tcpdump filters for data collection

Discussion in 'Cisco' started by Neil Jones, Dec 3, 2008.

  1. Neil Jones

    Neil Jones Guest

    I want to collect data on a network and map the data flow and
    system/port traffic. There are 2 scenarios of data collection here. The
    first is to collect IP traffic only. In this method I do not want the
    data portion of the IP packet (need IP address, source/destination ports

    The second is to collect traffic that will show all the routing
    protocols (non-IP) used on this network. Today while collecting the
    data, I saw several HSRP packets. I don't know what portion of the
    packet is sufficient to capture for this purpose.

    I used the "-s 0" option on tcpdump which captures the whole packet.
    That is making the dump file large. Any help with the filters is
    appreciated to capture the non-data portion of the packets.

    Thank you in advance.

    Neil Jones, Dec 3, 2008
    1. Advertisements

  2. Neil Jones

    Cork Soaker Guest

    Have you tried -s xx where xx is header size (or at least the size
    required to snaffle the data you want)?

    -s 0 is clearly the opposite of what you want.
    Cork Soaker, Dec 3, 2008
    1. Advertisements

  3. <snip>

    You might want to have a look at argus (
    which collects flow data and has clients for manipulating it.

    Peter Van Epp / Operations and Technical Support
    Simon Fraser University, Burnaby, B.C. Canada
    Peter Van Epp, Dec 3, 2008
  4. Neil Jones

    alexd Guest

    You could possibly export netflow from your Cisco. This wouldn't include the
    content of the packets, just the data about the network flows [ie sockets].
    Not sure if that would include HSRP. In what way do you want to map your
    If you specify what protocols you're interested in and don't capture
    everything going across the interface, that will greatly reduce the size of
    the capture file, eg:

    # tcpdump -i ethN vrrp

    will capture only VRRP packets [it may capture HSRP as they're similar but
    incompatible]. Or possibly even 'not ip' would suffice. 'man tcpdump' will
    explain more. HSRP is not a routing protocol by the way.
    I would have thought it would be a matter of trial and error; Start off at
    say, 100 bytes, review the dump in Wireshark and keep increasing the
    capture size until it says it's not truncating packets any more [the ones
    you're interested in, anyway].
    alexd, Dec 3, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.