Date: Thu, 15 Apr 2010 22:06:57 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Gary Gatten <Ggatten@waddell.com>
Cc: "'yavuz.maslak@netiletisim.net'" <yavuz.maslak@netiletisim.net>, "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: Re: about tcpdump
Message-ID: <4BC77FF1.3040100@infracaninophile.co.uk>
In-Reply-To: <D9B37353831173459FDAA836D3B434994A6F47BB@WADPMBXV0.waddell.com>
References: <D9B37353831173459FDAA836D3B434994A6F47BB@WADPMBXV0.waddell.com>
On 15/04/2010 21:46:03, Gary Gatten wrote:
> I think by default it does only log "session" info, not the full packet. For that you'd need to add -vvv and set the packet length to zero to capture the full packet.
>
> So, just run it without any args and you should be ok.
>
> ----- Original Message -----
> From: owner-freebsd-questions@freebsd.org <owner-freebsd-questions@freebsd.org>
> To: freebsd-questions@freebsd.org <freebsd-questions@freebsd.org>
> Sent: Thu Apr 15 15:37:09 2010
> Subject: about tcpdump
>
> I have a network. I wish to log all incoming and outgoing traffic using
> tcpdump on my gateway server. But I don't want to log the traffic's data,
> because it takes up much space on disk.
> I only want to log which ports were used and which IP addresses were reached.
> How can I do this using tcpdump?
> Could you give me an example or docs?
> I use FreeBSD 7.2

Nope -- when you use tcpdump to capture packets it defaults to capturing just the first 68 bytes of each packet -- that's just enough to get all the packet headers (i.e. ethernet addresses, IP numbers, port numbers, tcp options, etc.) for a tcp packet, plus quite a lot of protocol-specific packet headers for other types [assuming IPv4 -- you'll need to capture a bit more for IPv6 because the addresses are longer].

Simply doing:

    # tcpdump -i em0 -w /tmp/capture.pcap

is actually pretty space efficient. Even so, on any reasonably busy server that's going to add up to megabytes per minute. If that's too much then try an application like pftop(1) or ntop(1) which can categorize and summarize traffic on the fly.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
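Added illustration, not part of the thread: a small Python script that writes a pcap record the way tcpdump -w does with the 68-byte snaplen Matthew describes, then reads back only the addresses and ports the original poster asked for. All frames and addresses are constructed (RFC 5737 documentation ranges); the snaplen constant is the thread's figure, not a value read from any tcpdump build.

```python
import socket
import struct

# Constructed example: a libpcap writer/reader pair that shows what a 68-byte
# snapshot keeps (Ethernet, IPv4 and TCP headers) and what it drops (payload).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 68        # the default the thread attributes to tcpdump of that era


def build_frame(src, dst, sport, dport, payload_len):
    """Ethernet + IPv4 + TCP (no options) + dummy payload; constructed data."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + payload_len,
                     1, 0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames, snaplen=DEFAULT_SNAPLEN):
    """Write a pcap file; each record stores caplen (kept) and wirelen (original)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for frame in frames:
        captured = frame[:snaplen]              # this is all that reaches the disk
        out += struct.pack("<IIII", 0, 0, len(captured), len(frame)) + captured
    return out


def summarize(pcap):
    """Return (src, dst, sport, dport, caplen, wirelen) for each IPv4/TCP record."""
    rows, off = [], 24
    while off + 16 <= len(pcap):
        caplen, wirelen = struct.unpack_from("<II", pcap, off + 8)
        rec = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(rec) < 34 or rec[12:14] != b"\x08\x00" or rec[23] != 6:
            continue                            # not IPv4/TCP, or too short
        tcp_off = 14 + (rec[14] & 0x0F) * 4     # Ethernet header + IHL
        if len(rec) < tcp_off + 4:
            continue                            # ports cut off by the snaplen
        sport, dport = struct.unpack_from("!HH", rec, tcp_off)
        rows.append((socket.inet_ntoa(rec[26:30]), socket.inet_ntoa(rec[30:34]),
                     sport, dport, caplen, wirelen))
    return rows


if __name__ == "__main__":
    # 500-byte payload on the wire; only 68 bytes per frame are stored
    cap = build_pcap([build_frame("192.0.2.1", "198.51.100.7", 40000, 443, 500)])
    for s, d, sp, dp, kept, wire in summarize(cap):
        print("%s:%d -> %s:%d  stored %d of %d bytes" % (s, sp, d, dp, kept, wire))
```

Each record costs 16 bytes of pcap header plus the captured length, so with this snaplen a capture grows by at most 84 bytes per frame regardless of payload size.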