I would like to know about tcpdump

I would like to use tcpdump to get this information:
- Date
- time
- source hostname
- source mac address
- source ip address
- destination ip address
- see outbound only

Then I use a command like this:
Code:
tcpdump -i le0 -n -q -tttt -e src net 192.168.5.0/24
It will show:
Code:
2008-07-01 00:04:56.032108 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 62: 192.168.5.250.1248 > 64.233.189.99.80: tcp 0
2008-07-01 00:04:56.043136 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.043186 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 396: 192.168.5.250.1247 > 208.109.162.150.80: tcp 342
2008-07-01 00:04:56.065106 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.066702 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0
2008-07-01 00:04:56.088741 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1248 > 64.233.189.99.80: tcp 0
OK. I already know about:
- Date
- time
- source mac address
- source ip address
- destination ip address
- see outbound only

But I don't know "source hostname" yet. How can I add an option to tcpdump so that it shows the "source hostname"?
|
From tcpdump(1):
Code:
-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
|
Sorry, I don't understand your answer. Did you mean to recommend that I don't use the -n option? But when I don't use option -n, I still don't know the client hostnames in my network.
|
If omitting the -n option still doesn't give you the client hostnames in your network, then you either have to configure a local DNS server for your network or if you already have one, fix it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
|
When I don't use the -n option it shows this:
Code:
tcpdump -i le0 -q -tttt -e src net 192.168.5.0/24
2008-06-30 23:52:33.039172 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.1220 > www.google.com.http: tcp 0
2008-06-30 23:52:33.280383 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 62: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.335474 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.335763 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 257: 192.168.5.250.nerv > www.blackle.com.http: tcp 203
2008-06-30 23:52:33.801363 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.nerv > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.864378 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 62: 192.168.5.250.1223 > www.blackle.com.http: tcp 0
2008-06-30 23:52:33.864428 00:0c:29:4c:6d:ff (oui Unknown) > 00:0c:29:b9:4a:e8 (oui Unknown), IPv4, length 60: 192.168.5.250.1220 > www.google.com.http: tcp 0
How can I do it? T-T
|
It sounds like what you'd like to do is use tcpdump to discover the hostnames of machines within a particular subnet. If you use the -n flag it's going to display IPs and not perform the lookup to resolve the hostname and display that if the hostname exists in local DNS. Because you're using a private subnet you'd have to have some internal DNS server that mapped those private IPs to hostnames, otherwise it doesn't matter what those machines call themselves - the hostname of a machine isn't communicated within the packet, just the src and destination IPs.
A tool you could use, if you were interested in mapping a subnet, is nmap. Or, if you're motivated, a tool like OpenNMS.
|
You have to configure a local nameserver that can do reverse name lookups. In other words: convert an IP address to its name.
On my local network I have a nameserver which can do these kinds of lookups. In the following example I ask for the name of the 192.168.222.10 address:
Code:
$ dig -x 192.168.222.10

; <<>> DiG 9.3.4 <<>> -x 192.168.222.10
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.222.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
10.222.168.192.in-addr.arpa. 604599 IN  PTR     parmenides.utp.xnet.

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Fri Jul  4 00:59:43 2008
;; MSG SIZE  rcvd: 78
That is why on my local subnet I can do what you want:
Code:
tcpdump: listening on re0, link-type EN10MB
00:56:19.473722 hercules.utp.xnet.11467 > ntp.networking4all.com.ntp: v4 client strat 0 poll 0 prec 0 [tos 0x10]
00:56:19.484222 ntp.networking4all.com.ntp > hercules.utp.xnet.11467: v4 server strat 2 poll 0 prec -20 (DF)
00:56:20.114246 hercules.utp.xnet.8121 > parmenides.utp.xnet.domain: 58778+ PTR? 35.66.249.213.in-addr.arpa. (44)
00:56:25.123730 hercules.utp.xnet.37845 > parmenides.utp.xnet.domain: 58778+ PTR? 35.66.249.213.in-addr.arpa. (44)
00:56:25.136991 parmenides.utp.xnet.domain > hercules.utp.xnet.37845: 58778 1/0/0 (80)
00:56:25.137298 hercules.utp.xnet.40288 > parmenides.utp.xnet.domain: 46104+ PTR? 20.222.168.192.in-addr.arpa. (45)
00:56:25.137848 parmenides.utp.xnet.domain > hercules.utp.xnet.40288: 46104 1/0/0 (76)
00:56:26.134072 hercules.utp.xnet.47638 > parmenides.utp.xnet.domain: 39658+ PTR? 10.222.168.192.in-addr.arpa. (45)
00:56:26.135495 hercules.utp.xnet.9484 > parmenides.utp.xnet.domain: 57537+ A? parmenides.utp.xnet. (37)
00:56:26.136136 parmenides.utp.xnet.domain > hercules.utp.xnet.9484: 57537 1/0/0 A parmenides.utp.xnet (53)
00:56:26.136349 hercules.utp.xnet > parmenides.utp.xnet: icmp: echo request
00:56:26.136534 parmenides.utp.xnet > hercules.utp.xnet: icmp: echo reply
00:56:26.137082 parmenides.utp.xnet.domain > hercules.utp.xnet.47638: 39658 1/0/0 (78)
00:56:27.143727 hercules.utp.xnet > parmenides.utp.xnet: icmp: echo request
00:56:27.143863 parmenides.utp.xnet > hercules.utp.xnet: icmp: echo reply
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
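The two answers above make the same point: the hostname is never inside the captured frame, tcpdump without -n simply issues a PTR query for each address and prints whatever the reverse zone returns. The script below, an added example that is not code from this thread or from tcpdump, makes that visible. It parses the `tcpdump -n -q -tttt -e` lines the original poster showed, keeps only frames whose source is in 192.168.5.0/24 (the same selection as the `src net` filter), and adds a source hostname through a cached reverse lookup. By default it calls the system resolver (so it needs a nameserver that serves the reverse zone, exactly as the answer says); for an offline run it is given a constructed PTR table with one entry. The name `pc250.lan.example` and the final inbound sample line are constructed for the example.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# One line of `tcpdump -n -q -tttt -e` output, in the layout shown in this thread:
# <date> <time> <src mac> > <dst mac>, <ethertype>, length N: <src ip>.<port> > <dst ip>.<port>: <proto> N
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"(?P<ethertype>[^,]+), length (?P<frame_len>\d+): "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d+): "
    r"(?P<proto>\w+) (?P<payload_len>\d+)$"
)


@dataclass
class Packet:
    date: str
    time: str
    src_mac: str
    src_ip: str
    src_host: str      # PTR name if the resolver knows one, else the IP literal
    dst_ip: str
    dst_port: int
    frame_len: int


class ReverseResolver:
    """PTR (reverse DNS) lookup with a per-address cache, which is what tcpdump
    does internally when run without -n. The name comes from DNS, not from the
    captured packet, so a missing PTR record means no name at all."""

    def __init__(self, lookup: Optional[Callable[[str], str]] = None):
        # Default: the system resolver, which needs a nameserver serving the
        # reverse zone. The demo injects a table instead so it runs offline.
        self._lookup = lookup or (lambda ip: socket.gethostbyaddr(ip)[0])
        self._cache: Dict[str, str] = {}

    def name_for(self, ip: str) -> str:
        if ip not in self._cache:
            try:
                self._cache[ip] = self._lookup(ip)
            except (OSError, KeyError):   # socket.herror/gaierror are OSError subclasses
                self._cache[ip] = ip       # no PTR record: keep the literal address
        return self._cache[ip]


def parse_line(line: str) -> Optional[dict]:
    """Split one tcpdump line into named fields; None if it is not in this layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def outbound_summary(lines: Iterable[str], resolver: ReverseResolver,
                     src_net: str = "192.168.5.0/24") -> List[Packet]:
    """Keep frames whose source address lies inside src_net and attach the
    source hostname obtained from a reverse lookup."""
    net = ipaddress.ip_network(src_net)
    out: List[Packet] = []
    for line in lines:
        f = parse_line(line)
        if f is None or ipaddress.ip_address(f["src_ip"]) not in net:
            continue
        out.append(Packet(
            date=f["date"], time=f["time"], src_mac=f["src_mac"],
            src_ip=f["src_ip"], src_host=resolver.name_for(f["src_ip"]),
            dst_ip=f["dst_ip"], dst_port=int(f["dst_port"]),
            frame_len=int(f["frame_len"]),
        ))
    return out


# Sample input: three lines copied from the thread plus one constructed inbound
# reply (the last line) that the src-net selection must drop.
SAMPLE_LINES = [
    "2008-07-01 00:04:56.032108 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 62: 192.168.5.250.1248 > 64.233.189.99.80: tcp 0",
    "2008-07-01 00:04:56.043136 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 60: 192.168.5.250.1247 > 208.109.162.150.80: tcp 0",
    "2008-07-01 00:04:56.043186 00:0c:29:4c:6d:ff > 00:0c:29:b9:4a:e8, IPv4, length 396: 192.168.5.250.1247 > 208.109.162.150.80: tcp 342",
    "2008-07-01 00:04:56.050000 00:0c:29:b9:4a:e8 > 00:0c:29:4c:6d:ff, IPv4, length 60: 64.233.189.99.80 > 192.168.5.250.1248: tcp 0",
]

# Constructed stand-in for a local reverse zone: only one host has a PTR record.
CONSTRUCTED_PTR_TABLE = {"192.168.5.250": "pc250.lan.example"}


def demo() -> List[Packet]:
    """Run the summary over the sample lines using the constructed PTR table."""
    resolver = ReverseResolver(lookup=lambda ip: CONSTRUCTED_PTR_TABLE[ip])
    return outbound_summary(SAMPLE_LINES, resolver)


if __name__ == "__main__":
    for p in demo():
        print(p.date, p.time, p.src_host, p.src_mac, p.src_ip, "->", p.dst_ip, p.dst_port)
```

Two things worth keeping in mind when relying on this: the PTR queries themselves are traffic, which is why the capture in the answer above shows hercules asking parmenides for `10.222.168.192.in-addr.arpa.` in the middle of the trace, and a PTR name is whatever the operator of the reverse zone chose to publish, so treat it as a label for reading a capture, not as proof of which machine sent the frame. For that reason `-n` (no lookups, no resolver delay) remains the better default when capturing, with names added afterwards as done here.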
|
aaaaaaaaaaa