tcpflow not seeing traffic between a client and server


Steven Kass

Sep 2, 2017, 9:23:23 PM
to tcpflow-users
Hello,
I'm a newbie user of tcpflow, and have been having some problems getting it to work properly - which probably means I've misconfigured or misunderstood something about how it works.  Any help will be appreciated!  My apologies in advance if there is too much information here, but I'm trying not to leave out anything observed that might be significant.  My experience is in software, not in networking...

I have a Windows-based server on VM-S (192.168.2.48), a Windows-based client on VM-C (192.168.2.47), and a Fedora 21 machine, VM-F (192.168.2.11), running tcpflow (1.4.4).  Each of my 3 VMs is able to successfully ping the other two.

I have found that I need to specify the ethernet device; otherwise I receive an error as shown below (I can live with entering the device name, but
I'm not sure if this is indicative of a larger problem):
[root@root-pc bin]# ./tcpflow -a -o outdir -c -D host 192.168.1.20
./tcpflow: <default>: No such device exists (SIOCGIFHWADDR: No such device)

[root@root-pc bin]# ./tcpflow -a -i eth0 -o outdir -c -D host 192.168.1.20
./tcpflow: listening on eth0
^C./tcpflow: terminating

[root@root-pc bin]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.11  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::20c:29ff:fe57:9c7  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:57:09:c7  txqueuelen 1000  (Ethernet)
        RX packets 2061636  bytes 384551947 (366.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37686  bytes 2991909 (2.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 32  bytes 2816 (2.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32  bytes 2816 (2.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@root-pc bin]#

Here is the main issue:
tcpflow (on VM-F) does not capture the transmissions between VM-S and VM-C.  But it does appear to capture other traffic (which I'm not interested in capturing) on the .2 segment.  I can capture data for 10 minutes while the server and client are swapping information, but nothing appears in my outdir directory indicating 2.48 or 2.47 even exist (Wireshark on VM-S is able to capture the transmissions, but I need the tcpflow format for Radamsa).  Here is a snippet of my outdir directory, which indicates nothing from 2.47 and 2.48.  I believe the command entered was "[root@root-pc bin]# ./tcpflow -a -o outdir -c -D host 192.168.2.48"
-rw-r--r--. 1 root root      31 Sep  1 09:49 192.168.002.011.36593-209.132.181.016.00443
-rw-r--r--. 1 root root     763 Sep  1 09:49 192.168.002.011.39738-209.132.181.015.00443
-rw-r--r--. 1 root root     885 Sep  1 09:45 192.168.002.087.55658-192.168.001.166.01947
-rw-r--r--. 1 root root     885 Sep  1 09:45 192.168.002.087.55659-192.168.001.020.01947

Can anybody point me in a direction that can help identify this issue?  THANK YOU!


Steve.


Steven Kass

Sep 3, 2017, 1:54:43 PM
to tcpflow-users

Sorry - copy / paste error...  This is what should have been in the description of the main issue...
 
Note that 192.168.2.47 and 192.168.2.48 do not appear in outdir1, yet Wireshark on a Windows VM shows them to be sending messages to each other every 5 seconds.

Below is the command I used, which I terminated after about 5 minutes:
[root@root-pc bin]# ./tcpflow -a -i eth0 -o outdir1

./tcpflow: listening on eth0
^C./tcpflow: terminating
[root@root-pc bin]#

Here is the result shown in outdir1:
<snipped>
-rw-r--r--. 1 root root          31 Sep  3 13:39 192.168.002.011.41357-152.019.134.198.00443
-rw-r--r--. 1 root root        763 Sep  3 13:39 192.168.002.011.46434-140.211.169.196.00443
-rw-r--r--. 1 root root      1956 Sep  3 13:39 192.168.002.069.00139-192.168.002.087.54038
-rw-r--r--. 1 root root        117 Sep  3 13:37 192.168.002.087.50781-065.052.108.219.00443
-rw-r--r--. 1 root root        885 Sep  3 13:38 192.168.002.087.54032-192.168.001.166.01947
-rw-r--r--. 1 root root        885 Sep  3 13:38 192.168.002.087.54033-192.168.001.020.01947
<snipped>
-rw-r--r--. 1 root root          0 Sep  3 13:37 alerts.txt
-rw-r--r--. 1 root root   14916 Sep  3 13:37 report.pdf
-rw-r--r--. 1 root root   20940 Sep  3 13:40 report.xml
[sisco@root-pc outdir1]$

Thanks...
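The check being done by eye above (does a given host pair show up anywhere in the tcpflow output directory?) can be automated by parsing tcpflow's flow-file names. This is an added example, not code from the thread or from the tcpflow project; it assumes the naming seen in the listings above (zero-padded octets, 5-digit ports, first endpoint is the side whose payload the file holds) and the sample entries are constructed from the outdir1 listing.

```python
import re
from collections import Counter

# tcpflow names each flow file SRC_IP.SRC_PORT-DST_IP.DST_PORT with every octet
# zero-padded to 3 digits and ports to 5 digits. Any trailing suffix (such as a
# connection counter) is tolerated but ignored. (Assumed format; see lead-in.)
FLOW_RE = re.compile(
    r"^(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})-(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})"
)

def unpad(ip):
    """'192.168.002.011' -> '192.168.2.11'"""
    return ".".join(str(int(o)) for o in ip.split("."))

def parse_flow_name(name):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-flow
    files such as report.xml or alerts.txt."""
    m = FLOW_RE.match(name)
    if not m:
        return None
    return unpad(m.group(1)), int(m.group(2)), unpad(m.group(3)), int(m.group(4))

def hosts_seen(names):
    """Count the flow files each host appears in, as source or destination."""
    seen = Counter()
    for n in names:
        f = parse_flow_name(n)
        if f:
            seen[f[0]] += 1
            seen[f[2]] += 1
    return seen

def flows_between(names, a, b):
    """Flow files whose two endpoints are exactly hosts a and b, either direction."""
    return [n for n in names
            if (f := parse_flow_name(n)) and {f[0], f[2]} == {a, b}]

# Constructed sample mirroring the outdir1 listing in the thread.
SAMPLE = [
    "192.168.002.011.41357-152.019.134.198.00443",
    "192.168.002.069.00139-192.168.002.087.54038",
    "192.168.002.087.54032-192.168.001.166.01947",
    "alerts.txt", "report.pdf", "report.xml",
]

if __name__ == "__main__":
    print(hosts_seen(SAMPLE))
    # An empty list here means the capture interface never saw the pair at all.
    print(flows_between(SAMPLE, "192.168.2.47", "192.168.2.48"))
```

Run it against `os.listdir("outdir1")` instead of SAMPLE to get the per-host counts for a real capture; if the expected pair is absent while other hosts on the segment are present, the capturing interface is not receiving that traffic.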
