Difference between revisions of "TCPDump"

From FOG Project
Jump to: navigation, search
(Created page with "'''Looking at the packets.''' Using TCPDump to capture all traffic going into and out of an interface on Linux: <pre>sudo tcpdump -w issue.pcap -i eth0</pre> You might nee...")
 
Line 14: Line 14:
  
 
After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this:  ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )
 
After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this:  ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )
 +
  
 
Example Filter (change the MAC addresses):
 
Example Filter (change the MAC addresses):
 
<pre>eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07</pre>
 
<pre>eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07</pre>

Revision as of 19:29, 16 April 2015

Looking at the packets.


Using TCPDump to capture all traffic going into and out of an interface on Linux:

sudo tcpdump -w issue.pcap -i eth0


You might need to change the interface name in the above command if you're interface is named differently. This command will list all available interfaces; pick the right one (not the loop-back interface):

ip link show


Run the above tcpdump command on the FOG machine, then start the remote target host. Wait until the remote target host fails, then stop tcpdump using ctrl+c, transfer the PCAP file to your PC and examine it using Wireshark.


After the capture is completed and you've opened the PCAP file, please use the MAC address of the target host as the filter for sender & receiver. The below example filter basically does this: ( Show packet if Sending MAC equals xxxxxxx OR Receiving MAC equals xxxxxx )


Example Filter (change the MAC addresses):

eth.dst == 00:0C:CC:76:4E:07 || eth.src==00:0C:CC:76:4E:07