
Thread: tcpdump help

  1. #1
    tolstoy, Member
    Join Date: Feb 2003
    Posts: 35

    tcpdump help

    Ok, I've been dumping a lot of traffic with the command: tcpdump -i eth1 -s 1500 -X -vvv -w packetlog.

    Now, when I try to read the capture into Ethereal (on Windows) it crashes the app and tells me the file is corrupt. Also, when I read the file back into tcpdump using tcpdump -i eth1 -s 1500 -X -vvv -r packetlog, it takes forever to read, pausing over certain packets for a very long time. Is this normal? Am I adding a CLI switch to tcpdump that I can do without?

    Advice please for a tcpdump newbie.
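An added example (editor's code, not from any poster in this thread) for the "file is corrupt" symptom above. tcpdump -w writes the raw packets in the libpcap file format regardless of -X or -v (those switches only affect what is printed), so a reader complaining about corruption usually means the file itself is short or has a bad record header. The checker below walks the classic pcap layout (24-byte global header, 16-byte per-record header, then incl_len bytes of packet) and reports where it stops trusting the file. The sample files at the bottom are constructed in the script; the second one is deliberately cut off mid-record.

```python
"""Minimal reader for the classic libpcap file format that tcpdump -w produces,
with the sanity checks a reader needs before trusting the file."""
import struct

MAGIC_USEC = 0xA1B2C3D4     # microsecond-resolution timestamps
MAGIC_NSEC = 0xA1B23C4D     # nanosecond-resolution timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def byte_order(magic_bytes):
    """Return the struct prefix ('<' or '>') under which the magic reads correctly."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", magic_bytes)[0] in (MAGIC_USEC, MAGIC_NSEC):
            return prefix
    raise ValueError("not a pcap file (magic %s)" % magic_bytes.hex())


def check_pcap(data):
    """Walk every record; return a summary plus the list of problems found.

    A record whose incl_len runs past end-of-file is the usual signature of a
    capture cut off mid-write; incl_len > snaplen or incl_len > orig_len means
    the record header itself is garbage."""
    result = {"packets": 0, "snaplen": None, "linktype": None, "problems": []}
    if len(data) < GLOBAL_HEADER_LEN:
        result["problems"].append("file shorter than the 24-byte global header")
        return result
    prefix = byte_order(data[:4])
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(prefix + "HHiIII", data[4:24])
    result.update(snaplen=snaplen, linktype=linktype)
    if (vmaj, vmin) != (2, 4):
        result["problems"].append("unexpected pcap version %d.%d" % (vmaj, vmin))
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if len(data) - off < RECORD_HEADER_LEN:
            result["problems"].append("trailing %d bytes: partial record header at offset %d"
                                      % (len(data) - off, off))
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(prefix + "IIII", data[off:off + 16])
        n = result["packets"] + 1
        if incl_len > snaplen:
            result["problems"].append("record %d: incl_len %d exceeds snaplen %d"
                                      % (n, incl_len, snaplen))
            break
        if incl_len > orig_len:
            result["problems"].append("record %d: incl_len %d exceeds orig_len %d"
                                      % (n, incl_len, orig_len))
            break
        if off + RECORD_HEADER_LEN + incl_len > len(data):
            result["problems"].append("record %d truncated: header promises %d bytes, %d remain"
                                      % (n, incl_len, len(data) - off - RECORD_HEADER_LEN))
            break
        result["packets"] = n
        off += RECORD_HEADER_LEN + incl_len
    return result


def build_pcap(frames, snaplen=1500, linktype=1, little_endian=True):
    """Serialise frames as a pcap blob (linktype 1 = Ethernet); used only to construct test input."""
    prefix = "<" if little_endian else ">"
    out = struct.pack(prefix + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]          # -s N truncates what is stored, orig_len keeps the wire size
        out += struct.pack(prefix + "IIII", 1000 + i, 0, len(captured), len(frame))
        out += captured
    return out


# Constructed sample: two dummy Ethernet-sized frames, then the same file cut
# short as if the capture had been interrupted in the middle of a record.
SAMPLE = build_pcap([b"\xaa" * 60, b"\xbb" * 1400])
TRUNCATED = SAMPLE[:-100]

if __name__ == "__main__":
    print(check_pcap(SAMPLE))
    print(check_pcap(TRUNCATED))
```

Running it on a real capture is `check_pcap(open("packetlog", "rb").read())`. Note that a file written with `-s 96` (the default "capture size 96 bytes" seen later in this thread) is not corrupt: every record simply has incl_len 96 and a larger orig_len, which the checker accepts. Reading a capture back with `tcpdump -n -r packetlog` also avoids the reverse-DNS lookups that make the display stall on individual packets.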

  2. #2
    thehorse13, Master-Jedi-Pimps0r & Moderator
    Join Date: Dec 2002
    Location: Washington D.C. area
    Posts: 2,883
    Have you looked at this page?

    http://www.tcpdump.org/tcpdump_man.html

    You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    tolstoy, Member
    Join Date: Feb 2003
    Posts: 35
    Originally posted here by thehorse13:
    Have you looked at this page?

    http://www.tcpdump.org/tcpdump_man.html

    You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.

    --TH13
    Thanks for the link. I did browse the good old man page from the cli. I guess you are probably right and I'll try being a little less verbose and see if that helps some.

  4. #4
    U George, Junior Member
    Join Date: Jul 2008
    Posts: 1

    tcpdump -v -nn -i eth1 port 25

    This appears not to work on Red Hat Linux:
    tcpdump -v -nn -i eth1 port 25

    It just does not print (capture) anything for port 25. In another window, this:

    /usr/sbin/tcpdump -nn -i eth1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

    does print out port 25 connections:
    12:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
    12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
    12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8
    I don't understand what's wrong.

  5. #5
    IKnowNot, Senior Member
    Join Date: Jan 2003
    Posts: 791
    Well, first off, you did not specify what version of RedHat you are using; it would be nice to know.

    My guess is it is a path problem.

    Is /usr/sbin in your path?

    Try
    echo $PATH
    to find out.

    My guess also is that you are not using the root account (GOOD!) to do this, but used some means to gain root access.
    If you used
    su
    to utilize root access, maybe try instead
    su -
    to utilize root's paths as well?
    "And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    SirDice, Just Another Geek
    Join Date: Jul 2002
    Location: Rotterdam, Netherlands
    Posts: 3,403
    Quote Originally Posted by U George:
    /usr/sbin/tcpdump -nn -i eth1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

    does print out port 25 connections:
    12:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
    12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
    12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8
    I don't understand what's wrong.
    Err.. That's not port 25 traffic. You're looking at PPPoE traffic.
    http://en.wikipedia.org/wiki/Point-t..._over_Ethernet

    You need to capture the traffic on the PPPoE interface.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
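An added example (editor's code, not from any poster) showing why the `port 25` filter in post #4 matched nothing while the unfiltered capture clearly showed SMTP SYNs. On eth1 those frames carry Ethertype 0x8864 (PPPoE session) rather than 0x0800 (IP), and a plain `port 25` BPF program only inspects frames it recognises as IP. The decoder below peels Ethernet, then PPPoE and PPP, then IPv4/TCP, and `bpf_port_matches` models the two filter behaviours: plain `port 25` versus `pppoes and port 25`, the pcap-filter primitive that tells libpcap to skip the PPPoE/PPP headers first (capturing on the ppp interface, as SirDice suggests, is the other fix). The frames are constructed here to match the lines quoted above (session 0xea20, 91.124.204.37:2122 > 71.247.232.63:25, seq 909181318, mss 1452,nop,nop,sackOK); MAC addresses and the LCP payload bytes are made up, and the TCP checksum is left zero because nothing is transmitted.

```python
"""Decode an Ethernet frame that may carry PPPoE-encapsulated IP, and model
why a BPF filter of 'port 25' on eth1 does not match such frames."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session-stage (data) frames
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_LCP = 0xC021
IPPROTO_TCP = 6
CONSTRUCTED_MACS = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # made up


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq):
    """IPv4 + TCP SYN with the options seen in the post: mss 1452,nop,nop,sackOK."""
    opts = b"\x02\x04\x05\xac" + b"\x01\x01" + b"\x04\x02"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0) + opts
    # TCP checksum left as 0: the frame is only decoded here, never sent.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def pppoe_frame(session_id, ppp_proto, ppp_payload):
    """Wrap a PPP payload in PPPoE session + Ethernet headers (ver/type 0x11, code 0x00)."""
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return CONSTRUCTED_MACS + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe + ppp


def plain_ip_frame(ip_packet):
    """The same packet as it would look on a plain Ethernet (or the ppp0 view of it)."""
    return CONSTRUCTED_MACS + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def decode_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else None
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": proto, "ports": ports}


def decode_frame(frame):
    """Peel Ethernet, then (if present) PPPoE + PPP, then IPv4."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "pppoe_session": None, "ppp_proto": None, "ip": None}
    if ethertype == ETHERTYPE_IPV4:
        info["ip"] = decode_ipv4(frame[14:])
    elif ethertype == ETHERTYPE_PPPOE_SESSION:
        _vt, _code, session, length = struct.unpack("!BBHH", frame[14:20])
        info["pppoe_session"] = session
        info["ppp_proto"] = struct.unpack("!H", frame[20:22])[0]
        if info["ppp_proto"] == PPP_PROTO_IPV4:      # LCP etc. carry no IP
            info["ip"] = decode_ipv4(frame[22:20 + length])
    return info


def bpf_port_matches(frame, port, pppoes=False):
    """Model 'port N' (pppoes=False) versus 'pppoes and port N' on an Ethernet capture.

    Plain 'port N' only looks inside frames whose Ethertype is IP; with the
    pppoes primitive libpcap skips the PPPoE/PPP headers before the IP check."""
    info = decode_frame(frame)
    if info["ethertype"] == ETHERTYPE_PPPOE_SESSION and not pppoes:
        return False
    ip = info["ip"]
    return bool(ip and ip["ports"] and port in ip["ports"])


# Constructed frames modelled on the lines quoted in the posts above.
SMTP_SYN = pppoe_frame(0xEA20, PPP_PROTO_IPV4,
                       build_tcp_syn("91.124.204.37", "71.247.232.63", 2122, 25, 909181318))
LCP_ECHO = pppoe_frame(0xEA20, PPP_PROTO_LCP,
                       struct.pack("!BBHI", 0x09, 11, 12, 0x90013B4F) + b"\x00" * 4)
UNENCAPSULATED = plain_ip_frame(
    build_tcp_syn("91.124.204.37", "71.247.232.63", 2122, 25, 909181318))

if __name__ == "__main__":
    for name, frame in [("SMTP_SYN", SMTP_SYN), ("LCP_ECHO", LCP_ECHO),
                        ("UNENCAPSULATED", UNENCAPSULATED)]:
        print(name, decode_frame(frame),
              "| port 25:", bpf_port_matches(frame, 25),
              "| pppoes and port 25:", bpf_port_matches(frame, 25, pppoes=True))
```

The PPPoE length field of the constructed SYN comes out as 50 (2 bytes of PPP protocol plus 48 bytes of IP+TCP), the same "length 50" tcpdump printed in the post. On the box in question the equivalent tcpdump invocations are `tcpdump -nn -i eth1 'pppoes and port 25'` or, simpler, `tcpdump -nn -i ppp0 port 25`.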
