[SOLVED] How to capture udp packet with tcpdump started by xinetd?

shroman · 12-15-2017, 08:41 AM

Hi,
I am trying to set up a xinetd for running shell script by receiving a udp packet on port 8012. It works. But in shell script I want to extract data from packet with tcpdump. But tcpdump recieve only second packet.

By first packet xinetd starts my script and only second packet go to tcpdump.

Maybe there is another way to do this?

Code:

# /etc/xinetd.d/stream_control
service stream_control
{
    disable = no
    type = UNLISTED
    port = 8012
    socket_type = dgram
    protocol = udp
    flags = IPv4
    wait = yes
    user = root
    server = /home/user/test.sh
    log_type = SYSLOG daemon
}

test.sh:

Code:

#!/bin/bash
tcpdump -Q in udp port 8012 -A -c 1 >> /home/user/test.txt

Turbocapitalist · 12-15-2017, 09:31 AM

Make sure that the tcpdump settings work on their own before putting them in a script.

Code:

tcpdump -w /home/user/test.txt -A -c 1 -Q in udp port 8012

The option to write raw packets to a file is -w.

shroman · 12-18-2017, 05:18 AM

Quote:

Originally Posted by Turbocapitalist

Make sure that the tcpdump settings work on their own before putting them in a script.

Code:

tcpdump -w /home/user/test.txt -A -c 1 -Q in udp port 8012

The option to write raw packets to a file is -w.

Thank you, but the same behavior.
If I run tcpdump -w /home/user/test.txt -A -c 1 -Q in udp port 8012 in terminal, tcpdump captures 1-st packet. But runned from xinetd captures only second packet.

DavideDG · 12-28-2017, 11:19 AM

Quote:

Originally Posted by shroman

Thank you, but the same behavior.
If I run tcpdump -w /home/user/test.txt -A -c 1 -Q in udp port 8012 in terminal, tcpdump captures 1-st packet. But runned from xinetd captures only second packet.

Hi,

the reason the 1st packet is not being captured is that you are discarding it

The 1st packet makes xinetd call your script, which in turn fires up tcpdump on default interface waiting to capture a total of 1 packet.
Meanwhile, the 1st packet is on STDIN, waiting to be used, but you are not telling anyone to use it, you are just preparing tcpdump ... for the next packet, which arrives shortly after, causing:
- the 1st tcpdump process to capture on eth0, and write to file
- another tcpdump process to spawn, ready for yet another packet (what will be the 3rd packet)

Also, xinetd will actually mask all the connection details, giving you (on STD-in!) only the payload.

So if you want to still use xinetd and inspect the payload, you might want to use simply this in your script:

Code:

#!/bin/bash
cat - >> /home/user/test.txt

HTH!
Bye!

shroman · 12-29-2017, 09:41 AM

Quote:

Originally Posted by DavideDG

xinetd will actually mask all the connection details, giving you (on STD-in!) only the payload.

So if you want to still use xinetd and inspect the payload, you might want to use simply this in your script:

Code:

#!/bin/bash
cat - >> /home/user/test.txt

Thank you DavideDG. It works!