Re: tcpdump: file.pcap0: Permission denied

[Jerome Yanga <jerome.yanga () gmail com>]

No dice.  :(  The chmod did not change anything.

I started with and this worked.

tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1

As soon as I added the "-C", I got the same error.

tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap1 -C 4

jerome

On Mon, Feb 6, 2012 at 5:54 AM, Mark W. Jeanmougin
<mark.jeanmougin () cchmc org> wrote:
> On 02/03/2012 07:04 PM, Jerome Yanga wrote:
> > The permissions on the /data directory is ...
> > # ls -alh /data/
> > total 4.1M
> > drwxr-xr-x   2 root root 4.0K Feb  3 15:21 .
> > dr-xr-xr-x. 23 root root 4.0K Feb  3 06:49 ..
> > -rw-r--r--   1 root root 4.0M Feb  3 07:29 502_capture-seed.txt
>
>
> Try running 'chmod a+w /data/'. When I've done this, tcpdump drops root
> permissions before it starts writing.
>
> For example, on my Fedora boxes, all of my tcpdump captures are owned by
> tcpdump:tcpdump. So, you could also do something with that information.
>
> In my environment, any box that's setup doing the kind of packet capturing
> you're talking about is locked down so that the only people with access to
> that box also have root access to read the output files. So, blowing the
> permissions wide open isn't a big deal.
>
> > FYI, I am running the command as root.
> >
> > The first command does not work even without the shell expansion date
> > command.
> >
> > I created the seed file using the following command.
> >
> > dd if=/dev/zero of=/data/502_capture-seed.txt bs=$(( 1024 * 1024 ))
> > count=4
> >
> > All I am doing is trying to run tcpdump so that it will create another
> > file once it has reached 4MB (-C 4).  I also want it to be limited to
> > just 10 files(-W 10), to rotate to the next file every 5 minutes (-G
> > 300), and to be compressed everytime it creates a new file (-z bzip2).
>
>
> I'd start with something simple and work my way up. Start with this:
>
> tcpdump -i eth0 -s 0 -w /data/capture_rotate_1.pcap
>
> Then, add your other parameters one by one (see when things break) until you
> get back to your original:
>
>
> tcpdump -i eth0 -s 65535 -w /data/capture_rotate_`date +%Y_%m_%d`.pcap\
> -C 4 -W 10 -G 300 -z bzip2 -F /data/capture-seed.txt
>
> Hopefully, the permission change on the data directory will be all you need!
> My gut tells me that the "-F" option is going to throw you. I've never used
> it before, so I'm not sure...
>
> Finally, depending on your hardware, take a look at the pbzip2 package. It
> is a parallel implementation of bzip2. It scales pretty linearly on
> multicore x86_64 CPU's. I've been very happy with it. It's also pretty easy
> to shoot yourself in the foot by overdoing the CPU utilization.
>
> MJ
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.