Difference between revisions of "TCPDump"

From FOG Project
Jump to: navigation, search
m
m (Added TFTP example because it wasn't clear enough for some people.)
Line 12: Line 12:
 
Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using '''ctrl+c''', transfer the PCAP file to your PC and examine it using [https://www.wireshark.org/ Wireshark].
 
Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using '''ctrl+c''', transfer the PCAP file to your PC and examine it using [https://www.wireshark.org/ Wireshark].
  
You may get the issue.pcap file by a number of means. You may use TFTP (place the file inside /tftpboot) or FTP (place the file inside /images) or NFS (place the file inside /images) and then use the appropriate commands to transfer the files.  
+
You may get the issue.pcap file by a number of means. The most basic way is by placing the pcap file inside of the /tftpboot directory and then using TFTP to transfer the file to a Windows machine.
  
You can find examples of these transfer commands in these articles:
+
This would save the file to your /tftpboot directory, but you still need to specify the correct interface:
 +
 
 +
<pre>sudo tcpdump -w /tftpboot/issue.pcap -i eth0</pre>
 +
 
 +
Then on a windows machine, you would issue this command to retrieve the file via TFTP:
 +
 
 +
<pre>tftp –i x.x.x.x get issue.pcap</pre>
 +
 
 +
Obviously you need the TFTP windows component installed, and you should turn off your windows firewall.
 +
Details about those things can be found here:  
 +
 
 +
[[Troubleshoot_TFTP]]
  
*[[Troubleshoot TFTP]]
 
*[[Troubleshoot FTP]]
 
*[[Troubleshoot NFS]]
 
  
  

Revision as of 22:20, 24 July 2015

Looking at the packets.


Using TCPDump to capture all traffic going into and out of an interface on Linux:

sudo tcpdump -w issue.pcap -i eth0


You might need to change the interface name in the above command if you're interface is named differently. This command will list all available interfaces; pick the right one (not the loop-back interface):

ip link show


Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using ctrl+c, transfer the PCAP file to your PC and examine it using Wireshark.

You may get the issue.pcap file by a number of means. The most basic way is by placing the pcap file inside of the /tftpboot directory and then using TFTP to transfer the file to a Windows machine.

This would save the file to your /tftpboot directory, but you still need to specify the correct interface:

sudo tcpdump -w /tftpboot/issue.pcap -i eth0

Then on a windows machine, you would issue this command to retrieve the file via TFTP:

tftp –i x.x.x.x get issue.pcap

Obviously you need the TFTP windows component installed, and you should turn off your windows firewall. Details about those things can be found here:

Troubleshoot_TFTP



After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this: ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )


Example Filter (change the MAC addresses):

eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07

Other usefull display filters are bootp (DHCP), tftp and http!