From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Thu, 15 Apr 2010 22:06:57 +0100
To: Gary Gatten
Cc: yavuz.maslak@netiletisim.net, freebsd-questions@freebsd.org
Subject: Re: about tcpdump
Message-ID: <4BC77FF1.3040100@infracaninophile.co.uk>
List-Id: User questions (freebsd-questions@freebsd.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15/04/2010 21:46:03, Gary Gatten wrote:
> I think by default it does only log "session" info not the full packet.
> For that you'd need to add -vvv and set the packet length to zero to
> capture the full packet.
>
> So, just run it without any args and you should be ok.
>
> ----- Original Message -----
> From: owner-freebsd-questions@freebsd.org
> To: freebsd-questions@freebsd.org
> Sent: Thu Apr 15 15:37:09 2010
> Subject: about tcpdump
>
> I have a network. I wish to log all incoming and outgoing traffic using
> tcpdump on my gateway server. But I don't want to log this traffic's data
> because it takes up much space on disk.
> I only want to log which ports were used, which IP addresses were reached.
> How can I do this using tcpdump?
> Could you give me an example or docs?
> I use FreeBSD 7.2

nope -- when you use tcpdump to capture packets it defaults to capturing
just the first 68 bytes of each packet -- that's just enough to get all
the packet headers (i.e. Ethernet addresses, IP numbers, port numbers,
TCP options, etc.) for a TCP packet, plus quite a lot of protocol-specific
packet headers for other types [assuming IPv4 -- you'll need to capture
a bit more for IPv6 because the addresses are longer].

Simply doing:

    # tcpdump -i em0 -w /tmp/capture.pcap

is actually pretty space efficient. Even so, on any reasonably busy
server that's going to add up to megabytes per minute. If that's too
much then try an application like pftop(1) or ntop(1) which can
categorize and summarize traffic on the fly.

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvHf/EACgkQ8Mjk52CukIyz6wCfSiBEIYT/KGkJgD01WV4eTQDf
1t0AniH1+b1xWWkehPXMK3bpv121zhrz
=Bqsf
-----END PGP SIGNATURE-----
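An added example to go with the snaplen discussion above (it is not part of Matthew's message and not tcpdump's own code): the Python below builds Ethernet/IPv4 and Ethernet/IPv6 TCP frames in memory, cuts each one to a chosen snaplen exactly as tcpdump -s does at capture time, and then parses the truncated bytes to show which of the things the original poster wanted to log (addresses, ports) survive and how much application payload still sneaks into the file. It goes slightly beyond the message by also checking a TCP SYN carrying a typical 20-byte option block. The MAC addresses, the RFC 5737/3849 documentation IP addresses, the ports and the HTTP-looking payload are all constructed test data, and the frames carry zero checksums since nothing sends them. Note that the 68-byte figure is the classic default; later tcpdump releases default to a much larger snaplen, so pass -s explicitly on a real capture.

```python
"""Added example: what a given tcpdump snaplen (-s N) preserves of a frame.

Builds Ethernet/IPv4 and Ethernet/IPv6 TCP frames in memory (no network, no
libpcap), truncates them the way tcpdump does at capture time, and parses what
a headers-only log can still recover. All addresses, ports and payload are
constructed test data.
"""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17
_ETH_DST, _ETH_SRC = bytes.fromhex("66778899aabb"), bytes.fromhex("001122334455")  # constructed
# Typical SYN option block: MSS, SACK-permitted, timestamps, NOP, window scale (20 bytes)
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")


def _tcp_header(sport, dport, options=b""):
    assert len(options) % 4 == 0, "TCP options must pad to a 4-byte boundary"
    data_offset = (20 + len(options)) // 4
    # seq=1, ack=0, flags=SYN, window=65535, checksum 0 (constructed frame), urgent=0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + options


def build_ipv4_tcp(src, dst, sport, dport, payload, options=b""):
    tcp = _tcp_header(sport, dport, options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64,
                     PROTO_TCP, 0, socket.inet_pton(socket.AF_INET, src),
                     socket.inet_pton(socket.AF_INET, dst))
    return _ETH_DST + _ETH_SRC + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_ipv6_tcp(src, dst, sport, dport, payload, options=b""):
    tcp = _tcp_header(sport, dport, options)
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(tcp) + len(payload), PROTO_TCP, 64,
                      socket.inet_pton(socket.AF_INET6, src), socket.inet_pton(socket.AF_INET6, dst))
    return _ETH_DST + _ETH_SRC + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + tcp + payload


def capture(frame, snaplen):
    """Mimic tcpdump -s <snaplen>: only the first snaplen bytes reach the pcap file."""
    return frame[:snaplen]


def summarize(frame):
    """Parse a possibly truncated frame; fields the truncation cut off stay None."""
    info = {"src": None, "dst": None, "proto": None, "sport": None, "dport": None,
            "l4_header_complete": False, "payload_captured": 0}
    if len(frame) < ETH_HDR_LEN:
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= ETH_HDR_LEN + 20:
        info["proto"] = frame[14 + 9]
        info["src"] = socket.inet_ntop(socket.AF_INET, frame[26:30])
        info["dst"] = socket.inet_ntop(socket.AF_INET, frame[30:34])
        l4 = ETH_HDR_LEN + (frame[14] & 0x0F) * 4      # IHL gives the IPv4 header length
    elif ethertype == ETHERTYPE_IPV6 and len(frame) >= ETH_HDR_LEN + 40:
        info["proto"] = frame[14 + 6]                   # Next Header; no extension headers here
        info["src"] = socket.inet_ntop(socket.AF_INET6, frame[22:38])
        info["dst"] = socket.inet_ntop(socket.AF_INET6, frame[38:54])
        l4 = ETH_HDR_LEN + 40
    else:
        return info                                      # non-IP, or the IP header itself was cut
    if info["proto"] not in (PROTO_TCP, PROTO_UDP):
        return info
    if len(frame) >= l4 + 4:                             # ports are the first 4 bytes of TCP and UDP
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    if info["proto"] == PROTO_UDP:
        hdr_len = 8
    elif len(frame) > l4 + 12:                           # TCP data-offset byte survived
        hdr_len = (frame[l4 + 12] >> 4) * 4
    else:
        return info
    if len(frame) >= l4 + hdr_len:
        info["l4_header_complete"] = True
        info["payload_captured"] = len(frame) - (l4 + hdr_len)
    return info


# Constructed application data, long enough that truncation is visible.
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n" + b"A" * 1000


def demo(snaplen):
    """What survives of three representative frames (documentation addresses) at snaplen."""
    frames = {
        "ipv4_tcp": build_ipv4_tcp("192.0.2.10", "198.51.100.20", 49152, 80, SAMPLE_PAYLOAD),
        "ipv4_syn_with_options": build_ipv4_tcp("192.0.2.10", "198.51.100.20", 49153, 443, b"", SYN_OPTIONS),
        "ipv6_tcp": build_ipv6_tcp("2001:db8::10", "2001:db8::20", 49154, 80, SAMPLE_PAYLOAD),
    }
    return {name: summarize(capture(frame, snaplen)) for name, frame in frames.items()}


if __name__ == "__main__":
    for snaplen in (54, 68, 96):
        print(f"snaplen {snaplen}:")
        for name, info in demo(snaplen).items():
            print(f"  {name}: {info}")
```

Running it shows the arithmetic behind the advice: 14 bytes of Ethernet plus 20 of IPv4 plus 20 of TCP is 54 bytes, so a 68-byte snaplen keeps the addresses and ports of a plain IPv4 TCP segment and also records 14 bytes of its payload; for IPv6 the transport header starts at byte 54, so ports still fit in 68 bytes but the full 20-byte TCP header (74 bytes) and a SYN with the usual 20 bytes of options (74 bytes over IPv4) do not. Pick the snaplen from the largest header stack you care about and set it with tcpdump's -s option, for example -s 96 for the IPv6 case above; going much larger starts recording application data, which is exactly what the original poster wanted to avoid.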