TCPDump On an External Hard Drive
Introduction
I'm using tcpdump to store packets and thought that it might be a good idea to put it on an external drive. It turned out to be a little more complicated than I thought it would be so here are my notes.
Setting Up The Drive
The first thing I wanted to do was format the drive. First I needed to get the name.
sudo lshw -C disk
That gave me this:
*-disk
description: SCSI Disk
product: Elements 25A1
vendor: WD
physical id: 0.0.0
bus info: scsi@1:0.0.0
logical name: /dev/sda
version: 1014
serial: WX71D186F83C
size: 3725GiB (4TB)
capabilities: gpt-1.00 partitioned partitioned:gpt
configuration: ansiversion=6 guid=7ff8067e-6905-4746-a8ec-f3a1f90f99d0 logicalsectorsize=512 sectorsize=4096
So it's named /dev/sda. Now let's see if it's mounted.
lsblk -f
NAME        FSTYPE LABEL    UUID                                 MOUNTPOINT
sda
└─sda1      ntfs   Elements A4F2DF7DF2DF5262
mmcblk0
├─mmcblk0p1 vfat   PI_BOOT  EAD0-90DA                            /boot
└─mmcblk0p2 ext4   PI_ROOT  9d97a4df-a4eb-4b09-92b6-bb1ccfade0ee /
So you can see that there is a partition named sda1, it's formatted using ntfs, and it isn't mounted. Since I'm running it on Linux I'll reformat the drive using ext4. I'm also going to give it the label westerndigital.
sudo mkfs -t ext4 -L westerndigital /dev/sda1
mke2fs 1.42.13 (17-May-2015)
/dev/sda1 contains a ntfs file system labelled 'Elements'
Proceed anyway? (y,n) y
Apparently Western Digital named the partition Elements. I entered y and continued.
Creating filesystem with 976745728 4k blocks and 244187136 inodes
Filesystem UUID: 00fb2543-edc3-4f84-874b-fc36c485f362
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544
So, checking it again:
lsblk -f
NAME        FSTYPE LABEL          UUID                                 MOUNTPOINT
sda
└─sda1      ext4   westerndigital cd10dc9f-7420-4b85-87ff-b8dfbf57f031
mmcblk0
├─mmcblk0p1 vfat   PI_BOOT        EAD0-90DA                            /boot
└─mmcblk0p2 ext4   PI_ROOT        9d97a4df-a4eb-4b09-92b6-bb1ccfade0ee /
This shows that it's now ext4 and it has the label westerndigital. According to this page the Hardware Abstraction Layer (HAL) will auto-mount drives that have labels, although I haven't tested this yet.
Mounting It
First make a directory for it.
sudo mkdir /media/westerndigital
Then mount it.
sudo mount /dev/sda1 /media/westerndigital/
Now we can check on it.
lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0  3.7T  0 disk
└─sda1        8:1    0  3.7T  0 part /media/westerndigital
mmcblk0     179:0    0 29.8G  0 disk
├─mmcblk0p1 179:1    0   63M  0 part /boot
└─mmcblk0p2 179:2    0 29.8G  0 part /
So we can see that it's mounted at /media/westerndigital/.
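The format-and-mount steps above, put together as one guarded script. This is an added example, not part of the original notes: it parses the key="value" pairs output of lsblk (lsblk -f -P) rather than the plain table, because empty columns then stay unambiguous, refuses to run mkfs on a partition that is mounted or that does not still carry the label we expect to be wiping (so the Pi's own PI_ROOT cannot be formatted by a typo), and after mounting by label it verifies that lsblk reports the requested mount point. The partition name sda1, the old label Elements, the new label westerndigital and the mount point /media/westerndigital are assumptions taken from the notes; the sample lsblk output is constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the original notes: guarded format-and-mount.
# Assumed from the notes: partition sda1, old label Elements, new label
# westerndigital, mount point /media/westerndigital.

# Constructed sample of `lsblk -f -P` output, built from the values in the notes.
SAMPLE_LSBLK='NAME="sda" FSTYPE="" LABEL="" UUID="" MOUNTPOINT=""
NAME="sda1" FSTYPE="ntfs" LABEL="Elements" UUID="A4F2DF7DF2DF5262" MOUNTPOINT=""
NAME="mmcblk0" FSTYPE="" LABEL="" UUID="" MOUNTPOINT=""
NAME="mmcblk0p1" FSTYPE="vfat" LABEL="PI_BOOT" UUID="EAD0-90DA" MOUNTPOINT="/boot"
NAME="mmcblk0p2" FSTYPE="ext4" LABEL="PI_ROOT" UUID="9d97a4df-a4eb-4b09-92b6-bb1ccfade0ee" MOUNTPOINT="/"'

# lsblk_field <pairs output> <device name> <COLUMN>
# Prints COLUMN for the line whose NAME matches <device name>. Values that
# contain spaces are not handled; the labels and mount points here have none.
lsblk_field() {
    printf '%s\n' "$1" | awk -v dev="$2" -v col="$3" '
        {
            split("", f)                       # clear the per-line map
            for (i = 1; i <= NF; i++) {
                eq  = index($i, "=")
                key = substr($i, 1, eq - 1)
                val = substr($i, eq + 1)
                gsub(/"/, "", val)             # strip the surrounding quotes
                f[key] = val
            }
            if (f["NAME"] == dev) print f[col]
        }'
}

mountpoint_of() { lsblk_field "$1" "$2" MOUNTPOINT; }
label_of()      { lsblk_field "$1" "$2" LABEL; }
fstype_of()     { lsblk_field "$1" "$2" FSTYPE; }

# check_safe_to_format <pairs output> <partition> <label we expect to wipe>
# Succeeds only if the partition is not mounted and still carries the
# expected label, i.e. we are about to wipe the disk we think we are.
check_safe_to_format() {
    mp=$(mountpoint_of "$1" "$2")
    if [ -n "$mp" ]; then
        echo "refusing to format /dev/$2: it is mounted at $mp" >&2
        return 1
    fi
    have=$(label_of "$1" "$2")
    if [ "$have" != "$3" ]; then
        echo "refusing to format /dev/$2: label is '$have', expected '$3'" >&2
        return 1
    fi
    return 0
}

# prepare_capture_drive <partition> <old label> <new label> <mount point>
# Needs root (run the script with sudo); each command is echoed before it runs.
prepare_capture_drive() {
    part=$1; old=$2; new=$3; mnt=$4
    check_safe_to_format "$(lsblk -f -P)" "$part" "$old" || return 1
    set -x
    mkfs -t ext4 -L "$new" "/dev/$part"
    mkdir -p "$mnt"
    mount -L "$new" "$mnt"        # mount by label, so a changed /dev name still works
    set +x
    # Verify: lsblk must now report our mount point for the partition.
    [ "$(mountpoint_of "$(lsblk -f -P)" "$part")" = "$mnt" ]
}

# Usage (as root): sh setup_drive.sh format
if [ "${1:-}" = "format" ]; then
    prepare_capture_drive sda1 Elements westerndigital /media/westerndigital
fi
```

The label check is the part worth keeping even if you type the commands by hand: mke2fs already refuses to touch a mounted filesystem, but it will happily wipe an unmounted partition whose name you mistyped, and on a Pi with a USB disk the device names can change between boots.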
Running tcpdump with Rotating Files
First I needed to put the wireless interface into monitor mode.
iwconfig wlx00c0ca967afb mode monitor
Then I ran tcpdump.
sudo tcpdump -n -w /media/westerndigital//channel_6.pcap -C 1000 -W 10 --snapshot-length 0 --interface wlx00c0ca967afb -z gzip --relinquish-privileges erysichthon
Which gave me this:
tcpdump: /media/westerndigital//channel_6.pcap0: Permission denied
On my desktop the solution was in the comments of this StackOverflow post.
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump
But on my raspberry pi this raised an error.
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
The solution was in the same post. I just made the permissions wide open.
sudo chmod 777 /media/westerndigital
This is probably a security risk, but it works.
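A least-privilege alternative to the chmod 777, as an added example that is not part of the original notes. The reason the capture failed is that --relinquish-privileges (-Z) makes tcpdump switch to the named user before it opens the first savefile, and the freshly formatted ext4 root directory is owned by root with mode 755, so the dropped user cannot create channel_6.pcap0 there. Only that one user needs write access, and the -z gzip post-rotate command runs as that user as well, so handing the directory to the capture user with mode 700 is enough. The directory /media/westerndigital, the user erysichthon, the interface wlx00c0ca967afb and the tcpdump options are the ones from the notes; the script file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: give the capture directory to
# the user tcpdump drops to, instead of opening it to everyone with 777.
# Values below are the ones used in the notes.

CAPTURE_DIR=/media/westerndigital
CAPTURE_USER=erysichthon
IFACE=wlx00c0ca967afb

# owner_of <path>: user name (numeric uid if unmapped) that owns <path>.
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# is_world_writable <path>: succeeds if "other" has write permission,
# i.e. the 9th character of the ls -l mode string is "w".
is_world_writable() { [ "$(ls -ld "$1" | cut -c9)" = "w" ]; }

# secure_capture_dir <dir> <user>: hand the directory to the capture user
# with mode 700, so only that user (and root) can write or read captures.
secure_capture_dir() {
    mkdir -p "$1"
    chown "$2" "$1"
    chmod 700 "$1"
}

# check_capture_dir <dir> <user>: refuse to capture into a directory that is
# not owned by the capture user or that every local account can write to.
check_capture_dir() {
    if [ "$(owner_of "$1")" != "$2" ]; then
        echo "$1 is owned by $(owner_of "$1"), not $2; run setup first" >&2
        return 1
    fi
    if is_world_writable "$1"; then
        echo "$1 is world-writable; run setup to tighten it" >&2
        return 1
    fi
    return 0
}

# start_capture: the tcpdump command from the notes, run only after the
# directory passes check_capture_dir. Root is needed to open the interface;
# tcpdump drops to CAPTURE_USER before it writes the first savefile.
start_capture() {
    check_capture_dir "$CAPTURE_DIR" "$CAPTURE_USER" || return 1
    sudo tcpdump -n --interface "$IFACE" -w "$CAPTURE_DIR/channel_6.pcap" \
        -C 1000 -W 10 --snapshot-length 0 -z gzip \
        --relinquish-privileges "$CAPTURE_USER"
}

case "${1:-}" in
    setup) secure_capture_dir "$CAPTURE_DIR" "$CAPTURE_USER" ;;   # sudo sh capture.sh setup
    start) start_capture ;;                                        # sh capture.sh start
esac
```

Run sudo sh capture.sh setup once after mounting the drive, then sh capture.sh start for each capture. The difference from 777 is who else can touch the directory: with the wide-open mode any local account or compromised service on the Pi can fill the disk, delete or overwrite the pcaps, or read the captured traffic; with 700 owned by the capture user, only that user and root can.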