LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-05-2009, 07:09 AM   #1
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Rep: Reputation: 0
[DD-WRT] Reading TCP-Packets via TCPDUMP trough SSH


Hi everyone
I've got a "little" Problem and hope anyone could tell me why it doesn't work...or find a solution with me

I want to get the tcpdump output (Packets) from my DD-WRT-Router via SSH on my Server to Pipe the Output to a Skript and it works somehow but:

I think it's the best to Print the Commands first:


1. Via SSH, tcpdump with "host"-expression - Works fine:
ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'"
2. Via SSH, tcpdump with "port"-expression - Does not work:
ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'"
3. directly on the dd-wrt console - WORKS:
/jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'
4. directly on the dd-wrt console - WORKS:
/jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'

So my Problem is that I need 2. (above) to work but there is just no Output, but if i do the same directly on the console (4.) it works. And I don't know why ;( Now working since Hours, and I also checked all Commands with dumping to a file, with the same result ;(

So I'am Happy for any Ideas
If someone needs additional Info, just ask

Oh and I know that there is Traffic on the Port when I Capture the dump

greetz z.c
 
Old 03-05-2009, 09:08 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
well what doesn't work about it? you've not given us any error messages or anything. you aren't dumping port 22 are you?
 
Old 03-05-2009, 09:31 AM   #3
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
oh I'am sorry

at first, no I'am not dumping port 22

about the error message, there is non, just no output, i'll try to post the output:

1.
<user>@<server>:~$ ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@<dd-wrt-router>'s password:
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 50000<much binary>
2.
<user>@<server>:~$ ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@<dd-wrt-router>'s password:
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
<nothing>
 
Old 03-05-2009, 10:00 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
well IS there any traffic on this super secret mystery port number?
 
Old 03-05-2009, 10:14 AM   #5
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
hey
It is no super mystery port , it's 5190

and there is traffic, i'am sure, when i use the "host"-expression or execute the command directly on the console of the wrt-router the traffic is there, any message i write, but with the "port"-expression (via SSH-Command 2.), nothing...

Last edited by zeroXcool; 03-05-2009 at 10:35 AM.
 
Old 03-05-2009, 12:51 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
ok, so show us the tcpdump output showing traffic on port 5190 when you use the host statement.
 
Old 03-05-2009, 01:14 PM   #7
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
This is the TCPDump Output (i guess Binary-Dump is not needed):

1. directly on the DD-WRT-Router:
~ # /jffs/usr/sbin/tcpdump -s 50000 -i br0 port 5190
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
20:07:02.527895 IP 205.188.9.242.5190 > 192.168.###.###.2781: P 2736427840:2736427878(38) ack 955586305 win 16384
20:07:02.700681 IP 192.168.###.###.2781 > 205.188.9.242.5190: . ack 38 win 65345
20:07:02.744744 IP 205.188.9.242.5190 > 192.168.###.###.2781: P 38:76(38) ack 1 win 16384
20:07:02.901987 IP 192.168.###.###.2781 > 205.188.9.242.5190: . ack 76 win 65307
20:07:04.196115 IP <workstation>.34825 > 64.12.24.252.5190: P 2740339472:2740339565(93) ack 615897945 win 63246
20:07:04.308234 IP 64.12.24.252.5190 > <workstation>.34825: P 1:210(209) ack 93 win 16384
20:07:04.308736 IP <workstation>.34825 > 64.12.24.252.5190: . ack 210 win 63246
20:07:04.311430 IP 64.12.24.252.5190 > <workstation>.34825: P 210:245(35) ack 93 win 16384
20:07:04.311864 IP <workstation>.34825 > 64.12.24.252.5190: . ack 245 win 63246

9 packets captured
18 packets received by filter
0 packets dropped by kernel
2. via SSH
user@<server>:~$ ssh root@<router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 port 5190"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@zcwrt's password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
<nothing>
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Tcpdump : Capturing TCP packets with particular flag combinations apit Linux - Networking 9 09-20-2008 09:45 PM
tcpdump does not capture all packets logicalfuzz Linux - Networking 1 03-19-2007 12:47 PM
Accessing TCP flags in TCP packets on Linux using C !! vishamr2000 Programming 2 10-16-2006 09:46 AM
encapsulating TCP packets in UDP packets... yoshi95 Programming 3 06-03-2004 02:53 PM
tcpdump and dropped packets Blindsight Linux - Networking 5 07-14-2003 10:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:28 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration