Tcpdump data collection
- Subject: Tcpdump data collection
- From: nanog at daork.net (Nathan Ward)
- Date: Wed, 3 Dec 2008 14:33:13 +1300
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 3/12/2008, at 2:19 PM, Subba Rao wrote:
> Hello,
>
> I want to collect data on a network and map the data flow and system/port
> traffic. There are 2 scenarios of data collection here. The first is to
> collect IP traffic only. In this method I do not want the data portion of
> the IP packet (need IP address, source/destination ports etc).
>
> The second is to collect traffic that will show all the routing protocols
> (non-IP) used on this network. Today while collecting the data, I saw
> several HSRP packets. I don't know what portion of the packet is
> sufficient to capture for this purpose.
>
> I used the "-s 0" option on tcpdump which captures the whole packet. That
> is making the dump file large. Any help with the filters is appreciated to
> capture the non-data portion of the packets.
>
> Thank you in advance.
I strongly recommend having a look through this to find out what rules
you want (i.e. in plain English):
http://www.networksorcery.com/enp/default1002.htm
Then go about mapping them into tcpdump/pcap/bpf/whatever filter
format; a quick Google suggests this as a good resource:
http://www.whitehats.ca/main/members/Malik/malik_tcpdump_filters/malik_tcpdump_filters.html
You might also consider using netflow instead of tcpdump; there are
lots of tools available for processing netflow data in ways that are
useful to network operators.
--
Nathan Ward
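The two scenarios in the thread come down to two controls: a BPF filter decides which packets are written, and the snaplen (`-s`) decides how many leading bytes of each are kept. A fixed snaplen alone cannot separate "headers" from "data", because a packet with short headers still carries its first payload bytes up to the snaplen. The script below, added here as an illustration and not part of the thread or of tcpdump, builds the capture command for each scenario and then post-processes a classic pcap file so that each IPv4 record keeps only its Ethernet, IP and TCP/UDP/ICMP header bytes, while packets of the routing protocols (HSRP on UDP/1985, OSPF, EIGRP, BGP, RIP) are kept whole. The filter expressions, the protocol set, the constructed test frames and the assumptions of Ethernet link type, IPv4 and a little-endian pcap are all mine.

```python
"""Header-only packet retention for the two capture scenarios in the thread.

Added example (not from the thread). Assumptions: Ethernet link type,
IPv4 only, little-endian classic pcap files (what tcpdump -w writes on
x86 hosts), and the routing-protocol set listed in FILTERS.
"""
import struct
import sys

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

# BPF expressions for the two scenarios (the protocol set is an assumption).
FILTERS = {
    # Scenario 1: IPv4 transport traffic; payload is stripped afterwards.
    "ip_headers": "ip and (tcp or udp or icmp)",
    # Scenario 2: HSRP (UDP/1985), OSPF (IP proto 89), EIGRP (IP proto 88),
    # BGP (TCP/179), RIP (UDP/520). Non-IP protocols such as IS-IS would
    # need a broader clause such as "or (not ip and not arp)".
    "routing": "udp port 1985 or ip proto 89 or ip proto 88 or tcp port 179 or udp port 520",
}
# L4 ports whose packets are kept whole so the routing message survives.
ROUTING_PORTS = {1985, 520, 179}
# Largest Ethernet + 802.1Q + IPv4 (with options) + TCP (with options) header.
MAX_HEADER_SNAPLEN = 14 + 4 + 60 + 60


def tcpdump_command(scenario: str, iface: str, outfile: str) -> list:
    """argv for a capture that writes at most the header bytes of each packet."""
    return ["tcpdump", "-i", iface, "-n", "-s", str(MAX_HEADER_SNAPLEN),
            "-w", outfile, FILTERS[scenario]]


def header_length(frame: bytes) -> int:
    """Bytes from the start of an Ethernet frame to the end of the L4 header.

    Frames that are not IPv4, use an unknown transport, carry a routing
    protocol, or are truncated are kept whole so nothing needed is lost.
    """
    off = 14
    if len(frame) < off + 2:
        return len(frame)
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_P_8021Q and len(frame) >= 18:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != ETH_P_IP or len(frame) < off + 20:
        return len(frame)
    ihl = (frame[off] & 0x0F) * 4          # IPv4 header length incl. options
    proto = frame[off + 9]
    l4 = off + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        if sport in ROUTING_PORTS or dport in ROUTING_PORTS:
            return len(frame)              # keep routing messages intact
    if proto == IPPROTO_TCP and len(frame) >= l4 + 13:
        data_offset = (frame[l4 + 12] >> 4) * 4  # TCP header incl. options
        return min(len(frame), l4 + data_offset)
    if proto in (IPPROTO_UDP, IPPROTO_ICMP):
        return min(len(frame), l4 + 8)
    return len(frame)


def truncate_pcap(pcap: bytes) -> bytes:
    """Rewrite a pcap so each record carries only the bytes header_length keeps."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    out, pos = [pcap[:24]], 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16:pos + 16 + incl_len]
        keep = header_length(frame)
        # orig_len is preserved, so per-flow byte counts stay usable.
        out.append(struct.pack("<IIII", ts_sec, ts_usec, keep, orig_len) + frame[:keep])
        pos += 16 + incl_len
    return b"".join(out)


def build_pcap(frames) -> bytes:
    """Constructed test input: a minimal pcap wrapping the given frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + body


def build_frame(proto: int, l4_header: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame (10.0.0.1 -> 10.0.0.2) for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    total = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4_header + payload


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
HSRP_UDP_HDR = struct.pack("!HHHH", 1985, 1985, 8 + 20, 0)   # HSRPv1 hello is 20 bytes

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(truncate_pcap(src.read()))
```

Run it as `python3 trim.py full.pcap headers.pcap` on a file written with `tcpdump -w`; the output still opens in tcpdump or Wireshark, and because the original lengths are preserved, flow byte counts can still be derived from it. The capture-time `-s` limit keeps the live write small (compared with `-s 0`), and the post-processing step removes the payload bytes that slip under that limit; for scenario 2 the point is the reverse, so the routing-protocol packets are deliberately left untouched.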