Newsgroups: comp.os.linux.misc Date: 2001-07-18 11:40:26 PST
> I have set up a linux machine as a gateway for my windows boxes. Now I suspect
> some software to send out data I don't want it to. How can I dump the entire
> traffic that is going over my linux box? I tried to use tcpdump but that gives
> only the first n bytes from each package and also doesn't provide the actual
> data, only hex values. I don't need to have the protocol interpreted (though it
> wouldn't hurt) but I want the raw binary data.
You'll like ethereal. I also like snort.
Silviu Minut
[ethereal]
> Thanks. I just downloaded it, but I don't know how to handle it. How do
> I specify that I want all data that is going over eth0 dumped to a file?
> Even better would be if I could specify that this is only to be done to
> certain addresses.
Fire up ethereal (with root privileges).
Select Start… from the Capture menu; a dialog box entitled Capture Preferences should pop up.
Select eth0 in the interface selector at the top of the dialog and type a tcpdump-compatible filter in the Filter field. For example:
host myhostname and host 192.168.1.1 and host www.linux.com
You can extend the filter to do all sorts of stuff; have a read of the tcpdump man page for more info. Test your filters with tcpdump itself; it's faster to play with them.
Now you just specify a filename to write the output into in the File field. I just did a test and called mine capture.pcap. I set the packet capture length to the maximum 65535 bytes. The output is in tcpdump format.
$ file capture.pcap
capture.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
> I don't know much about networking so these questions may sound dumb but
> I read the man pages and I can't make much of it.
No probs. Keep posting. A very useful feature of ethereal is the Follow TCP Stream tool (from the Tools menu). Select a TCP packet that is part of a TCP conversation you're interested in and then select the tool. You get a new window with the conversation that took place between client and server; especially handy for text based protocols. Note - it creates a view filter so when you're done with a stream click the Reset button at the bottom of the main window to show all packets again…
Another tip: you can actually do the capturing with tcpdump (see the documentation for the -s option for setting packet capture length) and get it to write the output to a file. Then you can load it into ethereal for viewing…
The tcpdump man page also says
Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
Probably not a problem for you if your traffic is not enormous, but worth bearing in mind.
Graham
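As an added example (not from anyone in the thread), a small Python parser for the tcpdump-format file that `file` identifies above: it reads the global header (byte order, version 2.4, snaplen, link type) and flags every record the snaplen cut short, which is the loss the man page excerpt warns about. The sample file it builds is constructed in memory, not a real capture.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic seen byte-swapped in a big-endian file
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Parse a classic libpcap (tcpdump-format) file from bytes.

    Returns (header, records). Each record notes whether it was truncated by the
    capture's snaplen (caplen < origlen), i.e. the loss the man page excerpt
    warns about when snaplen is smaller than the packets on the wire.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap capture file (magic 0x%08x)" % magic)
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    header = {"endian": "little" if end == "<" else "big", "version": (vmaj, vmin),
              "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16))
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": caplen,
                        "origlen": origlen, "truncated": caplen < origlen,
                        "data": data[off:off + caplen]})
        off += caplen
    return header, records

def truncated_count(data):
    """How many frames in the file lost bytes to the snaplen."""
    return sum(r["truncated"] for r in parse_pcap(data)[1])

def build_sample_pcap(snaplen=68):
    """Constructed sample, not a real capture: two dummy Ethernet frames written
    with a small snaplen (68 bytes); the full-size second frame gets cut."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b""
    for ts, frame in ((995478026, b"\xab" * 60), (995478027, b"\xcd" * 1514)):
        caplen = min(len(frame), snaplen)
        body += struct.pack("<IIII", ts, 0, caplen, len(frame)) + frame[:caplen]
    return hdr + body
```

Running `truncated_count` over a real capture taken with a small -s value shows how many frames would be incomplete in ethereal's Follow TCP Stream view; with the 65535 setting used above it should report zero.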