From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 5 16:53:29 2009
Date: Mon, 5 Jan 2009 18:53:24 +0200
From: KES <kes-kes@yandex.ru>
X-Mailer: The Bat! (v4.0.24) Professional
Organization: SaftTen
Message-ID: <1873024003.20090105185324@yandex.ru>
To: "matt donovan"
Cc: hackers@freebsd.org, Eugene Grosbein
In-Reply-To: <28283d910901041223x7210db5lcf8df9ef5f1da56b@mail.gmail.com>
References: <179479624.20090104160500@yandex.ru> <20090104155638.GA76773@svzserv.kemerovo.su> <28283d910901041223x7210db5lcf8df9ef5f1da56b@mail.gmail.com>
Subject: Re[2]: tcpdump filter for out/in traffic
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

Hello, matt.

You wrote on 4 January 2009, 22:23:16:

> On Sun, Jan 4, 2009 at 10:56 AM, Eugene Grosbein <eugen@kuzbass.ru> wrote:
>
>> On Sun, Jan 04, 2009 at 04:05:00PM +0200, KES wrote:
>>
>>> It would be very useful to have options for tcpdump to monitor
>>> incoming or outgoing traffic regardless of src/dst IPs or ports or protocol.
>>>
>>> For example:
>>>
>>> kes# tcpdump -n -i rl4 out
>>> EXPECTED: show traffic outgoing on rl4
>>> ACTUAL: tcpdump: syntax error
>>>
>>> kes# tcpdump -n -i rl4 in
>>> EXPECTED: show traffic incoming on rl4
>>> ACTUAL: tcpdump: syntax error
>>
>> Hi!
>>
>> I use the following trick for that:
>>
>> tcpdump -n -p -i rl4 ether src me-rl4       # for outgoing
>> tcpdump -n -p -i tl4 not ether src me-rl4   # for incoming
>>
>> And add the MAC address of rl4 to /etc/ethers with the name 'me-rl4',
>> or just 'me' if you need not watch other interfaces this way.
>>
>> Eugene Grosbein
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
> You don't even need an option; you just have to filter the traffic
> correctly using tcpdump, which Eugene already pointed out.

> tcpdump -n -p -i rl4 ether src me-rl4       # for outgoing
> tcpdump -n -p -i tl4 not ether src me-rl4   # for incoming

That will not help. I can not add ether because this is a PPPoE interface.
I can not use 'me' because I need to view traffic going through; it is not
originated from 'me'.

For example, I have mpd5. I set up a PPPoE connection with my ISP (ng0).
I have a VPN server for LAN users; it is also mpd5 (ng1 ng2 ng3 .... etc).
I do NAT with MPD, so when I do

  tcpdump -n -i ng0

I get:

  18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080
  18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535
  18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680
  18:52:11.787732 IP 81.19.80.166.80 > 192.168.4.5.2839: . 13150:14510(1360) ack 0 win 65535
  18:52:11.789122 IP 192.168.5.15.2903 > 89.178.118.23.16562: . 13601:14961(1360) ack 0 win 16659
  18:52:11.790065 IP 192.168.5.15.1386 > 78.106.215.39.18155: . ack 18981 win 17680
  18:52:11.791181 IP 192.168.5.15.1311 > 79.174.64.193.80: . ack 5441 win 17680
  18:52:11.791889 IP 81.19.80.166.80 > 192.168.4.5.2839: . 14510:15870(1360) ack 0 win 65535
  18:52:11.792176 IP 192.168.5.15.4969 > 87.241.174.129.41954: . ack 18 win 16635
  18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win 65535

So 'in/out' options will help.

-- 
Regards,
 KES                          mailto:kes-kes@yandex.ru
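The thread's problem is that Eugene's `ether src me-rl4` trick needs an Ethernet header, which a PPPoE/netgraph link like ng0 does not present to BPF, and `me`-style host filters fail because the tap sees LAN addresses before NAT rewrites them. The following POSIX sh script is an added example, not code from anyone in the thread. It assumes that everything "behind" ng0 lives in a known list of LAN prefixes (here the three 192.168.x.0/24 networks visible in KES's capture), and builds the layer-3 equivalent of Eugene's filter: packets whose IP source is inside those prefixes are outgoing, everything else is incoming. It also includes an awk classifier that applies the same rule to already-captured `tcpdump -n` text, so the prefix list can be checked offline against a saved trace before it is trusted on a live interface. (Later tcpdump releases also grew `-Q in|out`, backed by pcap_setdirection, on platforms whose capture mechanism records direction; that is outside this 2009 thread and not assumed here.)

```shell
#!/bin/sh
# Added example: direction filtering on a PPP/netgraph interface by LAN prefix.
# Not from the thread; LOCAL_NETS is an assumption taken from the addresses
# visible in KES's capture.

LOCAL_NETS="192.168.4.0/24 192.168.5.0/24 192.168.8.0/24"

# direction_filter in|out NET...: print a BPF expression selecting packets
# whose IP source is inside (out) or outside (in) the listed networks.
# Usage on the live link:  tcpdump -n -i ng0 "$(direction_filter out $LOCAL_NETS)"
direction_filter() {
    dir=$1; shift
    [ $# -gt 0 ] || { echo "usage: direction_filter in|out net..." >&2; return 1; }
    expr=""
    for net in "$@"; do
        if [ -z "$expr" ]; then expr="src net $net"; else expr="$expr or src net $net"; fi
    done
    case $dir in
        out) printf 'ip and (%s)\n' "$expr" ;;
        in)  printf 'ip and not (%s)\n' "$expr" ;;
        *)   echo "usage: direction_filter in|out net..." >&2; return 1 ;;
    esac
}

# classify_lines NET... < tcpdump-text: tag each "IP src.port > dst.port" line
# with OUT or IN using the same prefix rule, for checking the rule offline.
# Prefix membership is computed in awk without bitwise operators: two
# addresses share a /N prefix when int(addr / 2^(32-N)) is equal for both.
classify_lines() {
    awk -v nets="$*" '
    function ip2int(s,  o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        n = split(nets, list, " ")
        for (i = 1; i <= n; i++) {
            split(list[i], p, "/")
            base[i] = ip2int(p[1])
            div[i]  = 2 ^ (32 - p[2])
        }
    }
    $2 == "IP" {
        src = $3
        sub(/\.[^.]*$/, "", src)           # drop the trailing ".port"
        v = ip2int(src); dir = "IN"
        for (i = 1; i <= n; i++)
            if (int(v / div[i]) == int(base[i] / div[i])) { dir = "OUT"; break }
        print dir, $0
    }'
}

# Sample input: the capture lines KES posted for ng0 (taken from the thread).
SAMPLE='18:52:11.781281 IP 192.168.5.11.2348 > 95.57.143.109.64350: P 1853247053:1853247057(4) ack 1650009540 win 17080
18:52:11.783777 IP 81.19.80.166.80 > 192.168.4.5.2839: . 11790:13150(1360) ack 0 win 65535
18:52:11.784218 IP 192.168.4.9.3298 > 82.144.223.61.80: . ack 21761 win 17680
18:52:11.787732 IP 81.19.80.166.80 > 192.168.4.5.2839: . 13150:14510(1360) ack 0 win 65535
18:52:11.789122 IP 192.168.5.15.2903 > 89.178.118.23.16562: . 13601:14961(1360) ack 0 win 16659
18:52:11.790065 IP 192.168.5.15.1386 > 78.106.215.39.18155: . ack 18981 win 17680
18:52:11.791181 IP 192.168.5.15.1311 > 79.174.64.193.80: . ack 5441 win 17680
18:52:11.791889 IP 81.19.80.166.80 > 192.168.4.5.2839: . 14510:15870(1360) ack 0 win 65535
18:52:11.792176 IP 192.168.5.15.4969 > 87.241.174.129.41954: . ack 18 win 16635
18:52:11.792200 IP 192.168.8.13.1616 > 217.20.174.228.80: . ack 1361 win 65535'

echo "outgoing filter: $(direction_filter out $LOCAL_NETS)"
echo "incoming filter: $(direction_filter in  $LOCAL_NETS)"
printf '%s\n' "$SAMPLE" | classify_lines $LOCAL_NETS
```

The prefix list is the whole trust assumption: a host that is not in LOCAL_NETS but sits behind ng0 would be misclassified as incoming, so compare the OUT/IN counts from the offline classifier against what you expect from the routing table before relying on the live filter. If NAT rewrites sources before BPF sees them on some other setup, the list would instead hold the link's own public address, which is exactly the `me` case Eugene described.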