This is where things get interesting... When I use "packet capture", which I'm assuming is a front end to tcpdump, and enter a hostname, the filter works; but when I use `tcpdump host something.com` it does a lookup on something.com and matches all packets with that IP. I have multiple hosts with the same IP but need to filter the packets for just one host.
Any idea how I can do this? As it works via the front end, I figure there must be a way to do this in the command line.

Thanks,
Josh.

> -----Original Message-----
> From: David Newman [mailto:[email protected]]
> Sent: 02 March 2010 16:08
> To: [email protected]
> Subject: Re: [pfSense Support] Slow TCP connection
>
> On 3/2/10 7:59 AM, David Burgess wrote:
> > On Tue, Mar 2, 2010 at 8:54 AM, Hiren Joshi <[email protected]> wrote:
> >
> >> I'm using the "packet capture" bit in pfsense. Is there a way of doing
> >> this via the shell (I'm new to BSD, more of a Linux person) and leaving
> >> it running (filtered by hostname) for a few hours/days? This way I can
> >> dump it all and analyse it in wireshark.
> >
> > tcpdump. For example,
> >
> > tcpdump -i vr0 -n -w capture.pcap
> >
> > -i for the interface, -n to disable name resolution, capture.pcap is
> > the capture file. I'm not sure if you have to do anything special to
> > make it readable in wireshark.
>
> No special treatment needed -- wireshark will take pcap files as input.
>
> However, you might want to bear a couple of things in mind:
>
> 1. By default, tcpdump grabs only the first 68 bytes of each packet. You
> can override this with the '-s' flag, for example with a switch such as
> '-s 1500'. This is essential if you need to see deeper into the packet
> but the tradeoff is increased processing time. If you just need TCP
> headers you shouldn't need this switch.
>
> 2. Depending on link utilization tcpdump can capture a *lot* of traffic.
> If you know you only want to see traffic from/to a specific host, or for
> a given protocol, there are filters you can add at the end of a tcpdump
> command to limit what it will capture -- and wireshark uses identical
> capture filter syntax. The tcpdump manpage or wireshark docs have more info.
>
> dn
>
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> > Commercial support available - https://portal.pfsense.org
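The `host` primitive in a tcpdump capture filter is resolved to an address by BPF, so it cannot tell name-based virtual hosts on one IP apart. An added example, not from this thread or from pfSense: capture everything for the shared address as suggested above (`-n -s 1500 -w`, so the HTTP headers are not cut off by the 68-byte default snaplen), then post-filter the pcap on the HTTP `Host:` header with this script, which assumes plain HTTP over IPv4/Ethernet (a TLS flow would need the SNI instead) and uses a constructed sample pcap in place of a real capture.

```python
import struct
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic pcap, as tcpdump -w writes

def http_host(frame):
    """Lower-cased HTTP Host header (port stripped) of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                     # not IPv4 over Ethernet, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4                   # skip Ethernet + IPv4 (IHL) headers
    if len(frame) < tcp + 20:                           # truncated before the TCP header ends
        return None
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # skip TCP header (data offset)
    for line in payload.split(b"\r\n")[1:]:             # headers follow the request line
        if line[:5].lower() == b"host:":
            return line[5:].strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def filter_pcap(data, hostname, outfile=None):
    """Keep only records whose HTTP Host header names `hostname`; returns them as
    (record_header, frame) pairs and optionally writes a new pcap for Wireshark."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    kept, pos = [], 24                                  # 24-byte global header
    while pos + 16 <= len(data):                        # 16-byte per-record header
        hdr = data[pos:pos + 16]
        caplen = struct.unpack(endian + "I", hdr[8:12])[0]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if http_host(frame) == hostname.lower():
            kept.append((hdr, frame))
    if outfile:
        with open(outfile, "wb") as f:
            f.write(data[:24] + b"".join(h + fr for h, fr in kept))
    return kept

def build_sample_pcap(requests):
    """Constructed test input (not a real capture): one Ethernet/IPv4/TCP frame per
    request, all to 203.0.113.10:80, an address shared by several virtual hosts."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, req in enumerate(requests):
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + req
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([203, 0, 113, 10])) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip            # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 1267545600 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample_pcap([
    b"GET / HTTP/1.1\r\nHost: one.example\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: two.example\r\n\r\n",
    b"GET /b HTTP/1.1\r\nhost: One.Example:80\r\n\r\n",   # case and port differ
    b"",                                                  # bare ACK, no HTTP payload
])
```

On a real file, read `capture.pcap` into `data` and call `filter_pcap(data, "something.com", "one-host.pcap")`; only the request packets carrying the header are kept, so pair the result with a Wireshark "Follow TCP Stream" on the original capture if the replies are needed too.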
