-
July 24th, 2003, 05:02 PM
#1
Member
tcpdump help
Ok, I've been dumping a lot of traffic with the command: tcpdump -i eth1 -s 1500 -X -vvv -w packetlog.
Now, when I try to read the capture into Ethereal (on Windows) it crashes the app and tells me the file is corrupt. Also, when I read the file back into tcpdump using tcpdump -i eth1 -s 1500 -X -vvv -r packetlog, it takes forever to read, pausing over certain packets for a very long time. Is this normal? Am I adding a CLI switch to tcpdump that I can do without?
Advice please for a tcpdump newbie.
-
July 24th, 2003, 05:25 PM
#2
Have you looked at this page?
http://www.tcpdump.org/tcpdump_man.html
You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 24th, 2003, 05:55 PM
#3
Member
Originally posted here by thehorse13
Have you looked at this page?
http://www.tcpdump.org/tcpdump_man.html
You can craft a granular dump and then view it. My guess is that you are dumping too much crap with the -vvv switch. Try -v or -vv and see if that helps.
--TH13
Thanks for the link. I did browse the good old man page from the cli. I guess you are probably right and I'll try being a little less verbose and see if that helps some.
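A check worth running before blaming the viewer when a capture file is reported as corrupt: validate the pcap global header and walk the record headers until the file stops being consistent. The most common finding is a last record whose data is shorter than its incl_len, which is what a capture that was still being written or copied incomplete looks like. Two related facts: -X and -vvv only change what tcpdump prints, so with -w the file holds raw packets either way, and pauses on individual packets while reading back with -r usually come from reverse DNS lookups, which -n turns off. The script below is an added example, not code from anyone in this thread; it builds its own sample pcap image inline (constructed dummy frames, LINKTYPE_ETHERNET) so it runs offline, and the same check_pcap() works on a real file read with open(path, "rb").read().

```python
import struct

# pcap magic numbers as they appear when the first four bytes are read little-endian.
# A writer on a little-endian host emits d4 c3 b2 a1 (0xA1B2C3D4 when read "<I");
# a big-endian writer emits a1 b2 c3 d4, which reads as 0xD4C3B2A1.
_MAGIC_LE = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}
_MAGIC_BE = {0xD4C3B2A1: "us", 0x4D3CB2A1: "ns"}

GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def check_pcap(data: bytes) -> dict:
    """Validate a pcap file image and report where it stops being consistent.

    Returns a summary dict; 'issues' is empty for a clean file. A final record
    whose data is cut short shows up as a 'data truncated' issue.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in _MAGIC_LE:
        endian, ts_unit = "<", _MAGIC_LE[magic]
    elif magic in _MAGIC_BE:
        endian, ts_unit = ">", _MAGIC_BE[magic]
    else:
        raise ValueError(f"bad magic 0x{magic:08x}: not a pcap file")
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN]
    )

    issues = []
    if (vmaj, vmin) != (2, 4):
        issues.append(f"unexpected pcap version {vmaj}.{vmin}")

    records = 0
    off = GLOBAL_HDR_LEN
    while off < len(data):
        remaining = len(data) - off
        if remaining < RECORD_HDR_LEN:
            issues.append(f"record {records}: header truncated ({remaining} of {RECORD_HDR_LEN} bytes)")
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if incl_len > snaplen:
            issues.append(f"record {records}: incl_len {incl_len} exceeds snaplen {snaplen}")
        if incl_len > orig_len:
            issues.append(f"record {records}: incl_len {incl_len} exceeds orig_len {orig_len}")
        if remaining - RECORD_HDR_LEN < incl_len:
            issues.append(f"record {records}: data truncated ({remaining - RECORD_HDR_LEN} of {incl_len} bytes)")
            break
        off += RECORD_HDR_LEN + incl_len
        records += 1

    return {
        "byte_order": "little" if endian == "<" else "big",
        "timestamps": ts_unit,
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "records": records,
        "issues": issues,
    }


def build_sample_pcap(frames, snaplen=1500, endian="<", truncate=0) -> bytes:
    """Constructed pcap image: LINKTYPE_ETHERNET (1), one record per frame.

    truncate=N drops the last N bytes to imitate an incomplete write.
    """
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    body = b"".join(
        struct.pack(endian + "IIII", 1059062400 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames)
    )
    data = hdr + body
    return data[: len(data) - truncate] if truncate else data


if __name__ == "__main__":
    frames = [b"\xaa" * 60, b"\xbb" * 42]  # constructed dummy Ethernet frames
    print(check_pcap(build_sample_pcap(frames)))
    print(check_pcap(build_sample_pcap(frames, truncate=10)))
```

The walk stops at the first record it cannot fully read, so the reported record count tells you how much of the file is safely usable; a viewer that refuses the whole file can often be satisfied by trimming it at that offset.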
-
July 30th, 2008, 05:48 PM
#4
Junior Member
tcpdump -v -nn -i eth1 port 25
this appears to not work on redhat/linux:
tcpdump -v -nn -i eth1 port 25
it just does not print (capture) out anything for port 25. On another window this:
/usr/sbin/tcpdump -nn -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
does print out port 25 connections:
2:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8
I don't understand what's wrong.
-
July 30th, 2008, 08:26 PM
#5
Well, first off, you did not specify what version of RedHat you are using: it would be nice to know.
My guess is it is a path problem.
is /usr/sbin in your path?
try
echo $PATH
to find out
My guess also is you are not using the root account ( GOOD ! ) to do this, but used some means to gain root access.
if you used
su
to utilize root access, maybe try instead
su -
to utilize the root's paths as well?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
July 31st, 2008, 07:50 AM
#6
Originally Posted by U George
/usr/sbin/tcpdump -nn -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
does print out port 25 connections:
2:43:04.204926 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 11, Magic-Num 0x90013b4f, length 12
12:43:04.205640 PPPoE [ses 0xea20] LCP, Echo-Reply (0x0a), id 11, Magic-Num 0x6b50a930, length 12
12:43:06.584410 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
12:43:09.547613 PPPoE [ses 0xea20] [length 50 (4 extra bytes)] IP 91.124.204.37.2122 > 71.247.232.63.25: S 909181318:909181318(0) win 65535 <mss 1452,nop,nop,sackOK>
12:43:12.683181 PPPoE [ses 0xea20] LCP, Echo-Request (0x09), id 165, Magic-Num 0x6b50a930, length 8
I don't understand what's wrong.
Err.. That's not port 25 traffic. You're looking at PPPoE traffic.
http://en.wikipedia.org/wiki/Point-t..._over_Ethernet
You need to capture the traffic on the PPPoE interface.
Oliver's Law:
Experience is something you don't get until just after you need it.
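To make the previous answer concrete: on eth1 every frame in that capture carries EtherType 0x8864 (PPPoE session), so a plain port 25 filter, which expects IP directly after the Ethernet header, never matches; the SMTP SYN only becomes visible once the decoder walks PPPoE and PPP first. Besides capturing on the ppp interface as suggested above, libpcap's filter language has a pppoes primitive that shifts the decode offsets past the PPPoE session header, so tcpdump -nn -i eth1 'pppoes and port 25' matches these frames on eth1 as well. The script below is an added example, not code from any poster: it constructs the SYN from the output above (91.124.204.37:2122 > 71.247.232.63:25, session 0xea20, PPPoE length 50 plus 4 bytes of padding) with hypothetical zero MAC addresses and zero checksums, then decodes it both ways.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U"))


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    bits = pkt[ihl + 13]
    flags = "".join(letter for bit, letter in TCP_FLAG_LETTERS if bits & bit)
    return src, sport, dst, dport, flags


def tcp_endpoints(frame: bytes, follow_pppoe: bool):
    """Walk Ethernet -> [PPPoE session -> PPP ->] IPv4 -> TCP.

    follow_pppoe=False behaves like a plain 'port 25' capture filter applied
    on the Ethernet interface: EtherType 0x8864 is not IP, so it gives up.
    """
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETH_P_PPPOE_SESSION:
        if not follow_pppoe or len(payload) < 8:
            return None
        ver_type, code, _session_id, length = struct.unpack("!BBHH", payload[:6])
        if ver_type != 0x11 or code != 0x00:
            return None  # not a version 1 / type 1 session-stage packet
        (ppp_proto,) = struct.unpack("!H", payload[6:8])
        if ppp_proto != PPP_PROTO_IPV4:
            return None  # LCP, IPCP etc. carry no IP (the Echo-Request lines above)
        # The PPPoE length field counts the PPP protocol field plus payload;
        # anything after that is Ethernet padding (tcpdump's "4 extra bytes").
        payload = payload[8:6 + length]
    elif ethertype != ETH_P_IP:
        return None
    return parse_ipv4_tcp(payload)


def matches_port(frame: bytes, port: int, follow_pppoe: bool) -> bool:
    """Equivalent of the 'port N' filter, with or without PPPoE awareness."""
    ep = tcp_endpoints(frame, follow_pppoe)
    return ep is not None and port in (ep[1], ep[3])


# --- constructed sample frames reproducing the SYN shown in the post -------

def smtp_syn_ipv4() -> bytes:
    """IPv4/TCP SYN 91.124.204.37:2122 -> 71.247.232.63:25, options <mss 1452,nop,nop,sackOK>.

    Checksums are left at zero; nothing here verifies them.
    """
    opts = bytes([2, 4, 0x05, 0xAC, 1, 1, 4, 2])
    data_offset = (5 + len(opts) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", 2122, 25, 909181318, 0, data_offset, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([91, 124, 204, 37]), bytes([71, 247, 232, 63]))
    return ip + tcp


def build_pppoe_frame(ip_packet: bytes, session_id: int = 0xEA20, padding: int = 4) -> bytes:
    """Wrap an IP packet as Ethernet / PPPoE session / PPP, as it appears on eth1.

    MAC addresses are hypothetical zeros.
    """
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return bytes(12) + struct.pack("!H", ETH_P_PPPOE_SESSION) + pppoe + bytes(padding)


def build_ethernet_ip_frame(ip_packet: bytes) -> bytes:
    """Same packet as it would appear on a plain Ethernet link (EtherType 0x0800)."""
    return bytes(12) + struct.pack("!H", ETH_P_IP) + ip_packet


if __name__ == "__main__":
    frame = build_pppoe_frame(smtp_syn_ipv4())
    print("plain filter sees:", tcp_endpoints(frame, follow_pppoe=False))
    print("PPPoE-aware sees: ", tcp_endpoints(frame, follow_pppoe=True))
```

The same walk explains the LCP lines in the output: their PPP protocol is not 0x0021, so even a PPPoE-aware decoder reports no TCP endpoints for them, and only the session frames carrying IPv4 reach the port check.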