LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
01-07-2006, 07:47 PM   #1   chinmays
Tcpdump question?

Hi,

I use the following command to store the packet information in a file:

tcpdump -w filename

But now when I open up this file using vi the contents are all encrypted. Can somebody suggest me something? It's kinda urgent.
 
01-08-2006, 01:29 PM   #2   bulliver
From 'man tcpdump'

Quote:
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option.
You could also open the raw packet dump with ethereal if you like.
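The file is not encrypted; tcpdump -w writes the binary libpcap container, which vi can only show as junk. The parser below is an added example (not code from this thread, from tcpdump or from ethereal) that reads that container from a capture constructed inline, so it runs offline: it checks the magic number, takes the byte order from it, walks the per-packet record headers and pulls the IPv4 endpoints out of an Ethernet frame. The MAC addresses, IP addresses and timestamp in the sample frame are made up for the example.

```python
"""Read a libpcap (.pcap) file such as tcpdump -w produces.

Added example, not code from the thread. It shows why the file looks like
garbage in an editor: it is a binary container, not an encrypted one. The
sample capture is constructed inline (one Ethernet/IPv4/TCP frame).
"""
import struct

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Return (global_header, records) for raw pcap bytes.

    The magic number gives the byte order of every other field; a file written
    on a little-endian host starts with d4 c3 b2 a1. Raises ValueError on a
    bad magic or a truncated record, which is what you want a forensic tool
    to do rather than silently stop early.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file (first bytes %s)" % data[:4].hex())
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen,
              "linktype": linktype, "nanoseconds": magic == PCAP_MAGIC_NS}
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts": (ts_sec, ts_frac), "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, records


def ipv4_endpoints(frame: bytes):
    """For an Ethernet/IPv4 frame return (src, dst) dotted quads, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst


def build_sample_capture(endian: str = "<") -> bytes:
    """Constructed pcap: one TCP SYN 192.168.1.6 -> 10.1.2.1:80 (made-up values).

    Checksums are left at zero; the parser above does not validate them.
    """
    eth = bytes.fromhex("020000000002" "020000000001" "0800")   # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 6]), bytes([10, 1, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    frame = eth + ip + tcp
    ghdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rhdr = struct.pack(endian + "IIII", 1136764800, 0, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    hdr, recs = parse_pcap(build_sample_capture())
    print(hdr)
    for rec in recs:
        print(rec["incl_len"], "bytes", ipv4_endpoints(rec["data"]))
```

A quick sanity check on a real capture is its first four bytes: d4 c3 b2 a1 (or a1 b2 c3 d4 from a big-endian host) is a classic pcap, a1 b2 3c 4d or 4d 3c b2 a1 means nanosecond timestamps, 0a 0d 0d 0a is pcapng, and anything else was not written by tcpdump -w at all.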
 
01-08-2006, 03:53 PM   #3   chinmays (Original Poster)
Thanks for the reply. I have the following situation right now:

I am currently using tcpdump on a network. The network consists of 3 nodes: A, B and C. A is connected to B and B to C. tcpdump is run on node B, but it does not seem to capture the packets which are going from A to C through B; it only captures packets which are either sourced from or destined to node B. Do you have any idea?
I SSH to all these nodes from my account, and tcpdump is already present in my account, so I just use the sudo command to run this software on any node. What I am trying to say is that tcpdump is not specifically installed on node B.
The sudo command allows a person to run as root.
I have also converted the mode to promiscuous.
One more thing: the packets are going for sure from A to C via B, because there is no other route for them to follow. If I run tcpdump on node C then it captures these packets.

01-08-2006, 03:54 PM   #4   chinmays (Original Poster)
I have also tried using tethereal; it gives the same results as tcpdump.
 
01-08-2006, 04:09 PM   #5   Mara (Moderator)
It's worth checking which interface your tcpdump uses. Remember that you control it by using tcpdump -i.
 
01-08-2006, 05:37 PM   #6   chinmays (Original Poster)
I am using interface eth0.
Do you think I should be using some other interface? This is my list of interfaces:

eth0 Link encap:Ethernet HWaddr 00:06:29:0F:04:24
inet addr:192.168.1.6 Bcast:192.168.3.255 Mask:255.255.252.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:2818 errors:0 dropped:0 overruns:0 frame:0
TX packets:2764 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:244457 (238.7 Kb) TX bytes:536407 (523.8 Kb)
Interrupt:16 Base address:0x2000 Memory:feb7f000-feb7f038

eth2 Link encap:Ethernet HWaddr 00:04:23:9F:14:FF
inet addr:10.1.3.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0x2080 Memory:eff60000-eff80000

eth3 Link encap:Ethernet HWaddr 00:04:23:9F:16:E4
inet addr:10.1.2.3 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:346 (346.0 b)
Base address:0x20c0 Memory:eff40000-eff60000

eth4 Link encap:Ethernet HWaddr 00:04:23:9F:16:E5
inet addr:10.1.1.2 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Base address:0x2300 Memory:efea0000-efec0000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING PROMISC MTU:16436 Metric:1
RX packets:43 errors:0 dropped:0 overruns:0 frame:0
TX packets:43 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4220 (4.1 Kb) TX bytes:4220 (4.1 Kb)
 
01-08-2006, 05:52 PM   #7   bulliver
If you are trying to see packets going from A ==> C from B, then sniffing either the interface that connects B ==> A or B ==> C should reveal the packets if indeed B is routing for A and C.

Does that make sense?
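Why eth0 showed nothing: in the ifconfig listing in post #6, eth0 is the 192.168.1.6 interface and carries all of the RX/TX counts, while the three 10.1.x.x interfaces sit at zero; those are the links between the nodes, and a packet forwarded from A to C enters B on the link facing A and leaves on the link facing C without ever touching eth0. The script below is an added example, not code from this thread or from tcpdump: it does the same longest-prefix-match lookup the kernel does over a routing table in ip route syntax (constructed here from the subnets in post #6; which 10.1.x.0/24 link faces the attacker and which faces the server is an assumption, as are the 10.1.1.1 and 10.1.2.1 host addresses) and returns the ingress/egress pair to hand to tcpdump -i.

```python
"""Which interfaces on a router carry a forwarded flow.

Added example, not code from this thread or from tcpdump/Emulab. A packet
forwarded by node B enters on the interface facing the source and leaves on
the interface facing the destination; the control interface never sees it.
Both interfaces are found with the same longest-prefix-match lookup the
kernel performs, over a routing table in `ip route` syntax.
"""
import ipaddress

# Constructed routing table for node B (Node 2), modelled on the subnets in the
# ifconfig output above. Which 10.1.x.0/24 link faces which node is ASSUMED.
SAMPLE_ROUTES = """\
10.1.1.0/24 dev eth4  proto kernel  scope link  src 10.1.1.2
10.1.2.0/24 dev eth3  proto kernel  scope link  src 10.1.2.3
10.1.3.0/24 dev eth2  proto kernel  scope link  src 10.1.3.3
192.168.0.0/22 dev eth0  proto kernel  scope link  src 192.168.1.6
default via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, device) pairs.

    'default' becomes 0.0.0.0/0 and a host route printed without a mask gets
    /32. Lines without a 'dev' field (blackhole/unreachable) are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in prefix:
            prefix += "/32"
        device = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), device))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the device the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for net, dev in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    if best_dev is None:
        raise LookupError("no route to %s" % dst)
    return best_dev


def capture_interfaces(routes, src, dst):
    """Interfaces on this router that see a forwarded src->dst flow.

    Ingress is the interface holding the route back to src (the reverse path),
    egress is the route to dst. Returned de-duplicated, ingress first.
    """
    ingress = egress_interface(routes, src)
    egress = egress_interface(routes, dst)
    return [ingress] if ingress == egress else [ingress, egress]


def tcpdump_commands(routes, src, dst):
    """One tcpdump invocation per interface that carries the flow.

    -n avoids DNS lookups, -w keeps the raw packets for tcpdump -r / ethereal,
    and the host filter drops everything else on that link.
    """
    return ["tcpdump -n -i %s -w %s.pcap host %s and host %s" % (dev, dev, src, dst)
            for dev in capture_interfaces(routes, src, dst)]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    # Assumed addresses: attacker (Node 0) 10.1.1.1, server (Node 3) 10.1.2.1.
    for cmd in tcpdump_commands(table, "10.1.1.1", "10.1.2.1"):
        print(cmd)
```

On the router itself the same answer comes from ip route get <dst>, which prints the egress device, or from capturing on every interface at once with tcpdump -i any (Linux only; the saved frames then carry a cooked header instead of Ethernet). Packets already reaching node C show that forwarding is on, so the only open question was which interface.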
 
01-08-2006, 06:06 PM   #8   chinmays (Original Poster)
Hey,

I am using an NS script to build the topology.

Consider the following script; it is a little different from what I had mentioned.

set ns [new Simulator]
source tb_compat.tcl

set OS0 RHL9-STD
set OS1 FBSD410-STD
set OS2 RHL9-STD
set OS3 FBSD410-STD

set node0 [$ns node]
tb-set-node-os $node0 $OS0
set node1 [$ns node]
tb-set-node-os $node1 $OS1
set node2 [$ns node]
tb-set-node-os $node2 $OS2
set node3 [$ns node]
tb-set-node-os $node3 $OS3

set link0 [$ns duplex-link $node0 $node2 1000Mb 0ms DropTail]
set link1 [$ns duplex-link $node1 $node2 1000Mb 0ms DropTail]
set link2 [$ns duplex-link $node2 $node3 1000Mb 0ms DropTail]

$ns rtproto Static
$ns run

The topology is shown as follows:

  --------            --------
  |Node 0|            |Node 1|
  --------            --------
  Attacker \          / Normal client
            \        /
             \      /
              \    /
             --------
             |Node 2|  Gateway
             --------
                 |
                 |
                 |
             --------
             |Node 3|  Server
             --------

The statement $ns rtproto Static in the above script is used to enable routing.
Now I send traffic from Node 0 to Node 3 and start tcpdump on Node 2, but I cannot capture the packets which are going from Node 0 to Node 3. I can only capture the packets which are either sourced from or destined to Node 2.
 
01-08-2006, 06:12 PM   #9   chinmays (Original Poster)
Quote:
Originally Posted by bulliver
If you are trying to see packets going from A ==> C from B, then sniffing either the interface that connects B ==> A or B ==> C should reveal the packets if indeed B is routing for A and C.

Does that make sense?
I know it does, but it is not showing the attack.

One more thing that I would like to add is that I am using the Apache-scalp.c program (available on the net) on Node 0 to attack Apache installed on Node 3. The attack takes place successfully, i.e. the Apache error_log shows memory faults, but there is no sign of the packets.
 
01-08-2006, 08:56 PM   #10   chinmays (Original Poster)
Bingo!!! Problem solved. Turns out I was listening on the wrong interface.
 
  


All times are GMT -5.
