Ok, so I think I managed to find a "workaround". You won't be able to get the filename using NFSv3, but you will be able to get the inode.

Using Wireshark, go to Edit -> Preferences -> Protocols -> NFS, check all boxes and set "Decode nfs handles as: KNFSD_LE". Save it. Now capture and filter by NFS protocol.

Search for the packet GETATTR Reply (Call in #) Regular file mode: ???. Open this packet and expand the following:

Network File System -> obj_attributes

Check the value fileid; this will be the inode number of the file. On the server, go to the NFS share and run:

find . -inum inode

With NFSv4 you see a call with the filename directly.
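The last step of the answer above (fileid -> find -inum) done as a small script, added here as an example rather than taken from the answer. The inode-to-path resolver runs anywhere; the capture-side helper assumes tshark is installed and assumes the Wireshark field names nfs.procedure_v3, rpc.msgtyp and nfs.fattr3.fileid (the fileid under obj_attributes), so treat those as assumptions to check against your Wireshark version.

```shell
#!/bin/sh
# Added example (not from the original answer): map NFSv3 fileid values,
# which are inode numbers on the server, back to paths on the export.

# fileids_from_capture <capture.pcap>
# Prints the fileid carried in every NFSv3 GETATTR reply, one per line.
# Field names are assumptions: nfs.procedure_v3 == 1 is GETATTR,
# rpc.msgtyp == 1 selects replies, nfs.fattr3.fileid is the inode.
fileids_from_capture() {
    tshark -r "$1" -Y 'nfs.procedure_v3 == 1 && rpc.msgtyp == 1' \
        -T fields -e nfs.fattr3.fileid | sort -u
}

# resolve_inodes <share_dir>
# Reads inode numbers on stdin (one per line) and prints "inode<TAB>path"
# for every file under <share_dir> with that inode. Hard links give one
# line per path; an inode with no match prints "inode<TAB>(not found)".
resolve_inodes() {
    share=$1
    while IFS= read -r ino; do
        # skip blank lines and anything that is not a positive integer
        case "$ino" in
            ''|*[!0-9]*) continue ;;
        esac
        # -xdev keeps find on the exported filesystem: inode numbers are
        # only unique within a single filesystem.
        matches=$(find "$share" -xdev -inum "$ino" 2>/dev/null)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | while IFS= read -r p; do
                printf '%s\t%s\n' "$ino" "$p"
            done
        else
            printf '%s\t(not found)\n' "$ino"
        fi
    done
}

# Usage on the NFS server, with a capture taken as described above:
#   fileids_from_capture /tmp/nfs.pcap | resolve_inodes /srv/export
# or with inode numbers read off the Wireshark fileid field by hand:
#   printf '131073\n' | resolve_inodes /srv/export
```

Run the resolver on the server that hosts the export (or on a host where the export is mounted with the same inode numbering), since the fileid is meaningful only for that filesystem; an inode that resolves to "(not found)" usually means the file has since been deleted or lives on a different filesystem than the one you searched.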
The tee command writes data to the output file as it receives it, but scp copies the file immediately and only copies it once. Since every command in the pipeline runs simultaneously (or nearly so), you only get a few (or no) packets output to the capture.txt file before the file gets copied by scp.

There are a couple of ways to do what you seem to want to do.

If you want to copy a few packets from tcpdump, and then transfer the file to the remote host after it finishes, you can use the -c option to terminate tcpdump after it captures that number of packets. Separate your scp command from the pipeline using a semicolon so it gets executed after the tcpdump and tee commands complete:

tcpdump -l -c 10 | tee /tmp/capture.txt; scp /tmp/capture.txt root@remotehost:/tmp

Or, if you want to see packets in real time and also copy them in real time, you could use tee to output the packets to /dev/tty so you can see them, and then pipe them into an ssh command that writes them to a file on the remote host:

tcpdump -l | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"

Note that without the -c option here, tcpdump will run until you kill it.

If you wanted the packets stored in a local capture.txt file as well as the remote one, you could use multiple tee commands:

tcpdump -l | tee /tmp/capture.txt | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"
Best Answer
The closest two solutions I can find for this are these:

1. Postprocess to remove the decoding. This isn't perfect, as the formats are a little different.

2. Write to a data file and use tshark to interpret it (possibly on another machine). Here, since we're using tshark to process the capture file, the output will be exactly as you want. You can do "nasty" things like running tshark remotely if necessary:
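Putting the two answers above together (the tee/ssh pipeline from the tcpdump answer and "write to a data file and use tshark to interpret it" from this one): the following is an added example, not code from either answer. It streams raw pcap bytes instead of decoded text, so the local copy tee keeps and the remote copy ssh writes are both files tshark can read. The interface, counts, paths and the user@host target are placeholders you supply; pcap_kind only inspects the first four bytes of a file and needs nothing but od.

```shell
#!/bin/sh
# Added example (not from the answers above): capture a bounded number of
# packets as raw pcap, keep a local copy with tee, and stream the same
# bytes to a remote host over ssh where tshark can decode them.

# pcap_kind <file>
# Prints "pcap", "pcapng" or "unknown" based on the file's magic bytes, so
# you can confirm that what tee and ssh wrote is a real capture before
# handing it to tshark. Both byte orders and the nanosecond variants of the
# classic pcap magic are recognised; pcapng files start with a Section
# Header Block whose type is 0x0a0d0d0a.
pcap_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) echo pcap ;;
        0a0d0d0a) echo pcapng ;;
        *) echo unknown ;;
    esac
}

# capture_and_ship <iface> <count> <local.pcap> <user@host> <remote.pcap>
# -w - writes binary pcap to stdout; -U flushes after every packet, which
# matters because tee and ssh can only forward what tcpdump has emitted.
# -c bounds the capture so the pipeline terminates on its own.
capture_and_ship() {
    iface=$1; count=$2; local_file=$3; remote=$4; remote_file=$5
    tcpdump -i "$iface" -c "$count" -U -w - \
        | tee "$local_file" \
        | ssh "$remote" "cat > '$remote_file'"
    # Sanity-check the local copy; the remote copy is the same byte stream.
    kind=$(pcap_kind "$local_file")
    echo "local copy is: $kind"
    [ "$kind" != unknown ]
}

# Usage (placeholders):
#   capture_and_ship eth0 100 /tmp/capture.pcap root@remotehost /tmp/capture.pcap
# Then decode on either side:
#   tshark -r /tmp/capture.pcap
```

Keeping the capture binary rather than piping tcpdump's text output means the remote side is not stuck with a half-decoded format it has to post-process; tshark -r on either copy gives identical decoding, and the magic check catches the common failure where a broken pipeline leaves an empty or text-only file behind.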