Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-13-2002, 09:44 PM   #1
urhackking
LQ Newbie
 
Registered: Dec 2002
Posts: 4
TCPDUMP -- how to monitor traffic between one machine in My LAN and one website.


Hi All,
I have a LAN of 12 machines, all running Red Hat Linux with private IP addresses in the 192.168.1. series. This LAN is connected to the public Internet through a router which has a static public IP.

Now, I want to monitor all the traffic from one particular machine in the LAN to one particular website. But I want to monitor the traffic using my system only, and only the traffic that originates from one particular machine (192.168.1.10) to www.google.com.
Assume that my machine IP address is 192.168.1.5.

How can I make use of the "tcpdump" utility for this purpose?
Can anyone give the exact syntax of the "tcpdump" command for the above purpose? (I gave all the IP addresses and the website name.)

Thanks in advance.

Daniel
 
Old 12-14-2002, 03:01 AM   #2
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
I'm not entirely sure if you can do that... I was looking for the exact same thing and I searched tcpdump's man pages but couldn't find anything.... AFAIK, what you can do is route all traffic from that machine through yours, and then use tcpdump to monitor the traffic as it's going through you...
But it would be good if there was a way to just sniff the network from your machine...?
 
Old 12-14-2002, 02:12 PM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458
The good news: you can listen to anything on a LAN segment...

Once the NIC is in "promiscuous mode" it stops ignoring packets not destined for itself..
eg "arpwatch" will place a card in this mode...

A quick Google search for "promiscuous mode" threw up a lot of useful reading...
 
Old 12-14-2002, 04:00 PM   #4
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
yes you can do it

tcpdump | grep 192.168.0.25 | grep linuxquestions.org > /var/log/192.168.0.25-linuxquestions

cat /var/log/192.168.0.25-linuxquestions
tcpdump: listening on eth0
21:58:19.252247 192.168.0.25.32796 > linuxquestions.org.http: P 3019032012:3019032816(804) ack 3039838404 win 6432 <nop,nop,timestamp 3576334 76774486> (DF)
21:58:19.252414 linuxquestions.org.http > 192.168.0.25.32796: . ack 804 win 8040 <nop,nop,timestamp 76786926 3576334> (DF)
21:58:19.641067 linuxquestions.org.http > 192.168.0.25.32796: . 1:1449(1448) ack 804 win 8040 <nop,nop,timestamp 76787126 3576334> (DF)
21:58:19.641104 linuxquestions.org.http > 192.168.0.25.32796: P 1449:1493(44) ack 804 win 8040 <nop,nop,timestamp 76787126 3576334> (DF)
 
Old 12-15-2002, 01:03 AM   #5
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399
Sweet, I'll have to try that after...

Seeing as tcpdump grabs every packet header... is there something that will grab the entire packet? Or will this be a 3rd-party program/script that needs to be installed?

I've never seen any entire packets being sent/received before (only the headers that tcpdump shows), shall be interesting.
 
Old 12-15-2002, 03:27 AM   #6
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
try something like tcpdump -s 0 -xX -vvv
 
Old 12-16-2002, 09:16 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Btw, using tcpdump | grep 192.168.0.25 | grep linuxquestions.org can also be done with a BPF filter:
tcpdump <args> -w <filename> 'host 192.168.0.25 and host linuxquestions.org' or, if you already have a full dump: tcpdump <args> -r <tcp.dump> -w <filename> 'host 192.168.0.25 and host linuxquestions.org'. So the answer to your original question using BPF could be: tcpdump <args> 'src 192.168.1.10 and dst 216.239.53.98'.

*If you're seeing zilch on a switched LAN, then (if you own the LAN/have permission) you could try ettercap or another MITM/MAC flood tool.
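The following is an added example, not code posted in this thread. It takes the tcpdump text format shown in post #4 and reproduces, with awk, the effect of the two BPF filters named in post #7: 'host A and host B' matches packets in both directions, while 'src A and dst B' matches only packets from A to B. The sample lines are constructed in the same 2002-era tcpdump output format; the host names, IPs and the helper names (peer_filter, count_lines) are illustrative and not from the thread. The live tcpdump commands are shown in comments only, since they need root and a real interface.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample in the old tcpdump
# text format: "<time> <srchost>.<port> > <dsthost>.<port>: <flags> ...".
SAMPLE='21:58:19.252247 192.168.0.25.32796 > linuxquestions.org.http: P 3019032012:3019032816(804) ack 3039838404 win 6432 (DF)
21:58:19.252414 linuxquestions.org.http > 192.168.0.25.32796: . ack 804 win 8040 (DF)
21:58:19.641067 linuxquestions.org.http > 192.168.0.25.32796: . 1:1449(1448) ack 804 win 8040 (DF)
21:58:20.000001 192.168.0.25.32797 > www.example.com.http: S 1:1(0) win 5840 (DF)
21:58:20.000002 192.168.0.7.1024 > linuxquestions.org.http: S 1:1(0) win 5840 (DF)'

# peer_filter MODE A B   (reads tcpdump text lines on stdin)
#   MODE "host"   : keep packets between A and B in either direction,
#                   like the BPF filter 'host A and host B'
#   MODE "srcdst" : keep packets from A to B only,
#                   like the BPF filter 'src A and dst B'
peer_filter() {
    mode=$1 a=$2 b=$3
    awk -v mode="$mode" -v a="$a" -v b="$b" '
        # host(): strip a trailing ":" and the ".port" suffix from "host.port"
        function host(tok) { sub(/:$/, "", tok); sub(/\.[^.]*$/, "", tok); return tok }
        $3 == ">" {
            src = host($2); dst = host($4)
            if (mode == "host"   && ((src == a && dst == b) || (src == b && dst == a))) print
            if (mode == "srcdst" && src == a && dst == b) print
        }'
}

# count_lines MODE A B : number of sample lines the filter keeps
count_lines() { printf '%s\n' "$SAMPLE" | peer_filter "$@" | wc -l | tr -d ' '; }

# Equivalent live captures (not run here; need root and a real interface).
# -s 0 captures whole packets (post #6), -n skips reverse DNS lookups, and
# -w writes a pcap that can be re-read and re-filtered later with -r.
#   tcpdump -n -i eth0 -s 0 -w pair.pcap   'host 192.168.1.10 and host www.google.com'
#   tcpdump -n -i eth0 -s 0 -w oneway.pcap 'src 192.168.1.10 and dst www.google.com'

count_lines host   192.168.0.25 linuxquestions.org   # 3: both directions
count_lines srcdst 192.168.0.25 linuxquestions.org   # 1: client -> server only
```

Filtering on the capture side (the BPF expression) is preferable to the grep pipeline in post #4: the kernel drops unwanted packets before they reach user space, and grep on a name-resolved host field silently depends on reverse DNS returning the name you are grepping for, which -n avoids.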
 
Old 12-16-2002, 10:11 PM   #8
urhackking
LQ Newbie
 
Registered: Dec 2002
Posts: 4
Original Poster
robb,
can you tell me how to keep the NIC in promiscuous mode?
 
Old 12-16-2002, 10:58 PM   #9
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163
tcpdump will do it


or use


ifconfig eth0 promisc

Last edited by DavidPhillips; 12-17-2002 at 12:52 AM.