Problem with capture filter when standard input is specified as the interface.

Hi All,

I am trying to do SSH tunnelling from a remote machine and redirect that message to dumpcap, which is running on the local machine, as shown below.

ssh [email protected] "/upapps/ptc/cbtcpa/bin/dumpcap -i eth0 -w -" | /upapps/ptc/cbtcpa/bin/dumpcap -i - -f "port not 22" -a duration:60 -b duration:60 -w test.pcap

But I am facing a problem with the capture filter -f "port not 22" when I capture from standard input. It is not filtering the desired packets. The file contains all the packets.

Does the capture filter not work with the above syntax, that is, when capturing packets with the interface specified as "-" (standard input)?

So, I request your help to solve this.

Thanks in advance. Kiran Kumar G

asked 04 Jun '11, 20:46

Kiran Kumar G


One Answer:

IIRC capture filters in dumpcap don't work when reading from a file or a pipe. But even if they did, you would want to filter on the capturing host, not on the saving host. And the syntax is "not port 22" instead of "port not 22".

So you would want to use something like:

ssh [email protected] "/upapps/ptc/cbtcpa/bin/dumpcap -i eth0 -f 'not port 22' -w -" |\
    /upapps/ptc/cbtcpa/bin/dumpcap -i - -b duration:60 -w test.pcap

Please note that combining -a and -b options might give you unexpected results. You have to use either the -a options or the -b options.

answered 05 Jun '11, 00:33

SYN-bit ♦♦
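The pipeline from the answer, with the filter on the capturing host and the quoting written out, as an added shell example (not code from the thread; the host, interface, interval and output name are placeholders):

```sh
#!/bin/sh
# Added example, not code from the original thread: a small wrapper that
# builds the ssh | dumpcap pipeline from the answer with correct quoting.
# The dumpcap path comes from the thread; host, interface, filter, interval
# and output name are placeholder arguments.

# Print the pipeline for: remote host $1, remote interface $2, BPF filter $3,
# rotation interval in seconds $4, local output file $5.
# The filter goes on the capturing (remote) side: per the answer, dumpcap
# does not apply -f when reading from a pipe ("-i -").
build_capture_pipeline() {
    host=$1; iface=$2; filter=$3; rotate=$4; out=$5
    dumpcap=/upapps/ptc/cbtcpa/bin/dumpcap
    # Single quotes around the filter survive inside the double-quoted remote
    # command; nested double quotes would end the string and split the filter
    # into separate words ("not", "port", "22").
    printf 'ssh %s "%s -i %s -f '\''%s'\'' -w -" | %s -i - -b duration:%s -w %s\n' \
        "$host" "$dumpcap" "$iface" "$filter" "$dumpcap" "$rotate" "$out"
}

# Succeed (exit 0) only if a local dumpcap argument list does not mix
# -a (autostop) with -b (ring buffer), the combination the answer warns about.
stop_options_ok() {
    has_a=0; has_b=0
    for arg in "$@"; do
        case $arg in
            -a) has_a=1 ;;
            -b) has_b=1 ;;
        esac
    done
    [ "$has_a" -eq 0 ] || [ "$has_b" -eq 0 ]
}

# Dry run with placeholder values: prints the command instead of running it.
build_capture_pipeline kiran@remote.example eth0 'not port 22' 60 test.pcap
```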

Hi SYN-bit,

Thanks for your answer.

Actually there is a requirement to use tcpdump on the remote machine to capture the data and send it over an SSH tunnel to the local dumpcap to store packets on the remote machine, as given below.

ssh [email protected] "tcpdump -i eth0 'not port 22 and tcp port 80' -w -" | /upapps/ptc/cbtcpa/bin/dumpcap -i - -f "port not 22" -a duration:60 -b duration:60 -w test.pcap

But I am facing an issue with this, which is: if no packets are captured by the above capture command with the given capture filter criteria, then no packets (file) will be dumped on the local machine. This is not the case with dumpcap; it will start dumping packets into the file even if no packets are captured.

I want the file to be created on the local machine even if no packets are captured. Is there a way through tcpdump to achieve this?

I am using the -a and -b options because -a specifies the total duration of the capture and -b is the resolution time for which dumpcap should create the file. E.g. for a 2-minute capture, if -b is 60 seconds then 2 files will be created.

Request your help on this.

Thanks and Regards, Kiran Kumar G
(07 Jun ‘11, 06:58) Kiran Kumar G

Sorry, there is a mistake in the sentence; please find the correct sentence below.

Actually there is a requirement to use tcpdump on the remote machine to capture the data and send it over an SSH tunnel to the local dumpcap to store packets on the local machine, as given below.

(07 Jun ‘11, 10:41) Kiran Kumar G