tcpdump filters for data collection

Discussion in 'Cisco' started by Neil Jones, Dec 3, 2008.

  1. Neil Jones

    Neil Jones Guest

    I want to collect data on a network and map the data flow and
    system/port traffic. There are 2 scenarios of data collection here. The
    first is to collect IP traffic only. In this method I do not want the
    data portion of the IP packet (need IP address, source/destination ports,
    etc.).

    The second is to collect traffic that will show all the routing
    protocols (non-IP) used on this network. Today while collecting the
    data, I saw several HSRP packets. I don't know what portion of the
    packet is sufficient to capture for this purpose.

    I used the "-s 0" option on tcpdump which captures the whole packet.
    That is making the dump file large. Any help with the filters is
    appreciated to capture the non-data portion of the packets.

    Thank you in advance.

    NJ
    Neil Jones, Dec 3, 2008
    #1

  2. Cork Soaker

    Cork Soaker Guest

    Neil Jones wrote:
    > I want to collect data on a network and map the data flow and
    > system/port traffic. There are 2 scenarios of data collection here. The
    > first is to collect IP traffic only. In this method I do not want the
    > data portion of the IP packet (need IP address, source/destination ports,
    > etc.).
    >
    > The second is to collect traffic that will show all the routing
    > protocols (non-IP) used on this network. Today while collecting the
    > data, I saw several HSRP packets. I don't know what portion of the
    > packet is sufficient to capture for this purpose.
    >
    > I used the "-s 0" option on tcpdump which captures the whole packet.
    > That is making the dump file large. Any help with the filters is
    > appreciated to capture the non-data portion of the packets.
    >
    > Thank you in advance.
    >
    > NJ



    Have you tried -s xx where xx is header size (or at least the size
    required to snaffle the data you want)?

    -s 0 is clearly the opposite of what you want.
    Cork Soaker, Dec 3, 2008
    #2

  3. Peter Van Epp

    Neil Jones <> writes:

    >I want to collect data on a network and map the data flow and
    >system/port traffic. There are 2 scenarios of data collection here. The
    >first is to collect IP traffic only. In this method I do not want the
    >data portion of the IP packet (need IP address, source/destination ports,
    >etc.).

    <snip>

    You might want to have a look at argus (http://www.qosient.com/argus)
    which collects flow data and has clients for manipulating it.

    Peter Van Epp / Operations and Technical Support
    Simon Fraser University, Burnaby, B.C. Canada
    Peter Van Epp, Dec 3, 2008
    #3
  4. alexd

    alexd Guest

    Neil Jones wrote:

    > I want to collect data on a network and map the data flow and
    > system/port traffic. There are 2 scenarios of data collection here. The
    > first is to collect IP traffic only. In this method I do not want the
    > data portion of the IP packet (need IP address, source/destination ports
    > etc).


    You could possibly export NetFlow from your Cisco. This wouldn't include the
    content of the packets, just the data about the network flows [i.e. sockets].
    Not sure if that would include HSRP. In what way do you want to map your
    network?

    > The second is to collect traffic that will show all the routing
    > protocols (non-IP) used on this network. Today while collecting the
    > data, I saw several HSRP packets.


    If you specify what protocols you're interested in and don't capture
    everything going across the interface, that will greatly reduce the size of
    the capture file, eg:

    # tcpdump -i ethN vrrp

    will capture only VRRP packets [it may capture HSRP as they're similar but
    incompatible]. Or possibly even 'not ip' would suffice. 'man tcpdump' will
    explain more. HSRP is not a routing protocol by the way.

    > I don't know what portion of the
    > packet is sufficient to capture for this purpose.
    > I used the "-s 0" option on tcpdump which captures the whole packet.


    I would have thought it would be a matter of trial and error; start off at,
    say, 100 bytes, review the dump in Wireshark and keep increasing the
    capture size until it says it's not truncating packets any more [the ones
    you're interested in, anyway].

    --
    <http://ale.cx/> (AIM:troffasky) ()
    19:35:06 up 17 min, 1 user, load average: 0.06, 0.14, 0.15
    They call me titless because I have no tits
    alexd, Dec 3, 2008
    #4
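An added worked example for the sizing advice in Cork Soaker's and alexd's replies (this is not code from the thread or from any of the posters). It computes a worst-case header-only snaplen for Ethernet/IPv4, builds the tcpdump argv for the two collection scenarios, and reads a libpcap file back to report whether any record was cut before the end of its TCP/UDP header, which is the truncation that matters for scenario 1; losing payload is the intent. It goes one step past alexd's trial-and-error loop by checking the header boundary per packet rather than relying on Wireshark's truncation flag. The pcap it inspects is constructed inline: the "HSRP" record is just a UDP/1985 datagram with a zeroed 20-byte payload, not a real hello, and the addresses are dummies. One caveat worth stating for scenario 2: HSRP is carried in UDP port 1985 over IPv4, so a filter of `not ip` would exclude it and `vrrp` (IP protocol 112) would not match it; the filter below names it explicitly.

```python
"""Size a header-only tcpdump capture and verify the result.

Added example for this thread, not code from any of the posters.  The pcap it
inspects is constructed inline; the packet contents are dummies.
"""
import struct

# Worst-case header sizes used for sizing (assumes Ethernet + IPv4).
ETHERNET_HDR = 14
DOT1Q_TAG = 4
IPV4_HDR_MAX = 60   # 20 bytes plus up to 40 bytes of options
TCP_HDR_MAX = 60    # 20 bytes plus up to 40 bytes of options

# BPF filters for the two scenarios.  HSRP is UDP port 1985 over IPv4, so
# 'not ip' would drop it and 'vrrp' (IP protocol 112) would not match it.
FILTERS = {
    "ip_headers_only": "ip",
    "control_plane": "udp port 1985 or vrrp",
}


def header_snaplen(vlan_tagged=False):
    """Smallest -s value that keeps L2+IPv4+TCP headers intact in the worst case."""
    return ETHERNET_HDR + (DOT1Q_TAG if vlan_tagged else 0) + IPV4_HDR_MAX + TCP_HDR_MAX


def tcpdump_cmd(interface, outfile, scenario, snaplen):
    """argv for tcpdump: no name resolution, fixed snaplen, raw pcap to a file."""
    return ["tcpdump", "-i", interface, "-n", "-s", str(snaplen),
            "-w", outfile, FILTERS[scenario]]


def l4_header_end(pkt):
    """Offset where the Ethernet/802.1Q + IPv4 + TCP/UDP headers end, or None
    if the captured bytes stop before the fields needed to work that out."""
    if len(pkt) < 14:
        return None
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    off = 14
    if ethertype == 0x8100:             # VLAN tag: real ethertype is 4 bytes later
        if len(pkt) < 18:
            return None
        ethertype = struct.unpack("!H", pkt[16:18])[0]
        off = 18
    if ethertype != 0x0800:
        return off                      # non-IPv4: only the link header counts
    if len(pkt) < off + 20:
        return None
    ihl = (pkt[off] & 0x0F) * 4
    proto = pkt[off + 9]
    off += ihl
    if proto == 6:                      # TCP: data offset is the high nibble of byte 12
        if len(pkt) < off + 13:
            return None
        return off + (pkt[off + 12] >> 4) * 4
    if proto == 17:                     # UDP: fixed 8-byte header
        return off + 8
    return off                          # other IP protocols: through the IP header


def parse_pcap(data):
    """Return (snaplen, linktype, [(incl_len, orig_len, bytes), ...]) from a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("file ends inside a packet record")
        records.append((incl_len, orig_len, pkt))
        off += 16 + incl_len
    return snaplen, linktype, records


def capture_report(data):
    """Count records whose headers were cut (snaplen too small) versus records
    that only lost payload (the intent of a header-only capture)."""
    snaplen, _, records = parse_pcap(data)
    headers_cut = payload_cut = needed = 0
    for incl_len, orig_len, pkt in records:
        end = l4_header_end(pkt)
        if end is None or end > incl_len:
            headers_cut += 1
            continue
        needed = max(needed, end)
        if incl_len < orig_len:
            payload_cut += 1
    return {"snaplen": snaplen, "packets": len(records), "headers_cut": headers_cut,
            "payload_cut": payload_cut, "needed_snaplen": needed}


def build_pcap(frames, snaplen):
    """Little-endian libpcap file (linktype 1 = Ethernet); each frame is cut to
    snaplen exactly as tcpdump -s does, with orig_len recording the full size."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 1228300000 + i, 0, len(cap), len(frame)) + cap
    return out


def ipv4_frame(proto, l4_header, payload):
    """Constructed Ethernet/IPv4 frame, dummy addresses, zero checksums."""
    total = 20 + len(l4_header) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\x00\x00\x5e\x00\x01\x01" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    return eth + ip + l4_header + payload


def sample_frames():
    """Two constructed frames: a 62-byte UDP/1985 datagram standing in for an
    HSRP hello (zero payload) and a 1466-byte TCP segment with 12 bytes of options."""
    hsrp = ipv4_frame(17, struct.pack("!HHHH", 1985, 1985, 8 + 20, 0), b"\x00" * 20)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 8 << 4, 0x18, 65535, 0, 0)
    tcp = ipv4_frame(6, tcp_hdr + b"\x01" * 12, b"A" * 1400)
    return [hsrp, tcp]


if __name__ == "__main__":
    for s in (header_snaplen(), 40):
        print(s, tcpdump_cmd("eth0", "hdr.pcap", "ip_headers_only", s))
        print(capture_report(build_pcap(sample_frames(), s)))
```

With the constructed frames, a snaplen of 96 (or the worst-case 134) reports `headers_cut: 0, payload_cut: 1, needed_snaplen: 66`: the TCP segment lost its payload, as intended, but every header field survived. A snaplen of 40 reports both records as `headers_cut`, which is the failure mode to watch for when shrinking `-s`. On a real capture, feed the output of `tcpdump -w` to `capture_report` and raise `-s` until `headers_cut` is zero; on a trunk port pass `vlan_tagged=True` to `header_snaplen` so the 802.1Q tag is budgeted for.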
