Tcpdump data collection

Hello,

I want to collect data on a network and map the data flow and system/port traffic. There are 2 scenarios of data collection here. The first is to collect IP traffic only. In this method I do not want the data portion of the IP packet (I need the IP addresses, source/destination ports, etc.).

The second is to collect traffic that will show all the routing protocols (non-IP) used on this network. Today while collecting the data, I saw several HSRP packets. I don't know what portion of the packet is sufficient to capture for this purpose.

I used the "-s 0" option on tcpdump which captures the whole packet. That is making the dump file large. Any help with the filters is appreciated to capture the non-data portion of the packets.

Thank you in advance.

Subba Rao

I strongly recommend having a look through this to find out what rules you want (i.e. in plain English):
http://www.networksorcery.com/enp/default1002.htm

Then, go about mapping them into tcpdump/pcap/bpf/whatever filter format; a quick Google suggests this as a good resource:
http://www.whitehats.ca/main/members/Malik/malik_tcpdump_filters/malik_tcpdump_filters.html

You might also consider using netflow instead of tcpdump, there are lots of tools available for processing netflow data in ways that are useful to network operators.

Check out argus http://www.qosient.com/argus/

It can do exactly what you want.

Cheers,
Harry
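A worked example for both of Subba Rao's scenarios, added here and not part of the thread or of any of the tools it mentions. On the tcpdump side, the knob for "headers but no data" is the snaplen: a fixed value such as `-s 96` keeps the Ethernet, IP and TCP headers of an ordinary packet but still stores the first bytes of payload and can cut IP or TCP options, because it does not look at IHL or the TCP data offset. The script below takes the other route: it post-processes a pcap (captured with `-s 0 -w file`) and truncates each record exactly at the end of the transport header, so addresses and ports (and options) survive, payload does not, and non-IPv4 frames are kept whole, which is what the second scenario needs (`not ip` is the tcpdump filter for the same idea). One caveat on HSRP, since it came up: HSRP is carried in UDP port 1985 to 224.0.0.2, so it is IP traffic and a `not ip` capture will not contain it; `udp port 1985` will. All function names and the sample capture at the bottom of the block are my own constructions, not a real trace.

```python
"""Strip payloads from a classic pcap so that each record keeps only the Ethernet,
IP and transport headers, while non-IPv4 frames are kept whole.
Added example for this thread; the sample capture at the bottom is constructed."""
import socket
import struct

PCAP_GLOBAL_FMT = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "<IIII"     # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR_LEN, ETHERTYPE_IPV4 = 14, 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ethertype(frame):
    """EtherType of an untagged Ethernet frame, or None if the frame is too short."""
    return struct.unpack_from("!H", frame, 12)[0] if len(frame) >= ETH_HDR_LEN else None


def header_length(frame):
    """Bytes to keep so addresses and ports survive but payload does not.

    IPv4/TCP: through the TCP header (IHL and data offset are honoured, so options
    are not cut, unlike a fixed snaplen). IPv4/UDP: through the 8-byte UDP header.
    Other IPv4 protocols: the IP header. Non-IPv4 frames are kept whole.
    """
    l3 = ETH_HDR_LEN
    if ethertype(frame) != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
        return len(frame)
    proto, l4 = frame[l3 + 9], l3 + (frame[l3] & 0x0F) * 4
    if proto == IPPROTO_TCP and len(frame) >= l4 + 20:
        return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)
    if proto == IPPROTO_UDP:
        return min(len(frame), l4 + 8)
    return min(len(frame), l4)


def pcap_records(data):
    """Yield ((ts_sec, ts_usec, incl_len, orig_len), frame) for each record."""
    pos, rec = struct.calcsize(PCAP_GLOBAL_FMT), struct.calcsize(PCAP_RECORD_FMT)
    while pos + rec <= len(data):
        hdr = struct.unpack_from(PCAP_RECORD_FMT, data, pos)
        pos += rec
        yield hdr, data[pos:pos + hdr[2]]
        pos += hdr[2]


def strip_payload(data):
    """New pcap with every record truncated to header_length(); orig_len is preserved."""
    out = [data[:struct.calcsize(PCAP_GLOBAL_FMT)]]
    for (ts_sec, ts_usec, _incl, orig_len), frame in pcap_records(data):
        keep = header_length(frame)
        out.append(struct.pack(PCAP_RECORD_FMT, ts_sec, ts_usec, keep, orig_len) + frame[:keep])
    return b"".join(out)


def summarize(data):
    """Flow rows (src, dst, proto, sport, dport, orig_len) from whatever bytes survived."""
    rows, l3 = [], ETH_HDR_LEN
    for (_s, _us, _incl, orig_len), frame in pcap_records(data):
        et = ethertype(frame)
        if et != ETHERTYPE_IPV4:
            rows.append(("-", "-", "short" if et is None else "ether:0x%04x" % et, None, None, orig_len))
            continue
        proto, l4 = frame[l3 + 9], l3 + (frame[l3] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[l3 + 12:l3 + 16]), socket.inet_ntoa(frame[l3 + 16:l3 + 20])
        sport = dport = None
        if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
            sport, dport = struct.unpack_from("!HH", frame, l4)
        rows.append((src, dst, {6: "tcp", 17: "udp"}.get(proto, str(proto)), sport, dport, orig_len))
    return rows


# --- constructed sample capture: an HTTP segment, an HSRP-shaped UDP datagram, an ARP frame ---
def _eth(et, payload):
    return bytes.fromhex("0011223344550a0b0c0d0e0f") + struct.pack("!H", et) + payload

def _ipv4(src, dst, proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return _eth(ETHERTYPE_IPV4, hdr + l4)

def build_sample_pcap():
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + b"GET / HTTP/1.0\r\n" + b"x" * 84
    udp = struct.pack("!HHHH", 1985, 1985, 28, 0) + b"\x00" * 20  # HSRP rides on UDP/1985 to 224.0.0.2
    frames = [_ipv4("10.0.0.5", "10.0.0.80", IPPROTO_TCP, tcp),
              _ipv4("10.0.0.1", "224.0.0.2", IPPROTO_UDP, udp),
              _eth(0x0806, b"\x00" * 28)]  # non-IP frame, kept whole
    out = [struct.pack(PCAP_GLOBAL_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack(PCAP_RECORD_FMT, 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    stripped = strip_payload(SAMPLE_PCAP)
    print(len(SAMPLE_PCAP), "->", len(stripped), "bytes")
    for row in summarize(stripped):
        print(row)
```

On the constructed sample the 154-byte HTTP segment shrinks to 54 bytes (Ethernet + IP + TCP headers), the HSRP-shaped datagram to 42, and the ARP frame is untouched, yet `summarize()` produces the same flow rows from the stripped file as from the full one. To use it on a real trace, read the bytes of a file written with `tcpdump -s 0 -w`, pass them through `strip_payload()` and write the result back out; the output is still a valid pcap that tcpdump or any other pcap reader will open.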

Maybe ntop?

http://www.ntop.org/overview.html

-Chris