Remote packet capture with tcpdump and nc

A while back I saw IppSec performing a remote packet capture using tcpdump and piping it to Wireshark for live analysis. I thought that could be useful to do on a home router, saving the packets to a Raspberry Pi on the same LAN for later analysis. There are two reasons why I wanted to save the packets remotely:

  1. if the pcap file grows too big, the router may not have enough space to handle it and may stop recording, reboot or even brick
  2. if the ISP pushes an update and the router is rebooted, I may lose the capture file, or even access to the router; as a bonus, I can see what the update is about

The setup is straightforward, but I couldn't find an exact answer for it. I needed to be able to send and listen for these packets on multiple interfaces, with multiple capture rules, in the background, for an indefinite amount of time and without having to stop the capture to analyze the results.

1. RaspberryPi

On the Raspberry Pi, open a new screen, start an nc listener on an arbitrary port (4444 for example) and then detach the screen. Create one screen listener for each pcap file that needs to be recorded.

pi@raspberrypi:~ $ screen 
pi@raspberrypi:~ $ nc -l -v -p 4444 > /home/pi/router_traffic/ISP
pi@raspberrypi:~ $ ctrl + a + d

pi@raspberrypi:~ $ screen 
pi@raspberrypi:~ $ nc -l -v -p 4445 > /home/pi/router_traffic/WAN_cleartext
pi@raspberrypi:~ $ ctrl + a + d

Once done, we can check all the active listeners

pi@raspberrypi:~ $ ps aux | grep nc
root        65  0.0  0.0      0     0 ?        S<   Apr10   0:00 [vchiq-sync/0]
systemd+   299  0.0  0.5  22368  5488 ?        Ssl  Apr10   0:07 /lib/systemd/systemd-timesyncd
pi        2963  0.0  0.0   7348   484 pts/0    S+   13:02   0:00 grep --color=auto nc
pi        4032  0.0  0.0   2704   612 pts/1    S+   Apr10   1:06 nc -lvnp 4444
pi        4221  0.0  0.0   2704   620 pts/2    S+   Apr10   0:16 nc -lvnp 4445

2. Router

On the router, we echo the tcpdump command into a temporary file and start it in the background. We pipe the tcpdump packets to nc, which sends them to the Raspberry Pi (192.168.0.73) on the previously opened port.

bash-3.2# cd /tmp
bash-3.2# echo "tcpdump -l -nn -i privbr -U -w - | /tmp/tools/nc -vv -n 192.168.0.73 4444" > dump_isp.sh
bash-3.2# bash dump_isp.sh &

bash-3.2# cd /tmp
bash-3.2# echo "tcpdump -l -nn -i wanbridge -U -w - port '(80 or 53)' | /tmp/tools/nc -vv -n 192.168.0.73 4445" > dump_cleartext.sh
bash-3.2# bash dump_cleartext.sh &

Once done, we can check all active tcpdump sessions running

bash-3.2# ps ax| grep tcpdump
Unknown HZ value! (94) Assume 100.
17296 ?        S      4:28 tcpdump -l -nn -i wanbridge -U -w - port (80 or 53)
18140 ?        S      3:56 tcpdump -l -nn -i privbr -U -w -

3. Wireshark

Now, at any moment we can open the pcap files from the Raspberry Pi in Wireshark and analyze the traffic up to that moment. This has the advantage that it can run indefinitely and requires no maintenance at all (unless the router is rebooted, in which case the tcpdump processes are killed).

Here we can see some SNMP (management protocol) traffic between the ISP and the router.
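As an added example (not from the original post), a small set of shell helpers for this setup: one builds the router-side command with a filter that also excludes the nc stream itself, because when the capture interface is the one that carries the stream to the Pi, tcpdump records its own output and the pcap grows without bound; the other checks that a file received on the Pi starts with a valid pcap magic number, so an empty or truncated capture is noticed before it is opened in Wireshark. It assumes nc is on PATH (the post uses /tmp/tools/nc on the router); the sample pcap header is constructed for offline testing.

```shell
# Added example, not from the original post. Helpers for the tcpdump | nc setup.
# Assumption: nc is on PATH (the post uses /tmp/tools/nc on the router).

# Build the router-side capture command. The BPF filter excludes the nc
# stream that carries the capture itself: when the capture interface also
# reaches the Pi, tcpdump would otherwise record its own output and the
# pcap would grow without bound (a feedback loop).
build_capture_cmd() {
  iface=$1; pi_host=$2; pi_port=$3; user_filter=$4
  self="not (host $pi_host and tcp port $pi_port)"
  if [ -n "$user_filter" ]; then
    filter="($user_filter) and $self"
  else
    filter="$self"
  fi
  # Single quotes keep the parentheses away from the shell, as in the post.
  printf "tcpdump -l -nn -i %s -U -w - '%s' | nc -vv -n %s %s\n" \
    "$iface" "$filter" "$pi_host" "$pi_port"
}

# Check that a file received on the Pi starts with a pcap magic number
# (little- or big-endian, microsecond or nanosecond variant), so an empty
# or truncated capture is noticed before opening it in Wireshark.
pcap_magic_ok() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
    *) return 1 ;;
  esac
}

# Write a constructed 24-byte pcap global header (LE magic, version 2.4,
# snaplen 262144, linktype 1 = Ethernet) to $1, to exercise the check offline.
write_sample_pcap_header() {
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\000\004\000\001\000\000\000' > "$1"
}

# Usage: build_capture_cmd privbr 192.168.0.73 4444 ""
#        build_capture_cmd wanbridge 192.168.0.73 4445 "port (80 or 53)"
#        pcap_magic_ok /home/pi/router_traffic/ISP && echo "valid pcap header"
```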

