
tcpdump


shazzam1
May 25, 2006
I'm using this command to troubleshoot a problem.

tcpdump -vv -t -i eth0 host 192.168.1.100 and port 80

No information is displayed, no output. Does anyone know why?

I want to gather information from one of the clients on port 80.
 
Because of the "w" flag: -w will write the output to a file, which has to be specified.

Try removing it.


QaTQat

Life is what happens when you are making other plans.
 
QatQat:
I noticed that your "w" is not the same as in shazzam69's post: "vv"


-vv and -w look the same, but they're not.

-vv flag is for more verbose output.

Regards Dan
 
Sorry guys,

not enough coffee yet today. I read W instead of VV.

Apologies.

QaTQat

Life is what happens when you are making other plans.
 
Does it display any output if you remove the and port 80 part?

Annihilannic.
 
I think it's the user's comment and
Code:
port 80

I don't think there is an "and" option in tcpdump.




Regards Dan
 
Correct, Grub3r.

tcpdump man page said:
Code:
Primitives may be combined using:

A parenthesized group of primitives and
operators (parentheses are special to the
Shell and must be escaped).

Negation (`!' or `not').

Concatenation (`&&' or `and').

Alternation (`||' or `or').

Annihilannic.
 
Err, I mean.. actually, it does use 'and' as well. :) I should read before I paste...

Annihilannic.
 
Right, it would have been easier to understand when used with
Code:
[code]
in the first post.

Thanks for correcting me.

Regards Dan
 
Need more mojo. I know I am entering the correct command; I don't know why there is no output.
 
By the way, no Annihilannic, no output is displayed even when I remove the port option, which does not make any sense.
 
How about just monitoring port 80?

Do that and try connecting to a web page on the server yourself... do you see any traffic?

Is something performing NAT on the incoming traffic? If so maybe tcpdump is filtering based on the external IP rather than the internal.

Annihilannic.
 
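The filter semantics the thread has been circling (how `host` and `port` primitives match, what `and` does, and why a NAT'd source address stops `host 192.168.1.100` from matching) are easier to see against a handful of packets. The following is an added example, not code from the thread or from tcpdump/libpcap: it models the two primitives in Python and runs the thread's expression over a constructed set of packet headers. The packets, the client and server addresses, and the `203.0.113.9` NAT address are all made up for the example; the real filter is compiled to BPF by libpcap and evaluated in the kernel.

```python
"""Added example: a small model of tcpdump's 'host X and port Y' filter.

Not tcpdump's own code. It exists only to show which packets the
expression from the thread would select, and why some would not match.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    """The header fields the thread's filter primitives look at."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def host(addr):
    """'host A' is true when A is the source OR the destination address."""
    a = ipaddress.ip_address(addr)
    return lambda p: (ipaddress.ip_address(p.src) == a
                      or ipaddress.ip_address(p.dst) == a)


def port(n):
    """'port N' is true when N is the source OR the destination port."""
    return lambda p: p.proto in ("tcp", "udp") and (p.sport == n or p.dport == n)


def src_host(addr):
    """'src host A': source address only (one direction of the flow)."""
    a = ipaddress.ip_address(addr)
    return lambda p: ipaddress.ip_address(p.src) == a


def dst_port(n):
    """'dst port N': destination port only."""
    return lambda p: p.proto in ("tcp", "udp") and p.dport == n


def and_(*preds):
    """'A and B' (also '&&'): every primitive must match."""
    return lambda p: all(f(p) for f in preds)


def or_(*preds):
    """'A or B' (also '||'): any primitive may match."""
    return lambda p: any(f(p) for f in preds)


def not_(pred):
    """'not A' (also '!')."""
    return lambda p: not pred(p)


def apply_filter(pred, packets):
    """Return the packets a capture with this filter would show."""
    return [p for p in packets if pred(p)]


# Constructed sample traffic (not captured data). 192.168.1.100 is the
# client from the thread; 10.0.0.5 is an assumed web server; 203.0.113.9
# is an assumed NAT address that the client's traffic could be rewritten to.
SAMPLE = [
    Packet("192.168.1.100", "10.0.0.5", 51234, 80),   # client -> web server
    Packet("10.0.0.5", "192.168.1.100", 80, 51234),   # server reply
    Packet("192.168.1.100", "10.0.0.5", 51235, 22),   # same client, SSH
    Packet("203.0.113.9", "10.0.0.5", 40000, 80),     # client after NAT
    Packet("192.168.1.7", "10.0.0.5", 3333, 80),      # a different client
]


def thread_filter():
    """The expression from the first post: host 192.168.1.100 and port 80."""
    return and_(host("192.168.1.100"), port(80))


def matches_for_thread_filter():
    """Packets the thread's filter would show: the request and its reply."""
    return apply_filter(thread_filter(), SAMPLE)


def matches_for_port_only():
    """Dropping 'and port 80' -> 'host' alone: all traffic for the client."""
    return apply_filter(host("192.168.1.100"), SAMPLE)


def matches_for_one_direction():
    """'src host 192.168.1.100 and dst port 80': requests only, no replies."""
    return apply_filter(and_(src_host("192.168.1.100"), dst_port(80)), SAMPLE)


def matches_for_nat_aware_filter():
    """What a NAT-aware filter needs: match either the inside or the outside
    address. Parentheses here stand for the escaped parentheses the man
    page mentions: (host 192.168.1.100 or host 203.0.113.9) and port 80."""
    either = or_(host("192.168.1.100"), host("203.0.113.9"))
    return apply_filter(and_(either, port(80)), SAMPLE)


if __name__ == "__main__":
    for p in matches_for_thread_filter():
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

The NAT case is the one to notice: once a router rewrites the client's source address, `host 192.168.1.100` no longer matches on the far side of the NAT even though `port 80` still does, which is exactly the situation Annihilannic raises above. The switched-network point is outside the model: a filter cannot select packets that never reach the capturing interface.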
Yes, I do see traffic when I do it on my system; however, I want to monitor another computer's port 80.

Thanks Annihilannic.
 
Ahhh... you won't necessarily see all (or any) of the traffic destined for another computer if you are on a switched network; you would be best monitoring it from that computer itself.

I'm no networking guru so someone might be able to clarify the above...

Annihilannic.
 
Annihilannic is correct. Any network sniffer must be on the same physical segment as the desired datastream, which can be a bit tricky on switched networks.

If your switches are managed, they usually will have the option to 'monitor' or 'mirror' a port whereby all traffic from one port is echoed to another port (where you place your sniffer).

Or you can place a cheapo 4-port hub between the pc in question and the switch, and then hook your sniffer up on that hub as well.

Otherwise, all you're going to see is broadcast traffic.
 