Tcpdump data collection
Hello,

I want to collect data on a network and map the data flow and system/port traffic. There are 2 scenarios of data collection here. The first is to collect IP traffic only. In this method I do not want the data portion of the IP packet (need IP address, source/destination ports, etc.). The second is to collect traffic that will show all the routing protocols (non-IP) used on this network. Today while collecting the data, I saw several HSRP packets. I don't know what portion of the packet is sufficient to capture for this purpose. I used the -s 0 option on tcpdump, which captures the whole packet. That is making the dump file large.

Any help with the filters is appreciated to capture the non-data portion of the packets.

Thank you in advance.

Subba Rao
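To make the question concrete, here is an added example (not code from the thread) that walks constructed Ethernet frames the way a header-only capture would: it computes how many leading bytes cover the link, IP and TCP/UDP headers (addresses and ports, no payload), keeps whole frames for non-IPv4 traffic, and reports the smallest snaplen that would preserve every header in a sample. The sample frames, addresses and port numbers are constructed for the demonstration; note that the HSRP hello is UDP port 1985 sent to 224.0.0.2, so it is IP traffic and would be kept by the first scenario's filter.

```python
import struct

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800

def is_ipv4(frame: bytes) -> bool:
    """True when the Ethernet frame carries IPv4 (EtherType 0x0800)."""
    return len(frame) >= ETH_HDR and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4

def header_length(frame: bytes) -> int:
    """Bytes from frame start through the transport header (addresses and
    ports) but excluding the payload; the whole frame for non-IPv4 traffic,
    since a routing protocol's content lives in the body of those frames."""
    if not is_ipv4(frame):
        return len(frame)
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IPv4 header length, options included
    proto = frame[ETH_HDR + 9]
    l4 = ETH_HDR + ihl
    if proto == 6:                              # TCP: data offset field, in 32-bit words
        return l4 + (frame[l4 + 12] >> 4) * 4
    if proto == 17:                             # UDP: fixed 8-byte header
        return l4 + 8
    return l4                                   # other protocols: keep the IP header only

def headers_only(frame: bytes) -> bytes:
    """The part of a frame that a header-only capture would keep."""
    return frame[:header_length(frame)]

def suggest_snaplen(frames) -> int:
    """Smallest tcpdump -s value that keeps every header in the sample."""
    return max(header_length(f) for f in frames)

# Constructed sample frames (not real captures): a TCP segment with payload,
# an HSRP hello (UDP/1985 to 224.0.0.2, i.e. IP traffic) and an ARP request.
def _eth(ethertype):
    return b"\x00" * 12 + struct.pack("!H", ethertype)

def _ipv4(proto, payload_len, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), dst)

TCP_PAYLOAD = b"GET / HTTP/1.0\r\n"
TCP_FRAME = (_eth(ETHERTYPE_IPV4) + _ipv4(6, 20 + len(TCP_PAYLOAD), bytes([10, 0, 0, 2]))
             + struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
             + TCP_PAYLOAD)
HSRP_PAYLOAD = b"\x00" * 20
HSRP_FRAME = (_eth(ETHERTYPE_IPV4) + _ipv4(17, 8 + len(HSRP_PAYLOAD), bytes([224, 0, 0, 2]))
              + struct.pack("!HHHH", 1985, 1985, 8 + len(HSRP_PAYLOAD), 0) + HSRP_PAYLOAD)
ARP_FRAME = _eth(0x0806) + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20

if __name__ == "__main__":
    for name, f in [("tcp", TCP_FRAME), ("hsrp", HSRP_FRAME), ("arp", ARP_FRAME)]:
        print(name, "ipv4" if is_ipv4(f) else "non-ip", "keep", header_length(f), "of", len(f))
    print("suggested -s:", suggest_snaplen([TCP_FRAME, HSRP_FRAME, ARP_FRAME]))
```

The second scenario in the question maps to tcpdump's `not ip` filter (libpcap's `ip` primitive matches IPv4 only), combined with a snaplen from `suggest_snaplen` for the IP-only capture.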
Re: Tcpdump data collection
On 3/12/2008, at 2:19 PM, Subba Rao wrote:
> Hello, I want to collect data on a network and map the data flow and system/port traffic. [...]

I strongly recommend having a look through this to find out what rules you want (i.e. plain English): http://www.networksorcery.com/enp/default1002.htm

Then, go about mapping them into tcpdump/pcap/bpf/whatever filter format; a quick Google suggests this as a good resource: http://www.whitehats.ca/main/members/Malik/malik_tcpdump_filters/malik_tcpdump_filters.html

You might also consider using netflow instead of tcpdump; there are lots of tools available for processing netflow data in ways that are useful to network operators.

--
Nathan Ward
Re: Tcpdump data collection
Check out argus: http://www.qosient.com/argus/ It can do exactly what you want.

Cheers,
Harry

On Tue, 2008-12-02 at 17:19 -0800, Subba Rao wrote:
> Hello, I want to collect data on a network and map the data flow and system/port traffic. [...]
Re: Tcpdump data collection
Maybe ntop? http://www.ntop.org/overview.html

-Chris

On Tue, Dec 2, 2008 at 8:19 PM, Subba Rao wrote:
> Hello, I want to collect data on a network and map the data flow and system/port traffic. [...]