A common mistake engineers make with tcpdump on Linux is not reviewing its options. I have lost count of how many times I have had to correct engineers who could not grep a specific IP address out of tcpdump output because reverse DNS lookup was enabled.
As an example, if you run "tcpdump -i eth0 | grep 172.16.1.1", expect matches, and get nothing, first drop the pipe and the grep and look at the raw output. If the host has DNS configured and the address you are grepping for has a reverse-DNS (PTR) record, tcpdump prints the host name instead of the address, so grep never sees the digits. Always use the "-n" option so tcpdump does not resolve addresses to names. Note that the options go before the interface name; "-i -n eth0" would make tcpdump treat "-n" as the interface.
$ tcpdump -n -i eth0 | grep <ip address>
If you also want to stop tcpdump from resolving well-known port numbers to service names (for example printing ".ssh" instead of ".22"), add a second "n":
$ tcpdump -nn -i eth0 | grep <ip address>
For more detail in each packet line, add "-v" or "-vv"; for the full list of options, type "man tcpdump".