tcpdump or snoop

tcpdump or snoop

Post by Karl Jone » Fri, 13 Oct 2000 04:00:00

I want to watch traffic going out over a particular port - for
debugging purposes.  I got tcpdump and took a look.  I think I
understand and I don't like what I see.

Seems like I have to either 1) destroy my current network card
configuration in the interest of tcpdump or 2) add a network card and
totally turn it over to tcpdump.

Is this really true?  Seems like a big hassle just to watch the
existing traffic swimming by.

I am assuming that a) snoop is not an alternative on SCO and b) it
might not be any simpler to use.

Any suggestions?

Sent via Deja.com http://www.deja.com/
Before you buy.


tcpdump or snoop

Post by John DuBo » Sat, 14 Oct 2000 15:02:44

>I want to watch traffic going out over a particular port - for
>debugging purposes.  I got tcpdump and took a look.  I think I
>understand and I don't like what I see.

>Seems like I have to either 1) destroy my current network card
>configuration in the interest of tcpdump or 2) add a network card and
>totally turn it over to tcpdump.

I use the 'ipmon' facility that is part of the ipfilter package.  It works just
fine as long as what you want to watch is traffic into and out of the machine
you're running it on.  The only time I use tcpdump is when I need to watch
traffic on the network that *isn't* to/from the machine I'm using for
monitoring.  I think it's both a TLS and included in 5.0.6.

        John
--



tcpdump or snoop

Post by Jeff Lieberman » Sat, 14 Oct 2000 04:00:00

>>I want to watch traffic going out over a particular port - for
>>debugging purposes.  I got tcpdump and took a look.  I think I
>>understand and I don't like what I see.

>>Seems like I have to either 1) destroy my current network card
>>configuration in the interest of tcpdump or 2) add a network card and
>>totally turn it over to tcpdump.

Correct.  I use a 2nd ethernet card with tcpdump on OSR5.

>I use the 'ipmon' facility that is part of the ipfilter package.  It works just
>fine as long as what you want to watch is traffic into and out of the machine
>you're running it on.  The only time I use tcpdump is when I need to watch
>traffic on the network that *isn't* to/from the machine I'm using for
>monitoring.  I think it's both a TLS and included in 5.0.6.

Monitoring and capturing data can be done various ways.  All of them
basically work.  Analyzing the resultant capture is the hard part.  My
magic decoder ring used to be sufficient, but protocols seem to grow on
trees these days.  Today, I use Ethereal:
        http://www.ethereal.com
to decode the capture.  It does a great job of playing mini-Carnivore and
reassembling packet streams into readable text.

Various packet sniffer packages:
        http://packetstorm.securify.com/sniffers/indexdl.shtml
Packet sniffer and network wiretap FAQ
        http://packetstorm.securify.com/sniffers/sniffing-faq.htm

--

150 Felker St #D  Santa Cruz CA  95060
831-421-6491 pager   831-429-1240 fax
http://www.cruzio.com/~jeffl/sco/   SCO stuff


tcpdump or snoop

Post by Karl Jone » Sat, 14 Oct 2000 04:00:00

Thanks for the quick feedback.  Exactly what I wanted to hear (as if
that mattered...).

All I really want is to determine if packets to a particular port are
making it out or not, and why not if they are being denied.  I know it
could get blocked at the proxy, etc. but have seen nothing there.

> >>I want to watch traffic going out over a particular port - for
> >>debugging purposes.  I got tcpdump and took a look.  I think I
> >>understand and I don't like what I see.

> >>Seems like I have to either 1) destroy my current network card
> >>configuration in the interest of tcpdump or 2) add a network card and
> >>totally turn it over to tcpdump.

> Correct.  I use a 2nd ethernet card with tcpdump on OSR5.

> >I use the 'ipmon' facility that is part of the ipfilter package.  It works just
> >fine as long as what you want to watch is traffic into and out of the machine
> >you're running it on.  The only time I use tcpdump is when I need to watch
> >traffic on the network that *isn't* to/from the machine I'm using for
> >monitoring.  I think it's both a TLS and included in 5.0.6.

> Monitoring and capturing data can be done various ways.  All of them
> basically work.  Analyzing the resultant capture is the hard part.  My
> magic decoder ring used to be sufficient, but protocols seem to grow on
> trees these days.  Today, I use Ethereal:
>    http://www.ethereal.com
> to decode the capture.  It does a great job of playing mini-Carnivore and
> reassembling packet streams into readable text.

> Various packet sniffer packages:
>    http://packetstorm.securify.com/sniffers/indexdl.shtml
> Packet sniffer and network wiretap FAQ
>    http://packetstorm.securify.com/sniffers/sniffing-faq.htm

> --

> 150 Felker St #D  Santa Cruz CA  95060
> 831-421-6491 pager   831-429-1240 fax
> http://www.cruzio.com/~jeffl/sco/   SCO stuff

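One way to get the "did it make it out, and if not why" answer out of a capture once you have one, as an added example that is not from any poster in this thread: it parses the classic tcpdump text output (the `src.port > dst.port: S ...` layout of tcpdump 3.x, run with -n and a 'tcp port 25' filter) and sorts each outbound connection attempt into completed, refused, or unanswered.  The sample lines, the local address 10.0.0.5 and port 25 are all constructed assumptions.

```python
import re

# Constructed sample of tcpdump's classic text output (tcpdump -n 'tcp port 25'),
# made up for this example; the local host is assumed to be 10.0.0.5.
SAMPLE = """\
12:00:01.100000 10.0.0.5.1234 > 192.0.2.10.25: S 1000:1000(0) win 8192
12:00:01.150000 192.0.2.10.25 > 10.0.0.5.1234: S 5000:5000(0) ack 1001 win 8192
12:00:04.200000 10.0.0.5.1235 > 192.0.2.11.25: S 2000:2000(0) win 8192
12:00:07.200000 10.0.0.5.1235 > 192.0.2.11.25: S 2000:2000(0) win 8192
12:00:08.000000 10.0.0.5.1236 > 192.0.2.12.25: S 3000:3000(0) win 8192
12:00:08.050000 192.0.2.12.25 > 10.0.0.5.1236: R 0:0(0) ack 3001 win 0
"""

# timestamp src.sport > dst.dport: flags ...   (classic tcpdump TCP line layout)
LINE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SFRP.]+)")


def classify_connections(text, local_ip, port):
    """Map each outbound connection attempt to `port` to a verdict.

    Returns {(remote_ip, local_port): (verdict, syn_count)} where verdict is
      'completed'  a SYN-ACK came back: the SYN got out and the reply got in
      'refused'    the peer sent RST: the SYN got out but nothing listens there
      'no-answer'  only our (re)sent SYNs were seen: dropped or filtered on the
                   path out, or the reply never made it back
    """
    attempts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or otherwise unparsed line
        _ts, src, sport, dst, dport, flags = m.groups()
        if src == local_ip and dport == str(port) and "S" in flags:
            entry = attempts.setdefault((dst, int(sport)), ["no-answer", 0])
            entry[1] += 1  # retransmits show up as repeated SYNs
        elif dst == local_ip and sport == str(port):
            entry = attempts.get((src, int(dport)))
            if entry is None:
                continue  # reply for an attempt we never saw leave
            if "R" in flags:
                entry[0] = "refused"
            elif "S" in flags and entry[0] == "no-answer":
                entry[0] = "completed"  # SYN-ACK
    return {k: (v[0], v[1]) for k, v in attempts.items()}


if __name__ == "__main__":
    for (peer, lport), (verdict, syns) in classify_connections(SAMPLE, "10.0.0.5", 25).items():
        print("%s from local port %d: %s (%d SYN(s) sent)" % (peer, lport, verdict, syns))
```

An attempt that stays 'no-answer' while the SYNs keep repeating is the case where a filter, proxy or route is eating the packet; a 'refused' one proves the packet left the box.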

Tcpdump output in (Solaris) snoop format

Hello,
I run tcpdump on a couple of FreeBSD 2.2.6 machines. However,
I like the way snoop on my Solaris machines formats its output, especially
the way it responds to HTTP requests. Snoop outputs the URI of the origin
server and the method very well; tcpdump seems to only spew out
the contents of the buffer, which is usually unreadable.

So, my questions are:
1. Is there a way to make tcpdump "behave" like snoop on Solaris boxen?

2. Has anyone ported a snoop-like program to FreeBSD 2.2.6?

Thanks for the information, please email me on your response as well.

Regards,
Sandeep Cariapa