Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Capturing TCPDUMP
Operating Systems Linux Capturing TCPDUMP Post 302222645 by buffoonix on Thursday 7th of August 2008 09:00:54 AM
Old 08-07-2008
There's another issue with your dump command
I would guess by merely looking at it.
Quote:
tcpdump -s0 -vv -w /home/osuresh/test_tcp_dump host 10.12.10.22 && port 161
If you insist on using && I would think you will have to escape each ampersand,
or single quote the entire tcpdump logical expression
to prevent the probably non-existing command port 161 from being tried to be executed by the shell after the preceding tcpdump has finished successfully.
If you are too lazy to escape you could as well replace && by and.
Also, as far as I remember tcpdump will grab the first NIC if you don't explicitly tell it
by -i ethN which one to use.
You could as well use -i any to let it sniff on every available NIC
but then it wouldn't set them into promiscuous mode,
which probably anyway would be wiser altogether because you are generally only interested in packets destined for your host.
So it's save to add -p.
Quote:
I could observe tcpdump in /usr/sbin/
but not sure if I need to execute:
tcpdump -s0 -vv -w /usr/sbin/tcpdump host 10.12.10.22 && port 161
Please no, (I'm not even sure if tcpdump would allow such stupid abuse)
but by that you would tell it to overwrite its own executable with the dump it filtered!
What the others meant was to give the full path to the command
in case your root user hadn't /usr/sbin in his $PATH
which seems quite unlikely anyway.
e.g.
Code:
# /usr/sbin/tcpdump -p -i eth0 -s0 -w /home/osuresh/test_tcp_dump 10.12.10.22 and port 161

Given the difficulties you already encounter properly executing the command
I am afraid I am a bit suspicious if you know what to do with the dump in the end?
 

10 More Discussions You Might Find Interesting

1. Programming

How To Use tcpdump

I have two net-card. one is 172.16.24.99(ENG) ,another is 172.16.25.99(ENG-B). Both masks is 255.255.255.0. I will monitor data on the tcp port 8055 in ENG, How do I set option of tcpdump command (2 Replies)
Discussion started by: chenhao_no1
2 Replies

2. UNIX for Dummies Questions & Answers

tcpdump

does anybody know what the -d -dd and -ddd options are used for ? thanks (2 Replies)
Discussion started by: ant04
2 Replies

3. Cybersecurity

i would like to know about tcpdump

i would like to know about tcpdump i would like to use tcpdump to get information about these - Date - time - source hostname - source mac address - source ip address - destination ip address - see outbound only then i use command like this tcpdump -i le0 -n -q -tttt -e src net... (0 Replies)
Discussion started by: chamnanpol
0 Replies

4. IP Networking

i would like to know about tcpdump

i would like to know about tcpdump i would like to use tcpdump to get information about these - Date - time - source hostname - source mac address - source ip address - destination ip address - see outbound only then i use command like this tcpdump -i le0 -n -q -tttt -e src net... (2 Replies)
Discussion started by: chamnanpol
2 Replies

5. IP Networking

tcpdump -w file is not capturing all the packets

I am trying to capture tcpdump for traffic to a port in a file but this does not seem to capture all the packets. Command I use is : tcpdump -w tdump.dat port 22 Why is it not capturing all the packets ? Here is my experiment: root@pmode-client6 adc-demo]# tcpdump port 22 tcpdump:... (5 Replies)
Discussion started by: radiatejava
5 Replies

6. Shell Programming and Scripting

TCPdump script

I'm new to the Unix/Linux world. I have taken classes and played with a few simple scripts but never had a real world application. Here is my problem. What I need to do is every 15min between 8am and 5pm, run tcpdump -s 2000 -w flowroute-0000.pcap where the "0000" is the current time. ... (4 Replies)
Discussion started by: Nasasdge
4 Replies

7. Debian

Tcpdump Help !

Hi. Need Help with TcpDump Trying to sniff associatio-request with tcpdump but when i run this tcpdump -i eth0 wlan subtype assoc-req i get this error can anyone help me with this error ? Thanks alot !!:) (1 Reply)
Discussion started by: SoulZB
1 Replies

8. Cybersecurity

Need Help with this TCPDUMP output...

Hello everyone, so I'm getting this tcpdump, and it looks like..quite a mess... Can anyone decipher this? I can tell that one IP is requesting DNS info? but I'm having trouble finding out what some of the fields actually mean.. 19:44:50.707637 IP 66.81.1.252.53 > 64.147.113.139.28638: 52313... (4 Replies)
Discussion started by: Lost in Cyberia
4 Replies

9. UNIX for Dummies Questions & Answers

How to update tcpdump?

I would like to update tcpdump on my computer (CentOS 6.5) which is currently old. I download the zip file from TCPDUMP/LIBPCAP public repository already but I don't know how to update with this file. I have to delete tcpdump on my computer first? Would you please provide the step for me? (0 Replies)
Discussion started by: thsecmaniac
0 Replies

10. IP Networking

TCPdump

I've recently started learning to use TCPdump, and I find it pretty interesting. There's one thing I don't understand. When I tell it to capture packets on, say, the WiFi interface en1, it often captures packets sent or received by other hosts on the network. How can it do this? My... (3 Replies)
Discussion started by: Ultrix
3 Replies

LEARN ABOUT DEBIAN

if_enc

ENC(4)							   BSD Kernel Interfaces Manual 						    ENC(4)

NAME

     enc -- Encapsulating Interface

SYNOPSIS

     To compile this driver into the kernel, place the following line in your kernel configuration file:

	   device enc

DESCRIPTION

     The enc interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that
     hooks in via the pfil(9) framework.

     The enc interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by
     ipsec(4) via tcpdump(1).

     The ``enc0'' interface inherits all IPsec traffic.  Thus all IPsec traffic can be filtered based on ``enc0'', and all IPsec traffic could be
     seen by invoking tcpdump(1) on the ``enc0'' interface.

     What can be seen with tcpdump(1) and what will be passed on to the firewalls via the pfil(9) framework can be independently controlled using
     the following sysctl(8) variables:

     Name			      Defaults	    Suggested
     net.enc.out.ipsec_bpf_mask       0x00000003    0x00000001
     net.enc.out.ipsec_filter_mask    0x00000001    0x00000001
     net.enc.in.ipsec_bpf_mask	      0x00000001    0x00000002
     net.enc.in.ipsec_filter_mask     0x00000001    0x00000002

     For the incoming path a value of 0x1 means ``before stripping off the outer header'' and 0x2 means ``after stripping off the outer header''.
     For the outgoing path 0x1 means ``with only the inner header'' and 0x2 means ``with outer and inner headers''.

     incoming path					    |------|
     ---- IPsec processing ---- (before) ---- (after) ----> |	   |
							    | Host |
     <--- IPsec processing ---- (after) ----- (before) ---- |	   |
     outgoing path					    |------|

     Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer head-
     ers.

EXAMPLES

     To see the packets the processed via ipsec(4), adjust the sysctl(8) variables according to your need and run:

	   tcpdump -i enc0

SEE ALSO

     tcpdump(1), bpf(4), ipf(4), ipfw(4), ipsec(4), pf(4), tcpdump(8)

BSD
								 November 28, 2007							       BSD
All times are GMT -4. The time now is 06:56 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy