It will fill /var/tmp, filling the temp filesystem, PIDs will no longer be created, and the system will fall over.
Not the answer I hoped for but definitely good to know. Thank you!
Do you have a linux box on your network ?
I know there are funky ways to pipe data via netcat and others to get a tcpdump writing to a remote server.
No just windows... I've used Wireshark to capture on the server but capturing on the firewall has proven more useful since we can see VPN traffic, etc.
if you have an ssh client, this will give you all the traffic on the box
ssh root@utm-device "tcpdump -s1500 -ni any -w - ! port 22" > all.pcap
the port-22 bit avoids logging the packets belonging to the ssh session itself.
ssh with blowfish is supposed to be faster: ssh -c blowfish ....
ssh for windows is easy to get via cygwin.org, or you can use putty, which provides the 'plink' command-line utility.
i.e. crank a cmd.exe 'command' shell (Run -> cmd.exe) or similar.
plink root@utm-device "......." > capture.pcap
It may say "Using keyboard-interactive authentication" but not give you an actual password prompt as such - just type the password at that stage and it should be fine.
You could open a port on the device to spit out the relevant capture.
BEWARE - DANGER - CAREFUL!!!
This does require some care to make sure you are not providing tcpdump capabilities to the internet of course, so use some appropriate firewall rules with this.
2001 stream tcp nowait root /bin/tcpdump -n -i eth1 -w -
[put your favorite tcpdump command in there of course, this is just a sample]
then nc to the device:2001, tcpdump will be kicked off - voila!
'nc' is 'netcat' - but any similar tool will do. cygwin has netcat of course - but there are also other ways of getting it on windows I'm sure - google is your friend..
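As an added illustration of the two approaches above (not code from the thread or from any UTM vendor), the script below wraps the ssh pull-capture in a shell function and adds the sanity check a practitioner wants after either redirect: confirming that the file written by `> all.pcap` (or by the netcat variant) actually starts with a libpcap magic number rather than an error message from ssh or tcpdump. Assumptions: the hostname `utm-device`, root login over ssh, tcpdump on the remote PATH, and a packet count passed with `-c` so the remote command ends on its own and ssh returns. The optional capture-host argument is a constructed address used to narrow the filter to the ssh session only.

```shell
#!/bin/sh
# Added example, not from the forum thread. Pull a tcpdump capture over ssh,
# exclude the ssh session itself from the capture, and verify the result.

# Build the remote tcpdump command line.
# Like the thread's "! port 22", the filter keeps the capture from feeding on
# its own ssh traffic; when the capturing machine's address is known, only
# that session is excluded so other port-22 traffic stays visible.
# The filter is single-quoted so the remote shell passes the parentheses
# to tcpdump instead of treating them as subshell syntax.
build_remote_cmd() {
    iface="$1"         # interface, e.g. any or eth1
    count="$2"         # stop after this many packets so ssh returns
    capture_host="$3"  # address of the machine running ssh (optional, constructed in tests)
    if [ -n "$capture_host" ]; then
        filter="not (host $capture_host and port 22)"
    else
        filter="not port 22"
    fi
    printf "tcpdump -s 1500 -ni %s -c %s -w - '%s'" "$iface" "$count" "$filter"
}

# Return 0 if the file begins with a libpcap magic number (either byte order,
# microsecond or nanosecond variant). A redirect that caught
# "FATAL ERROR: ..." or "tcpdump: socket: Operation not permitted" fails here,
# which is cheaper than opening a broken file in Wireshark.
pcap_magic_ok() {
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the capture: ssh to root@host, redirect the pcap stream to "$out",
# then check that what arrived is really pcap data.
remote_capture() {
    host="$1"; iface="$2"; count="$3"; out="$4"; me="$5"
    cmd=$(build_remote_cmd "$iface" "$count" "$me")
    ssh "root@$host" "$cmd" > "$out" || return 1
    pcap_magic_ok "$out"
}

# Example invocation (hostname and address are assumptions):
# remote_capture utm-device any 500 all.pcap 192.168.0.10 && echo "capture ok"
```

Using `-c` matters with plink on Windows: without a packet limit the remote tcpdump only stops when the session is torn down, and the pcap file may end mid-packet. The magic check is equally useful for the inetd/netcat variant, since `nc device 2001 > capture.pcap` will happily save whatever the service returned, including nothing.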
Please excuse my inexperience with this but I'm not getting very far here. Here's what I did:
C:\>plink -ssh email@example.com "tcpdump -s1500 -ni any -w - ! port 22"
I kept the >capture.pcap redirect off for now so I could see the output but after about 15 seconds I get this message:
FATAL ERROR: Network error: Network is unreachable
Not sure why it wouldn't be reachable... it's configured as my gateway and is pingable.
ssh firstname.lastname@example.org "tcpdump -s 1500 -ni any ! port 22"
works for me where 192.168.0.254 is the UTM LAN IP
ssh email@example.com "tcpdump -s 1500 -ni any -w - ! port 22" > all.pcap
writes out in pcap format so wireshark can read it if you prefer.
Try the lines above...I fixed a typo
Thank you for all your help... I still got the same error when it dawned on me that the firewall might be rejecting the connection. Checked the incoming access and sure enough SSH was off so I turned that on for LAN access and got further than I had before:
C:\>plink -v -ssh firstname.lastname@example.org "tcpdump -s 1500 -ni any -w - ! port 22" > all.pcap
Server version: SSH-2.0-OpenSSH_3.7.1p2
We claim version: SSH-2.0-PuTTY_Release_0.60
Using SSH protocol version 2
Keyboard-interactive authentication refused
Opened channel for session
Started a shell/command
tcpdump: socket: Operation not permitted
Server sent command exit status 1
Disconnected: All channels closed
As highlighted in the output I'm getting this error: tcpdump: socket: Operation not permitted
I just tried to reproduce your problem without any success - are you using the actual root user, or a different username and sanitizing the output here? Using a different user could certainly lead to this sort of problem, even if they otherwise have admin access.
Incidentally, if you want to avoid having to type the password in without a prompt all the time, use the "-pw passwordgoeshere" switch for plink.