Capturing tcpdump for local traffic - TCP-IP



Thread: Capturing tcpdump for local traffic

  1. Capturing tcpdump for local traffic

    Hi All,
    I am somewhat new to tcpdump capturing. I have a server listener on a
    Linux box running on port, say, 5000. All the traffic to this port is
    from another process on the same host and from any other host. My
    question is: can the traffic/packets for this port be captured? How?
    tcpdump does not seem to be working in this case. When socket-related
    processes run on the same host, does it mean that the packets do not go
    via the network interfaces?

    Thanks
    -Satish

  2. Re: Capturing tcpdump for local traffic

    On Sat, 12 Jan 2008 04:51:59 -0800, satish.burnwal wrote:

    > Hi All,
    > I am somewhat new to tcpdump capturing. I have a server listener on a
    > linux box running on port say 5000. All the traffic to this port is from
    > another process on the same host and from any other host. My question is
    > can the traffic/packets for this port be captured? How? tcpdump does not
    > seem to be working in this case. when socket related process run on the
    > same host, does it mean that the packets do not go via the network
    > interfaces?


    Traffic from a host to the same host always goes over the loopback
    interface, even if the IP used to connect belongs to another interface.

    HTH,
    M4

  3. Re: Capturing tcpdump for local traffic

    satish.burnwal@gmail.com writes:

    [...]

    > when socket related process run on the same host, does it mean that
    > the packets do not go via the network interfaces?


    If they are going across the loopback interface, you may have to tell
    tcpdump to read that interface. On Linux the interface is named lo,
    so you can use "-i lo".

    ----Scott.

  4. Re: Capturing tcpdump for local traffic

    In article ,
    Scott Gifford wrote:

    > satish.burnwal@gmail.com writes:
    >
    > [...]
    >
    > > when socket related process run on the same host, does it mean that
    > > the packets do not go via the network interfaces?

    >
    > If they are going across the loopback interface, you may have to tell
    > tcpdump to read that interface. On Linux the interface is named lo,
    > so you can use "-i lo".


    AFAIK this doesn't work on most operating systems.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  5. Re: Capturing tcpdump for local traffic


    >>>>> "satish" == satish burnwal writes:

    satish> Hi All,
    satish> I am somewhat new to tcpdump capturing. I have a server listener on a
    satish> linux box running on port say 5000. All the traffic to this port is
    satish> from another process on the same host and from any other host. My
    satish> question is can the traffic/packets for this port be captured? How?
    satish> tcpdump does not seem to be working in this case. when socket related
    satish> process run on the same host, does it mean that the packets do not go
    satish> via the network interfaces?

    It would be great if you had posted the command which you're
    trying. Anyway, if both endpoints of the connection are on the same box
    then traffic is routed via the loopback (lo) interface, so you need to
    listen for traffic on the 'lo' interface. The following command line will help
    you do this:

    # tcpdump -i lo port 5000

    satish> Thanks
    satish> -Satish

    HTH
    --
    Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
    ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --

  6. Re: Capturing tcpdump for local traffic

    Barry Margolin wrote:
    > AFAIK this doesn't work on most operating systems.


    True, although IIRC Linux is an exception. On HP-UX at least, where
    one indeed cannot run tcpdump against the loopback interface, if one
    doesn't want to use nettl, for traffic to local IPs at least (other
    than 127.0.0.1) it is possible to set an ndd variable that will cause
    the stack to send the packets to be looped back by the driver rather
    than by IP. This then makes them flow past the promiscuous tracing
    taps. (Note that this does not cause them to be sent out onto the NIC
    or network, only to be looped back by the driver.)

    rick jones
    --
    firebug n, the idiot who tosses a lit cigarette out his car window
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  7. Re: Capturing tcpdump for local traffic

    Barry Margolin writes:

    > In article ,
    > Scott Gifford wrote:


    [...]

    >> If they are going across the loopback interface, you may have to tell
    >> tcpdump to read that interface. On Linux the interface is named lo,
    >> so you can use "-i lo".

    >
    > AFAIK this doesn't work on most operating systems.


    Hi Barry,

    I just tried it on Linux, kernel 2.4.20, tcpdump 3.7.2, libpcap 0.7.2
    and it worked. It captured all of the traffic from the machine to
    itself, not just that over 127/8, which is what a previous poster
    predicted and I believe what the OP wanted. I have used this in the
    past on Linux, I don't remember if I've used it on other OS's or not.

    So, no guarantees, but it's worth a try.

    ----Scott.

  8. Re: Capturing tcpdump for local traffic

    On Jan 14, 11:19 pm, Scott Gifford wrote:
    > Barry Margolin writes:
    > > In article ,
    > > Scott Gifford wrote:

    >
    > [...]
    >
    > >> If they are going across the loopback interface, you may have to tell
    > >> tcpdump to read that interface. On Linux the interface is named lo,
    > >> so you can use "-i lo".

    >
    > > AFAIK this doesn't work on most operating systems.

    >
    > Hi Barry,
    >
    > I just tried it on Linux, kernel 2.4.20, tcpdump 3.7.2, libpcap 0.7.2
    > and it worked. It captured all of the traffic from the machine to
    > itself, not just that over 127/8, which is what a previous poster
    > predicted and I believe what the OP wanted. I have used this in the
    > past on Linux, I don't remember if I've used it on other OS's or not.
    >
    > So, no guarantees, but it's worth a try.
    >
    > ----Scott.


    Thank you very much, guys. It works fine with the "-i lo" option.

  9. Re: Capturing tcpdump for local traffic

    Barry Margolin wrote:
    > In article ,
    > Scott Gifford wrote:
    >
    >
    >>satish.burnwal@gmail.com writes:
    >>
    >>[...]
    >>
    >>
    >>>when socket related process run on the same host, does it mean that
    >>>the packets do not go via the network interfaces?

    >>
    >>If they are going across the loopback interface, you may have to tell
    >>tcpdump to read that interface. On Linux the interface is named lo,
    >>so you can use "-i lo".

    >
    >
    > AFAIK this doesn't work on most operating systems.
    >

    b
