tcpdump command

John DeDourek dedourek at unb.ca
Fri May 18 22:02:35 UTC 2007


Kaushal Shriyan wrote:
> Thanks Andy
>
> so running this command tcpdump -i eth0 -s 1500 -w dump host 
> www.example.com will give me the network traffic between src host
> to destination host and destination host to src host
>
> is that correct, what I understand?
>
> Thanks and Regards
>
> Kaushal
>
>
> On 5/18/07, *Andy Green* <andy at warmcat.com> wrote:
>
>     Kaushal Shriyan wrote:
>     > Hi
>     >
>     > I have to capture network traffic between an appliance and
>     content server
>     > using tcpdump command and then dump to a file and read and
>     decode it using
>     > wireshark
>     >
>     > How do i proceed
>     >
>     > I have used tcpdump -i eth0 -s 1500 -w dump src host 192.168.0.1 and dst
>     > host www.example.com
>     >
>     > when i read the dump capture file using wireshark i could only
>     see packets
>     > being sent from src host to destination host, I could not see
>     any packets
>     > being sent from destination host to src host.
>
>     You specified what you wanted too tightly... ONLY packets coming FROM
>     ('src host') 192.168.0.1 and going TO ('dst host') www.example.com.
>
>     Just using
>
>     -i eth0 -s 1500 -w dump host www.example.com
>
>     will get you what you want: see
>
>     man tcpdump
>
>     -Andy
>
>     --
>     fedora-list mailing list
>     fedora-list at redhat.com
>     To unsubscribe:
>     https://www.redhat.com/mailman/listinfo/fedora-list
>
>
As was pointed out, this will get you all traffic from or to
www.example.com with the other host in the IP packet unspecified.
If you really want to be particular, try:

tcpdump -i eth0 -s 1500 -w dump host 192.168.0.1 and host www.example.com

which, as you might guess from extrapolating the logic in the other
examples described, will give you all traffic where the source or
destination is 192.168.0.1 AND the source or destination is
www.example.com. This would give you all traffic between the hosts in
either direction. If you really analyze the logic, it will also give you
all traffic between www.example.com and itself, and likewise all traffic
between 192.168.0.1 and itself THAT APPEARS ON eth0. But there will be no
such traffic (barring really bizarre configurations) because such traffic
will never appear on the external network.

Hope that helps