Capturing tcpdump for local traffic - TCP-IP
-
Capturing tcpdump for local traffic
Hi All,
I am somewhat new to tcpdump capturing. I have a server listener on a
Linux box running on port say 5000. All the traffic to this port is
from another process on the same host and from any other host. My
question is: can the traffic/packets for this port be captured? How?
tcpdump does not seem to be working in this case. When socket-related
processes run on the same host, does it mean that the packets do not go
via the network interfaces?
Thanks
-Satish
-
Re: Capturing tcpdump for local traffic
On Sat, 12 Jan 2008 04:51:59 -0800, satish.burnwal wrote:
> Hi All,
> I am somewhat new to tcpdump capturing. I have a server listener on a
> Linux box running on port say 5000. All the traffic to this port is from
> another process on the same host and from any other host. My question is:
> can the traffic/packets for this port be captured? How? tcpdump does not
> seem to be working in this case. When socket-related processes run on the
> same host, does it mean that the packets do not go via the network
> interfaces?
Traffic from a host to the same host always goes over the loopback
interface, even if the IP used to connect belongs to another interface.
HTH,
M4
-
Re: Capturing tcpdump for local traffic
satish.burnwal@gmail.com writes:
[...]
> When socket-related processes run on the same host, does it mean that
> the packets do not go via the network interfaces?
If they are going across the loopback interface, you may have to tell
tcpdump to read that interface. On Linux the interface is named lo,
so you can use "-i lo".
----Scott.
-
Re: Capturing tcpdump for local traffic
In article ,
Scott Gifford wrote:
> satish.burnwal@gmail.com writes:
>
> [...]
>
> > When socket-related processes run on the same host, does it mean that
> > the packets do not go via the network interfaces?
>
> If they are going across the loopback interface, you may have to tell
> tcpdump to read that interface. On Linux the interface is named lo,
> so you can use "-i lo".
AFAIK this doesn't work on most operating systems.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
-
Re: Capturing tcpdump for local traffic
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "satish" == satish burnwal writes:
satish> Hi All,
satish> I am somewhat new to tcpdump capturing. I have a server listener on a
satish> Linux box running on port say 5000. All the traffic to this port is
satish> from another process on the same host and from any other host. My
satish> question is: can the traffic/packets for this port be captured? How?
satish> tcpdump does not seem to be working in this case. When socket-related
satish> processes run on the same host, does it mean that the packets do not go
satish> via the network interfaces?
It'd be great if you'd posted the command which you're
trying. Anyway, if both endpoints of the connection are on the same box
then traffic is routed via the loopback (lo) interface, so you need to
listen for traffic on the 'lo' interface. The following command line will help
you do this:
# tcpdump -i lo port 5000
satish> Thanks
satish> -Satish
HTH
- --
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFHi4eQHy+EEHYuXnQRAvquAJUY+36A+LvWG/Mn6FNO+h7Oh4eiAJ4zn6p1
EazVTEe9woExArrDqRkXiQ==
=bBhu
-----END PGP SIGNATURE-----
-
Re: Capturing tcpdump for local traffic
Barry Margolin wrote:
> AFAIK this doesn't work on most operating systems.
True, although IIRC Linux is an exception. On HP-UX at least, where
one indeed cannot run tcpdump against the loopback interface, if one
doesn't want to use nettl, for traffic to local IPs at least (other
than 127.0.0.1) it is possible to set an ndd variable that will cause
the stack to send the packets to be looped back by the driver rather
than by IP. This then makes them flow past the promiscuous tracing
taps. (Note that this does not cause them to be sent out onto the NIC
or network, only to be looped back by the driver.)
rick jones
--
firebug n, the idiot who tosses a lit cigarette out his car window
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
-
Re: Capturing tcpdump for local traffic
Barry Margolin writes:
> In article ,
> Scott Gifford wrote:
[...]
>> If they are going across the loopback interface, you may have to tell
>> tcpdump to read that interface. On Linux the interface is named lo,
>> so you can use "-i lo".
>
> AFAIK this doesn't work on most operating systems.
Hi Barry,
I just tried it on Linux, kernel 2.4.20, tcpdump 3.7.2, libpcap 0.7.2,
and it worked. It captured all of the traffic from the machine to
itself, not just that over 127/8, which is what a previous poster
predicted and I believe what the OP wanted. I have used this in the
past on Linux; I don't remember if I've used it on other OSes or not.
So, no guarantees, but it's worth a try.
----Scott.
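The following is an added example, not code from anyone in this thread. It turns the two practical points above (Ashish's "tcpdump -i lo port 5000" and Scott's observation that Linux delivers all host-to-itself traffic over lo, not only 127/8) into a small helper: it reads the "dev" field of Linux "ip route get" output to decide whether a destination is local, and builds the matching tcpdump command line. The "ip route get" output strings embedded below are constructed samples so the script runs offline; on a real Linux host with iproute2 the route_lookup function runs the tool instead. The function and variable names are mine.

```python
"""Choose the capture interface for traffic to a given IP and build the
tcpdump command line (added example; assumes Linux with iproute2)."""
import re
import shlex
import subprocess

# Constructed samples of `ip route get <addr>` output on a Linux host.
# A destination that is one of the host's own addresses is reported with
# the leading word "local" and "dev lo", even when that address is
# configured on a NIC such as eth0; a remote destination shows the NIC.
SAMPLE_ROUTE_OUTPUT = {
    "127.0.0.1":    "local 127.0.0.1 dev lo table local src 127.0.0.1 uid 1000",
    "192.0.2.10":   "local 192.0.2.10 dev lo table local src 192.0.2.10 uid 1000",
    "198.51.100.7": "198.51.100.7 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000",
}

_DEV_RE = re.compile(r"\bdev\s+(\S+)")


def egress_interface(route_line: str) -> str:
    """Return the 'dev' field from the first line of `ip route get` output."""
    m = _DEV_RE.search(route_line)
    if not m:
        raise ValueError(f"no 'dev' field in route output: {route_line!r}")
    return m.group(1)


def is_local_destination(route_line: str) -> bool:
    """True when the kernel classifies the destination as a local address,
    i.e. the packets never reach a NIC and are only visible on lo."""
    return route_line.split()[0] == "local"


def route_lookup(addr: str) -> str:
    """Real lookup via `ip route get`; falls back to the constructed samples
    when the tool is missing (e.g. a sandbox) so the demo still runs."""
    try:
        out = subprocess.run(["ip", "route", "get", addr],
                             capture_output=True, text=True, check=True).stdout
        return out.splitlines()[0]
    except (OSError, subprocess.CalledProcessError, IndexError):
        return SAMPLE_ROUTE_OUTPUT[addr]


def tcpdump_command(route_line: str, port: int, count: int = 0) -> str:
    """Build the tcpdump invocation for the destination described by
    route_line: capture on lo for local destinations (the thread's answer),
    otherwise on the egress NIC. -n avoids DNS lookups; -c bounds the run."""
    iface = "lo" if is_local_destination(route_line) else egress_interface(route_line)
    argv = ["tcpdump", "-n", "-i", iface]
    if count:
        argv += ["-c", str(count)]
    argv += ["port", str(port)]   # same BPF filter as in the thread
    return shlex.join(argv)


if __name__ == "__main__":
    for addr in SAMPLE_ROUTE_OUTPUT:
        line = route_lookup(addr)
        print(f"{addr:>14} -> {tcpdump_command(line, 5000, count=20)}")
```

The defender's point this makes explicit: a sensor or capture that only watches the NIC never sees a local process talking to a local listener, whatever IP it connected to, so host-side monitoring of such services has to include lo.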
-
Re: Capturing tcpdump for local traffic
On Jan 14, 11:19 pm, Scott Gifford wrote:
> Barry Margolin writes:
> > In article ,
> > Scott Gifford wrote:
>
> [...]
>
> >> If they are going across the loopback interface, you may have to tell
> >> tcpdump to read that interface. On Linux the interface is named lo,
> >> so you can use "-i lo".
>
> > AFAIK this doesn't work on most operating systems.
>
> Hi Barry,
>
> I just tried it on Linux, kernel 2.4.20, tcpdump 3.7.2, libpcap 0.7.2,
> and it worked. It captured all of the traffic from the machine to
> itself, not just that over 127/8, which is what a previous poster
> predicted and I believe what the OP wanted. I have used this in the
> past on Linux; I don't remember if I've used it on other OSes or not.
>
> So, no guarantees, but it's worth a try.
>
> ----Scott.
Thank you very much, guys. It works fine with the "-i lo" option.
-
Re: Capturing tcpdump for local traffic
Barry Margolin wrote:
> In article ,
> Scott Gifford wrote:
>
>
>>satish.burnwal@gmail.com writes:
>>
>>[...]
>>
>>
>>>When socket-related processes run on the same host, does it mean that
>>>the packets do not go via the network interfaces?
>>
>>If they are going across the loopback interface, you may have to tell
>>tcpdump to read that interface. On Linux the interface is named lo,
>>so you can use "-i lo".
>
>
> AFAIK this doesn't work on most operating systems.
>
b