How can I create a packet capture file on a headless server for a single process?

Solution 1

Yes, you can with iptables and dumpcap. Summary:

# iptables -A OUTPUT -m owner --pid-owner 1000 -j CONNMARK --set-mark 1
# iptables -A INPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# iptables -A OUTPUT -m connmark --mark 1 -j NFLOG --nflog-group 30 
# dumpcap -i nflog:30 -w pid-1000.pcap

This will capture all traffic with process ID 1000. These commands have to be run on the host itself (which is where the PID info is available).
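
The rule set above, wrapped in a script so that the rules are added and removed as a matched pair (added example, not part of the answer). The script assumes it is run as root on the host, that the NFLOG group, connmark value and output file name are parameters (defaulting to the answer's 30, 1 and pid-<PID>.pcap), and that the kernel's owner match still accepts --pid-owner; that option was removed from the kernel in 2.6.14, and on newer kernels the same rule works with --uid-owner (or --gid-owner) in its place.

```shell
#!/bin/sh
# Added example: tag one process's connections with a connmark, mirror both
# directions to an NFLOG group, capture that group with dumpcap, and remove
# the rules again on exit. Requires root and the iptables/dumpcap binaries.
set -eu

# Print the three iptables rules (chain + match + target, without the binary
# name) for PID $1, NFLOG group $2 and connmark $3. Generating them from one
# place lets setup use -A and teardown use -D on an identical list.
capture_rules() {
  pid="$1"; group="$2"; mark="$3"
  printf '%s\n' \
    "OUTPUT -m owner --pid-owner $pid -j CONNMARK --set-mark $mark" \
    "INPUT -m connmark --mark $mark -j NFLOG --nflog-group $group" \
    "OUTPUT -m connmark --mark $mark -j NFLOG --nflog-group $group"
}

# $1 is -A (append) or -D (delete); the rest is pid group mark.
apply_rules() {
  action="$1"; shift
  capture_rules "$@" | while read -r rule; do
    # $rule is deliberately unquoted so it is word-split into arguments.
    iptables "$action" $rule
  done
}

# capture_pid <pid> [outfile] [nflog-group] [mark]
capture_pid() {
  pid="$1"; outfile="${2:-pid-$1.pcap}"; group="${3:-30}"; mark="${4:-1}"
  [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
  apply_rules -A "$pid" "$group" "$mark"
  # Expand the arguments now, so the cleanup matches even after the function
  # has returned; fires on normal exit and on Ctrl-C.
  trap "apply_rules -D $pid $group $mark" EXIT INT TERM
  dumpcap -i "nflog:$group" -w "$outfile"
}

# Usage: ./capture_pid.sh <pid> [outfile] [nflog-group] [mark]
if [ "${1:-}" != "" ]; then
  capture_pid "$@"
fi
```

Because the NFLOG rules sit in INPUT and OUTPUT, forwarded traffic is not seen, and only connections whose first outbound packet matched the owner rule get the mark, so a socket the process inherited before the rules were added is missed until it opens a new connection.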

Solution 2

Wireshark has a command line utility. I have used it on remote computers where I only had console access, it works quite well. Takes only a few minutes of reading the parameters to learn how to use it.

C:\Program Files (x86)\Wireshark>dumpcap.exe -h
Dumpcap 1.10.3 (SVN Rev 53022 from /trunk-1.10)
Capture network packets and dump them into a pcapng file.
See http://www.wireshark.org for more information.

Usage: dumpcap [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback),
                           or for remote capturing, use one of these formats:
                               rpcap://<host>/<interface>
                               TCP@<host>:<port>
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -B <buffer size>         size of kernel buffer in MB (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit
  -d                       print generated BPF code for capture filter
  -k                       set channel on wifi interface <freq>,[<type>]
  -S                       print statistics for each interface once per second
  -M                       for -D, -L, and -S, produce machine-readable output

RPCAP options:
  -r                       don't ignore own RPCAP traffic in capture
  -u                       use UDP for RPCAP data transfer
  -A <user>:<password>     use RPCAP password authentication
  -m <sampling type>       use packet sampling
                           count:NUM - capture one packet of every NUM
                           timer:NUM - capture no more than 1 packet in NUM ms
Stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Output (files):
  -w <filename>            name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
  -n                       use pcapng format instead of pcap (default)
  -P                       use libpcap format instead of pcapng

Miscellaneous:
  -N <packet_limit>        maximum number of packets buffered within dumpcap
  -C <byte_limit>          maximum number of bytes used for buffering packets within dumpcap
  -t                       use a separate thread per interface
  -q                       don't report packet capture counts
  -v                       print version information and exit
  -h                       display this help and exit

Example: dumpcap -i eth0 -a duration:60 -w output.pcapng
"Capture packets from interface eth0 until 60s passed into output.pcapng"

Use Ctrl-C to stop capturing at any time.

Solution 3

Another option is to pipe dumpcap output over SSH into Wireshark running on your local machine.

wireshark -k -i <(ssh -l USER REMOTEHOST "dumpcap -i lo -P -w - -f 'not tcp port 22'")

This will open an instance of wireshark locally displaying traffic from the remote machine. You will likely want to amend the filter not tcp port 22 to prevent piping too much traffic across the network.

Author: Manishearth

Updated on September 18, 2022

Comments

  • Manishearth
    Manishearth over 1 year

    I'm writing a python script on a headless server, and I'd like to see the packet capture output for the script.

    I can't run ettercap or Wireshark on the server as there is too much other noise (besides, wireshark is a GUI tool). I do have sudo access, however.

    Is there any way that I can capture the packets generated by that script only? Preferably in a format that can be loaded into Wireshark (not mandatory, however; I can trudge through the text if necessary).