DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 3rd July 2008
chamnanpol chamnanpol is offline
New User
 
Join Date: Jun 2008
Posts: 6
Thanked 0 Times in 0 Posts
Default i would like to know about tcpdump

i would like to know about tcpdump
i would like to use tcpdump to get information about these
- Date
- time
- source hostname
- source mac address
- source ip address
- destination ip address
- see outbound only
then i use command like this
tcpdump -i le0 -n -q -tttt -e src net 192.168.5.0/24
it will show
2008-07-01 00:04:56.032108 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 62: 192.168.5.250.1248 > 64.233.189.99.80: tcp 0
2008-07-01 00:04:56.043136 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.043186 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 396: 192.168.5.250.1247 > 208.109.162.150.80: tcp 342
2008-07-01 00:04:56.065106 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.066702 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.088741 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1248 > 64.233.189.99.80: tcp 0
ok. i've already know about
- Date
- time
- source mac address
- source ip address
- destination ip address
- see outbound only
but i haven't know "source hostname" yet.
How can i add option for tcpdump to know "source hostname"? ??????
Reply With Quote
  #2   (View Single Post)  
Old 3rd July 2008
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is online now
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,075
Thanked 198 Times in 156 Posts
Default

From tcpdump(1):
Code:
       -n     Don't convert addresses (i.e.,  host  addresses,  port  numbers,
              etc.) to names.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #3   (View Single Post)  
Old 3rd July 2008
chamnanpol chamnanpol is offline
New User
 
Join Date: Jun 2008
Posts: 6
Thanked 0 Times in 0 Posts
Default

sorry

i don't understand with your aswer

dit u mean recommend me to don't use option -n ?

but when i don't use option -n. i still don't know client hostname in my network.
Reply With Quote
  #4   (View Single Post)  
Old 3rd July 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,156
Thanked 182 Times in 149 Posts
Default

If omitting the -n option still doesn't give you the client hostnames in your network, then you either have to configure a local DNS server for your network or if you already have one, fix it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 3rd July 2008
chamnanpol chamnanpol is offline
New User
 
Join Date: Jun 2008
Posts: 6
Thanked 0 Times in 0 Posts
Default

when i don't use -n option it will show like this

tcpdump -i le0 -q -tttt -e src net 192.168.5.0/24


2008-06-30 23:52:33.039172 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.1220 > www.google.com.http: tcp 0
2008-06-30 23:52:33.280383 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 62: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.335474 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.335763 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 257: 192.168.5.250.nerv > www.blackle.com.http: tcp 203
2008-06-30 23:52:33.801363 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.864378 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 62: 192.168.5.250.1223 > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.864428 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.1220 > www.google.com.http: tcp 0

how can i do? T-T
Reply With Quote
  #6   (View Single Post)  
Old 3rd July 2008
dk_netsvil dk_netsvil is offline
Real Name: Devon
Fdisk Soldier
 
Join Date: May 2008
Location: New York
Posts: 75
Thanked 7 Times in 7 Posts
Default

It sounds like what you'd like to do is use tcpdump to discover the hostnames of machines within a particular subnet. If you use the -n flag it's going to display IPs and not perform the lookup to resolve the hostname and display that if the hostname exists in local DNS. Because you're using a private subnet you'd have to have some internal DNS server that mapped those private IPs to hostnames, otherwise it doesn't matter what those machines call themselves - the hostname of a machine isn't communicated within the packet, just the src and destination IPs.

A tool you could use, if you were interested in mapping a subnet, is nmap. Or, if you're motivated, a tool like OpenNMS.
Reply With Quote
  #7   (View Single Post)  
Old 3rd July 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,156
Thanked 182 Times in 149 Posts
Default

You have to configure a local nameserver that can do reverse name lookups. In other words: convert an IP address to it's name.

On my local network I have a nameserver which can do these kind of lookups. In the following example I ask for the name of the 192.168.222.10 address
Code:
$ dig -x 192.168.222.10            

; <<>> DiG 9.3.4 <<>> -x 192.168.222.10
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.222.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
10.222.168.192.in-addr.arpa. 604599 IN  PTR     parmenides.utp.xnet.

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Fri Jul  4 00:59:43 2008
;; MSG SIZE  rcvd: 78
The answer is parmenides.utp.xnet.

That is why on my local subnet I can do what you want
Code:
tcpdump: listening on re0, link-type EN10MB
00:56:19.473722 hercules.utp.xnet.11467 > ntp.networking4all.com.ntp: v4 client strat 0 poll 0 prec 0 [tos 0x10]
00:56:19.484222 ntp.networking4all.com.ntp > hercules.utp.xnet.11467: v4 server strat 2 poll 0 prec -20 (DF)
00:56:20.114246 hercules.utp.xnet.8121 > parmenides.utp.xnet.domain: 58778+ PTR? 35.66.249.213.in-addr.arpa. (44)
00:56:25.123730 hercules.utp.xnet.37845 > parmenides.utp.xnet.domain: 58778+ PTR? 35.66.249.213.in-addr.arpa. (44)
00:56:25.136991 parmenides.utp.xnet.domain > hercules.utp.xnet.37845: 58778 1/0/0 (80)
00:56:25.137298 hercules.utp.xnet.40288 > parmenides.utp.xnet.domain: 46104+ PTR? 20.222.168.192.in-addr.arpa. (45)
00:56:25.137848 parmenides.utp.xnet.domain > hercules.utp.xnet.40288: 46104 1/0/0 (76)
00:56:26.134072 hercules.utp.xnet.47638 > parmenides.utp.xnet.domain: 39658+ PTR? 10.222.168.192.in-addr.arpa. (45)
00:56:26.135495 hercules.utp.xnet.9484 > parmenides.utp.xnet.domain: 57537+ A? parmenides.utp.xnet. (37)
00:56:26.136136 parmenides.utp.xnet.domain > hercules.utp.xnet.9484: 57537 1/0/0 A parmenides.utp.xnet (53)
00:56:26.136349 hercules.utp.xnet > parmenides.utp.xnet: icmp: echo request
00:56:26.136534 parmenides.utp.xnet > hercules.utp.xnet: icmp: echo reply
00:56:26.137082 parmenides.utp.xnet.domain > hercules.utp.xnet.47638: 39658 1/0/0 (78)
00:56:27.143727 hercules.utp.xnet > parmenides.utp.xnet: icmp: echo request
00:56:27.143863 parmenides.utp.xnet > hercules.utp.xnet: icmp: echo reply
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #8   (View Single Post)  
Old 16th September 2008
chamnanpol chamnanpol is offline
New User
 
Join Date: Jun 2008
Posts: 6
Thanked 0 Times in 0 Posts
Default aaaaaaaaa

aaaaaaaaaaa
Reply With Quote
  #9   (View Single Post)  
Old 17th September 2008
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is online now
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,075
Thanked 198 Times in 156 Posts
Default

uuhh ...?
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
echo tcpdump date to an output bsdnewbie999 Programming 8 8th April 2009 02:58 PM
tcpdump package bsdnewbie999 OpenBSD Packages and Ports 6 30th March 2009 05:24 PM
tcpdump snaplen WARNING bsdnewbie999 OpenBSD General 1 17th March 2009 03:24 AM
Help with tcpdump file brokensilence General software and network 2 10th July 2008 03:45 PM


All times are GMT. The time now is 04:09 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick