about tcpdump

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Apr 15 21:07:04 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15/04/2010 21:46:03, Gary Gatten wrote:
> I think by default it does only log "session" info not the full packet.  For that you'd need to add -vvv and set the packet length to zero to capture the full packet.
> 
> So, just run it without any args and you should be ok.
> 
> ----- Original Message -----
> From: owner-freebsd-questions at freebsd.org <owner-freebsd-questions at freebsd.org>
> To: freebsd-questions at freebsd.org <freebsd-questions at freebsd.org>
> Sent: Thu Apr 15 15:37:09 2010
> Subject: about tcpdump
> 
> I have a network. I wish to log all incoming and outgoing trafficc using 
> tcpdump on my gateway server. But I don't want to log these traffic's data 
> because of they take up much on disk.
> I only want to log which ports were used, which ip addresses were reached.
> How can I do these using tcpdump ?
> Could you give me an example or docs?
> I use freebsd7.2

nope -- when you use tcpdump to capture packets it defaults to capturing
just the first 68bytes of each packet -- that's just enough to get all
the packet headers (ie ethernet addresses, IP numbers, port numbers, tcp
options, etc.) for a tcp packet, plus quite a lot of protocol specific
packet headers for other types [assuming IPv4 -- you'll need to capture
a bit more for IPv6 because the addresses are longer].

Simply doing:

   # tcpdump -i em0 -w /tmp/capture.pcap

is actually pretty space efficient.  Even so, on any reasonably busy
server that's going to add up to megabytes per minute.  If that's too
much then try an application like pftop(1) or ntop(1) which can
categorize and summarize traffic on the fly.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvHf/EACgkQ8Mjk52CukIyz6wCfSiBEIYT/KGkJgD01WV4eTQDf
1t0AniH1+b1xWWkehPXMK3bpv121zhrz
=Bqsf
-----END PGP SIGNATURE-----

More information about the freebsd-questions mailing list