Re: [Nolug] Re: Help with tcpdump

From: Shannon Roddy <sroddy_at_gmail.com>
Date: Thu, 11 Aug 2011 10:35:28 -0500
Message-ID: <CA+TyHBthKreCPJn8UFkvaWJbb-UmAWu=F+2ysEr_QW9WGLXCow@mail.gmail.com>

Comments inline below. That said, you probably want to be careful about the
legalities of capturing this person's traffic. You could easily be breaking
federal laws. Standard disclaimer: I am not a lawyer.

On Thu, Aug 11, 2011 at 7:13 AM, Gilberto Martins
<gsilva.martins@gmail.com> wrote:

> Can anybody help me with this tcpdump issue?
>
> Gilberto Martins
>
>
>
> On Mon, Jul 18, 2011 at 1:53 PM, Gilberto Martins <
> gsilva.martins@gmail.com> wrote:
>
>> Hi guys.
>>
>> I need help with tcpdump, which is the tool I think works best for
>> this. But I guess that if I present my setup to you, maybe one of you
>> will come up with a better solution.
>>
>> My setup is composed of a Linux firewall with interfaces to a
>> User Net (10.8.0.0/22) and two external links. In this net, there is
>> a server from another company. We have no access to it, but we allow
>> them the use of our infrastructure. Its communication is not
>> encrypted.
>> Now, my boss wants to know:
>> 1 - The percentage of its use, compared to our use;
>>
>
This can usually be done with ntop/iptraf/iftop fairly easily. More below.

>> 2 - The hosts that communicate with it
>>
>
>> I really don't know if there is any ready-made tool that could solve
>> this, but I found that I could collect the whole stream with
>> tcpdump, and split the collection with many other tools. So what I
>> did:
>>
>> To collect the whole stream:
>>
>> # sudo tcpdump -tttt -vn -i eth1 host <server> > ~/ServerStream.txt
>>
>>
Generally when storing a packet capture for later analysis, you do NOT want
to store the human readable output of tcpdump. Instead use the -w option to
store to a file in the native libpcap format, and you can then use the
various other tools to do analysis, whether it be for usage stats, IDS
analysis, troubleshooting, replay, whatever. To capture the entire payload
of the packet use -s0. Otherwise the packets will be truncated.

Once you have a pcap, you can also use wireshark to generate statistics with
a GUI if that suits you, but not if you store the traffic the way you are.

>> After that, I will use sed, cut, and grep to split it the way I need.
>> My doubt is about the packet's size. A line from the capture looks like:
>>
>> 2011-07-18 13:46:36.774050 IP (tos 0x10, ttl 64, id 32738, offset
>> 0, flags [DF], proto TCP (6), length 1500) 10.8.0.1.22 >
>> 10.8.2.6.54747: . 1758048:1759496(1448) ack 433 win 305
>> <nop,nop,timestamp 799795676 1961885>
>>
>> Is the size of this packet 1500 bytes, taken from "length 1500"?
>>
>> Thanks, people!
>>
>> Gilberto Martins
>>
>
>

___________________
Nolug mailing list
nolug@nolug.org
Received on 08/11/11

This archive was generated by hypermail 2.2.0 : 08/14/11 EDT
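The analysis the thread asks for, done on a native `-w` capture rather than on tcpdump's text output, as an added example that is not code from either list member. It reads the libpcap file format directly (no scapy), so it assumes an Ethernet link layer (DLT_EN10MB), as a capture on eth1 would have. It sizes each packet by the IPv4 "total length" field, which is exactly the `length 1500` tcpdump prints and which excludes the 14-byte Ethernet header. The server address 10.8.1.50, the sample packets and the `build_*` helpers are constructed test data; the thread's real server address is not given. It also counts records whose stored length is shorter than the original length, which is what a capture made without `-s0` looks like on disk.

```python
"""Per-host byte accounting from a libpcap file, the analysis discussed in
this thread, done on the native -w capture format instead of text output."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4    # magic as read little-endian from a LE file
PCAP_MAGIC_BE = 0xD4C3B2A1    # same bytes read little-endian from a BE file
DLT_EN10MB = 1                # Ethernet link type, what tcpdump -w on eth1 writes
ETHERTYPE_IPV4 = 0x0800


def iter_records(data: bytes):
    """Yield (frame_bytes, orig_len) for each record of a libpcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (bad magic)")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len


def parse_ipv4(frame: bytes):
    """Return (src, dst, total_length, proto) for an IPv4-over-Ethernet frame,
    or None. total_length is the IP header's length field: the value tcpdump
    prints as "length 1500", which excludes the 14-byte Ethernet header."""
    if len(frame) < 34:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    total_length, = struct.unpack_from("!H", ip, 2)
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, total_length, ip[9]


def summarize(data: bytes, server: str) -> dict:
    """Account bytes by IP total length; report the server's share of all
    captured bytes, the peers it exchanged traffic with, and how many records
    were cut short by the snaplen (a capture made without -s0)."""
    total = server_bytes = truncated = 0
    peers = defaultdict(int)
    for frame, orig_len in iter_records(data):
        if len(frame) < orig_len:
            truncated += 1
        pkt = parse_ipv4(frame)
        if pkt is None:
            continue
        src, dst, length, _proto = pkt
        total += length
        if server in (src, dst):
            server_bytes += length
            peers[dst if src == server else src] += length
    return {"server_bytes": server_bytes, "total_bytes": total,
            "peers": dict(peers), "truncated": truncated}


def build_ipv4_frame(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Constructed test data: minimal Ethernet+IPv4 frame, checksum left zero."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                     64, proto, 0, bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + bytes(payload_len)


def build_pcap(frames, snaplen: int = 65535) -> bytes:
    """Constructed test data: little-endian libpcap file; frames longer than
    snaplen are stored truncated, as tcpdump without -s0 would do."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, DLT_EN10MB)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1310996796 + i, 0, len(kept), len(frame)) + kept
    return out


SERVER = "10.8.1.50"  # constructed placeholder for the third party's server
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("10.8.0.1", SERVER, 1480),     # 1500-byte IP packet to the server
    build_ipv4_frame(SERVER, "10.8.0.1", 40),       # 60-byte reply
    build_ipv4_frame("10.8.2.6", SERVER, 480),      # 500 bytes from a second host
    build_ipv4_frame("10.8.2.6", "10.8.0.1", 980),  # 1000 bytes of unrelated traffic
])


def main():
    r = summarize(SAMPLE_PCAP, SERVER)
    pct = 100.0 * r["server_bytes"] / r["total_bytes"]
    print(f'server share: {r["server_bytes"]}/{r["total_bytes"]} bytes ({pct:.1f}%)')
    for host, n in sorted(r["peers"].items(), key=lambda kv: -kv[1]):
        print(f"  {host:<15} {n} bytes")
    print(f'truncated records: {r["truncated"]}')


if __name__ == "__main__":
    main()
```

On the constructed sample the server accounts for 2060 of 3060 bytes, with 10.8.0.1 and 10.8.2.6 as its peers. Note that the IP length field survives a truncated capture (it sits in the first 34 bytes of the frame), so byte totals still come out right on a capture made with the default snaplen; what you lose without `-s0` is the payload, which is what IDS analysis, replay and troubleshooting need.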