Overview:
You need root (superuser) rights to run tcpdump, and you run it specifying which interface to sniff. The following will sniff traffic from interface hme1 and cat it to the display:

    > sudo -s
    # /usr/local/sbin/tcpdump -i hme1

That is fine for the most basic needs, but there are many other flags you can use to get just the right information out of the sniffer. For the details, check the man page. I have a couple of special ones that I will point out below, because I use them a lot.

I should point out that I like to save the data to disk and then view it later, rather than have it quickly scroll off the screen. The -w flag specifies which file to save the dump as. Also, tcpdump will by default only grab part of each packet to save space; the -s flag specifies how many bytes of each packet to save. Since Ethernet packets can only be a max of 1500 bytes (not including tagging), saving 2000 bytes should be enough.

Examples:

Dumping to a file:
To get the host to dump all data (don't drop any data):

    /usr/local/sbin/tcpdump -i hme1 -s 2000 -w dump

Where
    /usr/local/sbin/tcpdump -i hme1 -s 2000 -w dump host 10.11.128.20

Where

    /usr/local/sbin/tcpdump -i hme1 -s 2000 -w dump host 10.11.128.20 and 172.22.1.129

Where

    /usr/local/sbin/tcpdump -i hme1 -s 2000 -w dump host 10.11.128.20 and 172.22.1.129 and icmp

Where

    tcpdump -l -i fxp1 -w - | gzip > /tmp/bar.gz

Where
Catting to the Console:
View the interfaces that you can sniff:

    [root@web01 ~]# tcpdump -D
    1.eth0
    2.bond0
    3.eth1
    4.any (Pseudo-device that captures on all interfaces)
    5.lo

Only capture the first 10 packets (-c 10), show it in human-readable format (-A), and only show traffic over port 443 (port 443):

    tcpdump -Ac 10 port 443

Line-buffer the output (-l), don't resolve DNS names (-N), stop after 50 packets (-c 50), don't collect traffic from host 10.120.81.17 (not host 10.120.81.17) and (and) don't collect ssh traffic (not port 22). Also, only collect from the bond0 interface (-i bond0):

    tcpdump -lNc 50 not host 10.120.81.17 and not port 22 -i bond0

Grabbing multiple hosts and ports:
You can capture multiple hosts, and you can write the filter over multiple lines for clarity, with the following:

    /usr/sbin/tcpdump -i eth2 \
        host 10.120.128.252 or host 10.120.128.253 or \
        host 10.55.128.252 or host 10.55.128.253 or \
        host 212.111.45.154 or \
        host 199.233.203.69 \
        -s 0 -w border_net.pcap

Examples:
Only show numbers in flows (don't decode hostnames or port names):
    sudo /usr/sbin/tcpdump -p -nnq
    16:58:19.989187 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989268 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989349 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989429 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989510 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989591 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989672 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
    16:58:19.989763 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48

Log Rotation:
You can run tcpdump continuously and have it create files of a specific size. You can also define how many files are kept on the server at a time before they are written over.

Save files of 100MB:

    tcpdump -s 0 -C 100 -w dump.pcap

Save only 10 100MB files, and FIFO out the rest:

    tcpdump -s 0 -C 100 -W 10 -w dump.pcap

This produces dump.pcap1 .... dump.pcap10. Once "10" is written to, tcpdump will clear dump.pcap1 and write to it.

Running the dump in the background, with all output logged to the file "nohup.out":

    nohup tcpdump -s 0 -C 100 -W 10 -w dump.pcap &

Tracking Interfaces:
What switch port is your sniffer plugged into? If you're remote to the sniffer, this can sometimes be tricky to figure out. One easy method is to shut the interface on the switch and then check whether the link went down on the server. To check link status on the server, cat the contents of the carrier file. If the value is 1, the interface has link; if it's 0, the interface has no link.

    [sniff01 ~]$ sudo cat /sys/class/net/eth2/carrier
    0
    [sniff01 ~]$ sudo cat /sys/class/net/eth2/carrier
    1
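The -nnq output shown in the Examples section above is easiest to work with once it is rolled up per flow. The following is an added shell example (not from the original page) that summarises packets and bytes per unidirectional flow with awk; the sample lines are constructed after the page's output, with an extra reverse-direction line, a UDP line and an IPv6 line assumed to follow tcpdump's quick format.

```shell
#!/bin/sh
# Added example: summarise `tcpdump -nnq` output per flow (packets and bytes).
# Assumes the quick (-q) summary format shown on the page:
#   HH:MM:SS.usec IP src.port > dst.port: tcp N
# and, for UDP, the form "...: UDP, length N"; in both cases the byte count
# is the last field, so $NF is used for the totals.

# Constructed sample capture, modelled on the page's output (not real traffic).
SAMPLE='16:58:19.989187 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
16:58:19.989268 IP 10.50.176.32.22 > 10.50.34.129.11922: tcp 48
16:58:20.000001 IP 10.50.34.129.11922 > 10.50.176.32.22: tcp 0
16:58:20.100000 IP 10.50.176.32.53 > 10.50.34.129.5353: UDP, length 70
16:58:21.000000 IP6 fe80::1 > ff02::1: ICMP6, echo request, length 8'

# flow_summary: read -nnq lines on stdin, print "src > dst packets bytes",
# one line per unidirectional IPv4 flow, sorted for stable output.
# Lines that are not IPv4 summaries with a numeric trailer (IP6, ARP, ...)
# are skipped rather than miscounted.
flow_summary() {
  awk '$2 == "IP" && $4 == ">" && $NF ~ /^[0-9]+$/ {
         src = $3; dst = $5; sub(/:$/, "", dst)
         key = src " > " dst
         pkts[key]++; bytes[key] += $NF
       }
       END { for (k in pkts) printf "%s %d %d\n", k, pkts[k], bytes[k] }' \
  | LC_ALL=C sort
}

# noisy_flows: print flows with more than $1 packets, a cheap first cut
# when looking for a chatty host in a long capture.
noisy_flows() {
  flow_summary | awk -v min="$1" '$(NF-1) > min'
}

printf '%s\n' "$SAMPLE" | flow_summary
printf '%s\n' "$SAMPLE" | noisy_flows 1
```

Pipe a live `tcpdump -nnq` or a `tcpdump -nnq -r dump.pcap` run into flow_summary instead of the sample to use it on a real capture.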