Tcpdump is a packet capture tool. ONL makes it possible for ordinary users to run tcpdump through the sudo facility, via the wrapper executable /usr/local/bin/tcpdumpW.
TcpdumpW records packets going to and coming from the data network interface (eth1) and writes them to the dump file /tmp/onl.tcpdump. The default snaplen of 96 bytes of data is used (enough for the Ethernet, IP and TCP headers, so most of each payload is not stored). You can change the snaplen to 200 with the -s 200 command argument, but no other values are allowed.
Once you have the dump file, you can run the normal tcpdump command to read that file and filter it in whatever way you want. In the example below, I capture the packets going through the n1p2 interface. An iperf server is running on onl006 (n1p3):
onl006> iperf -s
In a second window, I log into onl007 where the sender will be run, and I start the capture of packets going across the n1p2 interface:
onl007> /usr/local/bin/tcpdumpW      # create tcpdump file
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
In a third window I start the iperf client running on onl007 to generate one second of TCP traffic:
onl007> iperf -c n1p3 -t 1
When the client finishes sending traffic, I stop the capture by entering ctrl-c in the window where I ran the tcpdumpW command:
onl007> ^-c      # terminate dump (ctrl-c)
23235 packets captured
23235 packets received by filter
0 packets dropped by kernel
onl007> tcpdump -r /tmp/onl.tcpdump -nn -q      # quick output (less output)
16:56:54.288482 arp who-has 192.168.1.63 tell 192.168.1.48
16:56:54.288561 arp reply 192.168.1.63 is-at 44:00:5e:04:01:02
16:56:54.288574 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 0
16:56:54.338513 IP 192.168.1.64.5001 > 192.168.1.48.34251: tcp 0
16:56:54.338571 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 0
16:56:54.338726 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 24
16:56:54.338847 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 1448
. . .
In summary, I used tcpdumpW to create the dump file /tmp/onl.tcpdump and then tcpdump to read the dump file (-r /tmp/onl.tcpdump) and write the decoded packets as text to stdout. In practice, I would have redirected the output to a file:
onl007> tcpdump -r /tmp/onl.tcpdump -nn -q > sndr.txt
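As an added example (not part of this page or of ONL's tools), the Python below reads the text that tcpdump -r ... -nn -q writes to sndr.txt and totals packets and payload bytes per unidirectional flow, skipping the arp lines. The sample lines are the ones shown above, embedded so the script runs without a dump file; the function and variable names are my own.

```python
import re
from collections import defaultdict

# One line of "tcpdump -nn -q" output for an IP packet, e.g.
# "16:56:54.338726 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 24"
QUICK_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>[A-Za-z]+) (?P<length>\d+)$"
)

# Constructed sample: the first lines shown on this page, as they would
# appear in sndr.txt after "tcpdump -r /tmp/onl.tcpdump -nn -q > sndr.txt".
SAMPLE_TEXT = """\
16:56:54.288482 arp who-has 192.168.1.63 tell 192.168.1.48
16:56:54.288561 arp reply 192.168.1.63 is-at 44:00:5e:04:01:02
16:56:54.288574 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 0
16:56:54.338513 IP 192.168.1.64.5001 > 192.168.1.48.34251: tcp 0
16:56:54.338571 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 0
16:56:54.338726 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 24
16:56:54.338847 IP 192.168.1.48.34251 > 192.168.1.64.5001: tcp 1448
"""

def summarize_flows(text):
    """Return (flows, skipped): flows maps (src, sport, dst, dport, proto)
    to {"packets": n, "bytes": n}; skipped counts non-IP lines (e.g. arp).
    The byte count is the payload length tcpdump derives from the IP/TCP
    headers, so it is unaffected by tcpdumpW's 96-byte snaplen, which only
    truncates the stored payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = QUICK_LINE.match(line)
        if m is None:
            skipped += 1
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += int(m["length"])
    return dict(flows), skipped

def format_report(flows):
    """One line per flow, busiest (most payload bytes) first."""
    order = sorted(flows.items(), key=lambda kv: (-kv[1]["bytes"], kv[0]))
    return "\n".join(
        f"{s}:{sp} -> {d}:{dp} {p}: {v['packets']} packets, {v['bytes']} bytes"
        for (s, sp, d, dp, p), v in order)
```

On a real capture, pass the contents of sndr.txt to summarize_flows and print format_report of the result.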
In this next example, I filter the dump file so that only the packets from n1p2 are shown (src n1p2), in normal (not -q) output form:
onl007> tcpdump -r /tmp/onl.tcpdump -nn src n1p2      # filter on src
16:56:54.288482 arp who-has 192.168.1.63 tell 192.168.1.48
16:56:54.288561 arp reply 192.168.1.63 is-at 44:00:5e:04:01:02
16:56:54.288574 IP 192.168.1.48.34251 > 192.168.1.64.5001: S 1421461992:1421461992(0) win 5840 <mss 1460,nop,nop,timestamp 4942703 0,nop,wscale 10>
16:56:54.338571 IP 192.168.1.48.34251 > 192.168.1.64.5001: . ack 1419217117 win 6 <nop,nop,timestamp 4942754 4941841>
16:56:54.338726 IP 192.168.1.48.34251 > 192.168.1.64.5001: P 0:24(24) ack 1 win 6 <nop,nop,timestamp 4942754 4941841>
16:56:54.338847 IP 192.168.1.48.34251 > 192.168.1.64.5001: . 24:1472(1448) ack 1 win 6 <nop,nop,timestamp 4942754 4941841>
16:56:54.388816 IP 192.168.1.48.34251 > 192.168.1.64.5001: . 1472:2920(1448) ack 1 win 6 <nop,nop,timestamp 4942804 4941892>
. . .
Revised: Fri, Mar 28, 2008