The second is to collect traffic that will show all the routing
protocols (non-IP) used on this network. Today while collecting the
data, I saw several HSRP packets. I don't know what portion of the
packet is sufficient to capture for this purpose.
I used the "-s 0" option on tcpdump which captures the whole packet.
That is making the dump file large. Any help with the filters is
appreciated to capture the non-data portion of the packets.
Thank you in advance.
NJ
Have you tried -s xx where xx is header size (or at least the size
required to snaffle the data you want)?
-s 0 is clearly the opposite of what you want.
>I want to collect data on a network and map the data flow and
>system/port traffic. There are 2 scenarios of data collection here. The
>first is to collect IP traffic only. In this method I do not want the
>data portion of the IP packet (need IP address, source/destination ports
>etc).
<snip>
You might want to have a look at argus (http://www.qosient.com/argus)
which collects flow data and has clients for manipulating it.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> I want to collect data on a network and map the data flow and
> system/port traffic. There are 2 scenarios of data collection here. The
> first is to collect IP traffic only. In this method I do not want the
> data portion of the IP packet (need IP address, source/destination ports
> etc).
You could possibly export netflow from your Cisco. This wouldn't include the
content of the packets, just the data about the network flows [ie sockets].
Not sure if that would include HSRP. In what way do you want to map your
network?
> The second is to collect traffic that will show all the routing
> protocols (non-IP) used on this network. Today while collecting the
> data, I saw several HSRP packets.
If you specify what protocols you're interested in and don't capture
everything going across the interface, that will greatly reduce the size of
the capture file, eg:
# tcpdump -i ethN vrrp
will capture only VRRP packets [it may capture HSRP as they're similar but
incompatible]. Or possibly even 'not ip' would suffice. 'man tcpdump' will
explain more. HSRP is not a routing protocol by the way.
> I don't know what portion of the
> packet is sufficient to capture for this purpose.
> I used the "-s 0" option on tcpdump which captures the whole packet.
I would have thought it would be a matter of trial and error: start off at,
say, 100 bytes, review the dump in Wireshark and keep increasing the
capture size until it says it's not truncating packets any more [the ones
you're interested in, anyway].
--
<http://ale.cx/> (AIM:troffasky) (UnSoEs...@ale.cx)
19:35:06 up 17 min, 1 user, load average: 0.06, 0.14, 0.15
They call me titless because I have no tits
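The "keep increasing -s until nothing you care about is truncated" check above can be done offline instead of by eye in Wireshark. The following is an added example, not code from this thread: it reads a classic pcap file, compares each record's captured length with its original length (tcpdump writes both), and reports how many records were cut short and the smallest snaplen that would have kept every record whole. The pcap it scans is constructed in memory to emulate a 'tcpdump -s 100 -w file' capture of two small frames and one full-size frame; pcapng files are out of scope.

```python
"""Report truncated records in a classic pcap and the -s value that avoids them."""
import struct

PCAP_MAGIC = 0xa1b2c3d4        # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(snaplen, frames):
    """Constructed test data: emulate 'tcpdump -s <snaplen> -w file' on frames."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                     # what -s keeps
        out += struct.pack("<IIII", 1_700_000_000 + i, 0,
                           len(captured), len(frame))  # caplen, origlen
        out += captured
    return bytes(out)


def iter_records(data):
    """Yield (caplen, origlen, captured_bytes) per record, honouring the
    byte order announced by the magic number."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xd4c3b2a1:                          # written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng not handled)")
    off = 24                                           # 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def truncation_report(data):
    """Count records, count those cut short (caplen < origlen) and return the
    snaplen that would have captured every record in full."""
    total = truncated = needed = 0
    for caplen, origlen, _ in iter_records(data):
        total += 1
        needed = max(needed, origlen)
        if caplen < origlen:
            truncated += 1
    return {"records": total, "truncated": truncated, "snaplen_needed": needed}


# Constructed sample: two 62-byte control frames and one 1514-byte data frame,
# captured with -s 100, so only the data frame is truncated.
SMALL_FRAME = bytes(62)
DATA_FRAME = bytes(1514)
SAMPLE_PCAP = build_pcap(100, [SMALL_FRAME, DATA_FRAME, SMALL_FRAME])

if __name__ == "__main__":
    print(truncation_report(SAMPLE_PCAP))
    # → {'records': 3, 'truncated': 1, 'snaplen_needed': 1514}
```

Pointing `truncation_report` at a real file (`open(path, "rb").read()`) gives the same three numbers; if you only care about a subset of packets, filter the capture first (for example with a tcpdump read filter) and run the report on the result, since `snaplen_needed` is the maximum over every record it sees.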
> I want to collect data on a network and map the data flow and
> system/port traffic. There are 2 scenarios of data collection here. The
> first is to collect IP traffic only. In this method I do not want the
> data portion of the IP packet (need IP address, source/destination ports
> etc).
In general - I capture to a file, and then process the results after.
I filter when capturing only if necessary.
That way, things that might slow down the processing (DNS) won't
affect the data capture.
The argument "ip" will only capture IP traffic (and TCP/UDP, but not
broadcast, etc.)
tcpdump -w file.tcpdump ip
You can use '-s #' and make sure # is small enough to just capture the
header. The default (without -s at all) is usually sufficient.
But unless there's a privacy issue, it's just a matter of
ignoring the information you don't want to see.
> The second is to collect traffic that will show all the routing
> protocols (non-IP) used on this network.
Are you running two different captures?
Capturing (1) all IP and (2) all non-IP essentially says you are
capturing everything.
>
> data, I saw several HSRP packets. I don't know what portion of the
> packet is sufficient to capture for this purpose.
Looking at the source (in print-udp.c) shows:
    else if (dport == HSRP_PORT)
        hsrp_print((const u_char *)(up + 1), length);
where
#define HSRP_PORT 1985
so you can use the filter
tcpdump .... udp and port 1985
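Since the thread proposes several capture filters for the same goal ('vrrp', 'not ip', 'ip', and 'udp and port 1985'), it helps to see which frames each one actually keeps. The following is an added example, not code from this thread or from tcpdump: it classifies raw Ethernet frames (EtherType, IPv4 protocol, UDP/TCP ports), mirrors those four BPF expressions as Python predicates, and also computes the headers-only snaplen mentioned above (Ethernet + IP + transport header, nothing else). The sample frames are constructed in memory with zeroed checksums: an HSRP hello (UDP to port 1985, as print-udp.c shows), a VRRP advertisement (IP protocol 112), an ARP request, and an HTTP data segment. One thing it makes visible: HSRP rides on UDP over IP, so 'not ip' and 'vrrp' both miss it, while 'ip' and 'udp and port 1985' keep it.

```python
"""Classify frames, mirror tcpdump filter expressions, size a headers-only snaplen."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_VRRP = 6, 17, 112
HSRP_PORT = 1985                         # as in tcpdump's print-udp.c


# --- constructed frame builders (checksums left zero; not validated here) ---
def eth(ethertype, payload):
    return (b"\x01\x00\x5e\x00\x00\x02" + b"\x00\x11\x22\x33\x44\x55"
            + struct.pack("!H", ethertype) + payload)

def ipv4(proto, l4, ttl=1):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto,
                      0, bytes([10, 0, 0, 1]), bytes([224, 0, 0, 2]))
    return hdr + l4

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data):              # 20-byte header, data offset 5
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + data


def classify(frame):
    """Describe a frame: EtherType, whether it is IP, IP protocol, ports, a
    label, and the bytes needed to capture all headers and no payload."""
    info = {"label": "runt", "ethertype": None, "is_ip": False, "proto": None,
            "sport": None, "dport": None, "header_bytes": len(frame)}
    if len(frame) < 14:
        return info
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info.update(ethertype=ethertype, header_bytes=14)
    if ethertype < 0x0600:                # IEEE 802.3 length field, not an EtherType
        info["label"] = "802.3/LLC"
    elif ethertype == ETHERTYPE_ARP:
        info["label"] = "ARP"
    elif ethertype != ETHERTYPE_IPV4:
        info["label"] = "ethertype 0x%04x" % ethertype
    else:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        l4 = 14 + ihl
        info.update(is_ip=True, proto=proto, header_bytes=l4)
        if proto == IPPROTO_VRRP:
            info["label"] = "VRRP"
        elif proto == IPPROTO_UDP:
            sport, dport = struct.unpack_from("!HH", frame, l4)
            info.update(sport=sport, dport=dport, header_bytes=l4 + 8,
                        label="HSRP" if dport == HSRP_PORT else "UDP")
        elif proto == IPPROTO_TCP:
            sport, dport = struct.unpack_from("!HH", frame, l4)
            data_off = (frame[l4 + 12] >> 4) * 4
            info.update(sport=sport, dport=dport, header_bytes=l4 + data_off, label="TCP")
        else:
            info["label"] = "IP proto %d" % proto
    return info


# Python equivalents of the capture filters discussed in the thread.
FILTERS = {
    "ip":                lambda i: i["is_ip"],
    "not ip":            lambda i: not i["is_ip"],
    "vrrp":              lambda i: i["proto"] == IPPROTO_VRRP,
    "udp and port 1985": lambda i: i["proto"] == IPPROTO_UDP
                                   and HSRP_PORT in (i["sport"], i["dport"]),
}

def filter_matches(frames):
    """For each filter expression, the labels of the frames it would keep."""
    infos = [classify(f) for f in frames]
    return {expr: [i["label"] for i in infos if keep(i)] for expr, keep in FILTERS.items()}

def headers_only_snaplen(frames):
    """Smallest -s value that still captures every header in these frames."""
    return max(classify(f)["header_bytes"] for f in frames)


SAMPLE_FRAMES = [                                                    # constructed
    eth(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, udp(1985, 1985, bytes(20)))),   # HSRP hello
    eth(ETHERTYPE_IPV4, ipv4(IPPROTO_VRRP, bytes(20))),                   # VRRP advert
    eth(ETHERTYPE_ARP, bytes(28)),                                        # ARP request
    eth(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP, tcp(40000, 80, bytes(1000)))),  # HTTP data
]

if __name__ == "__main__":
    for expr, kept in filter_matches(SAMPLE_FRAMES).items():
        print("%-20s -> %s" % (expr, kept))
    print("headers-only snaplen:", headers_only_snaplen(SAMPLE_FRAMES))   # → 54
```

For an inventory of which protocols a segment carries, running `classify` over every frame of an unfiltered capture and counting the labels is the cheapest map; the headers-only snaplen it reports (54 bytes here, driven by the TCP frame) is the lower bound for a capture that records addresses and ports without payload, and any frame with IP or TCP options pushes it higher.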