-   Linux - Software (
-   -   tcpdump error (

g_mf_spot 11-29-2006 06:51 PM

tcpdump error
When I try to append my dump to a tracefile:

tcpdump -i eth0 -W port 8080 MyTraceFile

I get:

permission denied...

I am root when using this command.

tcpdump -i eth0 -w mytracefile

I have tried different methods with the same results.

This is my first post... Hello everyone.


chort 11-29-2006 08:30 PM

It works fine for me. Are you sure you're not on a read-only file system, like a LiveCD or something like that? The file system needs to be mounted rw in order to save a file to it.

g_mf_spot 11-30-2006 07:45 PM

I am using Fedora Core 4 and I am logged in as root. I even changed the settings:

chmod 777 filename. I am not sure where to go from here.

Thank you for the response.


matthewg42 11-30-2006 07:56 PM

I tried to copy-paste your command and get a syntax error (command modified to reflect that my active network device is eth1):

tcpdump -i eth1 -W port 8080 MyTraceFile
tcpdump: syntax error

...which was corrected by quoting the last three arguments (back to your network interface for this one, so you can copy-paste if you wish):

tcpdump -i eth0 -W "port 8080 MyTraceFile"
I'm not sure this will do what you want though. No dumping to file here.

Assuming that's not the issue you're having, there is still scope for permissions problems: If the filesystem to which you are trying to write mounted read-only, not even root can write to it. You can find out by entering this command in the directory which you are trying to write to:

mount |fgrep $(df . |cut -d" " -f1 |tail -n 1)
Paste the output of that command here.

matthewg42 11-30-2006 08:00 PM

Aha, is this what you wanted to do:

tcpdump -i eth0 -W "port 8080" > MyTraceFile

chort 11-30-2006 08:08 PM


# tcpdump -i eth0 -w mytracefile
Is what I did and it works fine.

The question about how the file system is mounted still hasn't been answered, though. What directory are you in when you execute the above command? What is the output of

# mount

g_mf_spot 12-01-2006 01:57 PM

I am not mounting any file system guys. I am just logging on as root and in the home directory I am just using the commands.

I can use the append command which works fine. If I want to save a whois for later research:

whois > myfile

I see you you used the command:

tcpdump -i eth0 -W port 8080 > myfile

I have tried the append sign and when I do I do not get an error however no data is recorded.

When I try just

tcpdump -i eth0 -W port 8080 myfile

I get permission denied.

I am sure that it is some sort of mount issue but not sure what to mount....

I am sorry that I am a bit confused. What do I mount to? I am not using any mountable media like a disk or anything. The file I would like to trace to resides on the file system. like the root directory /home...

matthewg42 12-01-2006 03:19 PM

Please do these commands from the directory in which you are trying to run tcpdump and paste the output:

ls -ld .
cat /etc/mtab |fgrep $(df . |cut -d" " -f1 |tail -n 1)
ls -l `which tcpdump`

g_mf_spot 12-01-2006 03:48 PM

[root@TOOL ~]# pwd
[root@TOOL ~]# ls -ld
drwxr-x--- 21 root root 4096 Dec 1 15:28 .
[root@TOOL ~]# cat /etc/mtab |fgrep $(df . |cut -d " " -f1 |tail -n 1)
Usage: fgrep [OPTION]... PATTERN [FILE]...
Try `fgrep --help' for more information.
[root@TOOL ~]# cat /etc/mtab |fgrep $(df . |cut -d " " -f1 |tail -n 1) lsmod
[root@TOOL ~]# ls -l dump
-rw-r--r-- 1 root root 0 Dec 1 15:28 dump
[root@TOOL ~]#

What did the long command you had my type in do? No error or anything but it must have done
something... I really hope you are a nice guy... lol.

as you can see the dump file has rw for root. let me show you what happens ---

[root@TOOL ~]# tcpdump -i eth0 -w port 8080 dump
tcpdump: syntax error
[root@TOOL ~]# tcpdump -i eth0 port 8080 -w dump
tcpdump: dump: Permission denied
[root@TOOL ~]#
[root@TOOL ~]# ls -l dump
-rw-r--r-- 1 root root 0 Dec 1 15:28 dump
[root@TOOL ~]#
[root@TOOL ~]# chmod 755 dump
[root@TOOL ~]# ls -ld dump
-rwxr-xr-x 1 root root 0 Dec 1 15:28 dump
[root@TOOL ~]# tcpdump -i eth0 port 8080 -w dump
tcpdump: dump: Permission denied
[root@TOOL ~]#
[root@TOOL ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
74275968 21225344 49216768 31% /
/dev/hda1 101086 11786 84081 13% /boot
/dev/shm 322660 0 322660 0% /dev/shm
[root@TOOL ~]#

Thank you for the time. Again let me know what that command did please. Thanks.

g_mf_spot 12-01-2006 03:51 PM

Hey just so you know when I type this:

[root@TOOL ~]# tcpdump -i eth0 -w port 8080 dump
tcpdump: syntax error
[root@TOOL ~]# tcpdump -i eth0 port 8080 -W dump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

it is listening but no data ever comes through... Is this the correct command?


matthewg42 12-01-2006 04:07 PM

The command which failed (cat /etc/mtab |...) is probably the crucial one. OK, lets do it manually. Please paste the results of these commands:

cat /etc/mtab
df .

g_mf_spot 12-01-2006 04:35 PM

[root@TOOL ~]# cat /etc/mtab
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
/dev/proc /proc proc rw 0 0
/dev/sys /sys sysfs rw 0 0
/dev/devpts /dev/pts devpts rw,gid=5,mode=620 0 0
/dev/hda1 /boot ext3 rw 0 0
/dev/shm /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0
automount(pid2642) /misc autofs rw,fd=4,pgrp=2642,minproto=2,maxproto=4 0 0
automount(pid2683) /net autofs rw,fd=4,pgrp=2683,minproto=2,maxproto=4 0 0
[root@TOOL ~]#

I noticed that when I type:

tcpdump port 8080 -W dump

This begins to listen and when something begins to show up in the terminal I control C and less the dump file however nothing is in it. So I guess for some reason the way I type it which seems to be the best way, I get a permission denied. And the way I type it as above it half works. hmmmmm.

chort 12-01-2006 04:52 PM

Try reordering the arguments:

# tcpdump -i eth0 -w dump port 8080
I guess Fedora uses some crazy, custom build of tcpdump because on SuSE there is no -W option--it fails with a syntax error.

If all else fails, you can always do:

# tcpdump -i eth0 -l port 8080 | tee dump
Of course, you won't be able to read that later with tcpdump since it's the printed output rather than the binary packet data, but if you just want to view that data later by hand, it works fine.

All times are GMT -5. The time now is 08:10 PM.