m.seaman at infracaninophile.co.uk
Thu Apr 15 21:07:04 UTC 2010
On 15/04/2010 21:46:03, Gary Gatten wrote:
> I think by default it does only log "session" info not the full packet. For that you'd need to add -vvv and set the packet length to zero to capture the full packet.
> So, just run it without any args and you should be ok.
> ----- Original Message -----
> From: owner-freebsd-questions at freebsd.org <owner-freebsd-questions at freebsd.org>
> To: freebsd-questions at freebsd.org <freebsd-questions at freebsd.org>
> Sent: Thu Apr 15 15:37:09 2010
> Subject: about tcpdump
> I have a network. I wish to log all incoming and outgoing traffic using
> tcpdump on my gateway server. But I don't want to log this traffic's data
> because it takes up too much disk space.
> I only want to log which ports were used and which IP addresses were reached.
> How can I do this using tcpdump?
> Could you give me an example or docs?
> I use FreeBSD 7.2
nope -- when you use tcpdump to capture packets it defaults to capturing
just the first 68 bytes of each packet -- that's just enough to get all
the packet headers (i.e. Ethernet addresses, IP numbers, port numbers, TCP
options, etc.) for a TCP packet, plus quite a lot of protocol-specific
packet headers for other types [assuming IPv4 -- you'll need to capture
a bit more for IPv6 because the addresses are longer].

    # tcpdump -i em0 -w /tmp/capture.pcap

is actually pretty space efficient. Even so, on any reasonably busy
server that's going to add up to megabytes per minute. If that's too
much then try an application like pftop(1) or ntop(1) which can
categorize and summarize traffic on the fly.
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Ramsgate, Kent, CT11 9PW
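An added example, not part of the thread: the Python below builds constructed IPv4 and IPv6 TCP frames, cuts them to a snapshot length the way a capture at that snaplen would, and checks which header fields survive. It assumes the 68-byte default quoted in the reply, frames with no IP or TCP options, and Ethernet framing; the frame builder skips checksums since only header offsets matter here.

```python
import ipaddress
import struct

DEFAULT_SNAPLEN = 68  # tcpdump's historical default snapshot length (per the reply)


def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IP/TCP frame for the demo (no checksums, no options)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 20-byte TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    if s.version == 4:
        total = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0, s.packed, d.packed)
        eth = b"\x00" * 12 + b"\x08\x00"          # EtherType IPv4
    else:
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(tcp) + len(payload), 6, 64,
                         s.packed, d.packed)
        eth = b"\x00" * 12 + b"\x86\xdd"          # EtherType IPv6
    return eth + ip + tcp + payload


def parse_headers(frame, snaplen=DEFAULT_SNAPLEN):
    """Return (src, dst, sport, dport, tcp_header_complete) from a frame truncated
    to snaplen, i.e. exactly what a capture taken at that snaplen would retain."""
    data = frame[:snaplen]
    ethertype = struct.unpack("!H", data[12:14])[0]
    if ethertype == 0x0800:                         # IPv4: 20-byte header, addresses at +12/+16
        l4 = 14 + (data[14] & 0x0F) * 4
        src, dst = data[26:30], data[30:34]
    elif ethertype == 0x86DD:                       # IPv6: fixed 40-byte header, addresses at +8/+24
        l4 = 14 + 40
        src, dst = data[22:38], data[38:54]
    else:
        raise ValueError("not an IP frame")
    src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
    if len(data) < l4 + 4:
        return src, dst, None, None, False          # ports were cut off by the snaplen
    sport, dport = struct.unpack("!HH", data[l4:l4 + 4])
    tcp_len = (data[l4 + 12] >> 4) * 4 if len(data) > l4 + 12 else None
    complete = tcp_len is not None and len(data) >= l4 + tcp_len
    return src, dst, sport, dport, complete


def capture_size(frames, snaplen=DEFAULT_SNAPLEN):
    """Bytes of packet data a capture at snaplen stores for these frames."""
    return sum(min(len(f), snaplen) for f in frames)
```

With the 68-byte default the IPv4 frame yields addresses, ports and the whole TCP header, while the IPv6 frame still yields addresses and ports but its TCP header is cut short, which is the "capture a bit more for IPv6" point in the reply.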