tcpdump b0rked
Mac Elite
Join Date: Apr 2002
Location: Here and there
Hey guys, I have a serious problem: tcpdump is not working the way it should. When I open Terminal and run tcpdump with no expression as root, it works just fine.
When I use the -w parameter to have the results written into a file, there is no way to read the file. If I do a "less sniff.txt" I get the message that "sniff.txt" might be a binary file. If I choose to have it displayed anyway, all I see are weird characters and stuff, nothing that makes sense. Same with TextEdit and vi.
The next problem is that starting tcpdump with the "port 6667" expression does not do anything at all. Even though a simple "tcpdump" reports tons of activity on port 6667 (I'm on IRC), "tcpdump port 6667" reports nothing. And again, the -w parameter to have it written into a file does nothing but produce a 24-byte-long file I cannot read.
So what is wrong with tcpdump? I've asked some other people on the MacNN IRC and they don't seem to have this problem. I've tried MacSniffer, the GUI frontend for tcpdump, and it's not working either. Same problems. Any ideas? Anybody?
"Life is not a journey to the grave with the intention of arriving safely in one
pretty and well preserved piece, but to skid across the line broadside,
thoroughly used up, worn out, leaking oil, shouting GERONIMO!"
Mac Elite
Join Date: May 1999
Location: San Jose, CA
First, when using the -w option, tcpdump records more information than just the packet data - it includes timestamps and other associated data.
Consequently the file format is not designed to be read directly (e.g. via more/less/vi, etc.).
Instead you use the -r switch to read the file back in and have tcpdump parse the data, e.g.:
tcpdump -w /var/tmp/tcpdump.out
will dump the data to /var/tmp/tcpdump.out
Later, you can run:
tcpdump -r /var/tmp/tcpdump.out
and have tcpdump process the file as if that were the traffic coming across your network.
The advantage of this is you can replay it as many times as you like using different display/formatting options.
Secondly, you might want to be specific as to what interface to use, using the -i switch:
tcpdump -i en1 port 6667
should capture all port 6667 traffic on the AirPort (en1) interface. Typically tcpdump will select the lowest-numbered interface when run, although I'm not sure why this would change when run with and without a specific port. Worth a try, though.
Gods don't kill people - people with Gods kill people.
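The 24-byte file in the first post and the -w/-r explanation in the reply above are both consequences of the libpcap file layout that tcpdump -w writes: a 24-byte global header (magic number, version, snaplen, link type), then for each packet a 16-byte record header (timestamp seconds and microseconds, captured length, original length) followed by the raw link-layer frame. A file that is exactly 24 bytes long is therefore a valid capture containing zero packets, which is exactly what the poster's filtered run produced. The following is an added example, not code from the thread or from tcpdump itself: a small Python reader that parses that format and applies the equivalent of a "tcp port 6667" filter offline. The capture bytes, MAC and IP addresses, port numbers and timestamps are all constructed for the example.

```python
"""Reader for the classic libpcap file format that `tcpdump -w` produces.

Added example, not code from the original thread. It relies only on the
published libpcap layout (24-byte global header, 16-byte record headers,
raw frames). All sample bytes below are constructed, not captured traffic.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution captures; byte order reveals endianness
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def parse_global_header(data):
    """Return (struct byte-order prefix, snaplen, linktype) or raise ValueError."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header; not a capture file")
    for order in ("<", ">"):
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic == PCAP_MAGIC:
            # fields: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
            _, _, _, _, _, snaplen, linktype = struct.unpack(
                order + "IHHiIII", data[:GLOBAL_HEADER_LEN])
            return order, snaplen, linktype
    raise ValueError("bad magic number; not a libpcap capture file")


def iter_records(data):
    """Yield (ts_sec, ts_usec, linktype, frame) for every packet record in the file."""
    order, _, linktype = parse_global_header(data)
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, linktype, frame


def count_records(data):
    """Number of packets in the capture; 0 for a header-only 24-byte file."""
    return sum(1 for _ in iter_records(data))


def tcp_ports(frame):
    """(src_port, dst_port) of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    return struct.unpack("!HH", ip[ihl:ihl + 4])


def match_port(data, port):
    """The `tcp port N` filter applied offline: records with N as either TCP port."""
    hits = []
    for ts_sec, _, linktype, frame in iter_records(data):
        if linktype != LINKTYPE_ETHERNET:
            continue
        ports = tcp_ports(frame)
        if ports and port in ports:
            hits.append((ts_sec, ports[0], ports[1]))
    return hits


# --- constructed sample data (hypothetical addresses and ports, not real traffic) ---

def tcp_frame(sport, dport):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero (fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1])) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip


def build_pcap(frames, order="<"):
    """Write a libpcap file image in the given byte order (what tcpdump -w would emit)."""
    out = [struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(order + "IIII", 1041379200 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


EMPTY_CAPTURE = build_pcap([])            # exactly 24 bytes: global header, no packets
SAMPLE_CAPTURE = build_pcap([
    tcp_frame(51000, 6667),               # client -> IRC server
    tcp_frame(6667, 51000),               # IRC server -> client
    tcp_frame(51001, 80),                 # unrelated web traffic
])

if __name__ == "__main__":
    print("empty file: %d bytes, %d packets" % (len(EMPTY_CAPTURE), count_records(EMPTY_CAPTURE)))
    print("sample file: %d packets" % count_records(SAMPLE_CAPTURE))
    for ts, sport, dport in match_port(SAMPLE_CAPTURE, 6667):
        print("ts=%d %d -> %d" % (ts, sport, dport))
```

To run this on a real capture, open the file from tcpdump -w in binary mode and pass its bytes to count_records or match_port; a result of 0 packets on a 24-byte file means the capture ran but the filter never matched, which is the symptom described in the thread, not a corrupt file. The byte-order check matters in practice: captures written on a big-endian machine of that era and read on a little-endian one have the magic bytes reversed, and a reader that assumes one order will misparse every length field.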
Mac Elite
Join Date: Apr 2002
Location: Here and there
The interface is en0 (DSL) and it makes no difference whether I run it with -i en0 or without it.
And thanks for the file thing, at least that's working. However, it's still not sniffing anything when I want to sniff e.g. port 6667 or port 80 and then surf the web for a few minutes... absolutely nothing.
Junior Member
Join Date: Jan 2003
Did you try specifying tcp?
tcpdump -ni en0 tcp port 6667
Mac Elite
Join Date: Apr 2002
Location: Here and there
Did that too, no go. I found something out, though: after I restarted the computer, it's been working for around 30 minutes.