1

I have a hardware device that hosts two separate TCP modules. One is for receiving commands from other machines, while the other is a TCP stream server that sends data based on the commands received. (It’s not my hardware. I can’t open or change it. I know the design is kinda stupid.)

The issue is, when I try to use tcpdump to listen to the TCP stream, no packets are captured.

I use the sudo tcpdump -i eth0 -n port 9101 command. It simply lists:

0 packets captured;
0 packets received by filter;
0 packets dropped by kernel.

However, when I use netcat (nc -v <ip address> 9101), I get the full stream in real time. The problem is I want to capture the stream to a file in binary format. That’s why I’m going with tcpdump.

Any idea how I can solve this?

4
  • 1) Are you sure the packets are arriving through eth0 and not through some other interface? 2) Is IPsec involved in any way? Commented Jun 26 at 11:24
  • 1) Yes, the hardware is only connected via eth0 (one of the machines is not even Wi-Fi capable). 2) Nope, these are really basic machines, sort of prototypes. No security whatsoever. Commented Jun 26 at 12:29
  • Ah, hold on, are you running nc and tcpdump at the same time or separately? Commented Jun 26 at 12:33
  • Separately. First I tried with nc, and when I saw that okay, I get some data, then I closed nc and tried the same with tcpdump. Also, after several reboots and whatever, tcpdump still returns empty :s Commented Jun 26 at 12:40

1 Answer 1

0

Unlike UDP streams, TCP is strictly connection-oriented – data cannot be sent unsolicited but needs to be part of an active connection, such as the one your nc creates. As soon as you close nc the OS will close its TCP connections and the source will stop sending data; i.e. there is no TCP stream when you try to do the capture after closing nc.

Meaning, even if you want to have the data in .pcap format, you still must have netcat or some other TCP client program running the entire time.

(But since TCP doesn't preserve packet boundaries and a TCP-based protocol cannot rely on them, i.e. it's a single continuous stream, there shouldn't be any practical difference between capturing the data as a .pcap and just letting nc write its output to a file – that would generally be easier.)

1
  • Yeah, I just came to the same conclusion. I used nc <ip> <port> > file.bin to capture the data and then used xxd file.bin to open it in a normal readable format. Thanks for the help! Commented Jun 26 at 13:05
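The point the answer makes (a TCP stream server emits nothing until a client has connected, so a capture only sees packets while some client holds the connection open) can be shown end to end on the loopback interface. The following is an added example, not code from the question or the answer: a small stand-in for the device's stream server that only writes once it has accepted a connection, and a client that does what nc <ip> <port> > file.bin does, i.e. connects, reads raw bytes until the peer closes (or an optional byte limit is hit) and writes them unmodified to a file. The payload, the loopback address, the ephemeral port and the output path are all constructed for the example; the real device's port (9101) and behaviour are only known from the question.

```python
"""Loopback model of a TCP stream server and a raw-stream capture client.

Added example; assumptions: the server sends a fixed byte string after
accept() and then closes, which is all the client needs to see EOF.
"""
import socket
import tempfile
import threading
from pathlib import Path
from typing import List, Optional

# Constructed sample payload standing in for the device's binary stream.
SAMPLE_STREAM = bytes(range(256)) * 4  # 1024 bytes


def serve_stream(payload: bytes, ready: threading.Event, port_holder: List[int]) -> None:
    """Mimic the device: the data is written only after a client connects."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))          # ephemeral loopback port
        srv.listen(1)
        port_holder.append(srv.getsockname()[1])
        ready.set()
        conn, _ = srv.accept()              # no TCP traffic exists before this
        with conn:
            conn.sendall(payload)
        # leaving the block closes the connection: that is the client's EOF


def capture_stream(host: str, port: int, out_path: Path,
                   max_bytes: Optional[int] = None) -> int:
    """Connect as a TCP client and write the raw stream to out_path.

    Equivalent to `nc host port > out_path`: bytes are written exactly as
    received, with no framing, because TCP has no packet boundaries to keep.
    Returns the number of bytes captured.
    """
    total = 0
    with socket.create_connection((host, port), timeout=5) as sock, \
            open(out_path, "wb") as fh:
        while max_bytes is None or total < max_bytes:
            chunk = sock.recv(65536)
            if not chunk:                   # peer closed the connection
                break
            if max_bytes is not None:
                chunk = chunk[: max_bytes - total]
            fh.write(chunk)
            total += len(chunk)
    return total


def demo(out_path: Optional[Path] = None) -> bytes:
    """Run server and client together; return the bytes written to the file."""
    if out_path is None:
        out_path = Path(tempfile.gettempdir()) / "stream_capture_example.bin"
    ready = threading.Event()
    port_holder: List[int] = []
    t = threading.Thread(target=serve_stream,
                         args=(SAMPLE_STREAM, ready, port_holder), daemon=True)
    t.start()
    ready.wait(5)
    n = capture_stream("127.0.0.1", port_holder[0], out_path)
    t.join(5)
    data = out_path.read_bytes()
    assert n == len(data)                   # file holds exactly what was read
    return data


if __name__ == "__main__":
    captured = demo()
    print(f"captured {len(captured)} bytes; first 16 as hex: {captured[:16].hex()}")
```

Run stand-alone it connects, captures the constructed 1024-byte stream and prints its length. If a .pcap of the same traffic is wanted, tcpdump has to run concurrently with this client (or with nc), because the packets it filters on only exist for the lifetime of that connection; a device that streams indefinitely is stopped with the max_bytes limit or by interrupting the client, just as nc would be.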
