Thread: tcpdump help

  1. #1

    tcpdump help

Ok, I've been dumping a lot of traffic with the command: tcpdump -i eth1 -s 1500 -X -vvv -w packetlog.

Now, when I try to read the capture into Ethereal (on Windows) it crashes the app and tells me the file is corrupt. Also, when I read the file back into tcpdump using tcpdump -i eth1 -s 1500 -X -vvv -r packetlog, it takes forever to read, pausing over certain packets for a very long time. Is this normal? Am I adding a CLI switch to tcpdump that I can do without?

Advice please for a tcpdump newbie.

  2. #2
thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area)
    Have you looked at this page?

    http://www.tcpdump.org/tcpdump_man.html

    You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Originally posted here by thehorse13
    Have you looked at this page?

    http://www.tcpdump.org/tcpdump_man.html

    You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.

    --TH13
    Thanks for the link. I did browse the good old man page from the cli. I guess you are probably right and I'll try being a little less verbose and see if that helps some.
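The "file is corrupt" complaint in the first post can be checked without Ethereal. A pcap savefile written by tcpdump -w is a 24-byte global header (magic, version 2.4, snaplen, link type) followed by one 16-byte record header per packet, each carrying at most snaplen bytes of packet data. The script below is an added example, not code from this thread or from tcpdump: it writes a small savefile from constructed packets and then walks one back, reporting the first place the record chain breaks (bad magic, a record claiming more than the snaplen, or data cut off mid-record, which is one common result of a tcpdump -w that was killed before its last buffer was flushed). Timestamps and packet bytes are made up.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic, as written by tcpdump
LINKTYPE_ETHERNET = 1            # DLT_EN10MB, what tcpdump reports as "link-type EN10MB"
GLOBAL_HDR_LE = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LE = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len (stored), orig_len (on the wire)


def write_pcap(packets, snaplen=1500, linktype=LINKTYPE_ETHERNET):
    """Build a little-endian pcap savefile in memory.

    packets is a list of (ts_sec, ts_usec, frame_bytes); frames longer than
    snaplen are truncated on write, exactly as tcpdump -s does.
    """
    out = bytearray(GLOBAL_HDR_LE.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in packets:
        stored = frame[:snaplen]
        out += RECORD_HDR_LE.pack(ts_sec, ts_usec, len(stored), len(frame))
        out += stored
    return bytes(out)


def check_pcap(blob):
    """Walk a pcap savefile and return (ok, packets_seen, message).

    Stops at the first structural problem, which is the kind of thing a
    reader like Ethereal or tcpdump -r trips over.
    """
    if len(blob) < GLOBAL_HDR_LE.size:
        return False, 0, "file shorter than the 24-byte global header"
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"                       # written on a little-endian host (x86)
    elif magic == 0xD4C3B2A1:
        endian = ">"                       # same magic, written big-endian
    else:
        return False, 0, "bad magic 0x%08x: not a pcap savefile" % magic
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    _, major, minor, _, _, snaplen, linktype = ghdr.unpack_from(blob, 0)
    if (major, minor) != (2, 4):
        return False, 0, "unexpected savefile version %d.%d" % (major, minor)

    off, count = ghdr.size, 0
    while off < len(blob):
        if off + rhdr.size > len(blob):
            return False, count, "truncated record header at offset %d" % off
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(blob, off)
        if incl_len > snaplen or incl_len > orig_len:
            return False, count, ("record %d: incl_len %d exceeds snaplen %d or orig_len %d"
                                  % (count, incl_len, snaplen, orig_len))
        if off + rhdr.size + incl_len > len(blob):
            present = len(blob) - off - rhdr.size
            return False, count, "record %d: only %d of %d data bytes present" % (count, present, incl_len)
        off += rhdr.size + incl_len
        count += 1
    return True, count, "ok: %d packets, snaplen %d, linktype %d" % (count, snaplen, linktype)


# Constructed sample: two made-up frames; the second is longer than the snaplen
# so it is stored truncated (incl_len 1500, orig_len 1600).
SAMPLE_PACKETS = [
    (1215000000, 204926, bytes(range(60))),
    (1215000000, 205640, b"\xaa" * 1600),
]

if __name__ == "__main__":
    blob = write_pcap(SAMPLE_PACKETS)
    print(check_pcap(blob))            # intact file
    print(check_pcap(blob[:-10]))      # last record cut off mid-write
    print(check_pcap(b"GARBAGE" + blob[7:]))   # not a pcap file at all
```

Run it against a real capture with check_pcap(open("packetlog", "rb").read()); if the intact-file branch reports ok but a reader still stalls on certain packets, the problem is in decoding the packets, not in the file layout.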

  4. #4
U George (Junior Member)

    tcpdump -v -nn -i eth1 port 25

This appears not to work on Red Hat Linux:
tcpdump -v -nn -i eth1 port 25

It just does not print (capture) anything for port 25. In another window, this:

    /usr/sbin/tcpdump -nn -i eth1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

    does print out port 25 connections:
12:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
    12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
    12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8

I don't understand what's wrong.

  5. #5
IKnowNot (Senior Member)
Well, first off, you did not specify what version of Red Hat you are using; it would be nice to know.

    My guess is it is a path problem.

    is /usr/sbin in your path?

    try
    echo $PATH
    to find out

My guess also is that you are not using the root account (GOOD!) to do this, but used some means to gain root access.
    if you used
    su
    to utilize root access, maybe try instead
    su -
to pick up root's paths as well?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
Just Another Geek (Rotterdam, Netherlands)
    Quote Originally Posted by U George
    /usr/sbin/tcpdump -nn -i eth1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

    does print out port 25 connections:
12:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
    12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
    12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
    12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8

I don't understand what's wrong.
    Err.. That's not port 25 traffic. You're looking at PPPoE traffic.
    http://en.wikipedia.org/wiki/Point-t..._over_Ethernet

    You need to capture the traffic on the PPPoE interface.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
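To make the PPPoE point concrete: on an Ethernet port that carries a PPPoE session, every frame's EtherType is 0x8864, and the IP packet sits behind a 6-byte PPPoE session header and a 2-byte PPP protocol field. The filter `port 25` on eth1 is compiled to look for IPv4 or IPv6 directly after the Ethernet header, so it matches none of those frames; capturing on the ppp interface (or, where your libpcap supports it, the `pppoes` primitive from pcap-filter(7), as in `pppoes and port 25`) is what sees them. The script below is an added example, not code from this thread or from tcpdump: it builds a constructed frame shaped like the posted SYN (91.124.204.37:2122 to 71.247.232.63:25, session 0xea20, the same MSS/NOP/NOP/SACK options) and decodes it twice, once like a filter that only recognises EtherType 0x0800 and once stepping through the PPPoE and PPP headers. MAC addresses and the IP ID are made up.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage, RFC 2516
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number for IPv4
DST_MAC = b"\x00\x11\x22\x33\x44\x55"   # made-up addresses
SRC_MAC = b"\x66\x77\x88\x99\xaa\xbb"


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src, dst, sport, dport, seq):
    """IPv4 header + TCP SYN carrying mss 1452, nop, nop, sackOK (as in the posted packet)."""
    opts = b"\x02\x04\x05\xac\x01\x01\x04\x02"
    data_offset = (5 + len(opts) // 4) << 4              # header length in 32-bit words, high nibble
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return ip + tcp


def plain_frame(ip_packet):
    """Ethernet frame carrying IPv4 directly: what `port 25` on eth1 expects to see."""
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def pppoe_frame(session_id, ip_packet):
    """Ethernet frame carrying the same IPv4 packet inside a PPPoE session: what eth1 actually sees."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    # ver=1, type=1 (0x11), code=0 (session data), session id, payload length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe


def decode(frame, unwrap_pppoe):
    """Return (src, dst, sport, dport) for a TCP-over-IPv4 frame, else None.

    unwrap_pppoe=False mimics a filter that only knows EtherType 0x0800 after
    the Ethernet header; unwrap_pppoe=True steps through PPPoE and PPP first.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_PPPOE_SESSION:
        if not unwrap_pppoe:
            return None                                  # the posted `port 25` filter stops here
        ver_type, code, session, length = struct.unpack("!BBHH", frame[off:off + 6])
        if ver_type != 0x11 or code != 0x00:
            return None                                  # discovery-stage or malformed PPPoE
        off += 6
        if struct.unpack("!H", frame[off:off + 2])[0] != PPP_PROTO_IPV4:
            return None                                  # e.g. LCP echo, as in the posted output
        off += 2
    elif ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if ip_checksum(frame[off:off + ihl]) != 0 or frame[off + 9] != 6:
        return None                                      # bad header checksum or not TCP
    src = str(IPv4Address(frame[off + 12:off + 16]))
    dst = str(IPv4Address(frame[off + 16:off + 20]))
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return src, dst, sport, dport


# Constructed sample modelled on the posted SYN; only the encapsulation differs between the two frames.
SYN = build_syn("91.124.204.37", "71.247.232.63", 2122, 25, 909181318)
PLAIN_FRAME = plain_frame(SYN)
SAMPLE_FRAME = pppoe_frame(0xEA20, SYN)

if __name__ == "__main__":
    print("plain Ethernet, naive decode:", decode(PLAIN_FRAME, unwrap_pppoe=False))
    print("PPPoE, naive decode:        ", decode(SAMPLE_FRAME, unwrap_pppoe=False))
    print("PPPoE, unwrapped decode:    ", decode(SAMPLE_FRAME, unwrap_pppoe=True))
```

The first two prints show the whole problem: the identical TCP SYN is found on the plain frame and missed on the PPPoE frame until the decoder knows to skip the 8 bytes of PPPoE and PPP headers, which is exactly what capturing on the ppp interface (where those headers are already gone) or a PPPoE-aware filter does for you.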
