tcpdump filters for data collection

I want to collect data on a network and map the data flow and system/port traffic. There are 2 scenarios of data collection here. The first is to collect IP traffic only. In this method I do not want the data portion of the IP packet (I need the IP addresses, source/destination ports, etc.).

The second is to collect traffic that will show all the routing protocols (non-IP) used on this network. Today while collecting the data, I saw several HSRP packets. I don't know what portion of the packet is sufficient to capture for this purpose.

I used the "-s 0" option on tcpdump which captures the whole packet. That is making the dump file large. Any help with the filters is appreciated to capture the non-data portion of the packets.

Thank you in advance.

NJ

Reply to
Neil Jones

Have you tried -s xx where xx is header size (or at least the size required to snaffle the data you want)?

-s 0 is clearly the opposite of what you want.

Reply to
Cork Soaker

You might want to have a look at argus. It collects flow data and has clients for manipulating it.

Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada

Reply to
Peter Van Epp

In general - I capture to a file, and then process the results after. I filter when capturing only if necessary.

That way, things that might slow down the processing (DNS) won't affect the data capture.

The argument "ip" will only capture IP traffic (and TCP/UDP, but not broadcast, etc.)

tcpdump -w file.tcpdump ip

You can use '-s #' and make sure # is small enough to just capture the header. The default (without -s at all) is usually sufficient. But unless there's a privacy issue, it's just a matter of ignoring the information you don't want to see.

Are you running two different captures?

Capturing (1) all IP and (2) all non-IP essentially says you are capturing everything.

Looking at the source (in print-udp.c) shows:

    else if (dport == HSRP_PORT)
        hsrp_print((const u_char *)(up + 1), length);

where

    #define HSRP_PORT 1985

so you can use the filter tcpdump .... udp and port 1985

Reply to
Maxwell Lol
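The following is an added example, not code from the thread or from tcpdump. It builds three constructed Ethernet frames (a TCP segment to port 80, an HSRP hello to 224.0.0.2 udp/1985, and an ARP request), classifies each the way the filters discussed above would ("ip", "udp and port 1985", "not ip"), reports how many leading bytes hold all the headers (the smallest -s that would keep them for that frame), and writes a pcap truncated to a chosen snaplen the way tcpdump -s does. The MAC addresses, IP addresses and HSRP field values are made up for the demo; the 138-byte worst case is 14 (Ethernet) + 4 (802.1Q tag) + 60 (largest IPv4 header) + 60 (largest TCP header). Two caveats the example makes visible: HSRP is carried in IPv4/UDP, so the "ip" filter already captures it and "not ip" does not; and decoding the HSRP state fields needs the 20-byte body after the UDP header, so a header-only snaplen truncates exactly the part the second scenario wants.

```python
"""Header-only snaplen and BPF-style classification demo (constructed frames)."""
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
HSRP_PORT = 1985  # same constant tcpdump's print-udp.c uses for hsrp_print()
# Worst case for "just the headers": Ethernet + 802.1Q tag + max IPv4 + max TCP
MAX_HEADER_SNAPLEN = 14 + 4 + 60 + 60  # 138

# Made-up addresses for the demo frames
MAC_HOST = bytes.fromhex("001122334455")
MAC_SERVER = bytes.fromhex("66778899aabb")
MAC_HSRP = bytes.fromhex("01005e000002")  # multicast MAC for 224.0.0.2


def build_eth(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_ipv4(src, dst, proto, payload, ttl=64):
    # 20-byte header, no options; checksum left at 0 (demo, never sent)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload


def build_tcp(sport, dport, data):
    # 20-byte header (data offset 5), flags PSH|ACK, checksum 0 (demo)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def sample_frames():
    """Three constructed frames: TCP/80, HSRPv1 hello (20-byte body), ARP request."""
    http = build_eth(MAC_SERVER, MAC_HOST, ETHERTYPE_IPV4, build_ipv4(
        "10.0.0.5", "10.0.0.80", PROTO_TCP, build_tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n")))
    # HSRPv1 body: version, opcode(hello), state(active=16), hellotime, holdtime,
    # priority, group, reserved, 8-byte auth, virtual IP -- all made-up values
    hsrp_body = struct.pack("!BBBBBBBB8s4s", 0, 0, 16, 3, 10, 100, 1, 0,
                            b"cisco", bytes([10, 0, 0, 254]))
    hsrp = build_eth(MAC_HSRP, MAC_HOST, ETHERTYPE_IPV4, build_ipv4(
        "10.0.0.1", "224.0.0.2", PROTO_UDP, build_udp(HSRP_PORT, HSRP_PORT, hsrp_body)))
    arp_body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + MAC_HOST
                + bytes([10, 0, 0, 5]) + b"\x00" * 6 + bytes([10, 0, 0, 1]))
    arp = build_eth(b"\xff" * 6, MAC_HOST, ETHERTYPE_ARP, arp_body)
    return [http, hsrp, arp]


def describe(frame):
    """Return (filter_class, header_bytes).

    filter_class: 'hsrp' if 'udp and port 1985' matches, else 'ip' if 'ip'
    matches, else 'non-ip' (what 'not ip' would keep: ARP, STP, CDP, ...).
    header_bytes: offset where the last protocol header ends, i.e. the smallest
    tcpdump -s value that keeps every header of this particular frame.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return "non-ip", ETH_LEN
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    l4 = ETH_LEN + ihl
    if proto == PROTO_UDP:
        _sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return ("hsrp" if dport == HSRP_PORT else "ip"), l4 + 8
    if proto == PROTO_TCP:
        return "ip", l4 + ((frame[l4 + 12] >> 4) & 0x0F) * 4
    return "ip", l4  # other IP protocol: keep the IP header only


def build_pcap(frames, snaplen):
    """Classic pcap bytes (linktype 1 = Ethernet), each frame cut to snaplen
    like tcpdump -s; the record keeps the original wire length for reference."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, fr in enumerate(frames):
        cap = fr[:snaplen]
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(cap), len(fr)) + cap
    return out


if __name__ == "__main__":
    frames = sample_frames()
    for fr in frames:
        cls, hdr = describe(fr)
        print(f"{cls:7s} headers end at byte {hdr:3d}, wire length {len(fr)}")
    with open("demo.pcap", "wb") as f:
        f.write(build_pcap(frames, 54))  # truncates the HSRP body and the HTTP data
```

Run it, then `tcpdump -nn -r demo.pcap 'udp and port 1985'` shows the HSRP frame with its body cut off, which is why scenario 2 needs a larger -s than scenario 1. For the two captures the thread discusses, a header-only IP capture is `tcpdump -i eth0 -s 138 -w ip-headers.pcap ip`, and the control-plane capture that keeps the HSRP body is `tcpdump -i eth0 -s 0 -w control.pcap 'not ip or (udp and port 1985)'` (add `and not ip6` to the `not ip` clause if IPv6 is present and unwanted). Interface name and file names are placeholders.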
