Tcpdump data collection


I want to collect data on a network and map the data flow and system/port traffic. There are 2 scenarios of data collection here. The first is to collect IP traffic only. In this method I do not want the data portion of the IP packet (need IP address, source/destination ports etc).

The second is to collect traffic that will show all the routing protocols (non-IP) used on this network. Today while collecting the data, I saw several HSRP packets. I don't know what portion of the packet is sufficient to capture for this purpose.

I used the "-s 0" option on tcpdump which captures the whole packet. That is making the dump file large. Any help with the filters is appreciated to capture the non-data portion of the packets.

Thank you in advance.

Subba Rao

I strongly recommend having a look through this to find out what rules you want (ie. plain English):

Then, go about mapping them in to tcpdump/pcap/bpf/whatever filter format, a quick Google suggests this as a good resource:

You might also consider using netflow instead of tcpdump, there are lots of tools available for processing netflow data in ways that are useful to network operators.

Check out argus

It can do exactly what you what.


Maybe ntop?