From: Hadi Motamedi on 21 Feb 2010 00:00

> Date: Sun, 21 Feb 2010 07:32:19 +1100
> From: alex(a)samad.com.au
> To: debian-user(a)lists.debian.org
> Subject: Re: tcpdump?
>
> On Sat, Feb 20, 2010 at 07:22:29AM +0000, Hadi Motamedi wrote:
> > [snip]
> > > try wireshark
> > [snip]
> >
> > I have Wireshark on my MS Windows platform. I captured the tcpdump output in a file and opened it in Wireshark, but I cannot find how to decode the UDP payload data in ASCII format. Can you please let me know how I can do that in Wireshark?
>
> So first you are trying to look at the data that is being sent to/from
> exchange. You are trying to decode the udp packets?
>
> if so, then if anything out of the box can do it, that would be
> wireshark, by default (at least on the linux/debian version), it comes
> with a lot of decoders. Select the packet you are looking into and drill
> down, you should have 3 windows of different information. With the
> bottom window you can view the payload and if wireshark can decode it,
> it will into something more sensible. But if it's been encrypted then you
> are going to need the keys or a lot of money and time.
>
> Why not explain what you are trying to do, your main goal

Thank you for your reply. My main goal is to find what is the exact command syntax and its arguments that the attached network element is sending to my Debian server on the specified port. I am seeing communication packets exchanged between the network element and my Debian (through opening the log on Wireshark) but I want to decode it and find the exact syntax of the command sent.

_________________________________________________________________
Hotmail: Trusted email with Microsoft's powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
From: Hadi Motamedi on 21 Feb 2010 00:30

> Date: Sat, 20 Feb 2010 17:51:33 +0200
> From: brentgclarklist(a)gmail.com
> To: debian-user(a)lists.debian.org
> Subject: Re: tcpdump?
>
> On 20/02/2010 12:48, Hadi Motamedi wrote:
> >
> > I tried the following:
> > #tcpflow -c port 4957
> > But it didn't produce any output. Can you please give me a hint?
>
> K. Let's start with a silly question.
>
> show us
>
> netstat -nalptu | grep 4957
>
> I.e. do you actually have something listening on that port.
>
> Brent
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
> Archive: http://lists.debian.org/4B800505.6080104(a)gmail.com

Please find below the output of 'netstat':

#netstat -nalptu |grep 4959
udp        0      0 0.0.0.0:4959            0.0.0.0:*                           1008/iptrans

As you see, my trace is listening on that port.
From: Tzafrir Cohen on 21 Feb 2010 13:20

On Sat, Feb 20, 2010 at 06:05:50AM +0000, Hadi Motamedi wrote:
>
> Dear All
> I have put tcpdump trace on port 4957 on my Debian server, as the following:
> #tcpdump port 4957
> I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?

tcpdump -s0 -w output.pcap port 4957

Consider also adding -n if name resolution takes extra time.

This will send output to output.pcap. Later on run:

wireshark output.pcap

and analyze the flows there. Naturally you can use other programs.

-- 
Tzafrir Cohen         | tzafrir(a)jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir(a)cohens.org.il |                    | best
ICQ# 16849754         |                    | friend
From: Alex Samad on 21 Feb 2010 15:30

On Sun, Feb 21, 2010 at 04:55:11AM +0000, Hadi Motamedi wrote:
>
> [snip]
> > Why not explain what you are trying to do, your main goal
>
> Thank you for your reply. My main goal is to find what is the exact command syntax and its arguments that the attached network element is sending to my Debian server on the specified port. I am seeing communication packets exchanged between the network element and my Debian (through opening the log on Wireshark) but I want to decode it and find the exact syntax of the command sent.

so wireshark and tcpdump, ethereal, tshark are all going to capture the entire packet (make sure to use -s 1500 for ethernet). if wireshark doesn't decode/translate the packet then you are going to have to figure out the protocol spec yourself. it automatically looks and decodes. Wireshark will present you with all the information that you need

-- 
"The best way to find these terrorists who hide in holes is to get people coming forth to describe the location of the hole, is to give clues and data."
- George W. Bush
12/15/2003
Washington, DC
From: Hadi Motamedi on 22 Feb 2010 02:10

> Date: Sun, 21 Feb 2010 18:11:31 +0000
> From: tzafrir(a)cohens.org.il
> To: debian-user(a)lists.debian.org
> Subject: Re: tcpdump?
>
> On Sat, Feb 20, 2010 at 06:05:50AM +0000, Hadi Motamedi wrote:
> >
> > Dear All
> > I have put tcpdump trace on port 4957 on my Debian server, as the following:
> > #tcpdump port 4957
> > I want to obtain the payload data to see what is really being exchanged between my Debian server and the outside network element. Can you please let me know how I can modify my command?
>
> tcpdump -s0 -w output.pcap port 4957
>
> Consider also adding -n if name resolution takes extra time.
>
> This will send output to output.pcap. Later on run:
>
> wireshark output.pcap
>
> and analyze the flows there. Naturally you can use other programs.

Thank you for your reply. I tried according to your comment, but still the intended exchanged command cannot be captured in the Wireshark analysis.
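The thread captures on port 4957 while the netstat output shows iptrans bound to UDP 4959, and both replies stress capturing with a full snaplen (-s0 / -s 1500). The following is an added example, not code from any poster: it parses a tcpdump-style pcap offline with only the Python standard library, extracts the UDP payload for a given port, flags datagrams that were cut short by the snaplen, and renders the payload the way tcpdump -A would. The pcap, addresses and command string are constructed here; port 4959 and the iptrans listener are the only values taken from the thread.

```python
import struct

def build_udp_frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/UDP frame; checksums left zero, fine for offline parsing."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload

def build_pcap(frames, snaplen=65535):
    """Constructed classic pcap (little-endian, Ethernet); frames beyond snaplen are cut as tcpdump would."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1266710400 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen])
    return b"".join(out)

def udp_payloads(pcap_bytes, port):
    """Return (src, sport, dst, dport, payload, truncated) for UDP datagrams to or from `port`."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if e is None or struct.unpack(e + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with LINKTYPE_ETHERNET")
    off, results = 24, []
    while off + 16 <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack(e + "II", pcap_bytes[off + 8:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not an IPv4/UDP frame (or the IP header itself was cut short)
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8:
            continue  # UDP header lost to a short snaplen
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if port in (sport, dport):
            src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
            # honour the UDP length field so Ethernet padding never shows up as payload
            results.append((src, sport, dst, dport, udp[8:ulen], incl_len < orig_len))
    return results

def printable(payload):
    """Render a payload like tcpdump -A: keep printable ASCII, escape everything else."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in payload)

# Constructed sample: one command datagram to UDP 4959 (the port netstat showed) and one to another port.
SAMPLE = build_pcap([build_udp_frame(40001, 4959, b"SET PARAM 7 VALUE 3\r\n"),
                     build_udp_frame(40002, 5060, b"unrelated")])

if __name__ == "__main__":
    for src, sp, dst, dp, data, cut in udp_payloads(SAMPLE, 4959):
        print(f"{src}:{sp} -> {dst}:{dp}{' (truncated)' if cut else ''}: {printable(data)}")
```

Running the same parser over a capture taken with a small snaplen marks each hit as truncated, which is the symptom to check for before concluding that a command "cannot be captured".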