Re: tcpdump


 





tony.chamberlain@xxxxxxxxx wrote:
-----Original Message-----
From: fedora-list-request@xxxxxxxxxx [mailto:fedora-list-request@xxxxxxxxxx]
Sent: Wednesday, July 9, 2008 03:38 PM
To: fedora-list@xxxxxxxxxx
Subject: fedora-list Digest, Vol 53, Issue 75



Message: 5
Date: Wed, 09 Jul 2008 14:39:38 -0500
From: Kevin Martin <kevintm@xxxxxxxxxxxxx>
Subject: Re: tcpdump
To: For users of Fedora <fedora-list@xxxxxxxxxx>
Message-ID: <487513FA.9010809@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed



tony.chamberlain@xxxxxxxxx wrote:
  
I want to look at all the traffic coming to my web browser (192.168.5.191)
(tomcat on port 80) using tcpdump.

If I say  tcpdump port 80

that will get 80 coming and going.  Also if I say
tcpdump dst port 80
I will still get any traffic I have to other web sites.

I thought  tcpdump (dst port 80) and (dst host 192.168.5.191)
would work but that does not seem to get anything.  I went to
192.168.5.191/~chamberl  from another machine, got my web page
but nothing in the tcp dump.

What is the correct way to do this (all incoming to my web browser)?
Theoretically besides 192.168.5.191 I would also like 127.0.0.1


  
    

Are you listening on the correct device?  I just tried:

tcpdump dst port 22 and dst host 10.10.20.20

and didn't get anything but when I added the "-i <device>" that 
10.10.20.20 is bound to then I got the correct information.

Kevin



==================================================


Actually it doesn't really matter I think.  On my machine it doesn't work
but it works fine on some other ones.  I want to monitor a different machine
anyway.

Here is a tcpdump/bash question though.  (The following works if I don't
use the port filter stuff).

I do something like this (I abbreviate it here for space):


    while :
    do
        mytotlen=0
        nowdate=$(date +"%s")
        ((stopdate=nowdate+60))
        tcpdump -nne -i eth0 '(dst port 80)' and '(dst host 10.0.0.10)' |
              while [  $(date +"%s") -lt $stopdate
              do
                 tim=""
                 # I leave out some names in this message
                 # to save space. I actually read everything
                 read -t4 tim ... length REST    
                 [ "$tim" != "" ] && ((mytotlen+=length))  
              done
              echo "Total TCP length in the last minute is $mytotlen"
    done
                  
The loop is executed fine (for debugging I print out the value of tim and 
length).  Problem is, once the while loop is completed it locks up and
never echoes the total tcp length.  I think this is because the tcpdump
is still running and blocking.  I don't believe before the echo I could put
something like pkill tcpdump.  But what can I do to get this to work?
(Actually there is another problem here too that mytotlen inside the loop
is a local variable in a different scope than when I echo it but I solved 
this by inside the loop echoing it to a file, and then reading the file
outside the loop, but that is irrelevant).




  
Questions: do the tcpdump arguments for dst port and dst host need to be
enclosed in '()'?  I did it without those and it worked ok for me.

Are you trying to monitor machine A from machine B?  This will only work if
both machine A and machine B are on a hub or have linked ethernet ports with a
crossover cable, not a switch (unless you are doing some port mirroring).

As to the loop, you need to close the while statement, and then how about this:

tcpdump -nne -i eth0 '(dst port 80)' and '(dst host 10.0.0.10)' |
    while [ $(date +"%s") -lt $stopdate ]
    do
        tim=""
        # I leave out some names in this message
        # to save space. I actually read everything
        read -t4 tim ... length REST
        [ "$tim" != "" ] && ((mytotlen+=length))
        if [ $(date +"%s") -ge $stopdate ] ; then
            echo "Total TCP length in the last minute is $mytotlen"
        fi
    done

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
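An added example, not code posted by anyone in this thread, that does what the
script above is after in a form that neither hangs nor loses its total: the
reader loop prints its sum and the caller captures it (so it no longer matters
that a pipeline reader runs in a subshell), tcpdump runs under timeout(1) so
the pipeline really ends when the window ends, and -l makes tcpdump
line-buffer its output, which a pipe reader otherwise only sees once a 4 KiB
block has filled. The interface name eth0, the host/port/window arguments and
the sample tcpdump lines used for the offline check are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): sum the trailing "length N" field that
# tcpdump prints for each TCP segment over a fixed time window.
# Two pitfalls of the script in the thread are avoided here:
#   1. the reader loop runs in a pipeline subshell, so its total is invisible
#      afterwards -> the reader prints the total and the caller captures it;
#   2. nothing stops tcpdump when the window closes, so the shell waits on the
#      pipeline until tcpdump happens to write again -> run tcpdump under
#      timeout(1), and pass -l so its output is line-buffered into the pipe.
# eth0 and the host/port values are placeholders, not taken from the thread.

# Print the packet length from one "tcpdump -nn" line, or nothing if the line
# carries no "length N" field.  The LAST "length" on the line is used, which
# for a TCP segment is the payload length (with -e an earlier "length" gives
# the frame size).
packet_length() {
    local rest n
    case "$1" in
        *" length "*)
            rest="${1##* length }"      # text after the last "length "
            n="${rest%%[!0-9]*}"        # keep the leading digits only
            [ -n "$n" ] && printf '%s\n' "$n"
            ;;
    esac
    return 0
}

# Read tcpdump lines on stdin until EOF or until epoch second $1 passes, then
# print the running total.  read -t lets the loop re-check the deadline even
# when no packets arrive.
sum_until() {
    local deadline="$1" total=0 line n rc
    while [ "$(date +%s)" -lt "$deadline" ]; do
        IFS= read -r -t 1 line
        rc=$?
        if [ "$rc" -gt 128 ]; then continue; fi   # read timed out: loop again
        if [ "$rc" -ne 0 ]; then break; fi        # EOF: tcpdump has exited
        n=$(packet_length "$line")
        [ -n "$n" ] && total=$((total + n))
    done
    printf '%s\n' "$total"
}

# Capture traffic to host $1 port $2 for $3 seconds and print the total.
# timeout ends tcpdump itself, so the pipeline cannot block after the window;
# tcpdump's "listening on ..." chatter goes to stderr and is dropped.
capture_window() {
    local host="$1" port="$2" secs="$3"
    local deadline=$(( $(date +%s) + secs ))
    timeout "$secs" tcpdump -l -nn -i eth0 "dst host $host and dst port $port" 2>/dev/null |
        sum_until "$deadline"
}

# Constructed sample of "tcpdump -nn" output (not a real capture), so the
# parser can be exercised without root or a network interface.
SAMPLE_LINES='12:00:01.000000 IP 10.0.0.5.40000 > 10.0.0.10.80: Flags [S], seq 0, win 64240, options [mss 1460], length 0
12:00:01.000100 IP 10.0.0.5.40000 > 10.0.0.10.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
12:00:01.000200 IP 10.0.0.5.40000 > 10.0.0.10.80: Flags [.], seq 101:1561, ack 1, win 512, length 1460'

# Feed the constructed sample through the same reader; expected total 1560.
sample_total() {
    printf '%s\n' "$SAMPLE_LINES" | sum_until $(( $(date +%s) + 5 ))
}

# Usage (as root): ./winsum.sh 10.0.0.10 80 60
# With no arguments the script only defines the functions above.
if [ $# -eq 3 ]; then
    while :; do
        total=$(capture_window "$1" "$2" "$3")
        echo "Total TCP length in the last $3 seconds is $total"
    done
fi
```

The value summed is the TCP payload length tcpdump prints at the end of each
segment line, so the figure is application bytes rather than bytes on the
wire; with -e the frame length appears earlier on the line and would need a
different field picked out. Because capture_window prints its result, the
outer loop gets the total through command substitution instead of relying on
a variable set inside the pipeline.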
