Networking :: Correct Command To Filter Outgoing Traffic With Tcpdump?
May 6, 2010
I have a need to make a rather odd filter in tcpdump- I would like to capture only all those packages on interface eth0, that are outgoing(in other words from IP 192.168.1.1, which is IP for eth0 in this computer) and doesn't have src MAC address 11:22:33:44:55:66. However, fallowing command says, that syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
I have a WAN network that i need to do some analysis on, for the traffic flows. I did lots of googling to figure out what useful tool to collect the packet informations.I found this site [URL]..witch i made great use of to recognize the tcpdum tool. I also have a network simulator on windows platform wich is Opnet Guru, (by the way.. is there a linux version for this simulator?).
MY QUESTION IS: How can i feed the Opnet Guru with the flows data collected with the
Code: tcpdump with its different options?
NOTE: in the Opnet Guru invironment there is an object called the profile that is beeing used to customize and genarate data flows with the desired characteristics to simulate the real flows. So i need to feed the Opnet with the fresh data collected with the tcpdump tool (command) instead of using the built-in profile.. i hope i was clear enough..
I have a couple of interfaces in a Fedora 14 box: eth0: internet provided by an adsl router eth1: LAN
I set up system-config-firewall to masquerade all outgoing traffic in eth0, as I did in other Fedora 13 boxes, but it seems it doesn't work. It sets to 1 /proc/sys/net/ipv4/ip_forward and also set the appropriate rules in iptables. But all traffic is blocked from the LAN to the Internet. "ping www.google.com" works in the Fedora box, but doesn't work in the LAN computers using the F14 IP as gateway. I have another F13 computer elsewhere configured this way and it works fine. But this one has Fedora 14.
eth0 192.168.2.100 (internal Web, Mail) eth1 192.168.3.100 (Default Gateway nic for clients) eth2 192.168.3.110 (should be default Gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine
i cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow)
is there an easy iptables-rule to say, that outgoing traffic, not belonging to my networks can be redirected to a specific NIC (eth2)?
I have a Linux IPTables firewall on Centos 5.3.It has one physical interface to the internet and 2 internal interfaces to a DMZ and TRUSTED zone respectively.There are 10 virtual interfaces linked to the physical public interface.Emails are being sent from my server in the DMZ out to the internet, but it is being shown as coming from the firewall IP address.It must show as coming from one of the virtual interfaces.
I've noticed recently that a lot of outgoing internet traffic is generated by my laptop (running Ubuntu 10.04 - 64 bit). This wasn't the case previously. I only found out because my wireless broadband traffic allowance suddenly was used up very quickly. I've installed ntop to try to find out where all this traffic is going to.
I did find that there were a very high number (at one stage over 11.000) of active TCP/UDP sessions (see attached screenshot). Although the traffic generated by each is only small (about 100 bits/bytes - not sure what) multiplied by thousands, makes a fair bit of traffic. I wonder if I've got some kind of a virus/bug or do I have a configuration problem with my laptop?
OS : CentOS 5.3 64bit How to trace incoming and outgoing network traffic for a give user? User 'A' logs in to the system and does various network connectivity As root user need to find what are the outgoing and incoming connection that are related with user 'A'. basically need to check the connection flow. netstat will show ESTABLISHED, LISTEN etc.. need something like tcpdump
Eg:- --user option for tcpdump tcpdump -vv -nn -i eth0 host 10.200.2.1 and tcp dst port 8080 --user A Can someone tell me any tool which can do such thing? Even if it can show the process ID of the client application which is trying to establish network connectivity will do.
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
I'm using ubuntu server 10.04 with openvpn installed on it. My vpn is working fine, all the users can connect without any issue.My problem is that I'm unable to filter the VPN traffic using openvpn. I can't allow all users to be able to interact with other vpn users. I need to avoid this kind of traffic.I was trying to build an iptables firewall, but I just noticed that my openvpn traffic isn't being filtered by iptables.In FORWARD chain, no matter what rule I use openvpn would continue to allow traffic between my clients. It does appear that openvpn is skipping FORWARD chain?For example:
Im trying to get postfix to filter my outgoing mail and basically drop everything that is not in my hash table.
So far I managed to get this going
Code:
Code:
Unfortunately those rules also apply to incoming messages. My goal is to disallow users on my host to change their "MAIL FROM" to anything they like and restrict them to domains I specify. I'm aware that the local part still is variable and a user of domain "foo.com" could use a email of domain "bar.com", but still some of my troubles would be solved if I get this running.
I have a WAN network that i need to do some analysis on, for the traffic flows. I did lots of googling to figure out what useful tool to collect the packet informations.I found this site http://scrutin.wordpress.com/2007/04...-tcpdump/witch i made great use of to recognize the tcpdum tool. I also have a network simulator on windows platform wich is Opnet Guru, (by the way.. is there a linux version for this simulator?). MY QUESTION IS:: How can i feed the Opnet Guru with the flows data collected with the Code: tcpdumpwith its different options? NOTE: in the Opnet Guru invironment there is an object called the profile that is being used to customize and genarate data flows with the desired characteristics to simulate the real flows. So i need to feed the Opnet with the fresh data collected with the tcpdump tool (command) instead of using the built-in profile.
There is a big problem with opensuse 11.4 and virtual interfaces.Until 11.2 outgoing traffic by default was sent by the eth0 address nevertheless which virtual interfaces did exist if any was used.Now there seems to be sent by the last interface listed with ifconfig.The outgoing address in this case will be 10.0.0.3.This is very problematic with smtp control etc.
