Difference between revisions of "TCPDump"

Looking at the packets.

Using TCPDump to capture all traffic going into and out of an interface on Linux:

sudo tcpdump -w issue.pcap -i eth0

You might need to change the interface name in the above command if you're interface is named differently. This command will list all available interfaces; pick the right one (not the loop-back interface):

ip link show

Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using ctrl+c, transfer the PCAP file to your PC and examine it using Wireshark.

You may get the issue.pcap file by a number of means. You may use TFTP (place the file inside /tftpboot) or FTP (place the file inside /images) or NFS (place the file inside /images) and then use the appropriate commands to transfer the files.

You can find examples of these transfer commands in these articles:

• Troubleshoot TFTP
• Troubleshoot FTP
• Troubleshoot NFS

After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this: ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )

Example Filter (change the MAC addresses):

eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07

Other usefull display filters are bootp (DHCP), tftp and http!