6

I'm using the following command to capture incoming and outgoing TCP packets by port:

tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 -w /home/admin/dump1.cap

But tcpdump captures only incoming packets; I need incoming and outgoing packets at the same time. Does anybody know where my mistake is?

Thanks in advance.

mr.boyfox
  • Your command should work. Have you tried only capturing outgoing packets to test if there are any outgoing packets on these ports? – Lukas Isselbächer Jul 15 '17 at 20:29
  • @Lukas yes, it works, but just for incoming packets; there are no outgoing packets. I can capture outgoing packets, but I can't capture incoming and outgoing together at the same time with the same command line. Why? – mr.boyfox Jul 17 '17 at 04:10
  • This is my command for capturing outgoing packets: tcpdump -s0 -vvv -A -n src host 80.81.110.111 -w /home/admin/aaa_tmp/dump3.cap – this command works just for outgoing packets – mr.boyfox Jul 17 '17 at 04:12
  • tcpdump -i eth1 -vvv -s 0 -w /home/sunetadmin/aaa_tmp/dmp7.pcap – this command works for both directions, but here I can't add ports; if I add ports it works only for incoming packets – mr.boyfox Jul 17 '17 at 04:13
  • I need a tcpdump command by port for capturing incoming and outgoing packets at the same time – mr.boyfox Jul 17 '17 at 04:14
  • The command should work fine. You must update your question with the following details: 1. What traffic (TCP, UDP, application layer protocols) are you trying to capture? 2. How do you read your results? What command/script? Show details. – Fabien Jul 21 '17 at 18:44

2 Answers

6
tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 --direction=in --direction=out -w /home/admin/dump1.cap

--direction=in for the incoming traffic, --direction=out for the outgoing traffic.

You can find more on the tcpdump manual page: http://www.tcpdump.org/tcpdump_man.html

Uddhav Gautam
  • Hi, thank you for the answer. I tried it, but it doesn't work; 0 packets were captured. – mr.boyfox Jul 23 '17 at 07:25
  • @mr.boyfox, on my computer it captures; probably you should check your firewall settings or something. I ran it as root. – Uddhav Gautam Jul 23 '17 at 13:53
  • Maybe. I ran it as root, too, because only root can start tcpdump on our server. I will look into firewall settings and other problems related to tcpdump. – mr.boyfox Jul 24 '17 at 04:31
2

This can happen if your traffic is going through an IPsec tunnel (check whether this is the case by running ipsec statusall). To capture decrypted packets you can add iptables rules to forward IPsec traffic to the nflog interface:

iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Then tcpdump the nflog interface:

tcpdump -i nflog:5 -y IPV4 -s0 -A port 3727 or port 5016 or port 3724

Remember to remove the nflog rules when you're done!

iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Source: https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
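The procedure in this answer, wrapped into one script as an added example. This is my code, not the answer's or the strongSwan wiki's: it builds the "port A or port B" filter from a list of ports, installs the two NFLOG rules, runs tcpdump on the nflog interface, and removes both rules again through an EXIT trap so a Ctrl-C does not leave the mangle table modified. The NFLOG group 5, the ports, the output path and the script name ipsec_capture.sh are placeholders taken from the thread, and running the capture itself requires root, iptables and tcpdump on the host.

```shell
#!/bin/sh
# Added example, not part of the original answer. Captures IPsec-protected TCP
# traffic as plaintext via NFLOG and guarantees the iptables rules are removed.
# Assumed placeholders: NFLOG group 5, ports 3727/5016/3724, output path.

# Build a BPF filter of the form "port A or port B ..." from a list of ports.
build_port_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="port $p"
        else
            filter="$filter or port $p"
        fi
    done
    printf '%s\n' "$filter"
}

# Build the iptables command for one direction and print it.
# $1 is -I (insert) or -D (delete), $2 is in or out, $3 is the NFLOG group.
# Inbound packets are matched in PREROUTING after decryption,
# outbound packets in POSTROUTING before they are encrypted into ESP.
nflog_rule() {
    action="$1"; dir="$2"; group="$3"
    case "$dir" in
        in)  chain=PREROUTING ;;
        out) chain=POSTROUTING ;;
        *)   echo "direction must be in or out" >&2; return 1 ;;
    esac
    printf 'iptables -t mangle %s %s -m policy --pol ipsec --dir %s -j NFLOG --nflog-group %s\n' \
        "$action" "$chain" "$dir" "$group"
}

# Remove both rules; registered as a trap so cleanup runs even on interrupt.
cleanup_nflog() {
    group="$1"
    $(nflog_rule -D in "$group")
    $(nflog_rule -D out "$group")
}

# Usage: capture_ipsec_plaintext <group> <outfile> <port>...
capture_ipsec_plaintext() {
    group="$1"; outfile="$2"; shift 2
    filter=$(build_port_filter "$@") || return 1
    # Register cleanup before inserting anything, so a failure after the first
    # insert still removes it.
    trap 'cleanup_nflog "$group"' EXIT INT TERM
    $(nflog_rule -I in "$group") || return 1
    $(nflog_rule -I out "$group") || return 1
    # -y IPV4 tells tcpdump the NFLOG payload is a raw IPv4 packet (as in the
    # answer above). The port filter now matches in both directions because
    # the packets on nflog are plaintext, not ESP.
    # shellcheck disable=SC2086
    tcpdump -i "nflog:$group" -y IPV4 -s 0 -w "$outfile" $filter
}

# Only start a capture when run directly with arguments, e.g.
#   ./ipsec_capture.sh 5 /home/admin/dump1.cap 3727 5016 3724
if [ "$#" -ge 3 ]; then
    capture_ipsec_plaintext "$@"
fi
```

Why the original capture on the physical interface shows one direction only: once an IPsec SA covers the traffic, outbound packets leave the interface already wrapped in ESP, so a port filter has nothing to match, while inbound packets are decrypted by the kernel and handed back to the receive path, where the capture sees them a second time as plain TCP. Check with ipsec statusall first; if no SA is installed, this script will install rules that match nothing and the original tcpdump command on the interface is the right tool.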