Why won't tcpdump write a pcap file?
You might want to check out the behaviour of tcpdump with strace, to see if it's doing anything odd like chrooting, if it's in gentoo or another distribution that might suid the binaries.
Ok, I have solved the mystery. Follow along with me as we unravel Funtoo's TCPDump and the Mystery of the Missing pcap File.
I used strace to see what's going on and the relevant lines are:
chroot("/var/lib/tcpdump") = 0
chdir("/") = 0
--- SNIP ---
open("/tmp/lol.wat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
So...
lance ~ # ls /var/lib/tcpdump/
blah blah.cap irc.cap pyhole
Hey look! All the cap files I tried to create!
After taking a look at the use flags tcpdump is built with by default, I see this:
lance ~ # grep tcpdump /usr/portage/profiles/use*desc
use.local.desc:net-analyzer/tcpdump:chroot - Enable chrooting when dropping privileges
So why do it this way? My theory goes something like this:
- Many applications that interact with raw network traffic have to run as root.
- Raw network traffic has a wide variety of valid and invalid values in the wild.
- Many exploits exist for those applications. (Wireshark, Ethereal, tcpdump, et al)
- Therefore, tcpdump grabs access to the network interface while root, jails itself into
/var/lib/tcpdump
, then drops root privileges and commences capturing.
As a result, when I specified ./blah
or blah
it worked fine. But /tmp/blah
didn't because /var/lib/tcpdump/tmp
doesn't exist.
A neat side feature of all this is: when using the suid flag to install tcpdump SetUID, you can grant users access with the tcpdump
group without giving them sudo or root access. Possible uses include a capture box for your network engineers or researchers.
I just wish Gentoo/Funtoo would have had a message on installation that said all this.
tl;dr: Gentoo/Funtoo put your pcap files in /var/lib/tcpdump
.
The syntax is correct: I just tried it (albeit on port 80) and it generated a pcap file in the current working directory, given the same options you're using.
Could it have something to do with your home directory, that you're trying to write to as root (because of the sudo)? Is it possible you're using NFS-mounted home directories with root-squashing? sudo touch ~akraut/pcaps/foo
?
Can you try writing out the pcap to /tmp/ or something?