# cat > filterfile
dst host spider and (udp or proto 51) and not (src host daffy or src host fulton)
Ctrl-D
# tcpdump -F filterfile
So we can save the compound filters that interest us and capture traffic with ease.
Note that inside a filter file the parentheses need no shell quoting; tcpdump reads the expression directly.
By the way, the above filter captures all IP traffic with host spider as the
destination, excluding anything sent by host daffy or host fulton. The
transport protocol must be either UDP or AH (IP protocol 51).
4. how to display packet information
The fourth and final approach to taming tcpdump is specifying how our data is to
be displayed. It is important to realize that our filter (or the lack of one)
determines what data is actually captured. After that, we tell tcpdump how to
output that data. We have already looked at how to output certain kinds of data
(subsection 2). In this section, we look at how to format that output.
We can format data output in the following ways:
1. "-a" -- force all name resolution (the default)
2. "-n" -- remove all name resolution
3. "-N" -- remove domain name resolution
4. "-f" -- remove all remote host name resolution
5. "-t" -- remove timestamp
6. "-tt" -- no timestamp formatting (use epoch time)
7. "-ttt" -- format timestamp with day and month
So there's nothing spectacular here. The most we can say is that removing name
resolution can speed things up. Removing timestamps also unclutters the screen
quite well. I leave it up to you, dear reader, to experiment with these formatting
options.
Let me end with two more examples.
Let's say I am working at my desk and I want to keep tabs on what bastards are
bombarding my firewall with junk. I could issue the following command and take
a look from time to time:
# tcpdump -i tun0 -nq \
    not "(port 22 and host spider)" \
    and not "(port 53 or 80 or 110 or 119 or 443)" \
    and dst host 216.209.50.188
Line by line:
1. on my system the interface is 'tun0'
2. so as not to have my ssh session interfer
3. so as not to show valid packets
4. if this is the IP currently assigned to t
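Taking a look "from time to time" scales badly once the junk piles up, so here is an added example (not part of the original article) that tallies the "-nq" output of the command above by source address, protocol and destination port. The sample lines are constructed, the firewall address is the article's 216.209.50.188, and IPv4-only parsing is assumed.

```python
import re
from collections import Counter

# One line of "tcpdump -nq" output: optional timestamp, "IP", then
# src[.sport] > dst[.dport]: <rest>.  Ports are optional so ICMP lines parse.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+) )?IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, dst, dport, proto) for a tcpdump -nq line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # With -q the remainder starts with the protocol name: "tcp 0",
    # "UDP, length 376", "ICMP echo request, ...".
    proto = m.group("rest").split(",")[0].split(" ")[0].lower()
    dport = int(m.group("dport")) if m.group("dport") else None
    return m.group("src"), m.group("dst"), dport, proto


def summarize(lines, firewall_ip):
    """Count (src, proto, dport) tuples whose destination is firewall_ip."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a packet line (e.g. tcpdump's startup banner)
        src, dst, dport, proto = parsed
        if dst == firewall_ip:  # ignore our own outbound replies
            hits[(src, proto, dport)] += 1
    return hits


def top_sources(lines, firewall_ip, n=3):
    """Most frequent source addresses, summed over all protocols and ports."""
    per_src = Counter()
    for (src, _proto, _dport), count in summarize(lines, firewall_ip).items():
        per_src[src] += count
    return per_src.most_common(n)


# Constructed sample (not a real capture); sources are documentation ranges.
SAMPLE = """\
1700000000.000001 IP 203.0.113.7.50211 > 216.209.50.188.23: tcp 0
1700000000.000002 IP 203.0.113.7.50212 > 216.209.50.188.23: tcp 0
1700000000.000003 IP 198.51.100.9.1025 > 216.209.50.188.1434: UDP, length 376
1700000000.000004 IP 203.0.113.7 > 216.209.50.188: ICMP echo request, id 1, seq 1, length 64
1700000000.000005 IP 216.209.50.188.22 > 203.0.113.50.40000: tcp 0
this line is not tcpdump output
""".splitlines()

if __name__ == "__main__":
    for key, count in summarize(SAMPLE, "216.209.50.188").most_common():
        print(count, key)
```

Feed it real data with `tcpdump -i tun0 -ttnq ... | python3 this_script.py` after replacing SAMPLE with `sys.stdin`; the `-tt` epoch timestamps match the sample format.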
What if I am interested in what my firewall is actually sending out onto the
internet? I can remove some known good outgoing traffic and observe the rest
(which ideally should not exist):
# tcpdump -i tun0 -nq \
    and not port '(20 or 21 or 25 or 53 or 80 or 110 or 119 or 123 or 443)' \
    and not icmp \