Why won't tcpdump write a pcap file?

networking filesystems tcpdump

You might want to check out the behaviour of tcpdump with strace, to see if it's doing anything odd like chrooting, if it's in gentoo or another distribution that might suid the binaries.


Ok, I have solved the mystery. Follow along with me as we unravel Funtoo's TCPDump and the Mystery of the Missing pcap File.

I used strace to see what's going on and the relevant lines are:

chroot("/var/lib/tcpdump")              = 0
chdir("/")                              = 0
--- SNIP ---
open("/tmp/lol.wat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)

So...

lance ~ # ls /var/lib/tcpdump/
blah  blah.cap  irc.cap  pyhole

Hey look! All the cap files I tried to create!

After taking a look at the use flags tcpdump is built with by default, I see this:

lance ~ # grep tcpdump /usr/portage/profiles/use*desc
use.local.desc:net-analyzer/tcpdump:chroot - Enable chrooting when dropping privileges

So why do it this way? My theory goes something like this:

  1. Many applications that interact with raw network traffic have to run as root.
  2. Raw network traffic has a wide variety of valid and invalid values in the wild.
  3. Many exploits exist for those applications. (Wireshark, Ethereal, tcpdump, et al)
  4. Therefore, tcpdump grabs access to the network interface while root, jails itself into /var/lib/tcpdump, then drops root privileges and commences capturing.

As a result, when I specified ./blah or blah it worked fine. But /tmp/blah didn't because /var/lib/tcpdump/tmp doesn't exist.

A neat side feature of all this is: when using the suid flag to install tcpdump SetUID, you can grant users access with the tcpdump group without giving them sudo or root access. Possible uses include a capture box for your network engineers or researchers.

I just wish Gentoo/Funtoo would have had a message on installation that said all this.

tl;dr: Gentoo/Funtoo put your pcap files in /var/lib/tcpdump.


The syntax is correct: I just tried it (albeit on port 80) and it generated a pcap file in the current working directory, given the same options you're using.

Could it have something to do with your home directory, that you're trying to write to as root (because of the sudo)? Is it possible you're using NFS-mounted home directories with root-squashing? sudo touch ~akraut/pcaps/foo ?

Can you try writing out the pcap to /tmp/ or something?

Related

Can anyone monitor my ssh (scp) file transfers
Linux: how to send new lines in log files to remote syslog?
Bad idea to jump two versions in a server OS upgrade?
Retrieve internet proxy server address via PowerShell
Is it possible to synchronize contents of a directory only?
Reverse DNS Setup for an IP with multiple domains
Do not allow domain computers to communicate with each other
Tips for remote work?
Defragmenters useful for *nix?
Best way to create a vpn between two windows machines?
How to prevent normal users from shutting down the system?
Good book for building high performance web sites?