On second thoughts, I'll take that back. It looks like the front end is matching all hosts with that IP, now I'm stumped...
> -----Original Message-----
> From: Hiren Joshi
> Sent: 02 March 2010 17:43
> To: [email protected]
> Subject: RE: [pfSense Support] Slow TCP connection
>
> This is where things get interesting...
>
> When I use "packet capture" which I'm assuming is a front end to
> tcpdump, and enter a hostname, the filter works but when I use tcpdump
> host something.com it does a lookup on something.com and matches all
> packets with that IP. I have multiple hosts with the same IP but need to
> filter the packets for just one host.
>
> Any idea how I can do this? As it works via the front end, I figure
> there must be a way to do this in the command line.
>
> Thanks,
> Josh.
>
> > -----Original Message-----
> > From: David Newman [mailto:[email protected]]
> > Sent: 02 March 2010 16:08
> > To: [email protected]
> > Subject: Re: [pfSense Support] Slow TCP connection
> >
> > On 3/2/10 7:59 AM, David Burgess wrote:
> > > On Tue, Mar 2, 2010 at 8:54 AM, Hiren Joshi <[email protected]> wrote:
> > >
> > >> I'm using the "packet capture" bit in pfsense. Is there a way of doing
> > >> this via the shell (I'm new to BSD, more of a Linux person) and leaving
> > >> it running (filtered by hostname) for a few hours/days? This way I can
> > >> dump it all and analyse it in wireshark.
> > >
> > > tcpdump. For example,
> > >
> > > tcpdump -i vr0 -n -w capture.pcap
> > >
> > > -i for the interface, -n to disable name resolution, capture.pcap is
> > > the capture file. I'm not sure if you have to do anything special to
> > > make it readable in wireshark.
> >
> > No special treatment needed -- wireshark will take pcap files as input.
> >
> > However, you might want to bear a couple of things in mind:
> >
> > 1. By default, tcpdump grabs only the first 68 bytes of each packet. You
> > can override this with the '-s' flag, for example with a switch such as
> > '-s 1500'. This is essential if you need to see deeper into the packet
> > but the tradeoff is increased processing time. If you just need TCP
> > headers you shouldn't need this switch.
> >
> > 2. Depending on link utilization tcpdump can capture a *lot* of traffic.
> > If you know you only want to see traffic from/to a specific host, or for
> > a given protocol, there are filters you can add at the end of a tcpdump
> > command to limit what it will capture -- and wireshark uses identical
> > capture filter syntax. The tcpdump manpage or wireshark docs have more info.
> >
> > dn
> >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> > > Commercial support available - https://portal.pfsense.org
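The filtering problem in the quoted thread (several hosts sharing one IP, so a BPF `host` filter matches all of them) cannot be solved at the IP/TCP layer; the name only exists inside the application payload, which also makes the snaplen point in the reply above relevant. The following is an added example written for this page, not code from the thread or from pfSense. It assumes the hosts in question are HTTP virtual hosts on port 80 (the thread does not say), builds a small constructed pcap in pure Python, dissects Ethernet/IPv4/TCP, keeps only requests whose `Host:` header matches, and shows that with a 68-byte snaplen the header is cut off and no packet matches.

```python
import struct

# --- constructed sample traffic (RFC 5737 documentation addresses) -------

def ipv4(addr):
    return bytes(int(o) for o in addr.split('.'))

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with a raw payload; checksums left at zero."""
    eth = b'\x00' * 12 + b'\x08\x00'                       # type 0x0800 = IPv4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, ipv4(src_ip), ipv4(dst_ip)) # proto 6 = TCP
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)                          # data offset 5 words
    return eth + ip + tcp + payload

def build_pcap(frames, snaplen):
    """Classic libpcap file; each record is truncated to snaplen like tcpdump -s."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack('<IIII', 1267548000 + i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)

FRAMES = [  # two virtual hosts, alpha.example and beta.example, on 203.0.113.10
    build_frame('198.51.100.7', '203.0.113.10', 40001, 80,
                b'GET / HTTP/1.1\r\nHost: alpha.example\r\nUser-Agent: x\r\n\r\n'),
    build_frame('198.51.100.7', '203.0.113.10', 40002, 80,
                b'GET /login HTTP/1.1\r\nHost: beta.example\r\n\r\n'),
    build_frame('198.51.100.7', '203.0.113.10', 40003, 80,
                b'GET /index.html HTTP/1.1\r\nhost: alpha.example\r\n\r\n'),
]
FULL_PCAP = build_pcap(FRAMES, 65535)   # like tcpdump -s 0 / -s 1500
SHORT_PCAP = build_pcap(FRAMES, 68)     # the 68-byte snaplen mentioned above

# --- reading the capture back --------------------------------------------

def iter_pcap(data):
    """Yield (captured_len, original_len, frame_bytes) for each record."""
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', data, 0)
    if magic != 0xa1b2c3d4 or linktype != 1:
        raise ValueError('expected a little-endian Ethernet pcap')
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from('<IIII', data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Return (src, dst, sport, dport, tcp_payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0f) * 4
    src = '.'.join(str(b) for b in frame[26:30])
    dst = '.'.join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack_from('!HH', frame, tcp_off)
    doff = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + doff:]

def http_host(payload):
    """Host header of an HTTP request, or None; a header line cut off by the
    snaplen is discarded rather than matched on a partial value."""
    head, terminator, _ = payload.partition(b'\r\n\r\n')
    lines = head.split(b'\r\n')
    if not terminator:          # header block incomplete: last line is partial
        lines = lines[:-1]
    for line in lines[1:]:      # skip the request line
        name, _, value = line.partition(b':')
        if name.strip().lower() == b'host':
            return value.strip().decode('ascii', 'replace')
    return None

def filter_by_host(pcap_bytes, hostname):
    """Packets whose HTTP Host header equals hostname, as
    (src, dst, sport, dport, was_truncated) tuples."""
    matches = []
    for incl_len, orig_len, frame in iter_pcap(pcap_bytes):
        parsed = dissect(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if http_host(payload) == hostname:
            matches.append((src, dst, sport, dport, incl_len < orig_len))
    return matches

def truncated_count(pcap_bytes):
    """How many records lost bytes to the snaplen (tcpdump's 'truncated' case)."""
    return sum(1 for incl, orig, _ in iter_pcap(pcap_bytes) if incl < orig)

if __name__ == '__main__':
    print(filter_by_host(FULL_PCAP, 'alpha.example'))   # two requests
    print(filter_by_host(SHORT_PCAP, 'alpha.example'))  # [] : Host header cut off
```

The same approach applies to a real `capture.pcap` written with `tcpdump -i vr0 -n -s 0 -w capture.pcap`: a BPF filter such as `host 203.0.113.10 and tcp port 80` narrows the capture to the shared address, and a payload-level pass like this (or Wireshark's `http.host` display filter) separates the individual hosts afterwards. The example only covers unencrypted HTTP/1.x and single-segment requests; for TLS the equivalent is the SNI field of the ClientHello.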
