Compression for Remote "Live" packet capturing

hunter86_bg · 07-29-2015, 08:13 AM

Hi guys,
frequently I have to solve some problems by capturing packets on the client's machine.The problem is that the client's Internet Connection is very , very slow. Most of the time I have to create huge pcap files which later I upload to my machine for "debugging" with wireshark.
But sometimes the time is very limited and I issue the following commands to create a "Live" capture:

Code:

#mkfifo /tmp/pipe1
#ssh root@<server> "tcpdump -s 0 -U -n -w - -i <server's network device> not port 22" > /tmp/pipe1
#wireshark -k -i /tmp/pipe1

I'm looking for a way to further compress the output from tcpdump. I tried "-z gunzip" to a file to test compression - but it doesn't do anything (same as without -z). If you know a working way to even compress further the tcpdump output, I would be very happy.

schneidz · 07-29-2015, 08:28 AM

maybe this will work:

Code:

tcpdump -s 0 -U -n -w - -i <server's network device> not port 22" | bzip2 > /tmp/pipe1
bunzip2 -c /tmp/pipe1 | wireshark -k #-i /tmp/pipe1

hunter86_bg · 07-29-2015, 08:48 AM

I've never thought about bzip2... Thanks mate.