Nov 1, 2012

Remote Sniffertrace with tcpdump and netcat

Sometimes there is a need to capture network traffic on a remote host, but that host does not have enough disk space or resources to handle the traffic. In this case we can use a remote capture host with netcat and tcpdump!

Situation: 1x Client ( local ) - 1x Server ( remote )


netcat has to be installed on the local client, and the syntax is as follows:


root@local# nc -l -p 9999 > temp.pcap

Port 9999 has to be open on the client or through the firewall / router! On the remote side:

root@remote# tcpdump -s 0 -U -n -w - -i "interface_name" not host "local_ip" | nc "local_ip" 9999

Example (in my case):

tcpdump -s 0 -U -n -w - -i en1 not host 10.10.10.2 | nc 10.10.10.2 9999

  • -s sets the snapshot length, i.e. how many bytes of each packet tcpdump records; 0 means the whole packet.
  • -U makes tcpdump write each packet as soon as it is captured instead of waiting until the output buffer is full.
  • -n disables hostname / port lookups via DNS.
  • "-w - |" writes the capture to stdout, so it is piped straight to netcat and not into a file.
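As an added example (not from the original post), a small POSIX sh helper that assembles the two commands above with some input checking and verifies that the file the listener wrote really starts with a pcap header; the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added helper, not code from the original post: builds the two commands
# described above and checks the file that the listener wrote.

# Remote side. The "not host <collector_ip>" filter is essential: without it
# tcpdump would capture its own netcat stream, and every captured byte would
# be sent, captured again and sent again until the link is saturated.
build_capture_cmd() {
    iface=$1; collector=$2; port=$3
    case "$collector" in
        ''|*[!0-9.]*) echo "bad collector address: $collector" >&2; return 1 ;;
    esac
    printf 'tcpdump -s 0 -U -n -w - -i %s not host %s | nc %s %s\n' \
        "$iface" "$collector" "$collector" "$port"
}

# Local side. Traditional netcat accepts "-l -p PORT" as in the post;
# the OpenBSD variant wants "nc -l PORT" instead.
build_listener_cmd() {
    port=$1; outfile=$2
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf 'nc -l -p %s > %s\n' "$port" "$outfile"
}

# Check that a received file starts with a pcap global header. netcat just
# copies bytes, so an empty or garbage file usually means the listener was
# not up yet when tcpdump started, or something else connected to the port.
# Accepts the microsecond and nanosecond magics in both byte orders.
pcap_header_ok() {
    file=$1
    [ -s "$file" ] || return 1
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) echo "no pcap header in $file (got $magic)" >&2; return 1 ;;
    esac
}
```

Start the listener before running the remote command; otherwise nc on the remote side has nothing to connect to and the capture is lost.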
