14 Replies, latest reply on Feb 3, 2010 12:52 PM by jpm12345

    Packet Capture

      Device: SecureComputing/SG570 Version 3.1.5u4


      I need to do a long running packet capture to watch for an event... obviously there is limited memory for capturing packets.  My question is if I start to fill that RAM will:


      a. The capture stop.

      b. The capture discard old packets and accept new packets.

      c. The capture step all over memory used for other things.

      d. Something else


      Thanks - J

        • 1. Re: Packet Capture

          option c


          It will fill /var/tmp, filling the temp filesystem, PIDs will no longer be created, and the system will fall over.

          • 2. Re: Packet Capture

            Not the answer I hoped for but definitely good to know.  Thank you!


            Message was edited by: jpm12345 on 1/20/10 4:02:22 PM CST
            • 3. Re: Packet Capture

              Do you have a Linux box on your network?


              I know there are funky ways to pipe data via netcat and others to get a tcpdump writing to a remote server.

              • 4. Re: Packet Capture

                No just windows... I've used Wireshark to capture on the server but capturing on the firewall has proven more useful since we can see VPN traffic, etc.

                • 5. Re: Packet Capture

                  If you have an ssh client, this will give you all the traffic on the box:

                     ssh root@utm-device "tcpdump -s1500 -ni any -w - ! port 22" > all.pcap

                  The "! port 22" bit avoids logging the packets belonging to the ssh session itself.

                  ssh with blowfish is supposed to be faster: ssh -c blowfish ....


                  ssh for windows is easy to get via cygwin.org, or you can use putty, which provides the 'plink' command-line utility.

                  i.e. crank a cmd.exe 'command' shell (Run -> cmd.exe) or similar.

                  then

                    plink root@utm-device "......." > capture.pcap

                  It may say "Using keyboard-interactive authentication" but not give you an actual password prompt as such - just type the password at that stage and it should be fine.


                  You could open a port on the device to spit out the relevant capture.

                  BEWARE - DANGER - CAREFUL!!!

                  This does require some care to make sure you are not providing tcpdump capabilities to the internet of course, so use some appropriate firewall rules with this.


                  edit /etc/config/inetd.conf
                      2001 stream tcp nowait root /bin/tcpdump -n -i eth1 -w -

                  [put your favorite tcpdump command in there of course, this is just a sample]


                  then nc to the device:2001, tcpdump will be kicked off - voila!


                  'nc' is 'netcat' - but any similar tool will do. cygwin has netcat of course - but there are also other ways of getting it on Windows I'm sure - Google is your friend.


                  Enjoy.
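                  Added example (not from this thread or the SG570 firmware): a small Python ring-buffer writer for the stream that "tcpdump -w -" sends down the ssh pipe above. It parses the pcap stream record by record on the workstation and rotates it into a bounded set of files, each with its own pcap header so Wireshark can open it, which gives a long-running capture option b (discard old, keep new) instead of filling the device's /var/tmp. The sample stream is constructed in the block, and the 400-byte / 2-file limits in demo() are assumptions chosen to stay small.

```python
import io, os, struct, tempfile

GLOBAL_HDR_LEN = 24  # pcap file header
REC_HDR_LEN = 16     # per-packet header: ts_sec, ts_usec, incl_len, orig_len
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap only


def rotate_pcap_stream(stream, out_dir, max_bytes, max_files):
    """Split a pcap byte stream into files of at most max_bytes each and keep
    only the newest max_files (the oldest file is deleted). Every file gets
    its own copy of the global header. Returns surviving paths, oldest first."""
    hdr = stream.read(GLOBAL_HDR_LEN)
    endian = MAGIC.get(hdr[:4])
    if len(hdr) != GLOBAL_HDR_LEN or endian is None:
        raise ValueError("input is not a classic pcap stream")
    kept, seq, out, size = [], 0, None, 0
    while True:
        rec = stream.read(REC_HDR_LEN)
        if len(rec) < REC_HDR_LEN:
            break  # end of stream (e.g. the ssh session closed)
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        data = stream.read(incl_len)
        if len(data) < incl_len:
            break  # truncated final record: drop it so the file stays readable
        if out is None or size + REC_HDR_LEN + incl_len > max_bytes:
            if out is not None:
                out.close()
            path = os.path.join(out_dir, "capture-%04d.pcap" % seq)
            out = open(path, "wb")
            out.write(hdr)  # each file must start with the pcap global header
            size, seq = GLOBAL_HDR_LEN, seq + 1
            kept.append(path)
            if len(kept) > max_files:
                os.remove(kept.pop(0))  # ring buffer: discard the oldest file
        out.write(rec + data)
        size += REC_HDR_LEN + len(data)
    if out is not None:
        out.close()
    return kept


def build_sample_stream(n_packets, payload_len):
    """Constructed test input: little-endian pcap header plus n dummy records."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    recs = b"".join(struct.pack("<IIII", i, 0, payload_len, payload_len)
                    + bytes([i % 256]) * payload_len for i in range(n_packets))
    return io.BytesIO(hdr + recs)


def demo():  # 10 constructed 100-byte packets, 400-byte files, keep the newest 2
    with tempfile.TemporaryDirectory() as d:
        paths = rotate_pcap_stream(build_sample_stream(10, 100), d, 400, 2)
        return [(os.path.basename(p), os.path.getsize(p)) for p in paths]
```

                  To use it on the real pipe, call rotate_pcap_stream(sys.stdin.buffer, ...) from a small wrapper fed by the ssh or plink command above, with limits sized to the disk you can spare.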

                  • 6. Re: Packet Capture

                    Please excuse my inexperience with this but I'm not getting very far here.  Here's what I did:


                    C:\>plink -ssh root@192.168.1.1 "tcpdump -s1500 -ni any -w - ! port 22"


                    I kept the >capture.pcap redirect off for now so I could see the output but after about 15 seconds I get this message:


                    FATAL ERROR: Network error: Network is unreachable


                    Not sure why it wouldn't be reachable... it's configured as my gateway and is pingable.

                    • 7. Re: Packet Capture

                      ssh root@192.168.0.254 "tcpdump -s 1500 -ni any ! port 22"


                      works for me where 192.168.0.254 is the UTM LAN IP


                      Tom's example


                      ssh root@192.168.0.254 "tcpdump -s 1500 -ni any -w - ! port 22" > all.pcap


                      writes out in pcap format so wireshark can read it if you prefer.


                      Try the lines above... I fixed a typo.

                      • 8. Re: Packet Capture

                        Thank you for all your help... I still got the same error when it dawned on me that the firewall might be rejecting the connection.  Checked the incoming access and sure enough SSH was off so I turned that on for LAN access and got further than I had before:


                        C:>plink -v -ssh root@192.168.1.1"tcpdump -s 1500 -ni any -w - ! port 22" > all.pcap
                        Server version: SSH-2.0-OpenSSH_3.7.1p2
                        We claim version: SSH-2.0-PuTTY_Release_0.60
                        Using SSH protocol version 2
                        Keyboard-interactive authentication refused
                        Sent password
                        Access granted
                        Opened channel for session
                        Started a shell/command
                        tcpdump: socket: Operation not permitted
                        Server sent command exit status 1
                        Disconnected: All channels closed


                        As highlighted in the output I'm getting this error: tcpdump: socket: Operation not permitted


                        Any thoughts?

                        • 9. Re: Packet Capture

                          Hi there,


                          I just tried to reproduce your problem without any success - are you using the actual root user, or a different username and sanitizing the output here?  Using a different user could certainly lead to this sort of problem, even if they otherwise have admin access.


                          Incidentally, if you want to avoid having to type the password in without a prompt all the time, use the "-pw passwordgoeshere" switch for plink.


                          Regards,


                          Danny
