Tcpdump question?
Hi,
I use the following command to store the packet information in a file: tcpdump -wfilename. But now when I open up this file using vi the contents are all encrypted. Can somebody suggest me something? It's kinda urgent.
From 'man tcpdump'
Thanks for the reply. I have the following situation right now:

I am currently using tcpdump on a network. The network consists of 3 nodes: A, B and C. A is connected to B and B to C. tcpdump is run on node B, but it does not seem to capture the packets which are going from A to C through B. It only captures packets which are either sourced from or destined to node B. Do you have any idea?

I SSH to all these nodes from my account and tcpdump is already present in my account, so I just use the sudo command to run this software on any node. What I am trying to say is that tcpdump is not specifically installed on node B. The sudo command allows a person to run as root. I have also converted the mode to promiscuous.

One more thing: the packets are going for sure from A to C via B. This is because there is no other route for them to follow. If I run tcpdump on node C then it captures these packets.
I have also tried using tethereal; it gives the same results as tcpdump.
It's worth checking which interface your tcpdump uses. Remember that you control it by using tcpdump -i.
I am using interface eth0.
Do you think I should be using some other interface? This is my list of interfaces:

eth0      Link encap:Ethernet  HWaddr 00:06:29:0F:04:24
          inet addr:192.168.1.6  Bcast:192.168.3.255  Mask:255.255.252.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2818 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:244457 (238.7 Kb)  TX bytes:536407 (523.8 Kb)
          Interrupt:16 Base address:0x2000 Memory:feb7f000-feb7f038

eth2      Link encap:Ethernet  HWaddr 00:04:23:9F:14:FF
          inet addr:10.1.3.3  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Base address:0x2080 Memory:eff60000-eff80000

eth3      Link encap:Ethernet  HWaddr 00:04:23:9F:16:E4
          inet addr:10.1.2.3  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:346 (346.0 b)
          Base address:0x20c0 Memory:eff40000-eff60000

eth4      Link encap:Ethernet  HWaddr 00:04:23:9F:16:E5
          inet addr:10.1.1.2  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Base address:0x2300 Memory:efea0000-efec0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING PROMISC  MTU:16436  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4220 (4.1 Kb)  TX bytes:4220 (4.1 Kb)
If you are trying to see packets going from A ==> C from B, then sniffing either the interface that connects B ==> A or B ==> C should reveal the packets if indeed B is routing for A and C.
Does that make sense?
Hey,
I am using an NS script to build the topology. Consider the following script; it is a little different from what I had mentioned.

set ns [new Simulator]
source tb_compat.tcl
set OS0 RHL9-STD
set OS1 FBSD410-STD
set OS2 RHL9-STD
set OS3 FBSD410-STD
set node0 [$ns node]
tb-set-node-os $node0 $OS0
set node1 [$ns node]
tb-set-node-os $node1 $OS1
set node2 [$ns node]
tb-set-node-os $node2 $OS2
set node3 [$ns node]
tb-set-node-os $node3 $OS3
set link0 [$ns duplex-link $node0 $node2 1000Mb 0ms DropTail]
set link1 [$ns duplex-link $node1 $node2 1000Mb 0ms DropTail]
set link2 [$ns duplex-link $node2 $node3 1000Mb 0ms DropTail]
$ns rtproto Static
$ns run

The topology is shown as follows:

    --------                    --------
    |Node 0|                    |Node 1|
    --------                    --------
        \  Attacker            /  Normal client
         \                    /
          \                  /
           \                /
               --------
               |Node 2|  Gateway
               --------
                  |
                  |
                  |
               --------
               |Node 3|  Server
               --------

The statement "$ns rtproto Static" in the above script is used to enable routing. Now I send traffic from Node 0 to Node 3 and I start tcpdump on Node 2. But I cannot capture the packets which are going from Node 0 to Node 3. I can only capture the packets which are either sourced from or destined to Node 2.
One more thing that I would like to add is that I am using the Apache-scalp.c program (available on the net) on Node 0 to attack Apache installed on Node 3. The attack takes place successfully, i.e. the Apache error_log shows memory faults, but there is no sign of the packets.
Bingo!!! Problem solved. Turns out I was listening on the wrong interface.
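Two things in this thread are worth seeing in code: a file written with tcpdump -w is binary libpcap data rather than encrypted text (vi shows garbage, tcpdump -r reads it back), and a gateway only records forwarded traffic when it captures on an interface that traffic actually crosses. The Python reader below is an added example, not code from the thread or from tcpdump: it parses a constructed capture in that format and separates frames the gateway merely forwards from frames addressed to it. It assumes a little-endian Ethernet capture; node B's addresses are taken from the ifconfig listing above, while the addresses of A and C are assumed.

```python
import socket
import struct
PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # magic on disk as d4 c3 b2 a1 (x86 tcpdump -w)

def read_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian Ethernet pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: magic 0x%08x, linktype %d" % (magic, linktype))
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:          # file cut short while tcpdump was still writing
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame

def ipv4_endpoints(frame):   # (src, dst) for an Ethernet/IPv4 frame, None for anything else
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def classify(data, local_addrs):
    """Count frames to/from the capturing host versus frames merely forwarded through it."""
    counts = {"local": 0, "forwarded": 0, "non_ipv4": 0}
    for _ts, frame in read_pcap(data):
        ends = ipv4_endpoints(frame)
        if ends is None:
            counts["non_ipv4"] += 1
        elif ends[0] in local_addrs or ends[1] in local_addrs:
            counts["local"] += 1
        else:
            counts["forwarded"] += 1
    return counts

# Constructed sample data: the builders mimic the on-disk layout, they are not libpcap.
def build_frame(src, dst):   # Ethernet/IPv4 header only, no payload, checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip
def build_pcap(frames):      # global header followed by one record header per frame
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out
GATEWAY_ADDRS = {"192.168.1.6", "10.1.3.3", "10.1.2.3", "10.1.1.2"}  # node B, from ifconfig above
SAMPLE_PCAP = build_pcap([build_frame("10.1.1.1", "10.1.2.2"), build_frame("192.168.1.6", "10.1.2.2"),
                          build_frame("10.1.2.2", "10.1.1.1")])   # A->C via B, B->C, C->A via B (A, C assumed)
```

Running classify(SAMPLE_PCAP, GATEWAY_ADDRS) on a real capture taken on the interface facing A or C should show a non-zero "forwarded" count; a capture from an interface the A-to-C path never crosses shows only "local" frames, which is exactly the symptom in the thread.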