My internet gateway is 192.168.1.1 with a 255.255.255.0 subnet mask. I have a router connected to it running ddwrt with an ip 192.168.2.1/24 creating a second subnet behind it. I have a tenant moving in that will be wirelessly connecting to the ddwrt router, so to the 192.168.2.0/24 subnet. What I am looking for is a rule that will pass internet traffic to and from this client, but restrict him access from the 192.168.1.0/24 subnet otherwise. The ddwrt router is connected to the 192.168.1.1 gateway through its wan port, btw. For example, the client would get an ip address of 192.168.2.100 wirelessly from the ddwrt router. I want him to be able to surf the internet through the 192.168.1.1 gateway, but not to have any other access to the 192.168.1.0/24 subnet (ideally not have access to ANYTHING besides the internet).
As too my question, at this time I dont control the router/firewall an I would like to block a port thats used for guild wars on my workstation for a while. The reason for blocking is children have abused it an lost it.In this case I am trying to block outgoing traffic on port 6112. I have tried setting up a proxy server on the workstation, but the game seems to ignore it an jump on. Due to the environment, I enabled the workstation SuSEFirewall2 firewall an tried setting up "lo" as a internal an configure the firewall as a router, then disable 0/0 an configured for 0/0,tcp,443 an re route port 80 traffic to proxy.
When I had my own internet, I had a transparent proxy enforcing rules for access times. So setting up a proxy on each machine would not be a bad thing, even if it took some creative thinking. I am trying, but seem to be missing something.Ideally, I would like to setup a transparent proxy, as my kids have learned alot about system administration an know to check the proxy module. If all they have to do is un check "Use Proxy" an by pass a local proxy server, then I am kinda defeated. An applications such as firefox have a proxy setting they could set to none instead of system
I've read up some of the posts on this forum, but can't seem to find an answer. I have a web service within an Apache Tomcat instance installed on a Redhat linux server. I only have shell access to the server, and need to monitor outbound network traffic from my web service. Is there a unix command that will allow me to monitor all outbound traffic? I'm thinking fiddler, but a unix version? I've heard of things like ntop and iptraf, but I don't think those will help me in this instance.
when i send any packet to anu destination and want to see he mac address of source and destination i am using the command tcpdump -qec1 but rather then getting the mac address of source and destination each time i am getting mac address of the system which is broadcasting. will anybody tell me how can i get source and destination mac address even if any other packet is also being broadcast to my network.
I need to set up my centOS computer as a firewall in my home network. Ive got 2 interfaces, eth0 and eth1. I want to allow and forward all traffic on eth0 and block all traffic on eth1 except ssh, ping(icmp) and DNS. How do I do this? Ive tried some editing in /etc/sysconfig/iptables but no luck.
I wanted to tell my server to block all traffic but US only traffic. So i followed this guide:[URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done compiled everything moved to the proper directory. I then started to setup my iptables. Like so
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code: iptables -I INPUT -p gre -j ACCEPT iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT iptables -I FORWARD -d 172.16.10.101 -j ACCEPT The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
I'm trying to understand rsync filters .. but it isn't goig to well.I want to rsync only files with a specific extension (.gz.des3). Could someone please tell me how to add such filter to the rsync commandline (not a seperate filter filer).
I would like to know how to use grep command to filter the log files created between 3:00 PM to 4:30 PM in buch of log for whole day in different headings. This files resembles like sar file in linux.
I am trying to create a dump log using tcpdump. I want display the top 10 ip addresses sorted numerically showing how many times the ips are hitting the server. I'm getting frustrated because It's not working how I'd like it to.
Is there a way to do multiple interfaces in tcpdump? I have found that when using "-i any", not all packets are captured (compared to "-i eth0" on a machine with only one interface). I need to monitor traffic on some machines with as many as 6 interfaces, and get these packets that "-i any" misses. When I give the "-i" option multiple times, it seems to only use the last one.
I'm trying to capture packets to a file with the -w option but the file is empty yet if I use the '-w -' option to put data on stdout I see plenty of captured packets.I'm using CentOS 5.5 x86
I would like to set up tcpdump to rotate log file every 1 hour and retain files for the lat 14 days but I don't think any combination of -C and -W would allow me to do that (Atleast I haven't been able to figure it out), so I am trying to rotate the files every X number of MB and retain the last 20 files. This seems to be fairly simple with the '-C X -W 20' option but I am having some trouble in customizing the names of the log files. I have tried '-w capture-$(date +%Y-%M-%d-%H:%M-)' thinking that each file would start with the current date and time but all files are using the date and time when the capture was started so the only difference is the number at the end (which is done by -W). if I can customize the names of the file so that it has the date and time when the capture in started. In fact if I can do that, I dont need the numbers that '-W' appends at the end but I dont know how to get rid of them.
I'm running NetWare SLES 10 sp3 with OES2 sp2. I was working with the folks at Novell to resolve an iPrint Print Manager problem.
During the process they wanted to perform a packet capture using tcpdump. While logged in as the root user the error no suitable device was found, and I received no data at all. This server is running on a VMWare Center. On other SLES 10 sp3 systems (residing on that same VMWre Center), tcpdump captures packets just fine. I inherited all of these servers, so I wasn't here during the initial build, but I'd make the guess that they were configured similarly. On a Server that I built recently, tcpdump works fine. On two of my Servers it does not, and gives the mentioned error.
It's not that big a deal, otherwise the Servers are communicating and working just fine. But, I'd like to get it working just because it's supposed to work. Students are off for the summer, so I have time to play.
