tcpdump

Kevin Martin kevintm at ameritech.net
Fri Jul 11 13:48:22 UTC 2008



tony.chamberlain at lemko.com wrote:
> -----Original Message-----
> From: fedora-list-request at redhat.com [mailto:fedora-list-request at redhat.com]
> Sent: Wednesday, July 9, 2008 03:38 PM
> To: fedora-list at redhat.com
> Subject: fedora-list Digest, Vol 53, Issue 75
>
>
>
> Message: 5
> Date: Wed, 09 Jul 2008 14:39:38 -0500
> From: Kevin Martin <kevintm at ameritech.net>
> Subject: Re: tcpdump
> To: For users of Fedora <fedora-list at redhat.com>
> Message-ID: <487513FA.9010809 at ameritech.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>
> tony.chamberlain at lemko.com wrote:
>   
>> I want to look at all the traffic coming to my web browser (192.168.5.191)
>> (tomcat on port 80) using tcpdump.
>>
>> If I say  tcpdump port 80
>>
>> that will get 80 coming and going.  Also if I say
>> tcpdump dst port 80
>> I will still get any traffic I have to other web sites.
>>
>> I thought  tcpdump (dst port 80) and (dst host 192.168.5.191)
>> would work but that does not seem to get anything.  I went to
>> 192.168.5.191/~chamberl  from another machine, got my web page
>> but nothing in the tcp dump.
>>
>> What is the correct way to do this (all incoming to my web browser)?
>> Theoretically besides 192.168.5.191 I would also like 127.0.0.1
>>
>>
>>   
>>     
>
> Are you listening on the correct device?  I just tried:
>
> tcpdump dst port 22 and dst host 10.10.20.20
>
> and didn't get anything but when I added the "-i <device>" that 
> 10.10.20.20 is bound to then I got the correct information.
>
> Kevin
>
>
>
> ==================================================
>
>
> Actually it doesn't really matter I think.  On my machine it doesn't work
> but it works fine on some other ones.  I want to monitor a different machine
> anyway.
>
> Here is a tcpdump/bash question though.  (The following works if I don't
> use the port filter stuff).
>
> I do something like this (I abbreviate it here for space):
>
>
>     while :
>     do
>         mytotlen=0
>         nowdate=$(date +"%s")
>         ((stopdate=nowdate+60))
>         tcpdump -nne -i eth0 '(dst port 80)' and '(dst host 10.0.0.10)' |
>               while [  $(date +"%s") -lt $stopdate
>               do
>                  tim=""
>                  # I leave out some names in this message
>                  # to save space. I actually read everything
>                  read -t4 tim ... length REST    
>                  [ "$tim" != "" ] && ((mytotlen+=length))  
>               done
>               echo "Total TCP length in the last minute is $mytotlen"
>     done
>                   
> The loop is executed fine (for debugging I print out the value of tim and 
> length).  Problem is, once the while loop is completed it locks up and
> never echoes the total tcp length.  I think this is because the tcpdump
> is still running and blocking.  I don't believe before the echo I could put
> something like pkill tcpdump.  But what can I do to get this to work?
> (Actually there is another problem here too that mytotlen inside the loop
> is a local variable in a different scope than when I echo it but I solved 
> this by inside the loop echoing it to a file, and then reading the file
> outside the loop, but that is irrelevant).
>
>
>
>
>   
Questions: do the tcpdump arguments for dst port and dst host need to 
be enclosed in '()'?  I did it without those and it worked ok for me.
Are you trying to monitor machine A from machine B?  
This will only work if both machine A and machine B are on a hub or have 
linked ethernet ports with a crossover cable, not a switch (unless you 
are doing some port mirroring).

As to the loop, you need to close the while statement, and then how 
about this:

stopdate=$(( $(date +%s) + 60 ))
mytotlen=0
# -l: line-buffer tcpdump's output so each packet line reaches read at once
# timeout: end the capture after the minute so the pipeline can finish
timeout 60 tcpdump -lnne -i eth0 '(dst port 80)' and '(dst host 10.0.0.10)' |
    {
        while [ "$(date +%s)" -lt "$stopdate" ]; do
            # -t4: stop waiting after 4 s; a status above 128 is that timeout,
            # anything else is end of input, i.e. tcpdump has gone away
            read -r -t4 line || { [ $? -gt 128 ] && continue; break; }
            # with -e each line carries "length N:" (the frame length)
            [[ $line =~ length\ ([0-9]+): ]] && (( mytotlen += BASH_REMATCH[1] ))
        done
        # still inside the pipeline's subshell, so mytotlen is visible here
        echo "Total TCP length in the last minute is $mytotlen"
    }
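A fuller version of the per-minute byte counter discussed in this thread, added here as an example and not code from either poster. It assumes bash and GNU coreutils timeout(1); the capture lines it parses are constructed in the style of "tcpdump -nne" output and are not from a real capture. It separates the two things the original loop mixed together: a reader that sums the "length N:" frame lengths from tcpdump -e output (skipping banner lines and the trailing payload "length N" that newer tcpdump prints without a colon), and a bounded runner that ends the capture after the interval so the pipeline always completes, which is the blocking the original poster saw.

```bash
#!/bin/bash
# Added example: a bounded per-interval byte counter over tcpdump -e output.
# Assumes bash and GNU coreutils timeout(1); the sample lines below are
# constructed in the style of "tcpdump -nne" output, not a real capture.

# Sum the frame lengths from tcpdump -e lines read on stdin.  The frame
# length is the "length N:" right after the ethertype; newer tcpdump also
# prints a trailing "length N" (payload bytes, no colon) on TCP lines, and
# lines with no such field (banners, statistics) are skipped.
sum_tcpdump_length() {
    local line total=0
    local re=' length ([0-9]+):'
    while IFS= read -r line; do
        [[ $line =~ $re ]] && (( total += BASH_REMATCH[1] ))
    done
    echo "$total"
}

# Run a capture command for $1 seconds and print the byte total.  timeout
# ends the producer after the interval, so the pipeline always completes
# and the shell is not left waiting on a tcpdump that has nothing more to
# print; the reader prints the total itself, which sidesteps the fact that
# a pipeline's last stage runs in a subshell.  For tcpdump, pass -l so its
# stdout is line-buffered rather than block-buffered into the pipe.
capture_total() {
    local secs=$1
    shift
    timeout "$secs" "$@" | sum_tcpdump_length
}

# Constructed sample: one banner line plus three frames of a request to
# 10.0.0.10:80 (74 + 66 + 1514 bytes = 1654).
SAMPLE_CAPTURE='listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:39:38.101234 00:0c:29:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51234 > 10.0.0.10.80: Flags [S], seq 1000, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:39:38.101456 00:0c:29:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 66: 10.0.0.5.51234 > 10.0.0.10.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 2 ecr 1], length 0
14:39:38.101789 00:0c:29:aa:bb:cc > 00:0c:29:dd:ee:ff, ethertype IPv4 (0x0800), length 1514: 10.0.0.5.51234 > 10.0.0.10.80: Flags [P.], seq 1:1449, ack 1, win 229, options [nop,nop,TS val 3 ecr 1], length 1448'
export SAMPLE_CAPTURE

# Stand-in for a tcpdump that keeps running after printing its packets,
# which is what the original loop was left waiting on.
fake_tcpdump_cmd=(bash -c 'printf "%s\n" "$SAMPLE_CAPTURE"; exec sleep 60')

# Offline demonstration on the constructed sample: prints 1654.
printf '%s\n' "$SAMPLE_CAPTURE" | sum_tcpdump_length
# Bounded run against the stand-in: also 1654, and returns after 1 s
# even though the producer would otherwise keep running.
capture_total 1 "${fake_tcpdump_cmd[@]}"

# Live use, as root, for the filter from the thread (incoming HTTP to 10.0.0.10):
#   capture_total 60 tcpdump -lnne -i eth0 'dst port 80 and dst host 10.0.0.10'
```

On Linux, `-i any` in place of `-i eth0` captures on every interface including lo, which covers the 127.0.0.1 traffic the original poster also wanted; the filter is unchanged.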



