TCPDUMP – Fast and Easy

tcpdump is a fine way to find out what a system is doing with another system, but unless you limit the captured traffic you will generally see so much noise that it is difficult to tell what is happening. This command did the trick for me when analyzing a problem with FTP:

# options (-e, -vv, -w) must come before the filter expression, otherwise tcpdump treats them as part of the filter and rejects it
tcpdump -e -vv -w FTP_from_73.cap src host 10.1.1.73 or dst host 10.1.1.73

Sometimes you may just want to look at DHCP information (the bootps/bootpc ports, 67 and 68):

tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc

I ran this on the FTP server to capture the bare minimum of frames. We wanted both sides of the conversation, the source (src) and the destination (dst), so that we have all the communication between the two systems. One thing you may miss in this scenario is when one or both of these systems call out to a third server, such as a DNS server, because only frames with 10.1.1.73 as source or destination are written. If you need that traffic as well, just tcpdump everything.

So how do you view this? Well, the command creates a .cap file that you can open and filter in Wireshark, which you can install with yum or apt-get.
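To make the two points above concrete (what the host filter keeps and misses, and what the .cap file written by -w actually contains), here is an added example that is not part of the original post. It builds a small constructed capture in the classic pcap format with Ethernet/IPv4 frames, then applies the equivalent of "src host 10.1.1.73 or dst host 10.1.1.73" and of "port bootps or port bootpc" in Python. The addresses (FTP server 10.1.1.10, DNS 10.1.1.53, DHCP server 10.1.1.1) and the traffic mix are assumptions made up for the demonstration; only 10.1.1.73 comes from the post.

```python
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4      # classic little-endian pcap magic, as written by tcpdump -w
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (PSH|ACK), window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0xFFFF, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4


def write_pcap(frames):
    """Serialise frames into the pcap container that 'tcpdump -w' produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, raw frame) records from pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet + IPv4 + L4 ports; returns None for non-IPv4 frames."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return {"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "proto": ip[9], "sport": sport, "dport": dport}


def host_filter(host):
    """Same selection as 'src host H or dst host H': either address matches."""
    return lambda pkt: pkt["src"] == host or pkt["dst"] == host


def port_filter(*ports):
    """Same selection as 'port A or port B': either L4 port matches."""
    return lambda pkt: pkt["sport"] in ports or pkt["dport"] in ports


def apply_filter(pcap_bytes, predicate):
    """Split a capture into frames the filter would keep and frames it would silently drop."""
    kept, dropped = [], []
    for _ts, frame in read_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        (kept if pkt and predicate(pkt) else dropped).append(pkt)
    return kept, dropped


# Constructed traffic: an FTP session plus the server's DNS lookup and a DHCP exchange.
SAMPLE = write_pcap([
    build_frame("10.1.1.73", "10.1.1.10", PROTO_TCP, 51000, 21, b"USER anonymous\r\n"),
    build_frame("10.1.1.10", "10.1.1.73", PROTO_TCP, 21, 51000, b"331 Please specify the password.\r\n"),
    build_frame("10.1.1.10", "10.1.1.53", PROTO_UDP, 40000, 53),        # server's reverse lookup: missed
    build_frame("10.1.1.53", "10.1.1.10", PROTO_UDP, 53, 40000),        # DNS answer: missed
    build_frame("0.0.0.0", "255.255.255.255", PROTO_UDP, 68, 67),       # DHCP discover: missed by host filter
    build_frame("10.1.1.1", "10.1.1.73", PROTO_UDP, 67, 68),            # DHCP offer to .73: kept
])

if __name__ == "__main__":
    for name, pred in (("host 10.1.1.73", host_filter("10.1.1.73")), ("port 67 or 68", port_filter(67, 68))):
        kept, dropped = apply_filter(SAMPLE, pred)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
        for p in dropped:
            print("  not captured:", p["src"], "->", p["dst"])
```

Running it shows the blind spot from the paragraph above: the FTP server's own DNS query and answer never involve 10.1.1.73 and are not in the capture, while the DHCP offer addressed to .73 is. The port-based filter catches the broadcast discover that the host filter misses, which is why a separate capture for DHCP is useful.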

About Jay Farschman - Jay currently works as a Senior Systems Administrator for an asset management company in Colorado where he works with companies that produce hardware, telecommunications software and financial services. Jay previously owned a consulting company and provided training and consulting services for three Fortune 500 companies and numerous small businesses where he leveraged Linux to provide exceptional value.
