcp/localhost/12345
If you don't want to use bash magic then you can also use socat to send the data:
./prog | socat - TCP-CONNECT:localhost:12345
The above example assume you are running your program and "logger" on the same system but you can replace "localhost" with the hostname or address of the system you wish to send to (where the socat is listening).
I am using linux pc and installed tshark . And have to capture packets in eth1 interface using TCL script. But tshark is running in root mode. Capturing and script running pc's are same. How to login as root and how to run tshark commands using TCL ? Please provide me a solution for this.
#!/usr/bin/tclsh
set out [exec tshark -V -i eth1 arp -c 1 ]
puts $out
Output
test#test:~$ tclsh pcap.tcl
Capturing on eth1
tshark: The capture session could not be initiated (eth1: You don't have permission to capture on that device (socket: Operation not permitted)).
Please check to make sure you have sufficient permissions, and that you have the proper interface or pipe specified.
0 packets captured
while executing
"exec tshark -V -i eth1 arp -c 1 "
invoked from within
"set out [exec tshark -V -i eth1 arp -c 1 ]"
(file "pcap.tcl" line 5)
test#test:~$
please try below steps and also refer this link http://packetlife.net/blog/2010/mar/19/sniffing-wireshark-non-root-user/
root#test:/usr/bin# setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
root#test:/usr/bin# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
root#test:/usr/bin# exit
exit
test#test:/usr/bin$ tshark -V -i eth1
Capturing on eth1
Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Aug 8, 2013 13:54:27.481528000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
You have to either elevate the privileges of your tshark process via sudo (or any other available means) or run your whole script with elevated privileges.
One way to do that which might be simpler than sudo as it would require zero customizations is to write a super-simple C program which would just run /usr/bin/tshark with the necessary arguments and then make that program setuid root and distribute along with your Tcl program. That is only needed if you need portability. Otherwise sudo is much simpler.
Running in bash under Ubuntu:
I have a source that generates me some output, but not straight away. Let's assume it is a first netcat listening on a socket: netcat -l 12345.
And I would like to pipe it to an outgoing netcat (connecting over TCP), e.g. netcat -l 12345 | netcat localhost 54321. But the tricky bit is, that I know there is nothing listening for that incoming connection on localhost 54321 when I run the command, but I know there will be one when the first actual character arrives through the pipe.
So my question is: is there a way either:
to delay the execution of the outgoing netcat until the first character arrives into the pipe, or
to delay the outgoing netcat from trying to establish the TCP connection until it receives the first character on its standard input? (no straight option for that in man, switching to UDP is not acceptable)
Thanks in advance!
Edit: In reality, the source is more complex than a netcat, namely it is a listening netcat piped through all sort of stream modification.
Using the research you already did and that I commented to (by not knowing it was an answer to your own question), here is the full delayed_netcat.sh:
#!/bin/bash
read line
netcat "${#}" < <(echo $line ; cat)
This first waits for a line of input and later prepends that line using a simple echo to the "newly generated" input to the actual netcat. The rest of stdin is just redirected using cat which slurps it from stdin and adds it to the input of netcat. It also supports passing commandline options and arguments to the "real" netcat.
The usage is as follows:
netcat -l 12345 | cmd1 | cmd2 | ... | ./delayed_netcat.sh localhost 54321
The netcat is delayed till the first line is read. If you really want to start it after the first character is read the parts with read and echo need some rewrite.
Port Forwarding or Port Mapping with netcat:
ncat -l -p 12345 -c 'ncat localhost 54321'
Using socat:
socat TCP4-LISTEN:12345 TCP4:localhost:54321
This command exits after the first connection is done.
I have found an answer to my question, but it is awful... so still looking for something better.
netcat -l 12345 | gawk '(NR==1){print""}{print;fflush()}' | ./delayed_netcat.sh
where ./delayed_netcat.sh:
#!/bin/sh
read line
netcat localhost 12345
So the read line delays the netcat localhost 12345 by waiting for and consuming the first input line, and I use gawk '(NR==1){print""}{print;fflush()}' to insert an empty line just before the first record... I'm sure there is room for much improvement to that!
I'm creating a TCP/IP interface to a serial device on a redhat linux machine. netcat in a bash script was used to accomplish this with out to much trouble.
nc -l $PORT < $TTYDEVICE > $TTYDEVICE
The problem is that the serial device uses carriage returns('\r') for line ends in its responses. I want to translate this to ("\r\n") so windows machines telneting in can view the response without any trouble. I'm trying to figure out how to go about this with a simple bash solution. I also have access to stty to configure the serial device, but there is no "\r" to "\r\n" translate on the input side(from what I can tell).
I did try to use tr on the input side of netcat, but it didn't work.
#cat $TTYDEVICE | tr '\r' '\r\n' | nc -l $PORT > $TTYDEVICE
Any ideas?
Your problem is that the client that connects to $PORT probably does not have a clue that it is working with a tty on the other side, so you will experience issues with tty-specific "features", such as ^C/^D/etc. and CRLF.
That is why
socat tcp-listen:1234 - | hexdump -C
telnet localhost 1234
[enter text]
will show CRLFs, while
ssh -t localhost "hexdump -C"
[enter text]
yields pure LFs. Subsequently, you would e.g. need
ssh -t whateverhost "screen $TTYDEVICE"
tl;dr: netcat won't do it.
This is overly difficult with standard tools, but pretty easy in perl (although perl is pretty much a standard tool these days):
perl -pe 's/\r/\r\n/g'
The version above will likely read the entire input into memory before doing any processing (it will read until it finds '\n', which will be the entire input if the input does not contain '\n'), so you might prefer:
perl -015 -pe '$\="\n"'
There are a number of versions of netcat (GNU and BSD) but you might want to try:
-C Send CRLF as line-ending