tcpdump

tony.chamberlain at lemko.com tony.chamberlain at lemko.com
Fri Jul 11 11:45:31 UTC 2008


-----Original Message-----
From: fedora-list-request at redhat.com [mailto:fedora-list-request at redhat.com]
Sent: Wednesday, July 9, 2008 03:38 PM
To: fedora-list at redhat.com
Subject: fedora-list Digest, Vol 53, Issue 75



Message: 5
Date: Wed, 09 Jul 2008 14:39:38 -0500
From: Kevin Martin <kevintm at ameritech.net>
Subject: Re: tcpdump
To: For users of Fedora <fedora-list at redhat.com>
Message-ID: <487513FA.9010809 at ameritech.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



tony.chamberlain at lemko.com wrote:
> I want to look at all the traffic coming to my web browser (192.168.5.191)
> (tomcat on port 80) using tcpdump.
>
> If I say  tcpdump port 80
>
> that will get 80 coming and going.  Also if I say
> tcpdump dst port 80
> I will still get any traffic I have to other web sites.
>
> I thought  tcpdump (dst port 80) and (dst host 192.168.5.191)
> would work but that does not seem to get anything.  I went to
> 192.168.5.191/~chamberl  from another machine, got my web page
> but nothing in the tcp dump.
>
> What is the correct way to do this (all incoming to my web browser)?
> Theoretically besides 192.168.5.191 I would also like 127.0.0.1
>
>
>   

Are you listening on the correct device?  I just tried:

tcpdump dst port 22 and dst host 10.10.20.20

and didn't get anything but when I added the "-i <device>" that 
10.10.20.20 is bound to then I got the correct information.

Kevin



==================================================


Actually it doesn't really matter I think.  On my machine it doesn't work
but it works fine on some other ones.  I want to monitor a different machine
anyway.

Here is a tcpdump/bash question though.  (The following works if I don't
use the port filter stuff).

I do something like this (I abbreviate it here for space):


    while :
    do
        mytotlen=0
        nowdate=$(date +"%s")
        ((stopdate=nowdate+60))
        tcpdump -nne -i eth0 '(dst port 80)' and '(dst host 10.0.0.10)' |
              while [ $(date +"%s") -lt $stopdate ]
              do
                 tim=""
                 # I leave out some names in this message
                 # to save space. I actually read everything
                 read -t4 tim ... length REST
                 [ "$tim" != "" ] && ((mytotlen+=length))
              done
              echo "Total TCP length in the last minute is $mytotlen"
    done

The loop is executed fine (for debugging I print out the value of tim and 
length).  Problem is, once the while loop is completed it locks up and
never echoes the total tcp length.  I think this is because the tcpdump
is still running and blocking.  I don't believe before the echo I could put
something like pkill tcpdump.  But what can I do to get this to work?
(Actually there is another problem here too that mytotlen inside the loop
is a local variable in a different scope than when I echo it but I solved 
this by inside the loop echoing it to a file, and then reading the file
outside the loop, but that is irrelevant).
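As an added example (not code from the thread), here is one way to structure the window so the shell never waits on a tcpdump that is still running, and so the total comes back to the outer shell: the capture writes into a FIFO, a timer kills it when the window ends, and the summing function prints its result. It assumes tcpdump -nne lines end in "length <bytes>" and uses a constructed stand-in producer (fake_tcpdump) instead of a live capture.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tcpdump -nne output lines end
# in "length <N>" (the TCP payload length); fake_tcpdump below is constructed.

# Sum the final "length <N>" field of every stdin line and print the total.
# Lines whose last "length" is not a bare number (e.g. an ARP frame's
# "length 42: Request who-has ...") are skipped instead of breaking the sum.
sum_lengths() {
    total=0
    while IFS= read -r line; do
        n=${line##*"length "}
        case $n in
            ''|*[!0-9]*) ;;                 # no trailing numeric length field
            *) total=$((total + n)) ;;
        esac
    done
    echo "$total"
}

# Run a capture command for $1 seconds and print the summed payload length.
# The capture writes into a FIFO and a timer process kills it when the window
# ends, so the reader gets EOF instead of waiting on tcpdump forever. The
# total is printed, so the caller collects it with $(...) rather than from a
# variable set inside a "cmd | while read" subshell.
capture_window() {
    secs=$1; shift
    dir=$(mktemp -d) || return 1
    fifo=$dir/capture
    mkfifo "$fifo" || return 1
    "$@" > "$fifo" 2>/dev/null &
    pid=$!
    { sleep "$secs"; kill "$pid" 2>/dev/null; } &
    timer=$!
    total=$(sum_lengths < "$fifo")
    kill "$timer" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "$total"
}

# Constructed stand-in for tcpdump so this runs offline: two TCP lines and
# one ARP line in -nne style, then a short idle period like a quiet capture.
fake_tcpdump() {
    printf '%s\n' \
      '12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 1514: 10.0.0.5.43210 > 10.0.0.10.80: Flags [P.], seq 1:1461, ack 1, win 229, length 1460' \
      '12:00:00.000002 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.10 tell 10.0.0.5' \
      '12:00:00.000003 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 566: 10.0.0.5.43210 > 10.0.0.10.80: Flags [P.], seq 1461:1973, ack 1, win 229, length 512'
    sleep 1
}

# Live use (as root): capture_window 60 tcpdump -nne -l -i eth0 'dst port 80 and dst host 10.0.0.10'
```

The `-l` in the live command line-buffers tcpdump's stdout so lines reach the reader as packets arrive rather than only when tcpdump exits.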
