Example to capture tcpdump on remotehosts #1

Open
SachinGhagare opened this issue Apr 28, 2019 · 6 comments

@SachinGhagare

Can you give an example of capturing tcpdump on two remote hosts simultaneously?

I may be wrong, I have tried the following:
remotecap -w test.pcap 192.168.X.X

The above command immediately stops and doesn't capture the tcpdump. Please guide me on the commands to capture.

@evanfoster
Owner

Sure thing, I'll write something up after work.

In the meantime, please check the following things:

  • The version of remotecap you are using. You'll need to check that using pip
  • That your ssh access is working:
    • Whether you are using ssh keys or a password
      • If you're using a password, you must enter that password using the -p option
    • That you are sshing as the correct user. The default is root unless you specify otherwise
      • If your user is not root, you probably need to escalate privileges with sudo on the remote system using the -e option
        • If this is the case, you must have sudo installed on the remote system
  • That tcpdump is installed on the remote systems you're sshing to

There should be a file called test.log or test.pcap.log in the same folder where you ran remotecap. Could you post the contents of that file here in a code block?
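
The checklist in the comment above can be run as a preflight against each capture host. This is an added example, not part of the issue thread or of remotecap's code; the function names and the REMOTE_USER variable are assumptions, and it assumes key-based ssh and a POSIX shell on the remote side.

```shell
#!/bin/sh
# Added example (not from remotecap): preflight for the checklist above.
# REMOTE_USER and all function names are assumptions made for this sketch.
REMOTE_USER="${REMOTE_USER:-root}"   # the thread states root is the default user
SBIN='PATH="$PATH:/usr/sbin:/sbin"'  # tcpdump often lives outside a non-root PATH

# run_remote HOST CMD: run CMD over key-based ssh; BatchMode forbids prompts,
# so a host that would ask for a password fails instead of hanging.
run_remote() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$REMOTE_USER@$1" "$2"
}

# check_host HOST: print one status line; return 0 only if every check passes.
check_host() {
    host=$1
    if ! run_remote "$host" true >/dev/null 2>&1; then
        echo "$host: FAIL ssh login as $REMOTE_USER"; return 1
    fi
    if ! run_remote "$host" "$SBIN; command -v tcpdump" >/dev/null 2>&1; then
        echo "$host: FAIL tcpdump not found"; return 1
    fi
    # Non-root users need sudo rights for tcpdump that work without a prompt.
    if [ "$REMOTE_USER" != root ] && ! run_remote "$host" \
        "$SBIN; sudo -n -l \"\$(command -v tcpdump)\"" >/dev/null 2>&1; then
        echo "$host: FAIL no passwordless sudo for tcpdump"; return 1
    fi
    echo "$host: OK"
}

# preflight HOST...: check every host; non-zero if any host failed.
preflight() {
    rc=0
    for h in "$@"; do check_host "$h" || rc=1; done
    return "$rc"
}

# Usage: REMOTE_USER=kodiak sh preflight.sh 10.3.2.169 <second-host>
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A host that fails any of these checks is a likely source of an empty capture file, so run the preflight before starting a capture.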

@SachinGhagare
Author

Yes, please share the script to capture tcpdump on multiple hosts.
Please find my inline answers to your questions below.

The version of remotecap you are using. You'll need to check that using pip

pip3 show remotecap
Name: remotecap
Version: 2.2.0
pip3 --version
pip 9.0.1 from /usr/local/lib/python3.6/site-packages (python 3.6)

That your ssh access is working:
Yes, ssh access is working!

Whether you are using ssh keys or a password
I have tried using a password also. But now I have set up passwordless login to the remote host.
With passwordless access set up, I am able to ssh to the remote host without a password.

If you're using a password, you must enter that password using the -p option
As I have set up passwordless login access, I am not using the "-p" option.

That you are sshing as the correct user. The default is root unless you specify otherwise
I am specifying the user by using the "-u" option. The following is the command:

remotecap -w test.pcap  -u 'kodiak'  10.3.2.169
test

Done.

Note: from user 'kodiak' I am able to capture tcpdump.

If your user is not root, you probably need to escalate privileges with sudo on the remote system using the -e option
I have enabled the privileges for the sshing user to capture tcpdump. I tried manually and am able to capture tcpdump on the remote machine (with user 'kodiak').

If this is the case, you must have sudo installed on the remote system
Enabled the privileges to capture tcpdump.

That tcpdump is installed on the remote systems you're sshing to
Yes, it is installed. Manually I am able to capture tcpdump.

There should be a file called test.log or test.pcap.log in the same folder where you ran remotecap. Could you post the contents of that file here in a code block?
Both files are empty. Please find the following; the size is zero bytes. I even opened the files and checked, and both are empty.

-rw-r--r-- 1 root root    0 May  1 10:09 test.pcap
-rw-r--r-- 1 root root    0 May  1 10:09 test.log

@evanfoster
Owner

Argh, I apologize for not looking at this yesterday. I can't work on this in the office, but I will try to remember to check it out today after work.

@SachinGhagare
Author

SachinGhagare commented May 1, 2019 via email

@evanfoster
Owner

evanfoster commented Oct 6, 2019

I've made some major changes. Would you like to try again?

EDIT: Actually, hold off, something's not right.

EDIT 2: Fixed, please give it a go if you'd like. Apologies for the delay on this, it's been a crazy year!

@SachinGhagare
Author

SachinGhagare commented Oct 12, 2019 via email

@evanfoster evanfoster self-assigned this Oct 17, 2019