tcpdump filter for out/in traffic
KES
kes-kes at yandex.ru
Mon Jan 5 16:53:29 UTC 2009
Hello, matt.
You wrote on 4 January 2009, 22:23:16:
> On Sun, Jan 4, 2009 at 10:56 AM, Eugene Grosbein <[1]eugen at kuzbass.ru>
> wrote:
> > On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
> > > It would be very useful to have options for tcpdump to monitor
> > > incoming or outgoing traffic regardless of src/dst IPs or ports or
> > > protocol
> > >
> > > For example:
> > >
> > > kes# tcpdump -n -i rl4 out
> > > EXPECTED: show traffic outgoing on rl4
> > > ACTUAL: tcpdump: syntax error
> > >
> > > kes# tcpdump -n -i rl4 in
> > > EXPECTED: show traffic incoming on rl4
> > > ACTUAL: tcpdump: syntax error
> > Hi!
> > I use the following trick for that:
> > tcpdump -n -p -i rl4 ether src me-rl4 # for outgoing
> > tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
> > And add the MAC address of rl4 to /etc/ethers with the name 'me-rl4',
> > or just 'me' if you do not need to watch other interfaces this way.
> > Eugene Grosbein
> > _______________________________________________
> > [2]freebsd-hackers at freebsd.org mailing list
> > [3]http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > To unsubscribe, send any mail to
> > "[4]freebsd-hackers-unsubscribe at freebsd.org"
>
> You don't even need an option; you just have to filter the traffic
> correctly using tcpdump, which Eugene already pointed out:
> > tcpdump -n -p -i rl4 ether src me-rl4 # for outgoing
> > tcpdump -n -p -i tl4 not ether src me-rl4 # for incoming
That will not help.
I can not add ether because this is a PPPoE interface.
I can not use 'me' because I need to view traffic going through. It
does not originate from 'me'.
For example, I have mpd5. I set up a PPPoE connection with my ISP (ng0).
I have a VPN server for LAN users; it is also mpd5 (ng1 ng2 ng3 .... etc).
I do NAT with MPD.
So when I do tcpdump -n -i ng0 I get:
18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080
18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535
18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680
18:52:11.787732 IP 81.19.80.166.80 > 192.168.4.5.2839: . 13150:14510(1360) ack 0 win 65535
18:52:11.789122 IP 192.168.5.15.2903 > 89.178.118.23.16562: . 13601:14961(1360) ack 0 win 16659
18:52:11.790065 IP 192.168.5.15.1386 > 78.106.215.39.18155: . ack 18981 win 17680
18:52:11.791181 IP 192.168.5.15.1311 > 79.174.64.193.80: . ack 5441 win 17680
18:52:11.791889 IP 81.19.80.166.80 > 192.168.4.5.2839: . 14510:15870(1360) ack 0 win 65535
18:52:11.792176 IP 192.168.5.15.4969 > 87.241.174.129.41954: . ack 18 win 16635
18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win65535 <nop,nop,sack 1 {4081:6801}>
So 'in/out' options would help.
--
Best regards,
KES [5]mailto:kes-kes at yandex.ru
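The address-based workaround for an interface that carries no Ethernet header (PPPoE over netgraph, as above), as an added example that is not part of this thread: it classifies the tcpdump -n lines KES posted as in or out by which side carries the LAN prefix, and builds the equivalent tcpdump filter from 'src net'/'dst net' instead of 'ether src'. The LAN prefix 192.168.0.0/16 is an assumption covering the VPN client ranges seen in the capture.

```python
import ipaddress
import re

# Assumption: every network behind the NAT router falls inside this prefix.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Sample lines copied from the capture in the thread (tcpdump -n on ng0).
SAMPLE_LINES = [
    "18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080",
    "18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535",
    "18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680",
    "18:52:11.787732 IP 81.19.80.166.80 > 192.168.4.5.2839: . 13150:14510(1360) ack 0 win 65535",
    "18:52:11.789122 IP 192.168.5.15.2903 > 89.178.118.23.16562: . 13601:14961(1360) ack 0 win 16659",
    "18:52:11.790065 IP 192.168.5.15.1386 > 78.106.215.39.18155: . ack 18981 win 17680",
    "18:52:11.791181 IP 192.168.5.15.1311 > 79.174.64.193.80: . ack 5441 win 17680",
    "18:52:11.791889 IP 81.19.80.166.80 > 192.168.4.5.2839: . 14510:15870(1360) ack 0 win 65535",
    "18:52:11.792176 IP 192.168.5.15.4969 > 87.241.174.129.41954: . ack 18 win 16635",
    "18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win65535 <nop,nop,sack 1 {4081:6801}>",
]

# "<time> IP <src>.<sport> > <dst>.<dport>: ..." as printed by tcpdump -n.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def direction(line):
    """'out' if only the source is local, 'in' if only the destination is,
    'other' if both or neither are (undecidable from addresses), None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_local, dst_local = is_local(m["src"]), is_local(m["dst"])
    if src_local and not dst_local:
        return "out"
    if dst_local and not src_local:
        return "in"
    return "other"

def classify(lines):
    counts = {"in": 0, "out": 0, "other": 0, "unparsed": 0}
    for line in lines:
        counts[direction(line) or "unparsed"] += 1
    return counts

def bpf_filter(want):
    """The same rule as a tcpdump filter expression (no link-layer header needed)."""
    src = " or ".join(f"src net {n.with_prefixlen}" for n in LOCAL_NETS)
    dst = " or ".join(f"dst net {n.with_prefixlen}" for n in LOCAL_NETS)
    return f"({src}) and not ({dst})" if want == "out" else f"({dst}) and not ({src})"
```

Newer tcpdump releases also offer a -Q in|out option (built on pcap_setdirection) on platforms that support it, which avoids the address heuristic entirely.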
References
1. mailto:eugen at kuzbass.ru
2. mailto:freebsd-hackers at freebsd.org
3. http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
4. mailto:freebsd-hackers-unsubscribe at freebsd.org
5. mailto:kes-kes at yandex.ru