tcpdump?
in [Debian]
|
Prev: Debian Lenny, apache2, ldaps to active directory
Next: IBM Model M Keyboards (Was: Air compressors vs. canned air)
From: John O Laoi on 20 Feb 2010 06:20 > #tcpdump port 4957 > I want to obtain the payload data to see what is realy being exchanged > between my Debian server and the outside network element . Can you please > let me know how I can modify my command ? Try tcpdump host <IP-addr-deb-server> and port 4957 This will grab all packets to and from the server, which are to or from port 4957 If you want traffic in one direction only, you can use "src host" or "dst host" instead of "host", and/or "src port" or "dst port" instaed of "port". You could add -s 0 to ensure you grab entire packets regardless of size, and -v, -vv or -vvv if you need more details on packets. John -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/1f1816a91002200315o39f14dbdsd6376f5a3b9ec2f6(a)mail.gmail.com
From: Camaleón on 20 Feb 2010 06:50 On Sat, 20 Feb 2010 11:06:26 +0000, Hadi Motamedi wrote: >> Does "tcpshow" helps? (...) > I tried to install 'tcpshow' on my Debian , but 'apt-cache search > tcpshow' didn't return anything . Can you please give me a hint? Mmm, you're right. It seems that package is not available in Debian's repos :-? Anyway, have you tried to save the file with "tcpdump -w" and then read it with "tcpdump -r" switch? Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/pan.2010.02.20.11.44.35(a)gmail.com
From: Hadi Motamedi on 20 Feb 2010 07:50 > Date: Sat, 20 Feb 2010 11:15:33 +0000 > Subject: tcpdump? > From: brianolaoi(a)gmail.com > To: debian-user(a)lists.debian.org > > > #tcpdump port 4957 > > I want to obtain the payload data to see what is realy being exchanged > > between my Debian server and the outside network element . Can you please > > let me know how I can modify my command ? > > Try > tcpdump host <IP-addr-deb-server> and port 4957 > > This will grab all packets to and from the server, which are to or > from port 4957 > > If you want traffic in one direction only, you can use "src host" or > "dst host" instead of "host", and/or > "src port" or "dst port" instaed of "port". > > You could add -s 0 to ensure you grab entire packets regardless of > size, and -v, -vv or -vvv if you need more details on packets. > > > John > > > -- > To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org > Archive: http://lists.debian.org/1f1816a91002200315o39f14dbdsd6376f5a3b9ec2f6(a)mail.gmail.com > I tried as the following : #tcpdump -s 0 -vvv port 4957 But the output does not have additional data over the 'tcpdump port 4957' output . Can you please let me know what is wrong here? _________________________________________________________________ Hotmail: Trusted email with powerful SPAM protection. https://signup.live.com/signup.aspx?id=60969
From: Brent Clark on 20 Feb 2010 11:00 On 20/02/2010 12:48, Hadi Motamedi wrote: > > I tried for the following : > #tcpflow -c port 4957 > But it didn't produce any output . Can you please give me a hint? K Lets start with a silly question show us netstat -nalptu | grep 4957 I.e. Do you have actually have something listening on that port. Brent -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/4B800505.6080104(a)gmail.com
From: Alex Samad on 20 Feb 2010 15:40
On Sat, Feb 20, 2010 at 07:22:29AM +0000, Hadi Motamedi wrote: [snip] > > try wireshark [snip] > > I have Wireshark on my MS Windows platform . I captured the tcpdump output in a file and opened it in Wireshark , but I cannot find how to decode the udp payload data in ascii format . Can you please let me know how can I do that in Wireshark ? > So first you are trying to look at the data that is being sent to/from exchange. You are trying to decode the udp packets ? if so , then if anything out of the box can do it, that would be wireshark, by default (atleast on the linux/debian version), it comes with alot of decoders. Select the packet you are looking into and drill down, you should have 3 windows of different information. with the bottom window you can view the payload and if wireshark can decode it, it will into something more sensible. but if its been encryted then you are going to need the keys or a lot of money and time. Why not explain what you are trying to do, you main goal |