  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    2

    Questions about tcpdump


    Hi,
    I'm a newbie in the packet sniffing tool tcpdump. I've installed tcpdump v3.9.8 on my machine and let it listen to an interface called \Device\PssdkLoopback on my machine. It dumps all the packet information that it sniffs from that interface, however, I have the following questions:

    1) The filter option "host <hostname>" does not seem to work. I mean, the DNS name of my machine is snt-2.iastate.edu (which is shown when I run tcpdump without the host option), but when I run the command "tcpdump host snt-2.iastate.edu" , it does not dump any packets.

    2) With the -e option (ethernet), it shows incoming frames to the MAC address 4c:4f:43:41:4c:20, whereas the MAC address of the Ethernet LAN adapter of my machine, as shown by the command "ipconfig -all", is 00-13-72-78-C5-12. Could you please explain the reason for this apparent discrepancy?

    Can anyone shed some light?
    Bibudh

  2. #2
    Just Joined!
    Join Date
    Sep 2008
    Posts
    5
    Hello,
    the option host <hostname> works if you have an A record for the host.
    Running without the host option, you will see the PTR record for the host.

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    2
    Hi Diel,
    Thanks for your reply.
    If the host <hostname> option works only for packets containing the A record, then do you mean, it will work only for the packets returned from the DNS name servers, that reply with the IP address, when queried with a hostname? But then, in most cases, the IP addresses corresponding to the most common hostnames/URLs are already cached in the local name servers, so we won't find any packets with A records, right?

    In fact, I saw "tcpdump host snt-2.iastate.edu" giving results when ns-1.iastate.edu (the DNS server) is queried, and the reply is an A record.

    But then what about the other packets...that are not received from the DNS servers, but from regular web servers? Is there a way to filter them?

    Thanks
    Bibudh

  4. #4
    Just Joined!
    Join Date
    Sep 2008
    Posts
    5
    Hi Bibudh,
    the <host> option doesn't work only for packets containing an A record.
    tcpdump uses the A record to resolve the IP address of the host, and then listens for all packets that contain that IP address, if you don't use any other filters.
    If you run tcpdump without the host option, the program resolves the PTR record from DNS for the IP addresses you capture.

    here is an example:

    router:~# host -t A yahoo.com
    yahoo.com has address 68.180.206.184
    yahoo.com has address 206.190.60.37
    router:~# host -t PTR 68.180.206.184
    184.206.180.68.in-addr.arpa domain name pointer w2.rc.vip.sp1.yahoo.com.
    router:~#
    router:~# host -t PTR 206.190.60.37
    37.60.190.206.in-addr.arpa domain name pointer w2.rc.vip.re4.yahoo.com.
    router:~#
    In fact, if you run "tcpdump host yahoo.com" and open Yahoo! in the console, you will see responses from w2.rc.vip.sp1.yahoo.com.

    You can filter any packets with tcpdump:

    www traffic with yahoo.com - tcpdump host yahoo.com and port 80
    www traffic incoming from yahoo.com - tcpdump src host yahoo.com and src port 80
    ssh traffic - tcpdump port 22


    Regards
    Diel
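As an added illustration of Diel's explanation (this is not code from the thread), the script below emulates how tcpdump evaluates "host NAME": the name is resolved once through a forward (A) lookup before capture starts, every packet is then matched on its IP addresses alone, and PTR lookups are used only to print names. The DNS tables, client addresses and frames are constructed for the example; the A and PTR data mirror the host(1) output above, and the MACs are the two from Bibudh's question.

```python
import socket
import struct

# Constructed stand-in for DNS. tcpdump's "host NAME" resolves NAME with a
# forward (A) lookup once, before capture starts, and then matches any packet
# whose source or destination IP is in that set; packet contents are irrelevant.
A_RECORDS = {"yahoo.com": {"68.180.206.184", "206.190.60.37"}}
# Reverse (PTR) records are only used to print names instead of IPs.
PTR_RECORDS = {"68.180.206.184": "w2.rc.vip.sp1.yahoo.com",
               "206.190.60.37": "w2.rc.vip.re4.yahoo.com"}
CLIENT, DNS_SERVER = "10.0.0.7", "10.0.0.53"   # constructed addresses

def build_frame(src_ip, dst_ip, src_port, dst_port):
    """Constructed Ethernet/IPv4/TCP frame (headers only) using the thread's MACs."""
    eth = bytes.fromhex("4c4f43414c20") + bytes.fromhex("00137278c512") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Decode the Ethernet, IPv4 and TCP header fields tcpdump -e would print."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                       # not IPv4; out of scope here
    off = 14 + (frame[14] & 0x0F) * 4     # Ethernet header + IHL
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": socket.inet_ntoa(frame[26:30]), "dst_ip": socket.inet_ntoa(frame[30:34]),
            "src_port": sport, "dst_port": dport}

def host_filter(name, direction="any"):
    """Emulate 'host NAME', 'src host NAME' and 'dst host NAME'."""
    ips = A_RECORDS.get(name)
    if not ips:                           # tcpdump reports "unknown host" and exits
        raise ValueError(f"unknown host {name}")
    keys = {"src": ["src_ip"], "dst": ["dst_ip"]}.get(direction, ["src_ip", "dst_ip"])
    return lambda p: any(p[k] in ips for k in keys)

def port_filter(port, direction="any"):
    """Emulate 'port N', 'src port N' and 'dst port N'."""
    keys = {"src": ["src_port"], "dst": ["dst_port"]}.get(direction, ["src_port", "dst_port"])
    return lambda p: any(p[k] == port for k in keys)

def apply_filter(frames, *preds):
    """Keep the IPv4 packets that satisfy every predicate ('and' in tcpdump syntax)."""
    pkts = [p for p in map(parse_frame, frames) if p is not None]
    return [p for p in pkts if all(pred(p) for pred in preds)]

def describe(pkt):
    """Format like tcpdump without -n: the PTR name where one exists, else the IP."""
    name = lambda ip: PTR_RECORDS.get(ip, ip)
    return f"{name(pkt['src_ip'])}.{pkt['src_port']} > {name(pkt['dst_ip'])}.{pkt['dst_port']}"

FRAMES = [build_frame("68.180.206.184", CLIENT, 80, 51000),   # web reply from yahoo.com
          build_frame(CLIENT, "206.190.60.37", 51000, 80),    # web request to yahoo.com
          build_frame(DNS_SERVER, CLIENT, 53, 51001),          # DNS answer carrying the A record
          build_frame(CLIENT, "10.0.0.9", 51002, 22)]          # ssh session
```

Running "host yahoo.com" over FRAMES keeps the two web packets and drops the DNS answer, even though that answer is the packet that carries the A record; a name that does not resolve (like a hostname whose A record points elsewhere than the captured interface) makes host_filter fail before any packet is examined.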
