Questions about tcpdump
I'm a newbie in the packet sniffing tool tcpdump. I've installed tcpdump v3.9.8 on my machine and let it listen to an interface called \Device\PssdkLoopback on my machine. It dumps all the packet information that it sniffs from that interface, however, I have the following questions:
1) The filter option "host <hostname>" does not seem to work. I mean, the DNS name of my machine is snt-2.iastate.edu (which is shown when I run tcpdump without the host option), but when I run the command "tcpdump host snt-2.iastate.edu", it does not dump any packets.
2) With the -e option (Ethernet), it shows incoming frames to the MAC address 4c:4f:43:41:4c:20, whereas the MAC address of the Ethernet LAN adapter of my machine, as shown by the command "ipconfig -all", is 00-13-72-78-C5-12. Could you please explain the reason for this apparent discrepancy?
Can anyone shed some light?
The option host <hostname> works if you have an A record for the host.
Running without the host option, you will see the PTR record for the host.
Thanks for your reply.
If the host <hostname> option works only for packets containing the A record, then do you mean it will work only for the packets returned from the DNS name servers, which reply with the IP address when queried with a hostname? But then, in most cases, the IP addresses corresponding to the most common hostnames/URLs are already cached in the local name servers, so we won't find any packets with A records, right?
In fact, I saw "tcpdump host snt-2.iastate.edu" giving results when ns-1.iastate.edu (the DNS server) is queried and the reply is an A record.
But then what about other packets that are not received from the DNS servers, but from regular web servers? Is there a way to filter them?
The host option doesn't work only for packets containing an A record.
tcpdump uses the A record to resolve the IP address of the host, and then listens for all packets which contain that IP address, if you don't use any other filters.
If you run tcpdump without the host option, the program resolves the PTR record from DNS for the IP addresses you capture.
Here is an example:
router:~# host -t A yahoo.com
yahoo.com has address 220.127.116.11
yahoo.com has address 18.104.22.168
router:~# host -t PTR 22.214.171.124
126.96.36.199.in-addr.arpa domain name pointer w2.rc.vip.sp1.yahoo.com.
router:~# host -t PTR 188.8.131.52
184.108.40.206.in-addr.arpa domain name pointer w2.rc.vip.re4.yahoo.com.
In fact, if you run "tcpdump host yahoo.com" and open Yahoo! in a console, you will see a response from w2.rc.vip.sp1.yahoo.com.
You can filter any packet with tcpdump:
www traffic with yahoo.com - tcpdump host yahoo.com and port 80
www traffic incoming from yahoo.com - tcpdump src host yahoo.com and src port 80
ssh traffic - tcpdump port 22
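The point of the reply above is that tcpdump resolves the name once, when the filter expression is compiled, and from then on matches packets purely on the resulting IP addresses; it never looks inside DNS payloads. The following Python model, added here as an illustration and not code from the thread or from tcpdump itself, shows that behaviour for the three filters listed in the reply, using a constructed A-record table (the yahoo.com addresses are the ones quoted in the reply; 192.0.2.10 and the 198.51.100.x addresses are RFC 5737 documentation addresses standing in for the local machine and unrelated servers). The last function addresses the original poster's second question: the bytes 4c 4f 43 41 4c 20 are the ASCII string "LOCAL ", which is consistent with a virtual loopback adapter presenting a synthetic MAC rather than the physical NIC's address.

```python
"""Model of how tcpdump's "host <name>" filter behaves (added illustration).

The DNS table and packets below are constructed sample data, not captures
from the thread.  Names are resolved once, up front, via the A record; the
resulting IP addresses are then compared against every packet's endpoints.
"""
from dataclasses import dataclass

# Constructed stand-in for an A-record lookup.  The yahoo.com addresses are
# the ones quoted in the thread; 192.0.2.10 is a documentation address used
# here for the local machine (snt-2.iastate.edu).
A_RECORDS = {
    "yahoo.com": ["220.127.116.11", "18.104.22.168"],
    "snt-2.iastate.edu": ["192.0.2.10"],
}


@dataclass(frozen=True)
class Packet:
    """Minimal IP/TCP packet view: the only fields a host/port filter needs."""
    src: str
    dst: str
    sport: int
    dport: int


def resolve_a(name, table=A_RECORDS):
    """Return every A-record address for name, or fail like tcpdump does
    ("unknown host") when the name has no A record at all."""
    try:
        return list(table[name])
    except KeyError:
        raise ValueError(f"unknown host '{name}'") from None


def bpf_host_expr(name, table=A_RECORDS):
    """The expression tcpdump effectively compiles for "host <name>":
    one 'host <ip>' term per A record, OR-ed together."""
    ips = resolve_a(name, table)
    if len(ips) == 1:
        return f"host {ips[0]}"
    return "(" + " or ".join(f"host {ip}" for ip in ips) + ")"


def matches(pkt, host=None, src_host=None, port=None, src_port=None,
            table=A_RECORDS):
    """Evaluate the conjunction of the given filter terms with tcpdump's
    semantics: 'host'/'port' match either endpoint, 'src host'/'src port'
    only the source.  Name resolution happens here, not per DNS packet."""
    if host is not None:
        ips = set(resolve_a(host, table))
        if pkt.src not in ips and pkt.dst not in ips:
            return False
    if src_host is not None and pkt.src not in set(resolve_a(src_host, table)):
        return False
    if port is not None and port not in (pkt.sport, pkt.dport):
        return False
    if src_port is not None and pkt.sport != src_port:
        return False
    return True


def filter_packets(packets, **terms):
    """Apply the filter terms to a packet list, as a capture filter would."""
    return [p for p in packets if matches(p, **terms)]


def ascii_from_mac(mac):
    """Decode a colon-separated MAC as ASCII; loopback/virtual adapters often
    carry a synthetic address that spells a word instead of a vendor OUI."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "")).decode("ascii", "replace")


# Constructed sample capture: a browser on the local machine talking to
# yahoo.com, an unrelated web server, and an SSH server.
SAMPLE = [
    Packet("192.0.2.10", "220.127.116.11", 51000, 80),   # browser -> yahoo.com
    Packet("220.127.116.11", "192.0.2.10", 80, 51000),   # yahoo.com -> browser
    Packet("192.0.2.10", "198.51.100.7", 51001, 80),     # other web server
    Packet("192.0.2.10", "198.51.100.8", 51002, 22),     # ssh session
]

if __name__ == "__main__":
    print("host yahoo.com          ->", bpf_host_expr("yahoo.com"))
    print("host yahoo.com and port 80:", filter_packets(SAMPLE, host="yahoo.com", port=80))
    print("src host yahoo.com and src port 80:",
          filter_packets(SAMPLE, src_host="yahoo.com", src_port=80))
    print("port 22:", filter_packets(SAMPLE, port=22))
    print("4c:4f:43:41:4c:20 as ASCII:", repr(ascii_from_mac("4c:4f:43:41:4c:20")))
```

Because the name is resolved before any packet is seen, "host snt-2.iastate.edu" can only match if the name has an A record that points at an address actually present on the wire; a capture interface that carries a different (here, loopback) address will show nothing, which is one plausible reading of the original poster's first observation.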