Re: tcpdump -i wlan0 port bootpc
On Sun, Dec 30, 2018 at 12:42:03PM +0100, Geert Stappers wrote:
> On Sun, Dec 30, 2018 at 10:06:21AM +0100, Wouter Verhelst wrote:
> > On Sun, Dec 30, 2018 at 12:12:01AM +0100, Geert Stappers wrote:
> > >
> > > Hi,
> > >
> > > On a laptop I see all kinds of broadcasts go by with `sudo tcpdump -i wlan0`.
> > > ARP among others.
> > >
> > > Now I want to zoom in on DHCP requests and say
> > > `sudo tcpdump -i wlan port bootpc`
> > > but then I do _not_ see those broadcasts go by.
> > >
> > > Is that the case in your network too?
> >
> > That's normal.
>
> :-)
>
> > If you ask to see only requests over the "bootpc" port,
> > then you don't see requests that don't use that port.
> > Since ARP isn't TCP or UDP requests, you naturally don't get any
> > ARP requests with such a filter either.
>
> Just like the "ARP who has", the "DHCP Discover" is an ethernet broadcast.

DHCP discover is indeed, but DHCP request isn't. Discover is just there to find out where the DHCP server is; once it says "hello, I'm here", the DHCP request follows, which is a unicast message and asks to be given an IP address. When a client already knows where the DHCP server is, it doesn't need to do more than simply a new DHCP request when the DHCP lease expires -- so a discover is no longer needed then, and therefore neither is a broadcast.

Normally the communication therefore goes like this:

C: discover ("hello, is anyone here?")
S: offer ("yo, I'm here, here's an IP address")
C: request ("hello, may I use this address?")
S: ack ("go ahead")
...
C: request ("hello, may I (keep) using this address?")
S: ack ("go ahead")
...

and so on.

If a DHCP server doesn't respond in time on a renew, then after a timeout the client will indeed send out a new discover -- but that's an exceptional situation which you normally shouldn't see.

> A property of an ethernet broadcast is that it is visible "everywhere".
> That I did see ARP yesterday evening on a wifi interface, but no bootpc,
> is why I found it strange.

That's also perfectly normal :-)

> I now do see the bootpc packets. The difference from yesterday
> is that now the (test) DHCP Discover comes from real ethernet (instead of
> another wifi computer)

If it's a "test" discover, then maybe there's no earlier DHCP lease on that machine yet? Then that's normal too. On a second dhcp you'll probably not see it anymore.

> Why the "wifi to wifi broadcast" doesn't work is low priority for me.
> I can get on with the "ethernet originated DHCP Discover"
> Thanks
>
> > Personally I don't find tcpdump very handy for this kind of thing, and
> > I'd rather use wireshark to filter and look at things. You do that
> > like so:
> >
> } sudo tcpdump -i wlan0 -w PCAPfile
> > [... wait ...]
> > ^C
> } wireshark PCAPfile
> >
> > and then you can just filter in the output...
> >
>
> Yes, `wireshark PCAPfile` is nicer than `tcpdump -r PCAPfile`.
>
> Wireshark can, by the way, capture and filter "on the fly".

Of course.

-- 
To the thief who stole my anti-depressants: I hope you're happy
  -- seen somewhere on the Internet on a photo of a billboard
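To make the two points of this exchange concrete (a `port bootpc` filter only looks at IP packets carrying TCP/UDP port 68, so ARP never matches it even though both are Ethernet broadcasts; and the DHCP message types differ in who they are addressed to), here is a small frame parser with a few constructed frames. This is an added example, not code from the thread or from tcpdump; the MAC and IP addresses are made up, and `matches_port_bootpc` is a simplified stand-in for the BPF program tcpdump compiles (it only handles UDP, while tcpdump's `port` also matches TCP and SCTP). Following RFC 2131, the initial request after an offer is still a broadcast, while the renewal request is unicast to the known server.

```python
import struct

ETH_P_IP, ETH_P_ARP, IPPROTO_UDP = 0x0800, 0x0806, 17
BOOTPS, BOOTPC = 67, 68          # the /etc/services names tcpdump accepts in "port bootps"/"port bootpc"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BROADCAST_MAC = b"\xff" * 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet broadcast carrying an ARP 'who-has' (no IP header, so no ports at all)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1, src_mac, src_ip, b"\x00" * 6, target_ip)
    return BROADCAST_MAC + src_mac + struct.pack("!H", ETH_P_ARP) + arp


def build_dhcp_frame(msg_type, src_mac, src_ip, dst_mac, dst_ip, client_mac):
    """Ethernet/IPv4/UDP/BOOTP frame with a single DHCP option 53 (message type)."""
    client_to_server = msg_type in (1, 3)                     # DISCOVER and REQUEST come from the client
    bootp = (bytes([1 if client_to_server else 2, 1, 6, 0])  # op, htype, hlen, hops
             + b"\x39\x03\xf3\x26" + b"\x00\x00" + b"\x00\x00"  # xid, secs, flags (constructed)
             + b"\x00" * 16                                   # ciaddr, yiaddr, siaddr, giaddr
             + client_mac.ljust(16, b"\x00") + b"\x00" * 192  # chaddr, sname, file
             + MAGIC_COOKIE + bytes([53, 1, msg_type, 255]))  # options: message type, end
    sport, dport = (BOOTPC, BOOTPS) if client_to_server else (BOOTPS, BOOTPC)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip + udp


def dhcp_message_type(options):
    """Walk the TLV option list and return the name of option 53, or None."""
    i = 0
    while i < len(options) and options[i] != 255:
        if options[i] == 0:                                   # pad byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        if code == 53:
            return DHCP_TYPES.get(options[i + 2], "type %d" % options[i + 2])
        i += 2 + length
    return None


def parse_frame(frame):
    """Layer-by-layer summary: L2 broadcast?, ethertype, IP proto, UDP ports, DHCP type."""
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"broadcast": dst == BROADCAST_MAC, "ethertype": ethertype, "proto": None, "ports": (), "dhcp": None}
    if ethertype != ETH_P_IP:
        return info                                           # ARP stops here: no IP, no ports
    ihl = (frame[14] & 0x0F) * 4
    info["proto"] = frame[14 + 9]
    if info["proto"] != IPPROTO_UDP:
        return info
    off = 14 + ihl
    info["ports"] = struct.unpack("!HH", frame[off:off + 4])
    payload = frame[off + 8:]
    if set(info["ports"]) == {BOOTPS, BOOTPC} and payload[236:240] == MAGIC_COOKIE:
        info["dhcp"] = dhcp_message_type(payload[240:])
    return info


def matches_port_bootpc(frame):
    """The decision 'port bootpc' makes: an IP packet whose transport src or dst port is 68."""
    return BOOTPC in parse_frame(frame)["ports"]


# Constructed sample traffic: one ARP who-has plus a full DHCP conversation.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ZERO_IP, BCAST_IP = bytes(4), b"\xff\xff\xff\xff"
SERVER_IP, OFFERED_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])
SAMPLE_FRAMES = [
    ("arp who-has", build_arp_request(CLIENT_MAC, OFFERED_IP, SERVER_IP)),
    ("dhcp discover", build_dhcp_frame(1, CLIENT_MAC, ZERO_IP, BROADCAST_MAC, BCAST_IP, CLIENT_MAC)),
    ("dhcp offer", build_dhcp_frame(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, OFFERED_IP, CLIENT_MAC)),
    ("dhcp request (select)", build_dhcp_frame(3, CLIENT_MAC, ZERO_IP, BROADCAST_MAC, BCAST_IP, CLIENT_MAC)),
    ("dhcp request (renew)", build_dhcp_frame(3, CLIENT_MAC, OFFERED_IP, SERVER_MAC, SERVER_IP, CLIENT_MAC)),
    ("dhcp ack", build_dhcp_frame(5, SERVER_MAC, SERVER_IP, CLIENT_MAC, OFFERED_IP, CLIENT_MAC)),
]


def classify(frames=SAMPLE_FRAMES):
    """(label, L2 broadcast?, DHCP message type, passes 'port bootpc'?) for every frame."""
    return [(label, parse_frame(f)["broadcast"], parse_frame(f)["dhcp"], matches_port_bootpc(f))
            for label, f in frames]


if __name__ == "__main__":
    for row in classify():
        print("%-22s broadcast=%-5s dhcp=%-8s port_bootpc=%s" % row)
```

The ARP row is the one the first message in the thread was puzzled by: it is a broadcast, yet the filter rejects it because the filter is evaluated on the IP/UDP layers that ARP does not have. All five DHCP frames pass, whether they are broadcast or unicast, because port 68 appears on one side of each.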
Re: tcpdump -i wlan0 port bootpc
On Sun, Dec 30, 2018 at 10:06:21AM +0100, Wouter Verhelst wrote:
> On Sun, Dec 30, 2018 at 12:12:01AM +0100, Geert Stappers wrote:
> >
> > Hi,
> >
> > On a laptop I see all kinds of broadcasts go by with `sudo tcpdump -i wlan0`.
> > ARP among others.
> >
> > Now I want to zoom in on DHCP requests and say
> > `sudo tcpdump -i wlan port bootpc`
> > but then I do _not_ see those broadcasts go by.
> >
> > Is that the case in your network too?
>
> That's normal.

:-)

> If you ask to see only requests over the "bootpc" port,
> then you don't see requests that don't use that port.
> Since ARP isn't TCP or UDP requests, you naturally don't get any
> ARP requests with such a filter either.

Just like the "ARP who has", the "DHCP Discover" is an ethernet broadcast.
A property of an ethernet broadcast is that it is visible "everywhere".
That I did see ARP yesterday evening on a wifi interface, but no bootpc,
is why I found it strange.

I now do see the bootpc packets. The difference from yesterday
is that now the (test) DHCP Discover comes from real ethernet (instead of
another wifi computer).

Why the "wifi to wifi broadcast" doesn't work is low priority for me.
I can get on with the "ethernet originated DHCP Discover".

Thanks

> Personally I don't find tcpdump very handy for this kind of thing, and
> I'd rather use wireshark to filter and look at things. You do that
> like so:
>
} sudo tcpdump -i wlan0 -w PCAPfile
> [... wait ...]
> ^C
} wireshark PCAPfile
>
> and then you can just filter in the output...
>

Yes, `wireshark PCAPfile` is nicer than `tcpdump -r PCAPfile`.

Wireshark can, by the way, capture and filter "on the fly".

Regards,
Geert Stappers
-- 
Live and let live
Re: tcpdump -i wlan0 port bootpc
On Sun, Dec 30, 2018 at 12:12:01AM +0100, Geert Stappers wrote:
>
> Hi,
>
> On a laptop I see all kinds of broadcasts go by with `sudo tcpdump -i wlan0`.
> ARP among others.
>
> Now I want to zoom in on DHCP requests and say
> `sudo tcpdump -i wlan port bootpc`
> but then I do _not_ see those broadcasts go by.
>
> Is that the case in your network too?

That's normal.

If you ask to see only requests over the "bootpc" port, then you don't see requests that don't use that port. Since ARP isn't TCP or UDP requests, you naturally don't get any ARP requests with such a filter either.

Personally I don't find tcpdump very handy for this kind of thing, and I'd rather use wireshark to filter and look at things. You do that like so:

sudo tcpdump -i wlan0 -w file.dump
[... wait ...]
^C
wireshark file.dump

and then you can just filter in the output...

-- 
To the thief who stole my anti-depressants: I hope you're happy
  -- seen somewhere on the Internet on a photo of a billboard
tcpdump -i wlan0 port bootpc
Hi,

On a laptop I see all kinds of broadcasts go by with `sudo tcpdump -i wlan0`. ARP among others.

Now I want to zoom in on DHCP requests and say
`sudo tcpdump -i wlan port bootpc`
but then I do _not_ see those broadcasts go by.

Is that the case in your network too?

Regards,
Geert Stappers
-- 
Live and let live
Re: ulogd2-pcap - tcpdump unknown file format
Problem found! :)

If you wait long enough, tail will not include the file header and tcpdump will just die.

tail -F -n +1 $my_pcap | tcpdump -nr -

And you are happy again. Don't even think about not including -n... Depending on how many log entries you have, it will be slow.

Cheers
Flo
ulogd2-pcap - tcpdump unknown file format
Hi,

I'm logging dropped packets with ulogd2 into a pcap file so that tcpdump should be able to read it. At some point tcpdump is no longer able to read the file and quits with "unknown file format". The file command, on the other hand, prints a correct header:

/var/log/ulog/ulogd.pcap: tcpdump capture file (little-endian) - version 2.4 (raw IP, capture length 65536)

Also, I can still have the file open and see packets being logged, but when I try to open a new tcpdump in another shell I get the error. When I delete the file and start a new one, everything seems to be working again.

Is anyone else also facing this error? Ideas for starting to debug what is causing the error?

Package details:
tcpdump: 4.6.2-5+deb8u1
ulogd2: 2.0.4-2+deb8u1
ulogd2-pcap: 2.0.4-2+deb8u1
iptables: 1.4.21-2+b1
Kernel: 3.16.0-4-amd64

Cheers
Flo
Re: Curiosity: ICMP (ping) packets on the network and TCPDUMP
Hello, run tcpdump without the source and destination options, as below:

tcpdump -n net 192.168.3.0/24 and net 192.168.2.0/24

From: Rodrigo Cunha <rodrigo.root...@gmail.com>
Sent: Sunday, 2 October 2016 18:04
To: Rafhaeu Benedicto
Cc: Debian-User
Subject: Re: Curiosity: ICMP (ping) packets on the network and TCPDUMP

> Correct, Benedito, but the reply that the source sends to the destination should be shown. I mean, if I ping from an ip on network 192.168.2.0/24 to an ip on network 192.168.3.0/24, the host on network 192.168.2.0 has to answer, and that reply packet I can't capture with tcpdump; I believe it's a bug in the software's output to linux stdout... it's a hypothesis.
>
> On 1 October 2016 08:55, Rafhaeu Benedicto <rafha...@gmail.com> wrote:
> > Rodrigo,
> >
> > If you look closely at the command, you are setting a source and destination filter:
> > 192.168.2.0 source
> > 192.168.3.0 destination
> > You will only get packets leaving the ip you are sending the pings from.
> > To see the reply, swap the networks:
> > #tcpdump -n src net 192.168.3.0/24 and dst net 192.168.2.0/24
> >
> > On 30/09/2016 20:08, "Rodrigo Cunha" <rodrigo.root...@gmail.com> wrote:
> > > Hello sirs, a curiosity: in my lab analyses I discovered a curiosity about tcpdump and icmp packets.
> > > I did a test where I pinged the ip 192.168.2.9 from the ip 192.168.2.3
> > > and got data from that with tcpdump using the command:
> > >
> > > #tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
> > >
> > > I got data of this kind:
> > > 19:57:22.079895 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 177, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
> > > 19:57:22.080061 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 241, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
> > >
> > > But when I did the reverse path, from ip 192.168.3.9 to ip 192.168.2.3, with the same command:
> > > tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
> > > I got no information.
> > >
> > > Question:
> > > When I send an icmp signal to a host, shouldn't that host send a reply to whoever requested the packet?
> > > Drawing to make it easy to understand:
> > >
> > > -- 
> > > Regards,
> > > Rodrigo da Silva Cunha
>
> -- 
> Regards,
> Rodrigo da Silva Cunha
Re: Curiosity: ICMP (ping) packets on the network and TCPDUMP
Correct, Benedito, but the reply that the source sends to the destination should be shown. I mean, if I ping from an ip on network 192.168.2.0/24 to an ip on network 192.168.3.0/24, the host on network 192.168.2.0 has to answer, and that reply packet I can't capture with tcpdump; I believe it's a bug in the software's output to linux stdout... it's a hypothesis.

On 1 October 2016 08:55, Rafhaeu Benedicto <rafha...@gmail.com> wrote:
> Rodrigo,
>
> If you look closely at the command, you are setting a source and
> destination filter:
> 192.168.2.0 source
> 192.168.3.0 destination
> You will only get packets leaving the ip you are sending the pings from.
> To see the reply, swap the networks:
> #tcpdump -n src net 192.168.3.0/24 and dst net 192.168.2.0/24
>
> On 30/09/2016 20:08, "Rodrigo Cunha" <rodrigo.root...@gmail.com> wrote:
>
>> Hello sirs, a curiosity: in my lab analyses I discovered a curiosity
>> about tcpdump and icmp packets.
>> I did a test where I pinged the ip 192.168.2.9 from the ip 192.168.2.3
>> and got data from that with tcpdump using the command:
>>
>> #tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
>>
>> I got data of this kind:
>> 19:57:22.079895 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 177, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
>> 19:57:22.080061 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 241, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
>>
>> But when I did the reverse path, from ip 192.168.3.9 to ip 192.168.2.3,
>> with the same command:
>> tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
>> I got no information.
>>
>> Question:
>> When I send an icmp signal to a host, shouldn't that host send a reply
>> to whoever requested the packet?
>> Drawing to make it easy to understand:
>>
>> -- 
>> Regards,
>> Rodrigo da Silva Cunha

-- 
Regards,
Rodrigo da Silva Cunha
Re: Curiosity: ICMP (ping) packets on the network and TCPDUMP
Rodrigo,

If you look closely at the command, you are setting a source and destination filter:
192.168.2.0 source
192.168.3.0 destination
You will only get packets leaving the ip you are sending the pings from.
To see the reply, swap the networks:
#tcpdump -n src net 192.168.3.0/24 and dst net 192.168.2.0/24

On 30/09/2016 20:08, "Rodrigo Cunha" <rodrigo.root...@gmail.com> wrote:
> Hello sirs, a curiosity: in my lab analyses I discovered a curiosity
> about tcpdump and icmp packets.
> I did a test where I pinged the ip 192.168.2.9 from the ip 192.168.2.3
> and got data from that with tcpdump using the command:
>
> #tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
>
> I got data of this kind:
> 19:57:22.079895 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 177, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
> 19:57:22.080061 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 241, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
>
> But when I did the reverse path, from ip 192.168.3.9 to ip 192.168.2.3,
> with the same command:
> tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
> I got no information.
>
> Question:
> When I send an icmp signal to a host, shouldn't that host send a reply
> to whoever requested the packet?
> Drawing to make it easy to understand:
>
> -- 
> Regards,
> Rodrigo da Silva Cunha
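The misunderstanding in this thread is about direction qualifiers: `src net A and dst net B` describes one direction of a flow, so the echo reply (which travels B to A) never matches, while `net A and net B` (no qualifier means "src or dst") matches both halves. The evaluator below is an added example, not tcpdump's own filter compiler; it parses a small subset of the pcap-filter grammar (`src`/`dst` qualifiers, `net`, `host`, `port`, `icmp`/`tcp`/`udp`, `and`/`or`/`not`, parentheses) into Python predicates and runs them over a constructed ping exchange plus the SSH flow from the quoted output. Packets are plain dicts; the addresses and ports come from the thread.

```python
import ipaddress


def tokenize(expr):
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class Parser:
    """Recursive descent over a pcap-filter subset:
       expr := term ('or' term)*   term := factor ('and' factor)*
       factor := 'not' factor | '(' expr ')' | primitive
       primitive := [src|dst] (net CIDR | host IP | port N) | icmp | tcp | udp"""

    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: " + " ".join(self.toks[self.i:]))
        return pred

    def expr(self):
        preds = [self.term()]
        while self.peek() == "or":
            self.take()
            preds.append(self.term())
        return lambda p: any(f(p) for f in preds)

    def term(self):
        preds = [self.factor()]
        while self.peek() == "and":
            self.take()
            preds.append(self.factor())
        return lambda p: all(f(p) for f in preds)

    def factor(self):
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("icmp", "tcp", "udp"):
            return lambda p, proto=tok: p["proto"] == proto
        # An explicit 'src'/'dst' restricts the direction; without it, pcap-filter means "src or dst".
        directions = (tok,) if tok in ("src", "dst") else ("src", "dst")
        kind = self.take() if tok in ("src", "dst") else tok
        value = self.take()
        if kind == "net":
            network = ipaddress.ip_network(value)
            return lambda p: any(ipaddress.ip_address(p[d]) in network for d in directions)
        if kind == "host":
            return lambda p: any(p[d] == value for d in directions)
        if kind == "port":
            port = int(value)
            return lambda p: any(p.get({"src": "sport", "dst": "dport"}[d]) == port for d in directions)
        raise ValueError("unsupported qualifier: " + kind)


# Constructed packets: an echo request and its reply, and the SSH flow from the quoted tcpdump lines.
PING_EXCHANGE = [
    {"src": "192.168.2.3", "dst": "192.168.3.9", "proto": "icmp"},   # echo request
    {"src": "192.168.3.9", "dst": "192.168.2.3", "proto": "icmp"},   # echo reply
    {"src": "192.168.2.3", "dst": "192.168.3.9", "proto": "tcp", "sport": 33324, "dport": 22},
    {"src": "192.168.3.9", "dst": "192.168.2.3", "proto": "tcp", "sport": 22, "dport": 33324},
]


def select(expr, packets=PING_EXCHANGE):
    """(src, dst) of every packet the filter expression accepts, in capture order."""
    pred = Parser(expr).parse()
    return [(p["src"], p["dst"]) for p in packets if pred(p)]


if __name__ == "__main__":
    for expr in ("src net 192.168.2.0/24 and dst net 192.168.3.0/24",
                 "src net 192.168.3.0/24 and dst net 192.168.2.0/24",
                 "net 192.168.3.0/24 and net 192.168.2.0/24",
                 "icmp and net 192.168.3.0/24 and net 192.168.2.0/24"):
        print("%-55s -> %s" % (expr, select(expr)))
```

The first expression is the one from the original post and returns only the outbound half; the second is the swapped filter from this reply and returns only the inbound half; the third, suggested later in the thread, returns the complete conversation. Adding `icmp` narrows it to the ping itself, which is usually what you want when checking whether a host answers at all.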
Re: Curiosity: ICMP (ping) packets on the network and TCPDUMP
It's not obligatory.

Jorge Quiterio | https://jquiterio.eu

From: Rodrigo Cunha
Sent: Saturday, October 1, 2016 00:08
To: Debian-User
Subject: Curiosity: ICMP (ping) packets on the network and TCPDUMP

> Hello sirs, a curiosity: in my lab analyses I discovered a curiosity about tcpdump and icmp packets.
> I did a test where I pinged the ip 192.168.2.9 from the ip 192.168.2.3
> and got data from that with tcpdump using the command:
>
> #tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
>
> I got data of this kind:
> 19:57:22.079895 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 177, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
> 19:57:22.080061 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 241, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
>
> But when I did the reverse path, from ip 192.168.3.9 to ip 192.168.2.3, with the same command:
> tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
> I got no information.
>
> Question:
> When I send an icmp signal to a host, shouldn't that host send a reply to whoever requested the packet?
> Drawing to make it easy to understand:
>
> -- 
> Regards,
> Rodrigo da Silva Cunha
Curiosity: ICMP (ping) packets on the network and TCPDUMP
Hello sirs, a curiosity: in my lab analyses I discovered a curiosity about tcpdump and icmp packets.
I did a test where I pinged the ip 192.168.2.9 from the ip 192.168.2.3 and got data from that with tcpdump using the command:

#tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24

I got data of this kind:
19:57:22.079895 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 177, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0
19:57:22.080061 IP 192.168.2.3.33324 > 192.168.3.9.22: Flags [.], ack 241, win 362, options [nop,nop,TS val 3527610 ecr 2704381], length 0

But when I did the reverse path, from ip 192.168.3.9 to ip 192.168.2.3, with the same command:
tcpdump -n src net 192.168.2.0/24 and dst net 192.168.3.0/24
I got no information.

Question:
When I send an icmp signal to a host, shouldn't that host send a reply to whoever requested the packet?
Drawing to make it easy to understand:

-- 
Regards,
Rodrigo da Silva Cunha
Using tcpdump
Friends of the list,

I have been observing packet traffic on the ppp0 connection even when I'm not opening a page. I asked for help on the list and several tools were suggested to me, of which I decided to try tcpdump. Today, for example, when running

tcpdump -i ppp0

I noticed some packets related to newsrss.bbc.co.uk

I have no idea what is responsible for this traffic. How do I find the application responsible for this traffic? And how do I block it?

Thanks,
Jose
Re: Using tcpdump
Did you test with 0 applications open? Or while browsing some site? It could be some iframe calling that site.

Regards,
*Gabriel Ricardo.*
www.tinotapa.com.br

On 25 June 2012 10:15, Instruisto Jose <instr...@yahoo.com.br> wrote:
> Friends of the list,
>
> I have been observing packet traffic on the ppp0 connection even when I'm not opening a page. I asked for help on the list and several tools were suggested to me, of which I decided to try tcpdump. Today, for example, when running
>
> tcpdump -i ppp0
>
> I noticed some packets related to newsrss.bbc.co.uk
>
> I have no idea what is responsible for this traffic. How do I find the application responsible for this traffic? And how do I block it?
>
> Thanks,
> Jose
Re: Using tcpdump
On 25-06-2012 10:15, Instruisto Jose wrote:
> Friends of the list,
>
> I have been observing packet traffic on the ppp0 connection even when I'm not opening a page. I asked for help on the list and several tools were suggested to me, of which I decided to try tcpdump. Today, for example, when running
>
> tcpdump -i ppp0
>
> I noticed some packets related to newsrss.bbc.co.uk
>
> I have no idea what is responsible for this traffic. How do I find the application responsible for this traffic? And how do I block it?

Good morning!

To see the active TCP connections and their processes, run

netstat -tp

(t for TCP and p for Processes).

To block it, check whether the program that made the connection has a way to stop it; otherwise use iptables:

iptables -A OUTPUT -o ppp0 -d <ip or site name> -j REJECT

[]'s
Junior Polegato
RES: Using tcpdump
Don't you have any e-mail client or browser with RSS configured? From the URL you can tell it is for receiving BBC news by RSS.

Regards,

Leandro de Lima Camargo
Network and Technical Support Analyst
Axtelecom Telecomunicações Ltda
lean...@axtelecom.com.br
skype: leandro.zoio
F: + 55 35 32959779
SAC: 0800 727 9779

From: Instruisto Jose [mailto:instr...@yahoo.com.br]
Sent: Monday, 25 June 2012 10:15
To: debian-user-portuguese@lists.debian.org
Subject: Using tcpdump

> Friends of the list,
>
> I have been observing packet traffic on the ppp0 connection even when I'm not opening a page. I asked for help on the list and several tools were suggested to me, of which I decided to try tcpdump. Today, for example, when running
>
> tcpdump -i ppp0
>
> I noticed some packets related to newsrss.bbc.co.uk
>
> I have no idea what is responsible for this traffic. How do I find the application responsible for this traffic? And how do I block it?
>
> Thanks,
> Jose
tcpdump and MySQL
Hi,

I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run

$ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes

Then I run

$ mysql -u root -p

I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.

Any suggestions?

Regards.
Re: tcpdump and MySQL
On 27/04/11 18:09, GarZa wrote:
> Hi,
>
> I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run
>
> $ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> Then I run
>
> $ mysql -u root -p
>
> I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.
>
> Any suggestions?
>
> Regards.

Hi,

mysql -u root -p -h localhost

otherwise mysql will use a unix socket to connect.

Besides, if you use port 3306 in the pcap filter, it already implies dst or src; drop the strings and add -A:

tcpdump -i lo -n -A port 3306

Regards.

-- 
In sports as in everything else, I'm an expert. But to keep my natural,
one-of-a-kind intelligence alive, I have to eat a lot

-- 
To UNSUBSCRIBE, email to debian-user-spanish-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4db84222.2000...@limbo.ari.es
Re: tcpdump and MySQL
On Wed, 27 Apr 2011 18:09:10 +0200, GarZa wrote:
> Hi,
>
> I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run
>
> $ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> Then I run
>
> $ mysql -u root -p
>
> I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.
>
> Any suggestions?

According to this:

Unobtrusive viewing of MySQL queries with tcpdump
http://jetpackweb.com/blog/2009/09/16/unobstrusive-viewing-of-mysql-queries-with-tcpdump/

Check which protocol you are using when you run the mysql client (tcp or unix socket). You can see it with netstat.

Regards,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2011.04.27.16.26...@gmail.com
Re: tcpdump and MySQL
On Wed, 27-04-2011 at 18:19 +0200, Juan Antonio wrote:
> On 27/04/11 18:09, GarZa wrote:
> > Hi,
> >
> > I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run
> >
> > $ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
> > tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> >
> > Then I run
> >
> > $ mysql -u root -p
> >
> > I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.
> >
> > Any suggestions?
> >
> > Regards.
>
> Hi,
>
> mysql -u root -p -h localhost
>
> otherwise mysql will use a unix socket to connect.
>
> Besides, if you use port 3306 in the pcap filter, it already implies dst or src; drop the strings and add -A:
>
> tcpdump -i lo -n -A port 3306
>
> Regards.
>
> -- 
> In sports as in everything else, I'm an expert. But to keep my natural,
> one-of-a-kind intelligence alive, I have to eat a lot

Hi Juan Antonio, I did what you said and it still captures nothing :-(

Thanks anyway.
Re: tcpdump and MySQL
On 27/04/11 18:33, GarZa wrote:
> On Wed, 27-04-2011 at 18:19 +0200, Juan Antonio wrote:
> > On 27/04/11 18:09, GarZa wrote:
> > > Hi,
> > >
> > > I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run
> > >
> > > $ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
> > > tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> > >
> > > Then I run
> > >
> > > $ mysql -u root -p
> > >
> > > I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.
> > >
> > > Any suggestions?
> > >
> > > Regards.
> >
> > Hi,
> >
> > mysql -u root -p -h localhost
> >
> > otherwise mysql will use a unix socket to connect.
> >
> > Besides, if you use port 3306 in the pcap filter, it already implies dst or src; drop the strings and add -A:
> >
> > tcpdump -i lo -n -A port 3306
> >
> > Regards.
>
> Hi Juan Antonio, I did what you said and it still captures nothing :-(
>
> Thanks anyway.

Hi,

OK, then try this:

mysql -u root -p -h localhost --protocol=tcp

I was convinced that specifying -h was enough, but apparently not.

Regards.

-- 
In sports as in everything else, I'm an expert. But to keep my natural,
one-of-a-kind intelligence alive, I have to eat a lot

Archive: http://lists.debian.org/4db8474a.5090...@limbo.ari.es
Re: [SOLVED] tcpdump and MySQL
On Wed, 27-04-2011 at 18:41 +0200, Juan Antonio wrote:
> On 27/04/11 18:33, GarZa wrote:
> > On Wed, 27-04-2011 at 18:19 +0200, Juan Antonio wrote:
> > > On 27/04/11 18:09, GarZa wrote:
> > > > Hi,
> > > >
> > > > I'm trying to see MySQL traffic with tcpdump, and for some reason it doesn't capture any packet. I have MySQL configured to listen on 127.0.0.1 and port 3306. For example, I run
> > > >
> > > > $ sudo tcpdump -l -i lo -w - src or dst port 3306 | strings
> > > > tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> > > >
> > > > Then I run
> > > >
> > > > $ mysql -u root -p
> > > >
> > > > I interact with MySQL (run queries, etc.) and tcpdump captures nothing. I've also tried with Wireshark, with the same result.
> > > >
> > > > Any suggestions?
> > > >
> > > > Regards.
> > >
> > > Hi,
> > >
> > > mysql -u root -p -h localhost
> > >
> > > otherwise mysql will use a unix socket to connect.
> > >
> > > Besides, if you use port 3306 in the pcap filter, it already implies dst or src; drop the strings and add -A:
> > >
> > > tcpdump -i lo -n -A port 3306
> > >
> > > Regards.
> >
> > Hi Juan Antonio, I did what you said and it still captures nothing :-(
> >
> > Thanks anyway.
>
> Hi,
>
> OK, then try this:
>
> mysql -u root -p -h localhost --protocol=tcp
>
> I was convinced that specifying -h was enough, but apparently not.
>
> Regards.
>
> -- 
> In sports as in everything else, I'm an expert. But to keep my natural,
> one-of-a-kind intelligence alive, I have to eat a lot

Now it works; it also works with -h 127.0.0.1 (mysql -u root -p -h 127.0.0.1).

Thanks Juan Antonio, and also Camaleón for the link, very useful. I had been going round in circles on this for several days; it seemed so simple that I was almost embarrassed to ask.

Regards.
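Two threads on this page end up at the same tool: the "Using tcpdump" thread is told to run `netstat -tp` to map a connection to its process, and Camaleón above suggests netstat to check whether the mysql client is speaking TCP or a unix socket. Both answers come from the same kernel tables, `/proc/net/tcp` and `/proc/net/unix`, joined to processes through the socket inode that each `/proc/<pid>/fd/*` symlink exposes. The code below is an added example (not netstat's source and not from either thread) that does that join; the `/proc` contents, process names and pids are constructed stand-ins, and `live_fd_table()` shows how the same mapping is built from a real system (it needs permission to read other users' fd directories, which is why netstat -p is run as root).

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_addr(hexaddr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4 address as one
    little-endian 32-bit word, so 0100007F is 7F.00.00.01 once byte order is undone."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp (header line skipped): local, remote, state, uid, socket inode."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows


def parse_proc_net_unix(text):
    """Rows of /proc/net/unix: inode and (for bound sockets) the filesystem path."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 7:
            rows.append({"inode": int(f[6]), "path": f[7] if len(f) > 7 else ""})
    return rows


def inode_to_process(fd_table):
    """Invert {pid: {'comm': name, 'fds': [readlink results]}} into {socket inode: (pid, name)}."""
    owners = {}
    for pid, proc in fd_table.items():
        for link in proc["fds"]:
            if link.startswith("socket:[") and link.endswith("]"):
                owners[int(link[8:-1])] = (pid, proc["comm"])
    return owners


def live_fd_table():
    """Build the fd table from the real /proc (unreadable processes are skipped, as netstat does)."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = [os.readlink("/proc/%s/fd/%s" % (pid, fd)) for fd in os.listdir("/proc/%s/fd" % pid)]
            with open("/proc/%s/comm" % pid) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        table[int(pid)] = {"comm": comm, "fds": fds}
    return table


# Constructed samples: a mysqld listening on 127.0.0.1:3306 with one TCP client, plus an outbound
# HTTP connection from an unrelated process. The unix row is mysqld's socket, which a client using
# it would show up under instead of in /proc/net/tcp.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 0100007F:B6A2 01 00000000:00000000 00:00000000 00000000   106        0 18002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:B6A2 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 18003 1 0000000000000000 20 4 30 10 -1
   3: 0201A8C0:9C40 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 18004 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18100 /var/run/mysqld/mysqld.sock
0000000000000000: 00000003 00000000 00000000 0001 03 18101
"""
SAMPLE_FD_TABLE = {  # stand-in for os.readlink('/proc/<pid>/fd/<n>') output
    812: {"comm": "mysqld", "fds": ["socket:[18001]", "socket:[18002]", "socket:[18100]"]},
    4711: {"comm": "mysql", "fds": ["socket:[18003]"]},
    5230: {"comm": "feedreader", "fds": ["socket:[18004]"]},
}


def connections_with_owner(tcp_text=SAMPLE_PROC_NET_TCP, fd_table=SAMPLE_FD_TABLE):
    """What `netstat -tp` prints: (local, remote, state, pid, program) per non-listening TCP socket."""
    owners = inode_to_process(fd_table)
    out = []
    for row in parse_proc_net_tcp(tcp_text):
        if row["state"] == "LISTEN":
            continue
        pid, comm = owners.get(row["inode"], (None, "-"))
        out.append((row["local"], row["remote"], row["state"], pid, comm))
    return out


if __name__ == "__main__":
    for local, remote, state, pid, comm in connections_with_owner():
        print("%s:%d -> %s:%d %s %s/%s" % (local + remote + (state, pid, comm)))
```

In the MySQL case, a client started as plain `mysql -u root -p` has no row in `/proc/net/tcp` at all; its socket inode turns up in `/proc/net/unix` next to `mysqld.sock`, and there is nothing on `lo` for tcpdump to see. Once it is started with `--protocol=tcp` or `-h 127.0.0.1`, the third row above appears and so does the traffic.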
Re: TCPdump and WireShark training
On Fri, Apr 01, 2011 at 07:44:28PM +0200, cor...@free.fr <cor...@free.fr> wrote a message of 44 lines which said:

> I didn't know tshark.

That's a real shame.

> WireShark: http://fr.wikipedia.org/wiki/Fichier:Wireshark_screenshot.png
> it seems to be in graphical mode :-)

tshark reuses the dissectors (the protocol analysers) of Wireshark and therefore decodes the same protocols. Being in text mode, it makes it easier to share analysis results with colleagues or on mailing lists (with Wireshark, it's the screenshot, a very Windows-ish method).

Here is an example:

% tshark -c 1 -V -i eth1 host machine.example.net
...
Frame 1 (94 bytes on wire, 94 bytes captured)
    Arrival Time: Apr 2, 2011 12:10:25.319093000
    ...
    Frame Length: 94 bytes
    Capture Length: 94 bytes
    [Protocols in frame: eth:ipv6:tcp]
Ethernet II, Src: AsustekC_76:29:b6 (00:1e:8c:76:29:b6), Dst: FreeboxS_c3:83:23 (00:07:cb:c3:83:23)
    Destination: FreeboxS_c3:83:23 (00:07:cb:c3:83:23)
        Address: FreeboxS_c3:83:23 (00:07:cb:c3:83:23)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Source: AsustekC_76:29:b6 (00:1e:8c:76:29:b6)
        Address: AsustekC_76:29:b6 (00:1e:8c:76:29:b6)
        ...0 = IG bit: Individual address (unicast)
        ..0. = LG bit: Globally unique address (factory default)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 = Version: 6
    [0110 = This field makes the filter ip.version == 6 possible: 6]
    = Traffic class: 0x
    = Flowlabel: 0x
    Payload length: 40
    Next header: TCP (0x06)
    Hop limit: 64
    Source: 2a01:e35:8bd9:8bb0:a0b5:bc12:40bf:935f (2a01:e35:8bd9:8bb0:a0b5:bc12:40bf:935f)
    Destination: 2001:660:3003:2::4:8 (2001:660:3003:2::4:8)
Transmission Control Protocol, Src Port: 51258 (51258), Dst Port: connect-server (3442), Seq: 0, Len: 0
    Source port: 51258 (51258)
    Destination port: connect-server (3442)
    [Stream index: 0]
    Sequence number: 0    (relative sequence number)
    Header length: 40 bytes
    Flags: 0x02 (SYN)
        0... = Congestion Window Reduced (CWR): Not set
        .0.. = ECN-Echo: Not set
        ..0. = Urgent: Not set
        ...0 = Acknowledgement: Not set
...

While we're at it, don't miss pcapr, the Flickr of packets: http://www.bortzmeyer.org/pcapr.html.

-- 
Lisez la FAQ de la liste avant de poser une question :
http://wiki.debian.org/fr/FrenchLists
Pour vous DESABONNER, envoyez un message avec comme objet "unsubscribe"
vers debian-user-french-requ...@lists.debian.org
En cas de soucis, contactez EN ANGLAIS listmas...@lists.debian.org
Archive: http://lists.debian.org/20110402101227.ga15...@sources.org
TCPdump and WireShark training
A TCPdump and WireShark training session will take place tomorrow:

Saturday 2 April 2011
http://www.agendadulibre.org/showevent.php?id=5957

To get to the training venue, meet at 13:30 this Saturday 2 April 2011, at 74 rue Dulong, 75017 Paris. The training room is reached through the left entrance of the building.

To take part under good conditions, two conditions are required:
- a working command of the bash shell,
- bring your own laptop.

Reminder: Tcpdump is a command-line packet sniffer. It lets you get the details of the traffic visible from a network interface. WireShark does the same thing but in graphical mode.

Archive: http://lists.debian.org/201104011855.37009.cor...@free.fr
Re: TCPdump and WireShark training
On 01/04/2011 18:55, cor...@free.fr wrote:
> A TCPdump and WireShark training session will take place tomorrow:
>
> Saturday 2 April 2011
> http://www.agendadulibre.org/showevent.php?id=5957
>
> To get to the training venue, meet at 13:30 this Saturday 2 April 2011, at 74 rue Dulong, 75017 Paris. The training room is reached through the left entrance of the building.
>
> To take part under good conditions, two conditions are required:
> - a working command of the bash shell,
> - bring your own laptop.
>
> Reminder: Tcpdump is a command-line packet sniffer. It lets you get the details of the traffic visible from a network interface. WireShark does the same thing but in graphical mode.

And what is tshark, then ;-)?

Let me restate: tshark and wireshark are the same thing, one graphical and the other command-line. tcpdump is command-line only. tshark/wireshark and tcpdump are based on libpcap but are not identical.

-- 
Daniel

Archive: http://lists.debian.org/4d960c06.2040...@tootai.net
Re: TCPdump and WireShark training
On Friday 1 April 2011, daniel huhardeaux wrote:
> On 01/04/2011 18:55, cor...@free.fr wrote:
> > A TCPdump and WireShark training session will take place tomorrow:
> >
> > Saturday 2 April 2011
> > http://www.agendadulibre.org/showevent.php?id=5957
> >
> > To get to the training venue, meet at 13:30 this Saturday 2 April 2011, at 74 rue Dulong, 75017 Paris. The training room is reached through the left entrance of the building.
> >
> > To take part under good conditions, two conditions are required:
> > - a working command of the bash shell,
> > - bring your own laptop.
> >
> > Reminder: Tcpdump is a command-line packet sniffer. It lets you get the details of the traffic visible from a network interface. WireShark does the same thing but in graphical mode.
>
> And what is tshark, then ;-)?
>
> Let me restate: tshark and wireshark are the same thing, one graphical and the other command-line. tcpdump is command-line only. tshark/wireshark and tcpdump are based on libpcap but are not identical.
>
> Daniel

I didn't know tshark.

WireShark: http://fr.wikipedia.org/wiki/Fichier:Wireshark_screenshot.png
it seems to be in graphical mode :-)

Archive: http://lists.debian.org/201104011944.28233.cor...@free.fr
Re: I've got a problem with tcpdump, HELP
Answer from tcpdump devels:

> On 1 apr 2011, at 03:49, Benimaur Gao wrote:
>> The info in this one is quite little!! without request parameter, without http headers, and even without the essential data returned by the server!!
>> [...]
>> can anyone give me some clue? I suspect it is caused by a different version of tcpdump? if so, can I get the same detailed info with the older one?
>
> Different systems use different snaplengths by default. If you want the output to be the same, you have to set the snaplength yourself. As you seem to want to view the whole packets, you can use '-s0' on both systems.
>
> Cheers, Sake
>
> - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.

==

// I should have checked the man page more carefully, thank you all!

On Fri, Apr 1, 2011 at 2:35 AM, Camaleón noela...@gmail.com wrote:
> On 2011-04-01 at 01:02 +0800, Benimaur Gao wrote:
>> (resending to the list)
>>
>> On Fri, Apr 1, 2011 at 12:49 AM, Camaleón wrote:
>>> (...)
>>> Sure... I also noted the URI was recorded differently. First one is:
>>> GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6fceb24
>>> And the second one has been shortened somehow:
>>> GET /misc/ccs/deleteClubThread
>>> Maybe a different client request or you visited the same page? :-?
>>>
>>>> I suspect that it is caused by a different version of tcpdump? The dilemma is I've no permission to upgrade the software :(
>>>
>>> I also think so... but even if different releases produce different output (it could be understandable), the date format coming from the older one looks to be really broken, the date is completely cut and so useless :-/
>>
>> I guarantee that the two request URIs should be the same.. Thanks for your suggestion!
>
> Okay, I was just pointing out the differences between the two outputs O:-)
>
>> I think I should also post in the mailing list from the tcpdump project. :)
>
> That's a very good idea. Devels will provide accurate information on this issue. Should you finally find the culprit, post it back, it's quite interesting.
>
> Greetings,
> -- Camaleón

-- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/AANLkTinV-0C+sZ_7Gmf8oW1pKKJ=KW74dYM2xS5=x...@mail.gmail.com
I've got a problem with tcpdump, HELP
Hi, all

I've encountered a problem in using tcpdump. I tried to capture http traffic by using the following command:

# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(note: the web application serves on port 9003, not the conventional 80)

but different results were given by two hosts:

skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:01.166216 IP 10.16.2.60.53837 > 10.20.156.9.9003: Flags [P.], seq 1867639697:1867639908, ack 2460048481, win 92, options [nop,nop,TS val 9412788 ecr 2507947432], length 211
E...K%@.@.c .. ...M#+oQ\a...\.b. .|=.GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6fceb24 HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/2.0.2
Host: club-dev.myhost.com:9003

20:26:01.179225 IP 10.20.156.9.9003 > 10.16.2.60.53837: Flags [P.], seq 1:363, ack 211, win 54, options [nop,nop,TS val 2507947436 ecr 9412788], length 362
E...a.@..)( .. ..#+.M..\aoQ.d...6%.. .|=.HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 12:16:04 GMT
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Content-Language: cn,zh-cn
Content-Type: text/html; charset=GBK
Set-Cookie: JSESSIONID=1v9ac7714fmdc1447aj3eyhqxu;Path=/
Set-Cookie: ali_apache_tracktmp=c_c_signed=N;Version=1;Path=/;Domain=.myhost.com;Discard
Vary: Accept-Encoding
Content-Length: 7

SUCCESS
^C
2 packets captured
3 packets received by filter
0 packets dropped by kernel

The info in this result is detailed, and it's what I want.

The tcpdump version is:

# tcpdump -h
tcpdump version 4.1.1
libpcap version 1.1.1

Then I ran the same command on another host, and a different result was given:

[Intranet root@ccbuqa141064 /root] #tcpdump -Ani eth0 'host 10.20.141.138 and tcp port 6100 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:14:55.063351 IP 10.20.141.64.35246 > 10.20.141.138.synchronet-db: P 3812316275:3812316488(213) ack 3651694786 win 46 <nop,nop,timestamp 1778729508 1105987604>
E.. .X@.@... ..@ ;Ts..p..J. j.B$A...GET /misc/ccs/deleteClubThread
20:14:55.127121 IP 10.20.141.138.synchronet-db > 10.20.141.64.35246: P 1:363(362) ack 213 win 54 <nop,nop,timestamp 1105987621 1778729508>
E...x.@.@... ... ..@..p..;UH...6.k. A..%j.B$HTTP/1.1 200 OK
Date: Thu, 31

2 packets captured
2 packets received by filter
0 packets dropped by kernel

You see? The info in this one is quite little!! Without request parameters, without http headers, and even without the essential data returned by the server!!

The tcpdump version on this host is:

[Intranet root@ccbuqa141064 /root] #tcpdump -h
tcpdump version 3.9.4
libpcap version 0.9.4
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -Z user ]
                [ expression ]

Can anyone give me some clue?? Thanks!
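Added example, not code from anyone in this thread: it reproduces in miniature the snaplen effect the tcpdump developers explain above and renders the question's payload-length filter in Python. It assumes a constructed request modelled on the first capture (addresses, ports, IP ID and sequence numbers copied from it, the TCP checksum left at zero) and writes its own pcap files rather than calling tcpdump.

```python
"""Added example (not code from this thread): the snaplen effect in miniature.

A constructed Ethernet/IPv4/TCP frame with an HTTP request modelled on the
question's first capture is checked with the question's BPF expression
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0) rendered in Python,
then written to pcap with snaplen 96 and 65535 and read back."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample request, modelled on the first capture in the thread.
HTTP_REQUEST = (
    b"GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE"
    b"&operator=H&md5Code=072fa43b87b31865e60aa6fceb24 HTTP/1.1\r\n"
    b"User-Agent: Jakarta Commons-HttpClient/2.0.2\r\n"
    b"Host: club-dev.myhost.com:9003\r\n\r\n"
)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, flags: int = 0x18) -> bytes:
    """Ethernet + IPv4 (no options) + TCP with nop,nop,timestamp options.
    Addresses, ports, IP ID and sequence numbers are copied from the thread's
    first capture; the TCP checksum stays zero since nothing verifies it."""
    opts = b"\x01\x01\x08\x0a" + struct.pack("!II", 9412788, 2507947432)
    tcp_len = 20 + len(opts)                              # 32 bytes
    tcp = struct.pack("!HHIIBBHHH", 53837, 9003, 1867639697, 2460048481,
                      (tcp_len // 4) << 4, flags, 92, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0x4B25, 0x4000, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton("10.16.2.60"),
                     socket.inet_aton("10.20.156.9"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("000c29aabbcc000c29ddeeff0800")   # dst, src, IPv4
    return eth + ip + tcp + payload


def headers_len(frame: bytes) -> int:
    """Ethernet + IP + TCP header bytes, read from the frame's own fields."""
    ihl_bytes = (frame[14] & 0x0F) << 2                   # ((ip[0]&0xf)<<2)
    tcp_hdr_bytes = (frame[26 + ihl_bytes] & 0xF0) >> 2   # ((tcp[12]&0xf0)>>2)
    return 14 + ihl_bytes + tcp_hdr_bytes


def tcp_payload_len(frame: bytes) -> int:
    """The BPF expression in Python.  ip[n]/tcp[n] index from the start of
    the IP/TCP headers, so the Ethernet header takes no part in the sum."""
    total_len = struct.unpack("!H", frame[16:18])[0]      # ip[2:2]
    return total_len - (headers_len(frame) - 14)          # != 0 means data


def write_pcap(path: str, frames, snaplen: int) -> None:
    """Classic pcap writer that keeps at most snaplen bytes of each frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                            snaplen, LINKTYPE_ETHERNET))
        for n, frame in enumerate(frames):
            captured = frame[:snaplen]
            # ts_sec, ts_usec, incl_len (bytes kept), orig_len (on the wire)
            f.write(struct.pack("<IIII", 1301573161, n,
                                len(captured), len(frame)))
            f.write(captured)


def read_pcap(path: str):
    """Return [(incl_len, orig_len, data), ...] from a little-endian pcap."""
    records = []
    with open(path, "rb") as f:
        magic, *_, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("unexpected pcap header")
        while len(hdr := f.read(16)) == 16:
            _, _, incl_len, orig_len = struct.unpack("<IIII", hdr)
            records.append((incl_len, orig_len, f.read(incl_len)))
    return records


def captured_payload(snaplen: int, payload: bytes = HTTP_REQUEST) -> bytes:
    """Round-trip one frame through a pcap written with the given snaplen and
    return the part of the TCP payload that survived (what -A would print)."""
    frame = build_frame(payload)
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, [frame], snaplen)
        incl_len, orig_len, data = read_pcap(path)[0]
    finally:
        os.unlink(path)
    return data[headers_len(data):]
```

With snaplen 96 the 66 header bytes leave exactly 30 bytes of payload, which is why the old host printed GET /misc/ccs/deleteClubThread and nothing more.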
Re: I've got a problem with tcpdump, HELP
On Thu, 31 Mar 2011 20:49:03 +0800, Benimaur Gao wrote:
> I've encountered a problem in using tcpdump. I tried to capture http traffic by using the following command:
> # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
> (note: the web application serves on port 9003, not the conventional 80)
> but different results were given by two hosts:

(...)

> Date: Thu, 31 Mar 2011 12:16:04 GMT
> Expires: Thu, 01-Jan-1970 00:00:00 GMT
> Content-Language: cn,zh-cn
> Content-Type: text/html; charset=GBK

> then I ran the same command on another host, and a different result was given

(...)

> Date: Thu, 31
              ^^^ ??

Indeed, the latter output seems to be broken, as if it had been unexpectedly interrupted. How did you manage to stop the capture in both cases? Ctrl+C? :-?

Greetings,
-- Camaleón

Archive: http://lists.debian.org/pan.2011.03.31.15.54...@gmail.com
Re: I've got a problem with tcpdump, HELP
Yes, I stopped the capture with Ctrl C, but actually, there is no more output..

> ;Ts..p..J. j.B$A...GET /misc/ccs/deleteClubThread
                                                  ~~

With this request packet, it's also supposed to have more info, such as Content-Type, Date, Set-Cookie, etc., just as in the first case. Why were they discarded here? I suspect that it is caused by a different version of tcpdump? The dilemma is I've no permission to upgrade the software :(

> 20:14:55.127121 IP 10.20.141.138.synchronet-db > 10.20.141.64.35246: P 1:363(362) ack 213 win 54 <nop,nop,timestamp 1105987621 1778729508>

On Thu, Mar 31, 2011 at 11:54 PM, Camaleón noela...@gmail.com wrote:
> On Thu, 31 Mar 2011 20:49:03 +0800, Benimaur Gao wrote:
>> I've encountered a problem in using tcpdump. I tried to capture http traffic by using the following command:
>> # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>> (note: the web application serves on port 9003, not the conventional 80)
>> but different results were given by two hosts:
>
> (...)
>
>> Date: Thu, 31 Mar 2011 12:16:04 GMT
>> Expires: Thu, 01-Jan-1970 00:00:00 GMT
>> Content-Language: cn,zh-cn
>> Content-Type: text/html; charset=GBK
>
>> then I ran the same command on another host, and a different result was given
>
> (...)
>
>> Date: Thu, 31
>               ^^^ ??
>
> Indeed, the latter output seems to be broken, as if it had been unexpectedly interrupted. How did you manage to stop the capture in both cases? Ctrl+C? :-?
>
> Greetings,
> -- Camaleón
Re: I've got a problem with tcpdump, HELP
On Fri, 01 Apr 2011 00:31:20 +0800, Benimaur Gao wrote:

(please, avoid using html messages, they're very hard to read)

> On Thu, Mar 31, 2011 at 11:54 PM, Camaleón wrote:
>> Indeed, the latter output seems to be broken, as if it had been unexpectedly interrupted. How did you manage to stop the capture in both cases? Ctrl+C? :-?
>
> Yes, I stopped the capture with Ctrl C, but actually, there is no more output..
>
> ;Ts..p..J. j.B$A...GET /misc/ccs/deleteClubThread
>                                                  ~~
>
> With this request packet, it's also supposed to have more info, such as Content-Type, Date, Set-Cookie, etc., just as in the first case. Why were they discarded here?

Sure... I also noted the URI was recorded differently. The first one is:

GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6fceb24

And the second one has been shortened somehow:

GET /misc/ccs/deleteClubThread

Maybe a different client request, or you visited the same page? :-?

> I suspect that it is caused by a different version of tcpdump? The dilemma is I've no permission to upgrade the software :(

I also think so... but even if different releases produce different output (it could be understandable), the date format coming from the older one looks to be really broken, the date is completely cut and so useless :-/

Greetings,
-- Camaleón

Archive: http://lists.debian.org/pan.2011.03.31.16.49...@gmail.com
Re: I've got a problem with tcpdump, HELP
On 2011-04-01 at 01:02 +0800, Benimaur Gao wrote:
> (resending to the list)
>
> On Fri, Apr 1, 2011 at 12:49 AM, Camaleón wrote:
>> (...)
>> Sure... I also noted the URI was recorded differently. The first one is:
>> GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6fceb24
>> And the second one has been shortened somehow:
>> GET /misc/ccs/deleteClubThread
>> Maybe a different client request, or you visited the same page? :-?
>>
>>> I suspect that it is caused by a different version of tcpdump? The dilemma is I've no permission to upgrade the software :(
>>
>> I also think so... but even if different releases produce different output (it could be understandable), the date format coming from the older one looks to be really broken, the date is completely cut and so useless :-/
>
> I guarantee that the two request URIs should be the same.. Thanks for your suggestion!

Okay, I was just pointing out the differences between the two outputs O:-)

> I think I should also post in the mailing list from the tcpdump project. :)

That's a very good idea. Devels will provide accurate information on this issue. Should you finally find the culprit, post it back, it's quite interesting.

Greetings
-- Camaleón

Archive: http://lists.debian.org/20110331183540.ga8...@stt008.linux.site
Re: How do you use TCPDump?
Correct, it is wireshark now. Somehow I still remember it by the name ethereal :)

On Fri, Mar 4, 2011 at 10:15, Steven Ayre stevea...@gmail.com wrote:
> There's tshark too... (part of wireshark but command-line like tcpdump; filters are identical to wireshark itself).
>
> -Steve
>
> On 4 Mar 2011, at 03:11, Chris Jones cjns1...@gmail.com wrote:
>> On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
>>> Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
>>
>> I believe they call it ‘wireshark’ these days..
>>
>> cj
Re: How do you use TCPDump?
On Fri, Mar 04, 2011 at 03:30:47AM EST, Anand Sivaram wrote:
> Correct, it is wireshark now. Somehow I still remember it by the name ethereal :)

In ‘lenny’ at least, there's still a dummy ‘ethereal’ package.. That's how I found the new name.. couldn't remember it. Anyway, I mentioned it in case the OP needs to google for it.

cj

Archive: http://lists.debian.org/20110304115801.GA4176@pavo.local
Re: How do you use TCPDump?
On Wed, Mar 2, 2011 at 11:00 PM, Jason Hsu jhsu802...@jasonhsu.com wrote:
> I have it installed, and I can look up the parameters in the command. What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?

Look at snort. It's pretty much the industry standard when it comes to IDS. Also, you can either use the new snort format (which is a pita to convert to pcap format) or you can have it log 'interesting' things to a flat file and look at it directly with tshark or tcpdump or scapy or whatever else you'd like.

Now, what's cool is if you see something that starts to make you wonder, you go into scapy, modify the packets and replay. Fun :)

One last thing: learn how to write 'good' rules. Just because you've got a bunch of data doesn't make it good data. In fact, too much data is bad data because someone has to look through it all; after a while complacency sets in and your analysis guy becomes useless. In this case, I suppose the analysis guy would be you :)
Re: How do you use TCPDump?
On Thu, Mar 3, 2011 at 09:43, Mike Viau vi...@sheridanc.on.ca wrote:
> On Wed, 2 Mar 2011 22:00:41 -0600 jhsu802...@jasonhsu.com wrote:
>> I have it installed, and I can look up the parameters in the command. What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
>
> What kind of intrusions are you looking for? TCPDump is a packet analyzer, so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. You may also specify a port number to monitor, which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host. The filters may be used in combination by and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example:
>
> tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
>
> One tip is to pass the -n switch when running, because DNS queries slow down captures.
>
> Hope that helps :)
>
> -M

Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
Re: How do you use TCPDump?
On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
> Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.

I believe they call it ‘wireshark’ these days..

cj

Archive: http://lists.debian.org/20110304031150.GB4250@pavo.local
Re: How do you use TCPDump?
There's tshark too... (part of wireshark but command-line like tcpdump; filters are identical to wireshark itself).

-Steve

On 4 Mar 2011, at 03:11, Chris Jones cjns1...@gmail.com wrote:
> On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
>> Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
>
> I believe they call it ‘wireshark’ these days..
>
> cj

Archive: http://lists.debian.org/116381e8-8be5-4583-ad73-effec4f5d...@gmail.com
How do you use TCPDump?
I have it installed, and I can look up the parameters in the command. What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?

-- Jason Hsu jhsu802...@jasonhsu.com

Archive: http://lists.debian.org/20110302220041.35071bf9.jhsu802...@jasonhsu.com
RE: How do you use TCPDump?
On Wed, 2 Mar 2011 22:00:41 -0600 jhsu802...@jasonhsu.com wrote:
> I have it installed, and I can look up the parameters in the command. What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?

What kind of intrusions are you looking for? TCPDump is a packet analyzer, so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. You may also specify a port number to monitor, which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host. The filters may be used in combination by and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example:

tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'

One tip is to pass the -n switch when running, because DNS queries slow down captures.

Hope that helps :)

-M

Archive: http://lists.debian.org/bay148-w174ae84d50a7f526d341e4ef...@phx.gbl
Connectivity issue - tcpdump reports ping a success, ping itself does not.
Hi,

I am having some connectivity issues. The arp table is not populated even though the arp requests are successfully transferred on the wire, which leads to an unsuccessful ping. When I add an arp entry manually, tcpdump shows replies, but ping itself does not.

I have had this problem before, only that was after I uploaded data using ssh or ssl. Then I got the same weird results. I lost connectivity at the application level, but tcpdump showed that the packets went through (ping packets got a reply in tcpdump but not in ping; www would only load some kB of data before it stopped transmitting).

So I hope this is a known issue. All help is much appreciated.

-tslura

I have rebooted my system, and this is what I get.

[2304][r...@pwwrpad:~]# uname -a
Linux pwwrpad 2.6.32-3-686 #1 SMP Thu Feb 25 06:14:20 UTC 2010 i686 GNU/Linux

I am using GNS3 to simulate a Cisco router. This I connect to a cloud which is connected to a tap0 interface. The tap0 interface is created by:

# tunctl -t tap0

[2327][r...@pwwrpad:~]# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 46:7c:75:84:7f:dd
          inet addr:10.10.0.1  Bcast:10.10.0.255  Mask:255.255.255.0
          inet6 addr: fe80::447c:75ff:fe84:7fdd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5742 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[2324][r...@pwwrpad:~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tap0
109.246.52.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         109.246.52.1    0.0.0.0         UG    0      0        0 eth0

Router#sh ip int
FastEthernet0/0 is up, line protocol is up
  Internet address is 10.10.0.2/24
  Broadcast address is 255.255.255.255

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.0.0 is directly connected, FastEthernet0/0

I can see the network traffic from the router node, connected to tap0:

Router>ping 10.10.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
Router>

[2258][r...@pwwrpad:~]# tcpdump -i tap0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:58:40.904701
22:58:50.904699
22:58:56.308857 ARP, Request who-has pwwrpad.local tell 10.10.0.2, length 46
22:58:56.463492 IP6 fe80::447c:75ff:fe84:7fdd.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.0.10.10.in-addr.arpa. (40)
22:58:56.463570 IP pwwrpad.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.0.10.10.in-addr.arpa. (40)
22:58:56.463906 IP pwwrpad.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) PTR pwwrpad.local. (61)
22:58:56.620013 IP6 fe80::447c:75ff:fe84:7fdd.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:58:56.620082 IP pwwrpad.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:58:57.267462 CDPv2, ttl: 180s, Device-ID 'Router', length 333
22:58:57.620916 IP6 fe80::447c:75ff:fe84:7fdd.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:58:57.620991 IP pwwrpad.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:58:58.308839 ARP, Request who-has pwwrpad.local tell 10.10.0.2, length 46
22:58:59.622211 IP6 fe80::447c:75ff:fe84:7fdd.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:58:59.622279 IP pwwrpad.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.10.10.in-addr.arpa. (40)
22:59:00.308839 ARP, Request who-has pwwrpad.local tell 10.10.0.2, length 46

[2259][leaf...@pwwrpad:~]$ ping 10.10.0.2
PING 10.10.0.2 (10.10.0.2) 56(84) bytes of data.
From 10.10.0.1 icmp_seq=2 Destination Host Unreachable
From 10.10.0.1 icmp_seq=3 Destination Host Unreachable
From 10.10.0.1 icmp_seq=4 Destination Host Unreachable
^C
--- 10.10.0.2 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5009ms
pipe 3
[2300][leaf...@pwwrpad:~]$

23:00:51.246623 ARP, Request who-has 10.10.0.2 tell pwwrpad.local, length 28
23:00:51.251907 ARP, Reply 10.10.0.2 is-at c0:00:21:a4:00:00 (oui Unknown), length 46
23:00:52.246623 ARP, Request who-has 10.10.0.2 tell pwwrpad.local, length 28
23:00:52.248841 ARP, Reply 10.10.0.2
Re: tcpdump?
On Sat, Feb 20, 2010 at 06:05:50AM +, Hadi Motamedi wrote:
> Dear All
> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
> #tcpdump port 4957
> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?

tcpdump -s0 -w output.pcap port 4957

Consider also adding -n if name resolution takes extra time.

This will send output to output.pcap. Later on run:

wireshark output.pcap

and analyze the flows there. Naturally you can use other programs.

-- 
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
ICQ# 16849754         |                    | friend

-- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100221181130.gw16...@pear.tzafrir.org.il
Re: tcpdump?
On Sat, Feb 20, 2010 at 07:19:13AM +0100, frank thyes wrote:
> On Sat, 2010-02-20 at 06:05 +, Hadi Motamedi wrote:
>> Dear All
>> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
>> #tcpdump port 4957
>> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>
> RTFM - if you don't know how to read manuals start with man man

That's a rather unuseful reply. Not to mention 'man man' is not my recommendation to someone not familiar with man pages.

-- Tzafrir Cohen

Archive: http://lists.debian.org/20100221181353.gx16...@pear.tzafrir.org.il
Re: tcpdump?
On Sun, Feb 21, 2010 at 04:55:11AM +, Hadi Motamedi wrote:
> [snip]
>> Why not explain what you are trying to do, your main goal
>
> Thank you for your reply. My main goal is to find what is the exact command syntax and its arguments that the attached network element is sending to my Debian server on the specified port. I am seeing communication packets exchanged between the network element and my Debian (through opening the log on Wireshark) but I want to decode it and find the exact syntax of the command sent.

So wireshark and tcpdump, ethereal, tshark are all going to capture the entire packet (make sure to use -s 1500 for ethernet). If wireshark doesn't decode/translate the packet then you are going to have to figure out the protocol spec yourself. It automatically looks and decodes. Wireshark will present you with all the information that you need.

-- The best way to find these terrorists who hide in holes is to get people coming forth to describe the location of the hole, is to give clues and data. - George W. Bush 12/15/2003 Washington, DC
RE: tcpdump?
> Date: Sun, 21 Feb 2010 18:11:31 +
> From: tzaf...@cohens.org.il
> To: debian-user@lists.debian.org
> Subject: Re: tcpdump?
>
> On Sat, Feb 20, 2010 at 06:05:50AM +, Hadi Motamedi wrote:
>> Dear All
>> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
>> #tcpdump port 4957
>> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>
> tcpdump -s0 -w output.pcap port 4957
>
> Consider also adding -n if name resolution takes extra time.
>
> This will send output to output.pcap. Later on run:
>
> wireshark output.pcap
>
> and analyze the flows there. Naturally you can use other programs.
>
> -- Tzafrir Cohen

Thank you for your reply. I tried according to your comment, but still the intended exchanged command cannot be captured on the Wireshark analyzer.
RE: tcpdump?
> Date: Mon, 22 Feb 2010 07:21:30 +1100
> From: a...@samad.com.au
> To: debian-user@lists.debian.org
> Subject: Re: tcpdump?
>
> On Sun, Feb 21, 2010 at 04:55:11AM +, Hadi Motamedi wrote:
>> [snip]
>>> Why not explain what you are trying to do, your main goal
>>
>> Thank you for your reply. My main goal is to find what is the exact command syntax and its arguments that the attached network element is sending to my Debian server on the specified port. I am seeing communication packets exchanged between the network element and my Debian (through opening the log on Wireshark) but I want to decode it and find the exact syntax of the command sent.
>
> So wireshark and tcpdump, ethereal, tshark are all going to capture the entire packet (make sure to use -s 1500 for ethernet). If wireshark doesn't decode/translate the packet then you are going to have to figure out the protocol spec yourself. It automatically looks and decodes. Wireshark will present you with all the information that you need.

Thank you. I tried your proposed switches in my 'tcpdump', but still Wireshark does not show the command syntax that is being exchanged. So it seems that, according to you, I need to figure out the protocol spec another way.
Re: tcpdump?
On 20/02/2010 08:05, Hadi Motamedi wrote:
> Dear All
> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
> #tcpdump port 4957
> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
> Thank you

Hiya

Use tcpflow, i.e.

tcpflow -c port 4957

HTH
Brent Clark

Archive: http://lists.debian.org/4b7fa05b.7010...@gmail.com
Re: tcpdump?
On Sat, 20 Feb 2010 06:26:07 +, Hadi Motamedi wrote:
> Sorry. I mean inside the payload data (as I have obtained the output by tracing with tcpdump). I need to decode the exchanged data.

Does tcpshow help?

***
tcpshow - decode a tcpdump savefile
(...)
tcpshow reads a tcpdump(1) savefile and provides a reasonably complete decode of Ethernet, IP, ICMP, UDP and TCP headers, in packets that match the boolean expression. The data belonging to these packets is displayed in ASCII.
***

Greetings,
-- Camaleón

Archive: http://lists.debian.org/pan.2010.02.20.09.49...@gmail.com
RE: tcpdump?
> Date: Sat, 20 Feb 2010 10:42:03 +0200
> From: brentgclarkl...@gmail.com
> To: debian-user@lists.debian.org
> Subject: Re: tcpdump?
>
> On 20/02/2010 08:05, Hadi Motamedi wrote:
>> Dear All
>> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
>> #tcpdump port 4957
>> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>> Thank you
>
> Hiya
>
> Use tcpflow, i.e.
>
> tcpflow -c port 4957
>
> HTH
> Brent Clark

I tried the following:

#tcpflow -c port 4957

But it didn't produce any output. Can you please give me a hint?
RE: tcpdump?
> To: debian-user@lists.debian.org
> From: noela...@gmail.com
> Subject: Re: tcpdump?
> Date: Sat, 20 Feb 2010 09:49:50 +
>
> On Sat, 20 Feb 2010 06:26:07 +, Hadi Motamedi wrote:
>> Sorry. I mean inside the payload data (as I have obtained the output by tracing with tcpdump). I need to decode the exchanged data.
>
> Does tcpshow help?
>
> ***
> tcpshow - decode a tcpdump savefile
> (...)
> tcpshow reads a tcpdump(1) savefile and provides a reasonably complete decode of Ethernet, IP, ICMP, UDP and TCP headers, in packets that match the boolean expression. The data belonging to these packets is displayed in ASCII.
> ***
>
> Greetings,
> -- Camaleón

I tried to install 'tcpshow' on my Debian, but 'apt-cache search tcpshow' didn't return anything. Can you please give me a hint?
tcpdump?
> #tcpdump port 4957
>
> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?

Try

tcpdump host IP-addr-deb-server and port 4957

This will grab all packets to and from the server which are to or from port 4957.

If you want traffic in one direction only, you can use src host or dst host instead of host, and/or src port or dst port instead of port.

You could add -s 0 to ensure you grab entire packets regardless of size, and -v, -vv or -vvv if you need more details on packets.

John
Re: tcpdump?
On Sat, 20 Feb 2010 11:06:26 +, Hadi Motamedi wrote:

> > Does tcpshow help?
> (...)
> I tried to install 'tcpshow' on my Debian, but 'apt-cache search tcpshow' didn't return anything. Can you please give me a hint?

Mmm, you're right. It seems that package is not available in Debian's repos :-?

Anyway, have you tried to save the file with tcpdump -w and then read it with the tcpdump -r switch?

Greetings,

--
Camaleón
RE: tcpdump?
Date: Sat, 20 Feb 2010 11:15:33 +
Subject: tcpdump?
From: brianol...@gmail.com
To: debian-user@lists.debian.org

> > #tcpdump port 4957
> >
> > I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>
> Try
>
> tcpdump host IP-addr-deb-server and port 4957
>
> This will grab all packets to and from the server which are to or from port 4957.
>
> If you want traffic in one direction only, you can use src host or dst host instead of host, and/or src port or dst port instead of port.
>
> You could add -s 0 to ensure you grab entire packets regardless of size, and -v, -vv or -vvv if you need more details on packets.
>
> John

I tried the following:

#tcpdump -s 0 -vvv port 4957

But the output does not have additional data over the 'tcpdump port 4957' output. Can you please let me know what is wrong here?
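Two points the thread circles around without stating: tcpdump's -v flags only add header detail, so the payload never appears unless you ask for it with -A (ASCII) or -X (hex plus ASCII); and tcpflow reassembles TCP flows only, so it stays silent on a UDP port like the one netstat later shows. The script below is an added example, not code from the thread. It reads a savefile written with tcpdump -w (the route Camaleón suggests) and pulls out the UDP payload for one port, which is what the original poster wanted to see. The capture is constructed inline, the sample addresses, port numbers and "GET_STATUS" payload are made up for illustration, and the parser handles Ethernet-framed IPv4 only.

```python
# Added example (not from the thread): pull the UDP payload for one port out of
# a tcpdump savefile, roughly what `tcpdump -r file -A udp port 4957` prints,
# but with the bytes available to a script.  Capture first with something like
#   tcpdump -i eth0 -s 0 -w port4957.pcap udp port 4957
# (-s 0 matters: a short snaplen truncates the very payload you came for).
import struct
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
LINKTYPE_ETHERNET = 1


def extract_udp_payloads(pcap: bytes, port: int) -> List[Dict]:
    """Return one record per UDP datagram that has `port` as source or destination."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:            # writer used little-endian record headers
        end = "<"
    elif magic == 0xD4C3B2A1:          # big-endian writer
        end = ">"
    else:
        raise ValueError("not a libpcap savefile")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example handles Ethernet captures only")

    records = []
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                # not IPv4 (ARP, IPv6, ...)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
            continue
        udp = ip[ihl:total_len]                     # honour IP length: drops Ethernet padding
        if len(udp) < 8:
            continue
        sport, dport, ulen, _cksum = struct.unpack_from("!HHHH", udp, 0)
        if port not in (sport, dport):
            continue
        records.append({
            "src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "payload": udp[8:ulen],
            "truncated": len(udp) < ulen,           # snaplen cut the datagram short
        })
    return records


def printable(payload: bytes) -> str:
    """Render like tcpdump -A: printable ASCII kept, everything else shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


# --- constructed sample capture (made-up addresses and payloads) -------------
def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame; checksums left zero, savefile readers don't verify them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, IPPROTO_UDP, 0, _ipv4(src), _ipv4(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def build_pcap(frames: List[bytes]) -> bytes:
    """Minimal little-endian libpcap savefile, the format `tcpdump -w` produces."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1266640000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_udp_frame("10.0.0.7", "10.0.0.1", 4957, 4957, b"GET_STATUS 01\r\n"),
    build_udp_frame("10.0.0.1", "192.0.2.53", 51234, 53, b"\x12\x34\x01\x00"),   # unrelated DNS
    build_udp_frame("10.0.0.1", "10.0.0.7", 4957, 4957, b"OK 01 state=\x00\x01\r\n"),
])

if __name__ == "__main__":
    for r in extract_udp_payloads(SAMPLE_PCAP, 4957):
        print(f"{r['src']}:{r['sport']} > {r['dst']}:{r['dport']}  {printable(r['payload'])}")
```

Feed a real file with `extract_udp_payloads(open("port4957.pcap", "rb").read(), 4957)`. The `truncated` flag is the check worth keeping: if it is set, the capture was taken with the default snaplen and the command syntax you are after has been cut off.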
Re: tcpdump?
On 20/02/2010 12:48, Hadi Motamedi wrote:
> I tried the following:
>
> #tcpflow -c port 4957
>
> But it didn't produce any output. Can you please give me a hint?

OK, let's start with a silly question: show us

netstat -nalptu | grep 4957

I.e. do you actually have something listening on that port?

Brent
Re: tcpdump?
On Sat, Feb 20, 2010 at 07:22:29AM +, Hadi Motamedi wrote:
> [snip]
> > try wireshark
> [snip]
> I have Wireshark on my MS Windows platform. I captured the tcpdump output in a file and opened it in Wireshark, but I cannot find how to decode the udp payload data in ascii format. Can you please let me know how I can do that in Wireshark?

So first, you are trying to look at the data that is being sent to/from exchange. You are trying to decode the udp packets?

If so, then if anything out of the box can do it, that would be wireshark; by default (at least on the linux/debian version) it comes with a lot of decoders.

Select the packet you are looking into and drill down; you should have 3 windows of different information. In the bottom window you can view the payload, and if wireshark can decode it, it will, into something more sensible. But if it's been encrypted then you are going to need the keys, or a lot of money and time.

Why not explain what you are trying to do, your main goal?
RE: tcpdump?
Date: Sun, 21 Feb 2010 07:32:19 +1100
From: a...@samad.com.au
To: debian-user@lists.debian.org
Subject: Re: tcpdump?

> On Sat, Feb 20, 2010 at 07:22:29AM +, Hadi Motamedi wrote:
> > [snip]
> > > try wireshark
> > [snip]
> > I have Wireshark on my MS Windows platform. I captured the tcpdump output in a file and opened it in Wireshark, but I cannot find how to decode the udp payload data in ascii format. Can you please let me know how I can do that in Wireshark?
>
> So first, you are trying to look at the data that is being sent to/from exchange. You are trying to decode the udp packets?
>
> If so, then if anything out of the box can do it, that would be wireshark; by default (at least on the linux/debian version) it comes with a lot of decoders.
>
> Select the packet you are looking into and drill down; you should have 3 windows of different information. In the bottom window you can view the payload, and if wireshark can decode it, it will, into something more sensible. But if it's been encrypted then you are going to need the keys, or a lot of money and time.
>
> Why not explain what you are trying to do, your main goal?

Thank you for your reply. My main goal is to find the exact command syntax and arguments that the attached network element is sending to my Debian server on the specified port. I am seeing communication packets exchanged between the network element and my Debian (by opening the log in Wireshark), but I want to decode it and find the exact syntax of the command sent.
RE: tcpdump?
Date: Sat, 20 Feb 2010 17:51:33 +0200
From: brentgclarkl...@gmail.com
To: debian-user@lists.debian.org
Subject: Re: tcpdump?

> On 20/02/2010 12:48, Hadi Motamedi wrote:
> > I tried the following:
> >
> > #tcpflow -c port 4957
> >
> > But it didn't produce any output. Can you please give me a hint?
>
> OK, let's start with a silly question: show us
>
> netstat -nalptu | grep 4957
>
> I.e. do you actually have something listening on that port?
>
> Brent

Please find below the output of 'netstat':

#netstat -nalptu |grep 4959
udp        0      0 0.0.0.0:4959            0.0.0.0:*                           1008/iptrans

As you see, my trace is listening on that port.
tcpdump?
Dear All

I have put a tcpdump trace on port 4957 on my Debian server, as follows:

#tcpdump port 4957

I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?

Thank you
Re: tcpdump?
On Sat, 2010-02-20 at 06:05 +, Hadi Motamedi wrote:
> Dear All
> I have put a tcpdump trace on port 4957 on my Debian server, as follows:
>
> #tcpdump port 4957
>
> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?

RTFM - if you don't know how to read manuals, start with man man

Frank
RE: tcpdump?
Subject: Re: tcpdump?
From: fr...@anotheria.net
CC: debian-user@lists.debian.org
Date: Sat, 20 Feb 2010 07:19:13 +0100
To: debian-user@lists.debian.org

> On Sat, 2010-02-20 at 06:05 +, Hadi Motamedi wrote:
> > Dear All
> > I have put a tcpdump trace on port 4957 on my Debian server, as follows:
> >
> > #tcpdump port 4957
> >
> > I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>
> RTFM - if you don't know how to read manuals, start with man man
>
> Frank

Sorry. I mean inside the payload data (as I have obtained the output by tracing with tcpdump). I need to decode the exchanged data.
Re: tcpdump?
On Sat, Feb 20, 2010 at 06:26:07AM +, Hadi Motamedi wrote:
> [snip]
> Sorry. I mean inside the payload data (as I have obtained the output by tracing with tcpdump). I need to decode the exchanged data.

try wireshark

--
What I think the president ought to do [when gas prices spike] is he ought to get on the phone with the OPEC cartel and say we expect you to open your spigots.
- George W. Bush 01/26/2006 Manchester, NH in a Republican Primary debate
RE: tcpdump?
Date: Sat, 20 Feb 2010 18:01:49 +1100
From: a...@samad.com.au
To: debian-user@lists.debian.org
Subject: Re: tcpdump?

> On Sat, Feb 20, 2010 at 06:26:07AM +, Hadi Motamedi wrote:
> > [snip]
> > Sorry. I mean inside the payload data (as I have obtained the output by tracing with tcpdump). I need to decode the exchanged data.
>
> try wireshark

I have Wireshark on my MS Windows platform. I captured the tcpdump output in a file and opened it in Wireshark, but I cannot find how to decode the udp payload data in ascii format. Can you please let me know how I can do that in Wireshark?
Re: Tcpdump (see iptables drops)
Rafael Moraes wrote:
> That varies. The idea is to see the packets that are being dropped.. for example, I close port 80... and there are users trying to access websites etc. I want to see those attempts and such, understand?
>
> 2009/5/26 Miguel Da Silva - URI mdasi...@fing.edu.uy
> > Rafael Moraes wrote:
> > > Oops, I wrote the question wrong. The right question is: I'd like to know the correct syntax to check, with tcpdump, the packets that are dropped by iptables?
> > >
> > > 2009/5/26 Allison Vollmann allisonv...@yahoo.com.br
> > > > On 25/5/2009 22:04, Rafael Moraes wrote:
> > > > > Good evening, I'd like to know the correct syntax to check the packets that are dropped by iptables, through iptables? Cheers
> > > >
> > > > You can also do this directly in iptables: use the same rule you are using for the DROP, just change the jump at the end to -j LOG. By default it goes to syslog at warning level; after it is processed, it returns to the current chain and continues through the rules as before.
> >
> > And which packets are supposed to be dropped?! The tcpdump syntax will depend, and a lot, on that information.
> >
> > Bye.
> > --
> > Miguel Da Silva
> > Unidad de Recursos Informáticos
> > Facultad de Ingeniería - http://www.fing.edu.uy
> > Universidad de la República - http://www.rau.edu.uy

$ tcpdump src port 80

More information in man tcpdump.

Bye.
--
Miguel Da Silva
Unidad de Recursos Informáticos
Facultad de Ingeniería - http://www.fing.edu.uy
Universidad de la República - http://www.rau.edu.uy
Re: Tcpdump (see iptables drops)
On 25/5/2009 22:04, Rafael Moraes wrote:
> Good evening, I'd like to know the correct syntax to check the packets that are dropped by iptables, through iptables? Cheers

You can also do this directly in iptables: use the same rule you are using for the DROP, just change the jump at the end to -j LOG. By default it goes to syslog at warning level; after it is processed, it returns to the current chain and continues through the rules as before.
Re: Tcpdump (see iptables drops)
Oops, I wrote the question wrong. The right question is: I'd like to know the correct syntax to check, with tcpdump, the packets that are dropped by iptables?

2009/5/26 Allison Vollmann allisonv...@yahoo.com.br
> On 25/5/2009 22:04, Rafael Moraes wrote:
> > Good evening, I'd like to know the correct syntax to check the packets that are dropped by iptables, through iptables? Cheers
>
> You can also do this directly in iptables: use the same rule you are using for the DROP, just change the jump at the end to -j LOG. By default it goes to syslog at warning level; after it is processed, it returns to the current chain and continues through the rules as before.
Re: Tcpdump (see iptables drops)
Rafael Moraes wrote:
> Oops, I wrote the question wrong. The right question is: I'd like to know the correct syntax to check, with tcpdump, the packets that are dropped by iptables?
>
> 2009/5/26 Allison Vollmann allisonv...@yahoo.com.br
> > On 25/5/2009 22:04, Rafael Moraes wrote:
> > > Good evening, I'd like to know the correct syntax to check the packets that are dropped by iptables, through iptables? Cheers
> >
> > You can also do this directly in iptables: use the same rule you are using for the DROP, just change the jump at the end to -j LOG. By default it goes to syslog at warning level; after it is processed, it returns to the current chain and continues through the rules as before.

And which packets are supposed to be dropped?! The tcpdump syntax will depend, and a lot, on that information.

Bye.
--
Miguel Da Silva
Unidad de Recursos Informáticos
Facultad de Ingeniería - http://www.fing.edu.uy
Universidad de la República - http://www.rau.edu.uy
Tcpdump (see iptables drops)
Good evening, I'd like to know the correct syntax to check the packets that are dropped by iptables, through iptables?

Cheers
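Allison's -j LOG answer is the one that actually works, and it is worth saying why: tcpdump attaches at the link layer, before netfilter runs, so it sees every packet that arrives on the interface but never learns which ones a later DROP rule discards. A LOG rule placed immediately before the DROP, with the same match, writes a line to the kernel log for exactly the packets that are about to be dropped. The script below is an added example, not code from the thread: it parses those kernel log lines and counts which source addresses are hitting which closed ports. The log lines are constructed samples in the ipt_LOG format, the "IPT-DROP" prefix and the addresses are made up for illustration, and the iptables rule in the comment assumes the original rule was a simple INPUT match on tcp/80.

```python
# Added example (not from the thread): parse the lines a `-j LOG` rule writes to
# syslog and summarise who is hitting which closed port.  Matching rule, inserted
# just ahead of the existing DROP so it fires on exactly the same packets:
#   iptables -I INPUT -p tcp --dport 80 -j LOG --log-prefix "IPT-DROP: " --log-level warning
# (the original DROP rule is assumed to be `iptables -A INPUT -p tcp --dport 80 -j DROP`).
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample syslog lines in the format the kernel's ipt_LOG target emits;
# the sshd line is there to show that non-matching lines are ignored.
SAMPLE_LOG = """\
May 26 22:04:11 fw kernel: [ 1234.567890] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43122 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 22:04:14 fw kernel: [ 1237.101112] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=43123 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 22:04:20 fw kernel: [ 1243.000001] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 22:04:21 fw sshd[2201]: Accepted publickey for admin from 192.168.1.5 port 51022 ssh2
May 26 22:04:25 fw kernel: [ 1248.500000] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=56
"""

# "kernel:" then an optional "[ uptime]" then a single-token log prefix ending in ":".
LOG_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>\S+:) (?P<fields>.*)$")
INT_FIELDS = {"SPT", "DPT", "LEN", "TTL", "ID", "WINDOW"}


def parse_iptables_log(line: str) -> Optional[Dict[str, Any]]:
    """Turn one ipt_LOG syslog line into a dict; None for lines that aren't one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"prefix": m.group("prefix").rstrip(":"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # MAC= keeps its colons; the second LEN= on UDP lines (UDP length) wins.
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        else:
            rec["flags"].append(tok)          # bare tokens: DF, SYN, ACK, RST, ...
    return rec


def dropped_by_source_port(lines: List[str], prefix: str = "IPT-DROP") -> List[Tuple[Tuple[str, int], int]]:
    """Count (SRC, DPT) pairs for one log prefix, most frequent first."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        if rec and rec["prefix"] == prefix and "SRC" in rec and "DPT" in rec:
            counts[(rec["SRC"], rec["DPT"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (src, dport), n in dropped_by_source_port(SAMPLE_LOG.splitlines()):
        print(f"{src:15} -> port {dport:<5} {n} dropped")
```

On a real box read the lines from `journalctl -k` or `/var/log/kern.log`. Add `--limit` to the LOG rule in production: a port scan otherwise turns the rule into a way to fill your disk.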
Re: Re: Capture msn chats with tcpdump
Why don't you try this?

http://subnacion.com/?cont=lecart=545

Regards
Re: Capture msn chats with tcpdump
Go Go wrote:
> Why don't you try this?
>
> http://subnacion.com/?cont=lecart=545
>
> Regards

Isn't this against the UNIVERSAL DECLARATION OF HUMAN RIGHTS?

Cheers
Alien!
--
If you think training is expensive, try ignorance.
Re: Capture msn chats with tcpdump
On Fri, 30-05-2008 at 10:14 -0300, adriancito wrote:
> Is it possible to capture chat (msn) with tcpdump?

It can surely be done with tcpdump, but have you tried imsniff?

$ aptitude show imsniff
Package: imsniff
State: not installed
Version: 0.04-4
Priority: extra
Section: net
Maintainer: Juan Angulo Moreno [EMAIL PROTECTED]
Uncompressed Size: 111k
Depends: libc6 (>= 2.7-1), libpcap0.8 (>= 0.9.3-1), libstdc++6 (>= 4.1.1)
Description: Simple program to log Instant Messaging activity on the network
 The imsniff program can be used to log IM activity on the network. It uses libpcap to capture packets and analyzes them, logging conversation, contact lists, etc.

 Users connecting after imsniff is started can get pretty good results, including complete contact lists and events (displaying a name change, for example). Users already connected will be able to get the conversations, but will miss the other information.

 The only required parameter is the interface name to listen to. This can be any interface that libpcap supports. A sample imsniff.conf.sample file is included.

 imsniff is beta software, for now, only MSN is supported. Others could follow.

--
Gabriel Parrondo
GNU/Linux User #404138
GnuPG Public Key ID: BED7BF43
JID: [EMAIL PROTECTED]

The only difference between theory and practice is that, in theory, there's no difference between theory and practice.
Re: Capture msn chats with tcpdump
2008/5/31, David Francos (XayOn) [EMAIL PROTECTED]:
> Alejandro Facultad wrote:
> > angel wrote:
> > > > Is it possible to capture chat (msn) with tcpdump?
> > > yes
> > > > thanks.
> > > you're welcome
> >
> > Curious and quick answer. I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.
>
> With Wireshark it doesn't look bad at all: filter the messages belonging to the msnms protocol (put msnms in the filter bar) and sort them by content; the messages that start with MSG are messages ;). Read the ascii part and that's it. Anyway, the command I sent parses the messages perfectly... ;) It only fails at the user they are addressed to :P

Yesterday I was tempted to reply, but really, someone who makes that comment on a free software list is out of place, terribly out of place.

The day M$ or any of its bootlickers makes software that beats a free one... and before Alejandro (and you'll see I left out the "Mr.", because he is disrespectful, the kind who tells jokes at a funeral) says no, this software or that other one: think that it is done on a shoestring, they have many fewer years of development and the growth rate is much higher, and doing things well takes time.

And if you have to make more comments about M$, I invite you to make them somewhere else.

Your comment offends me!! And I take it as an insult!!! Did you understand? Although I don't think so, out of place as you are.

Regards

> I suppose space is an added problem he has..
>
> --
> http://thexayon.wordpress.com
> May the force be with you.
>
> -BEGIN GEEK CODE BLOCK-
> Version: 3.12
> GCS dpu s: a--- C UL P L+++ E--- W+++ N+++ o+ K- w--- O M+ V- PS+ PE+++ Y PGP++ t--- 5 X+++ R tv+++ b DI--- D+++ G+ e- h++ r+++ y
> --END GEEK CODE BLOCK--
> --XayOn--
> Linux registered user #446872

--
MrIX
Linux user number 412793.
http://counter.li.org/

Great works are dreamed up by holy madmen, carried out by born fighters, enjoyed by the happily sane, and criticized by the chronically useless.
It wasn't me; surely it was someone more intelligent.
Re: Capture msn chats with tcpdump
Cristian Mitchell wrote:
> 2008/5/31, David Francos (XayOn) [EMAIL PROTECTED]:
> > Alejandro Facultad wrote:
> > > angel wrote:
> > > > > Is it possible to capture chat (msn) with tcpdump?
> > > > yes
> > > > > thanks.
> > > > you're welcome
> > >
> > > Curious and quick answer. I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.
> >
> > With Wireshark it doesn't look bad at all: filter the messages belonging to the msnms protocol (put msnms in the filter bar) and sort them by content; the messages that start with MSG are messages ;). Read the ascii part and that's it. Anyway, the command I sent parses the messages perfectly... ;) It only fails at the user they are addressed to :P
>
> Yesterday I was tempted to reply, but really, someone who makes that comment on a free software list is out of place, terribly out of place.

Me? Impressive, that's all I needed to hear. First learn to write, then write, and then the rest of the world will try to understand you and place you.

> The day M$ or any of its bootlickers makes software that beats a free one... and before Alejandro (and you'll see I left out the "Mr.", because he is disrespectful, the kind who tells jokes at a funeral) says no, this software or that other one: think that it is done on a shoestring, they have many fewer years of development and the growth rate is much higher, and doing things well takes time.

What does that have to do with it? At no point have I used any non-free software; a protocol (msnpX), yes, but well, the reason he wants to get that data is his business, not mine. At no point have I said that Microsoft has made any software superior to free software; although I couldn't vouch for it myself, I'm convinced of it (I haven't used Microsoft software in years).

> And if you have to make more comments about M$, I invite you to make them somewhere else.

Microsoft comment? My God, please, see a psychiatrist, an eye doctor, or go back to primary school.

> Your comment offends me!! And I take it as an insult!!! Did you understand? Although I don't think so, out of place as you are.

Go insult whoever I tell you to, go accuse whoever I tell you to of being pro-Microsoft, and if the comment wasn't aimed at me, learn to put things where they belong (here the only one who made a pro-Microsoft comment was Alejandro Facultad, as you can read above, if you know how, of course), after having offended me (a lot).

That's all I needed: the other day the troll on es.comp.os.linux.misc where some idiot said that if we in the GNU/Linux community felt marginalized it was our own fault, because we had chosen to use GNU/Linux, and today someone who says I'm pro-Microsoft and that I offended him with my comments. Sure, that's why, to filter that kind of traffic, I used tcpdump and a Perl script and recommended Wireshark... Since they're Microsoft software... (In case you still haven't understood: they are not Microsoft software, they are completely Open Source; it's irony.)

Me, for whom the amount of non-free software (drivers aside) on my (7) PCs is 0, and of non-free drivers I have two, installed on one of them...

> Regards
>
> > I suppose space is an added problem he has..

--
http://thexayon.wordpress.com
May the force be with you.
--XayOn--
Linux registered user #446872
Re: Capture msn chats with tcpdump
On Sat, 31-05-2008 at 20:42 -0300, Alejandro Facultad wrote:
> angel wrote:
> > > Is it possible to capture chat (msn) with tcpdump?
> > yes
> > > thanks.
> > you're welcome
>
> I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.
>
> Regards

Two things:

1: I did NOT ask anything, therefore I do NOT need answers.
2: Questions on the list are answered ONLY to the list.
Re: Capture msn chats with tcpdump
On 1/06/08, David Francos (XayOn) [EMAIL PROTECTED] wrote:
> Cristian Mitchell wrote:
> > 2008/5/31, David Francos (XayOn) [EMAIL PROTECTED]:
> > > Alejandro Facultad wrote:
> > > > angel wrote:
> > > > > > Is it possible to capture chat (msn) with tcpdump?
> > > > > yes
> > > > > > thanks.
> > > > > you're welcome
> > > >
> > > > Curious and quick answer. I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.
> > >
> > > With Wireshark it doesn't look bad at all: filter the messages belonging to the msnms protocol (put msnms in the filter bar) and sort them by content; the messages that start with MSG are messages ;). Read the ascii part and that's it. Anyway, the command I sent parses the messages perfectly... ;) It only fails at the user they are addressed to :P
> >
> > Yesterday I was tempted to reply, but really, someone who makes that comment on a free software list is out of place, terribly out of place.
>
> Me? Impressive, that's all I needed to hear. First learn to write, then write, and then the rest of the world will try to understand you and place you.
>
> > The day M$ or any of its bootlickers makes software that beats a free one... and before Alejandro (and you'll see I left out the "Mr.", because he is disrespectful, the kind who tells jokes at a funeral) says no, this software or that other one: think that it is done on a shoestring, they have many fewer years of development and the growth rate is much higher, and doing things well takes time.
>
> What does that have to do with it? At no point have I used any non-free software; a protocol (msnpX), yes, but well, the reason he wants to get that data is his business, not mine. At no point have I said that Microsoft has made any software superior to free software; although I couldn't vouch for it myself, I'm convinced of it (I haven't used Microsoft software in years).
>
> > And if you have to make more comments about M$, I invite you to make them somewhere else.
>
> Microsoft comment? My God, please, see a psychiatrist, an eye doctor, or go back to primary school.
>
> > Your comment offends me!! And I take it as an insult!!! Did you understand? Although I don't think so, out of place as you are.
>
> Go insult whoever I tell you to, go accuse whoever I tell you to of being pro-Microsoft, and if the comment wasn't aimed at me, learn to put things where they belong (here the only one who made a pro-Microsoft comment was Alejandro Facultad, as you can read above, if you know how, of course), after having offended me (a lot).
>
> That's all I needed: the other day the troll on es.comp.os.linux.misc where some idiot said that if we in the GNU/Linux community felt marginalized it was our own fault, because we had chosen to use GNU/Linux, and today someone who says I'm pro-Microsoft and that I offended him with my comments. Sure, that's why, to filter that kind of traffic, I used tcpdump and a Perl script and recommended Wireshark... Since they're Microsoft software... (In case you still haven't understood: they are not Microsoft software, they are completely Open Source; it's irony.)
>
> Me, for whom the amount of non-free software (drivers aside) on my (7) PCs is 0, and of non-free drivers I have two, installed on one of them...
>
> > Regards
> >
> > > I suppose space is an added problem he has..
>
> --
> http://thexayon.wordpress.com
> May the force be with you.
> --XayOn--
> Linux registered user #446872

Why comb your hair if you're not in the photo? It wasn't for you, it was for Alejandro Facultad [EMAIL PROTECTED]

--
MrIX
Linux user number 412793.
http://counter.li.org/

Great works are dreamed up by holy madmen, carried out by born fighters, enjoyed by the happily sane, and criticized by the chronically useless.
It wasn't me; surely it was someone more intelligent.
Re: Capture msn chats with tcpdump
David Francos (XayOn) wrote:
> tcpdump is a sniffer; it captures network traffic. A sniffer can only capture what passes through your NIC (your network card), that is, either your own traffic or broadcast traffic (of course, with MITM attacks you can make whatever traffic on your network you want pass through your network card).
>
> The tcpdump package takes 300 kb, so I suppose it'll fit.
>
> apt-get install tcpdump
>
> To free up some space on your system:
>
> apt-get install localepurge deborphan
> apt-get remove `deborphan`
> apt-get autoremove
> apt-get clean
> localepurge
>
> This removes the locale files you don't need, the packages downloaded into /var/cache and the orphaned packages. The first time I ran localepurge on my system it removed about 300MB of files, which for you, with a 1gb disk, would be a relief.
>
> By the way, what have you installed in 1GB? :-D

Hi David, I tried it and it works great, but I tried with > /var/log/tcpd.txt so that it saves the output there, but it didn't save anything.., that is, it shows it to me live.., but how do I make it save to a file? That's all.
Re: Capture msn chats with tcpdump
On Fri, 30-05-2008 at 10:14 -0300, adriancito wrote:
> Is it possible to capture chat (msn) with tcpdump?

yes

> thanks.

you're welcome
Re: Capture msn chats with tcpdump
angel wrote:
> > Is it possible to capture chat (msn) with tcpdump?
> yes
> > thanks.
> you're welcome

I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.

Regards
Re: Capture msn chats with tcpdump
Alejandro Facultad wrote:
> angel wrote:
> > > Is it possible to capture chat (msn) with tcpdump?
> > yes
> > > thanks.
> > you're welcome
>
> Curious and quick answer. I found it simpler to use the MSN Sniffer program on Windows to capture MSN, and MSN Yahoo Monitor Sniffer for Yahoo Messenger traffic. Although I'm a Debian fan and user, for this I chose Windows only because the dialogues are parsed perfectly.

With Wireshark it doesn't look bad at all: filter the messages belonging to the msnms protocol (put msnms in the filter bar) and sort them by content; the messages that start with MSG are messages ;). Read the ascii part and that's it. Anyway, the command I sent parses the messages perfectly... ;) It only fails at the user they are addressed to :P

> Regards

I suppose space is an added problem he has..

--
http://thexayon.wordpress.com
May the force be with you.
--XayOn--
Linux registered user #446872
Capturing MSN chats with tcpdump
Is it possible to capture (MSN) chat with tcpdump?
Thanks.
Re: Capturing MSN chats with tcpdump
adriancito wrote:
> Is it possible to capture (MSN) chat with tcpdump?
> Thanks.
Yes, just ask it to show you ASCII and to capture everything whose destination port is 1863, capturing whole packets:

tcpdump -A -s0 dst port 1863

Thanks to the excellent qualities of perl, you can use this command, which filters out the text messages for you directly:

tcpdump -l -A dst port 1863 -s0 | perl -ne '$a="" if $_ =~ /ack/; if ($_ =~ /: text\/plain;/) { $a=1; $c=1; } if ($a) { $c++; print $_ if $c=5; }'

Drawback: this does not tell you at all which user said what :-D, it simply leaves you the plain text of all the conversations :-) If I remember correctly, wireshark does this job well, but if you want tcpdump, there you have how to do it ;)
-- http://thexayon.wordpress.com May the force be with you.
Re: Capturing MSN chats with tcpdump
David Francos (XayOn) wrote:
> adriancito wrote:
> > Is it possible to capture (MSN) chat with tcpdump?
> > Thanks.
> Yes, just ask it to show you ASCII and to capture everything whose destination port is 1863, capturing whole packets:
> tcpdump -A -s0 dst port 1863
> Thanks to the excellent qualities of perl, you can use this command, which filters out the text messages for you directly:
> tcpdump -l -A dst port 1863 -s0 | perl -ne '$a="" if $_ =~ /ack/; if ($_ =~ /: text\/plain;/) { $a=1; $c=1; } if ($a) { $c++; print $_ if $c=5; }'
> Drawback: this does not tell you at all which user said what :-D, it simply leaves you the plain text of all the conversations :-) If I remember correctly, wireshark does this job well, but if you want tcpdump, there you have how to do it ;)
Wow, this is great! What is tcpdump? Does it have anything to do with iptables? How could I implement it.. although I have little space left on my little 1gb disk.. :S So how does it work?
Re: Capturing MSN chats with tcpdump
Julián Esteban Perconti wrote:
> David Francos (XayOn) wrote:
> > adriancito wrote:
> > > Is it possible to capture (MSN) chat with tcpdump?
> > > Thanks.
> > Yes, just ask it to show you ASCII and to capture everything whose destination port is 1863, capturing whole packets:
> > tcpdump -A -s0 dst port 1863
> > Thanks to the excellent qualities of perl, you can use this command, which filters out the text messages for you directly:
> > tcpdump -l -A dst port 1863 -s0 | perl -ne '$a="" if $_ =~ /ack/; if ($_ =~ /: text\/plain;/) { $a=1; $c=1; } if ($a) { $c++; print $_ if $c=5; }'
> > Drawback: this does not tell you at all which user said what :-D, it simply leaves you the plain text of all the conversations :-) If I remember correctly, wireshark does this job well, but if you want tcpdump, there you have how to do it ;)
> Wow, this is great! What is tcpdump? Does it have anything to do with iptables? How could I implement it.. although I have little space left on my little 1gb disk.. :S So how does it work?
tcpdump is a sniffer; it captures network traffic. A sniffer can only capture what passes through your NIC (your network card), that is, either your own traffic or broadcast traffic (of course, with mitm attacks you can make whatever traffic on your network you want pass through your network card). The tcpdump package takes up 300 kb, so I suppose it will fit.

apt-get install tcpdump

To free up a bit of space on your system:

apt-get install localepurge deborphan
apt-get remove `deborphan`
apt-get autoremove
apt-get clean
localepurge

This removes the language files you don't need, the packages downloaded into /var/cache, and the orphaned packages. The first time I ran localepurge on my system it removed about 300MB of files, which for you, with a 1gb disk, would be a relief.
By the way, what have you installed in 1GB? :-D
-- http://thexayon.wordpress.com May the force be with you.
Re: Capturing MSN chats with tcpdump
David Francos (XayOn) wrote:
> tcpdump is a sniffer; it captures network traffic. A sniffer can only capture what passes through your NIC (your network card), that is, either your own traffic or broadcast traffic (of course, with mitm attacks you can make whatever traffic on your network you want pass through your network card). The tcpdump package takes up 300 kb, so I suppose it will fit.
> apt-get install tcpdump
> To free up a bit of space on your system:
> apt-get install localepurge deborphan
> apt-get remove `deborphan`
> apt-get autoremove
> apt-get clean
> localepurge
> This removes the language files you don't need, the packages downloaded into /var/cache, and the orphaned packages. The first time I ran localepurge on my system it removed about 300MB of files, which for you, with a 1gb disk, would be a relief.
> By the way, what have you installed in 1GB? :-D
Hi David, in 1 GB I have Debian 2.6.18 routing, with squid, dns and dhcp, for my network. As for the commands you mention, they are already installed and are run periodically (cron). I have about 200 mb free; the one I haven't tried is autoremove, which I'm going to try now.
Regards
ulogd-pcap and tcpdump
Good evening,
Having installed ulogd and its ulogd-pcap plugin, I am running into a small format problem with ulogd's dump file. ulogd creates a pcap.log file for me, and I want to read it back with the perl library libnet-pcap-perl (Net::Pcap::open_offline). I get the following error: __bad dump file format__, just as when using tcpdump to read back that same file.
For now I have only found this lead: http://www.mail-archive.com/[EMAIL PROTECTED]/msg00892.html
Any ideas?
--- Franck Joncourt http://www.debian.org/ - http://smhteam.info/wiki/
-- Read the list FAQ before asking a question: http://wiki.debian.org/DebFrFrenchLists You can also add the word ``spam'' to your From and Reply-To fields.
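"bad dump file format" is what libpcap reports when the first bytes of a file are not one of the pcap (or pcapng) magic numbers, so the quickest check is to look at those bytes before blaming the reader. The following is an added example, not code from the thread or from ulogd: it classifies a capture header the way a pcap reader would and decodes the 24-byte global header (version, snaplen, link type) when the magic is valid. The sample headers are constructed for the example; the function names are my own.

```python
import struct

# Capture-file magic numbers (documented pcap/pcapng constants): the first
# four bytes of the file decide whether libpcap will open it at all.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">", "microseconds"),
    b"\xd4\xc3\xb2\xa1": ("pcap", "<", "microseconds"),
    b"\xa1\xb2\x3c\x4d": ("pcap", ">", "nanoseconds"),
    b"\x4d\x3c\xb2\xa1": ("pcap", "<", "nanoseconds"),
    b"\x0a\x0d\x0d\x0a": ("pcapng", None, None),
}


def identify_capture(header: bytes) -> dict:
    """Classify the leading bytes of a file the way a pcap reader would.

    Returns {'format': 'pcap' | 'pcapng' | 'unknown', ...}; for classic
    pcap the 24-byte global header is decoded (version, snaplen, linktype).
    """
    if len(header) < 4:
        return {"format": "unknown", "reason": "fewer than 4 bytes"}
    kind = MAGICS.get(header[:4])
    if kind is None:
        return {"format": "unknown",
                "reason": "unrecognised magic 0x" + header[:4].hex()}
    fmt, order, resolution = kind
    if fmt == "pcapng":
        return {"format": "pcapng"}
    if len(header) < 24:
        return {"format": "pcap", "reason": "global header truncated"}
    # Fields after the magic: version_major, version_minor, thiszone,
    # sigfigs, snaplen, linktype (byte order given by the magic itself).
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", header[4:24])
    return {"format": "pcap", "timestamp_resolution": resolution,
            "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "reason": None}


def identify_capture_file(path: str) -> dict:
    """Read only the header bytes of a file on disk and classify them."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(24))


# Constructed samples: a valid little-endian pcap header for Ethernet
# captures (version 2.4, snaplen 65535, DLT 1 = Ethernet), and a file that
# starts with syslog-style text, which is what a logger writing in the
# wrong output format would produce.
GOOD_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
TEXT_FILE = b"Jan  1 00:00:00 host logger[123]: IN=eth0 OUT= ..."

if __name__ == "__main__":
    for name, data in (("good", GOOD_HEADER), ("text", TEXT_FILE)):
        print(name, identify_capture(data))
```

If the result is "unknown", the file was simply not written in pcap format; if it is "pcap" but the link type is not what the reader expects, the file opens but the decoded packets look wrong.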
Re: what is this in tcpdump?
On Thursday 26 July 2007 00:47, Andrew Sackville-West wrote:
> I get a lot of these in my tcpdump on my machine:
> 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
> 192.168.1.31 is my broadcast address, and basement is me. They usually come in pairs like this, though sometimes split up by other traffic. Always, though, it's one of length 129 and one of 167
> A
Hi Andrew. It looks like these are just broadcasts from your print server. The difference in packet size seems to indicate that you have 2 printers. I have 2 broadcasts every 30 secs. One is 189 bytes, and the other 190 bytes. I only have one printer. Printer1 on the Wireshark output attached should not be there, and will have to look into that, and get rid of the duplicated entry. I have a bunch of distros that run on the machine that has the printer physically attached to it, and even more distros on the other machine that is using network printing. I've obviously misconfigured something somewhere, which is very easy to do. See attachment below.
Nigel.
Attachment: Wireshark-capture-20070726 (binary data)
Re: what is this in tcpdump?
On Wed, Jul 25, 2007 at 04:23:27PM -0700, David Brodbeck wrote:
> On Jul 25, 2007, at 3:47 PM, Andrew Sackville-West wrote:
> > I get a lot of these in my tcpdump on my machine:
> > 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> > 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
> > 192.168.1.31 is my broadcast address, and basement is me. They usually come in pairs like this, though sometimes split up by other traffic. Always, though, it's one of length 129 and one of 167
> IPP is Internet Printing Protocol. My guess is CUPS is probably set to broadcast to other systems so they can automatically discover printers.
doh. thanks. I knew it was something like that... I had some spurious net traffic today on my local machine which has a couple ports forwarded to it. I had the torrent ports still open from downloading an RMS talk the other day, and it was causing all sorts of activity. The short of it is, I ended up watching my tcpdump for a while and... well, you start to freak out about stuff...
A
Re: what is this in tcpdump?
On Thu, Jul 26, 2007 at 06:17:40PM +0200, Nigel Henry wrote:
> On Thursday 26 July 2007 00:47, Andrew Sackville-West wrote:
> > I get a lot of these in my tcpdump on my machine:
> > 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> > 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
> > 192.168.1.31 is my broadcast address, and basement is me. They usually come in pairs like this, though sometimes split up by other traffic. Always, though, it's one of length 129 and one of 167
> > A
> Hi Andrew. It looks like these are just broadcasts from your print server. The difference in packet size seems to indicate that you have 2 printers. I have 2 broadcasts every 30 secs. One is 189 bytes, and the other 190 bytes. I only have one printer. Printer1 on the Wireshark output attached should not be there, and will have to look into that, and get rid of the duplicated entry.
hmmm... maybe my fax printer is shared too... thanks
A
what is this in tcpdump?
I get a lot of these in my tcpdump on my machine:
15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
192.168.1.31 is my broadcast address, and basement is me. They usually come in pairs like this, though sometimes split up by other traffic. Always, though, it's one of length 129 and one of 167
A
Re: what is this in tcpdump?
On Jul 25, 2007, at 3:47 PM, Andrew Sackville-West wrote:
> I get a lot of these in my tcpdump on my machine:
> 15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
> 15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
> 192.168.1.31 is my broadcast address, and basement is me. They usually come in pairs like this, though sometimes split up by other traffic. Always, though, it's one of length 129 and one of 167
IPP is Internet Printing Protocol. My guess is CUPS is probably set to broadcast to other systems so they can automatically discover printers.
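The diagnosis in this thread (a pair of datagrams to the broadcast address, every 30 seconds, in two fixed sizes) is the kind of thing that is easier to read off a summary than from a scrolling tcpdump. The block below is an added example, not code from the thread: it parses tcpdump summary lines in the format quoted above, keeps only UDP datagrams sent to the given broadcast address, and reports, per source host and destination service, how many were seen and the mean gap between repeats of each payload length. The sample lines are constructed for the example (the first two and the 129/167 sizes mirror the thread); the function names are my own.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample in the format of the tcpdump summary lines quoted in
# the thread (hostnames and service names as tcpdump prints them without -n).
SAMPLE_LINES = """\
15:45:47.427003 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
15:45:47.901122 IP 192.168.1.5.33020 > 192.168.1.7.domain: UDP, length 44
15:45:48.427004 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
15:46:17.427010 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
15:46:18.427011 IP basement.ipp > 192.168.1.31.ipp: UDP, length 167
15:46:47.427020 IP basement.ipp > 192.168.1.31.ipp: UDP, length 129
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): UDP, length (\d+)$")


def endpoint(text):
    """Split 'host.port' as tcpdump prints it: the port (or service name)
    is everything after the last dot, which also works for dotted IPs."""
    host, _, port = text.rpartition(".")
    return host, port


def summarize_broadcasts(lines, broadcast_addr):
    """Group UDP datagrams addressed to broadcast_addr by (source host,
    destination port). For each group report the datagram count and, per
    payload length, the mean gap in seconds between repeats (None when a
    length was seen only once)."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a UDP summary line; ignore TCP, ARP, etc.
        h, mi, s, us, src, dst, length = m.groups()
        dst_host, dst_port = endpoint(dst)
        if dst_host != broadcast_addr:
            continue
        src_host, _ = endpoint(src)
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
        seen[(src_host, dst_port)][int(length)].append(t)

    report = {}
    for key, by_len in seen.items():
        periods = {}
        for length, times in by_len.items():
            gaps = [b - a for a, b in zip(times, times[1:])]
            periods[length] = round(mean(gaps), 1) if gaps else None
        report[key] = {"count": sum(len(v) for v in by_len.values()),
                       "period_by_length": periods}
    return report


if __name__ == "__main__":
    for (src, port), info in summarize_broadcasts(SAMPLE_LINES, "192.168.1.31").items():
        print("%s -> *.%s: %d datagrams, period per length %s"
              % (src, port, info["count"], info["period_by_length"]))
```

A steady 30-second period from one host to one service port is the signature of a service announcement rather than of scanning; when the source is not a host you expect to announce anything, that is the line to chase.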
tcpdump doesn't show VLAN IDs
tcpdump in current Debian testing does not show the VLAN ID in 802.1q tagged Ethernet frames. I have observed this using two machines:
(A) Linux-2.4.34.4, almost everything compiled on my own from scratch, tcpdump-3.9.5 and libpcap 0.9.5
(B) Debian testing, up to date, kernel 2.6.18-4-686, tcpdump 3.9.5 and libpcap 0.9.5.
I have configured VLAN 100 on both machines using `vconfig add eth0 100`, have set addresses 172.16.6.1/24 and 172.16.6.2/24 resp. on the eth0.100 interfaces, and have set the interfaces up. The VLAN works. But if I run tcpdump on eth0 on the Debian machine, it doesn't show me the VLAN ID. On (A) I do `ping -c1 172.16.6.2` and I run tcpdump on both machines on interface eth0:

host-A # tcpdump -ne -i eth0 -xx not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:48.128953 00:00:d1:9d:7b:a8 > 00:90:27:8f:dc:65, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 172.16.6.1 > 172.16.6.2: ICMP echo request, id 44817, seq 0, length 64
        0x0000:  0090 278f dc65 0000 d19d 7ba8 8100 0064
        0x0010:  0800 4500 0054 0000 4000 4001 d685 ac10
        0x0020:  0601 ac10 0602 0800 dd63 af11 0000 444f
        0x0030:  6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
        0x0040:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
        0x0050:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
13:55:48.129669 00:90:27:8f:dc:65 > 00:00:d1:9d:7b:a8, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, 172.16.6.2 > 172.16.6.1: ICMP echo reply, id 44817, seq 0, length 64
        0x0000:  d19d 7ba8 0090 278f dc65 8100 0064 0000
        0x0010:  0800 4500 0054 d656 0000 4001 402f ac10
        0x0020:  0602 ac10 0601 0000 e563 af11 0000 444f
        0x0030:  6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
        0x0040:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
        0x0050:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031

host-B (Debian) # tcpdump -ne -xx -i eth0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:48.127450 00:00:d1:9d:7b:a8 > 00:90:27:8f:dc:65, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, 172.16.6.1 > 172.16.6.2: ICMP echo request, id 44817, seq 0, length 64
        0x0000:  0090 278f dc65 0000 d19d 7ba8 8100 0064
                                               ^
        0x0010:  0800 4500 0054 0000 4000 4001 d685 ac10
        0x0020:  0601 ac10 0602 0800 dd63 af11 0000 444f
        0x0030:  6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
        0x0040:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
        0x0050:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
13:55:48.127546 00:90:27:8f:dc:65 > 00:00:d1:9d:7b:a8, ethertype 802.1Q (0x8100), length 102: ethertype IPv4, 172.16.6.2 > 172.16.6.1: ICMP echo reply, id 44817, seq 0, length 64
        0x0000:  d19d 7ba8 0090 278f dc65 8100 0064 0000
                                          ^
        0x0010:  0800 4500 0054 d656 0000 4001 402f ac10
        0x0020:  0602 ac10 0601 0000 e563 af11 0000 444f
        0x0030:  6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
        0x0040:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
        0x0050:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031

As you can see, the self-compiled tcpdump shows the VLAN tag, i.e. `vlan 100, p 0`, while the Debian version does not, although it sees the complete ethernet frame header including the VLAN tag (marked with ^ in the hexdump) and it shows that it is a VLAN tagged frame. Has Debian patched the tcpdump src or is this a bug?
urs
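Whatever the decoder prints, the tag is in the bytes, so it can be checked independently of tcpdump's summary line. The block below is an added example, not code from the thread or from tcpdump: it turns the `-xx` hexdump of the echo-request frame captured on host B back into raw bytes, walks the Ethernet header and every stacked 802.1Q/802.1ad tag in front of the payload (a generalization of the single tag in the post), and reproduces the `vlan 100, p 0, ethertype IPv4` summary that host A printed. The function names are my own; the only input is the frame shown in the post.

```python
import struct

# The echo-request frame from host B in the post, as printed by
# `tcpdump -ne -xx` (offset, then 16 bytes per line).
HEXDUMP = """\
0x0000:  0090 278f dc65 0000 d19d 7ba8 8100 0064
0x0010:  0800 4500 0054 0000 4000 4001 d685 ac10
0x0020:  0601 ac10 0602 0800 dd63 af11 0000 444f
0x0030:  6546 d5f1 0100 0809 0a0b 0c0d 0e0f 1011
0x0040:  1213 1415 1617 1819 1a1b 1c1d 1e1f 2021
0x0050:  2223 2425 2627 2829 2a2b 2c2d 2e2f 3031
"""

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
TAG_TPIDS = (0x8100, 0x88A8)  # 802.1Q customer tag, 802.1ad service tag


def hexdump_to_bytes(text):
    """Turn `tcpdump -xx` offset lines back into the raw frame bytes."""
    raw = bytearray()
    for line in text.splitlines():
        _offset, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def decode_frame(frame):
    """Decode the Ethernet header and every stacked VLAN tag in front of
    the payload. Returns the MACs, the tag list (TPID, PCP, DEI, VID), the
    final EtherType, the offset where the L3 payload starts and, for IPv4,
    the source and destination addresses as a cross-check."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    offset, tags = 14, []
    while etype in TAG_TPIDS:           # QinQ: keep walking until a real EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tpid = etype
        tci, etype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append({"tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    info = {"dst": mac_str(dst), "src": mac_str(src), "tags": tags,
            "ethertype": etype, "payload_offset": offset}
    if etype == 0x0800 and len(frame) >= offset + 20:
        ip = frame[offset:offset + 20]
        info["ipv4"] = (".".join(map(str, ip[12:16])),
                        ".".join(map(str, ip[16:20])))
    return info


def summary(info):
    """Render the tag chain the way tcpdump's -e summary line does."""
    parts = ["vlan %d, p %d" % (t["vid"], t["pcp"]) for t in info["tags"]]
    name = ETHERTYPE_NAMES.get(info["ethertype"], "0x%04x" % info["ethertype"])
    parts.append("ethertype " + name)
    return ", ".join(parts)


if __name__ == "__main__":
    frame = hexdump_to_bytes(HEXDUMP)
    info = decode_frame(frame)
    print(info["src"], ">", info["dst"] + ",", summary(info) + ",", info.get("ipv4"))
```

The 0x8100 word at byte 12 is the TPID; the next word, 0x0064, is the TCI whose low 12 bits are the VID (100) and whose top three bits are the priority (0). Only after those four bytes does the real EtherType (0x0800) appear, which is why a decoder that skips the tag without printing it still reports "ethertype IPv4".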
System freeze on debian 2.6.8-2-686-smp with intel e1000 running tcpdump
Hello,
On a dual proc Xeon with dual Intel e1000 Ethernet, when I run a tcpdump, depending on network traffic my system freezes. The console is dead; the only way to restore the system is an electric power restart.
My configuration is:

# uname -a
Linux 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux

# lspci -vv
0000:02:04.0 Ethernet controller: Intel Corp. 82541GI/PI Gigabit Ethernet Controller (rev 05)
        Subsystem: Dell: Unknown device 019a
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
        Latency: 32 (63750ns min), Cache Line Size: 0x10 (64 bytes)
        Interrupt: pin A routed to IRQ 201
        Region 0: Memory at fe9e0000 (32-bit, non-prefetchable) [size=128K]
        Region 2: I/O ports at ecc0 [size=64]
        Capabilities: [dc] Power Management version 2
                Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
                Status: D0 PME-Enable- DSel=0 DScale=1 PME-
        Capabilities: [e4] PCI-X non-bridge device.
                Command: DPERE- ERO+ RBC=0 OST=0
                Status: Bus=0 Dev=0 Func=0 64bit- 133MHz- SCD- USC-, DC=simple, DMMRBC=2, DMOST=0, DMCRS=0, RSCEM-

0000:04:03.0 Ethernet controller: Intel Corp. 82541GI/PI Gigabit Ethernet Controller (rev 05)
        Subsystem: Dell: Unknown device 019a
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
        Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
        Latency: 32 (63750ns min), Cache Line Size: 0x10 (64 bytes)
        Interrupt: pin A routed to IRQ 209
        Region 0: Memory at fe5e0000 (32-bit, non-prefetchable) [size=128K]
        Region 2: I/O ports at dcc0 [size=64]
        Capabilities: [dc] Power Management version 2
                Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
                Status: D0 PME-Enable- DSel=0 DScale=1 PME-
        Capabilities: [e4] PCI-X non-bridge device.
                Command: DPERE- ERO+ RBC=0 OST=0
                Status: Bus=0 Dev=0 Func=0 64bit- 133MHz- SCD- USC-, DC=simple, DMMRBC=2, DMOST=0, DMCRS=0, RSCEM-

# ethtool -i eth0
driver: e1000
version: 5.2.52-k4
firmware-version: N/A
bus-info: 0000:02:04.0

# ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: umbg
        Wake-on: d
        Current message level: 0x00000007 (7)
        Link detected: yes

Do you have any idea or clue on how to solve this?
Thanks
Julien
tcpdump and output to console
Hello,
how can I see the accesses to my site on my web server from the console?
regards
mess-mate
-- The Bulwer-Lytton fiction contest is held every year at San Jose State Univ. by Professor Scott Rice. It is held in memory of Edward George Earle Bulwer-Lytton (1803-1873), a rather prolific and popular (in his time) novelist. He is best known today for having written The Last Days of Pompeii. Whenever Snoopy starts typing his novel from the top of his doghouse, beginning It was a dark and stormy night... he is borrowing from Lord Bulwer-Lytton. This was the line that opened his novel, Paul Clifford, written in 1830. The full line reveals why it is so bad: It was a dark and stormy night; the rain fell in torrents -- except at occasional intervals, when it was checked by a violent gust of wind which swept up the streets (for it is in London that our scene lies), rattling along the housetops, and fiercely agitating the scanty flame of the lamps that struggled against the darkness.
Re: tcpdump and output to console
$ tcpdump port 80

On 5/22/07, mess-mate [EMAIL PROTECTED] wrote:
> Hello,
> how can I see the accesses to my site on my web server from the console?
> regards
> mess-mate
-- Jeremy GARROUSTE
Re: tcpdump and output to console
hello,
well, if you just want to see the accesses to your website, you can look at the apache log file for the accesses.
But if you want something to watch every access on your server, you will have to combine it with something else, or take something like snort ;-)
mess-mate wrote:
> Hello,
> how can I see the accesses to my site on my web server from the console?
> regards
> mess-mate
-- Read the list FAQ before asking a question: http://wiki.debian.net/?DebianFrench You can also add the word ``spam'' to your From and Reply-To fields.
Re: tcpdump and output to console
iperf is not bad.

On 5/22/07, Benjamin RIOU [EMAIL PROTECTED] wrote:
> On Tue, 22 May 2007 10:09:21 +0200, Jeremy Garrouste [EMAIL PROTECTED] wrote:
> > $ tcpdump port 80
> Hi.
> To monitor a machine's network activity in real time, I use iftop.
> Do you know of other programs along the lines of iftop?
> ++ Ben
> -- He no doubt let himself be impressed by the outcry of the handful of furious fufopithèques. -+- MB in: Guide du Cabaliste Usenet - Configuring your MB properly -+-
-- Jeremy GARROUSTE
Re: tcpdump and output to console
On Tuesday 22 May 2007 at 14:01 +0200, Jeremy Garrouste wrote:
> iperf is not bad.
> On 5/22/07, Benjamin RIOU [EMAIL PROTECTED] wrote:
> > Do you know of other programs along the lines of iftop?
iptraf in ip traffic monitor mode
-- Marcel de Riedmatten
Re: tcpdump and output to console
hello,
it all depends on what you mean by monitoring. But you can have a look at iptraf 8-), mrtg O:-)
Benjamin RIOU wrote:
> On Tue, 22 May 2007 10:09:21 +0200, Jeremy Garrouste [EMAIL PROTECTED] wrote:
> > $ tcpdump port 80
> Hi.
> To monitor a machine's network activity in real time, I use iftop.
> Do you know of other programs along the lines of iftop?
> ++ Ben
Re: tcpdump and output to console
Pitshou Asingalembi Mbema [EMAIL PROTECTED] wrote:
| hello,
| well, if you just want to see the accesses to your website, you can look at the apache log file for the accesses.
| But if you want something to watch every access on your server, you will have to combine it with something else, or take something like snort ;-)
|
Indeed, I only want to see the accesses to my website. A command with tcpdump went by on the list some time ago that did this wonderfully, which I used but have forgotten. It was a command that sent the accesses to a ttyX, including those already logged.
mess-mate
-- For a light heart lives long. -- Shakespeare, Love's Labour's Lost
Re: tcpdump and output to console [solved]
Jeremy Garrouste [EMAIL PROTECTED] wrote:
| $ tcpdump port 80
|
| On 5/22/07, mess-mate [EMAIL PROTECTED] wrote:
| | Hello,
| | how can I see the accesses to my site on my web server from the console?
|
Actually, it's with the tail command on the file /var/log/apache2/access.log.
Thanks
mess-mate
-- Q: What's buried in Grant's tomb? A: A corpse.
Re: Network access fails unless tcpdump is running?
On Wed, 28 Feb 2007 17:10:43 -0500 Marc D Ronell [EMAIL PROTECTED] wrote:
> Hi, I can not ping a remote host successfully unless I have tcpdump -i eth0 running, in which case, my network access works fine. I am running Debian etch on a Dell Inspiron e1505 laptop. The eth0 address is static on my local LAN. Once tcpdump is running, the laptop can access the network with no problems. Any help or suggestions to solving this concern is really appreciated.
> Thanks, Marc
I would be interested to hear the explanation for this problem. I see similar behaviour when trying to establish an ssh connection to a guest OS running under qemu with the -redir option. The connection attempt just hangs until I run 'tcpdump -i eth0' inside the guest. Very weird. Not quite the problem you're having, but interesting nonetheless.
-- Liam
Network access fails unless tcpdump is running?
Hi, I can not ping a remote host successfully unless I have tcpdump -i eth0 running, in which case, my network access works fine. I am running Debian etch on a Dell Inspiron e1505 laptop. The eth0 address is static on my local LAN. Once tcpdump is running, the laptop can access the network with no problems. Any help or suggestions to solving this concern is really appreciated.
Thanks, Marc
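One side effect of running tcpdump that is worth ruling out when "it only works while tcpdump is running": unless started with `-p`, tcpdump puts the interface into promiscuous mode, so the NIC accepts frames it would otherwise filter out, and the interface flags change for as long as the capture runs. The block below is an added example, not code from the thread: it decodes the Linux interface flag word (as exposed in `/sys/class/net/<if>/flags`, values from `<linux/if.h>`) into flag names and diffs a reading taken before and during a capture, so the two states can be compared without guessing. The two flag values are constructed for the example and the function names are my own; `read_flags` needs a Linux sysfs to work against.

```python
# Linux interface flag bits (IFF_* values from <linux/if.h>), as shown in
# hex by /sys/class/net/<ifname>/flags and as names by `ip link`.
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x4: "DEBUG", 0x8: "LOOPBACK",
    0x10: "POINTOPOINT", 0x20: "NOTRAILERS", 0x40: "RUNNING", 0x80: "NOARP",
    0x100: "PROMISC", 0x200: "ALLMULTI", 0x400: "MASTER", 0x800: "SLAVE",
    0x1000: "MULTICAST",
}


def decode_flags(value: int) -> set:
    """Return the set of flag names set in an interface flag word."""
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def read_flags(ifname: str) -> int:
    """Read the current flag word of a Linux interface from sysfs (the file
    holds a hex number such as '0x1103')."""
    with open("/sys/class/net/%s/flags" % ifname) as fh:
        return int(fh.read().strip(), 16)


def diff_flags(before: int, after: int) -> dict:
    """Name the flags that changed between two readings."""
    b, a = decode_flags(before), decode_flags(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


# Constructed readings of the same interface: idle, and then while a
# capture without -p holds it open. 0x1003 = UP|BROADCAST|MULTICAST;
# 0x1103 adds PROMISC.
IDLE, DURING_CAPTURE = 0x1003, 0x1103

if __name__ == "__main__":
    print("idle:   ", sorted(decode_flags(IDLE)))
    print("capture:", sorted(decode_flags(DURING_CAPTURE)))
    print("diff:   ", diff_flags(IDLE, DURING_CAPTURE))
```

If the connectivity problem disappears together with the PROMISC flag and reappears with `tcpdump -p -i eth0` (no promiscuous mode), the capture is not the cure, the NIC's normal receive filtering is; that points at the driver or the card's MAC filter rather than at anything tcpdump does.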