Difference between revisions of "TCPDump"
m (Fixed grammar.) |
m |
||
Line 36: | Line 36: | ||
<pre>eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07</pre> | <pre>eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07</pre> | ||
− | Other usefull display filters are bootp (DHCP), tftp and http | + | Other usefull display filters are bootp (DHCP), tftp and http, for example: |
+ | <pre>bootp || tftp</pre> |
Revision as of 13:27, 26 January 2016
Looking at the packets.
Using TCPDump to capture all traffic going into and out of an interface on Linux:
sudo tcpdump -w issue.pcap -i eth0
You might need to change the interface name in the above command if you're interface is named differently. This command will list all available interfaces; pick the right one (not the loop-back interface):
ip link show
Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using ctrl+c. Then transfer the PCAP file to your PC and examine it using Wireshark.
You may get the issue.pcap file by a number of means. The most basic way is by placing the pcap file inside of the /tftpboot directory (or saving it there) and then using TFTP to transfer the file to a Windows machine.
This would save the file to your /tftpboot directory, but you still need to specify the correct interface:
sudo tcpdump -w /tftpboot/issue.pcap -i eth0
Then on a windows machine, you would issue this command to retrieve the file via TFTP:
tftp –i x.x.x.x get issue.pcap
Obviously you need the TFTP windows component installed, and you should turn off your windows firewall. Details about those things can be found here:
After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this: ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )
Example Filter (change the MAC addresses):
eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07
Other usefull display filters are bootp (DHCP), tftp and http, for example:
bootp || tftp