On 16.05.2007 15:47, Ola Lundqvist wrote:
> There are a couple of things to do:
> * Do not run in graphic mode. Instead run in text mode, because the kernel
>   may print information there.
> * In order to sniff the traffic you need the following:
>   - An extra Linux PC with tcpdump installed (or the firewall if you can
>     install tcpdump there).
>   - Access to the traffic. This means that you should use a hub (not a switch)
>     or a switch where you can redirect all traffic to a certain port. If you
>     have the possibility to install tcpdump on the remote side of the
>     laptop then that will of course have access to the traffic as well.
>   - On the server run
>       tcpdump -n -i ethX
> I think that is enough. You will see all traffic sent back and forth.
> See man tcpdump for more information about options, disc logging etc.

Since I'll capture the traffic on my router which is connected to the
internet via DSL, should I sniff the traffic on ppp0 or the eth0 (the NIC
connected to the DSL modem)?

Both will give you different output. Sniffing on ppp0 will give you lines
like

17:03:39.348240 IP 85.178.96.22 > 130.149.145.10: GREv1, call 50048, seq 497690, ack 957204, length 73: compressed PPP data
17:03:39.349089 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.349097 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.351072 IP 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 957206, ack 497626, length 744: compressed PPP data
17:03:39.353123 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.353131 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.354238 IP 85.178.96.22 > 130.149.145.10: GREv1, call 50048, seq 497691, ack 957206, length 73: compressed PPP data
17:03:39.355073 IP 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 957207, length 744: compressed PPP data
17:03:39.357123 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.357132 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.357137 IP 130.149.145.10 > 192.168.1.32: gre
17:03:39.357142 IP 130.149.145.10 > 192.168.1.32: gre

while sniffing on ppp0 will give you

17:06:17.664578 PPPoE [ses 0x648] IP 85.178.96.22 > 130.149.145.10: GREv1, call 50048, seq 521743, ack 1003988, length 73: compressed PPP data
17:06:17.665804 PPPoE [ses 0x648] IP truncated-ip - 512 bytes missing! 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003989, length 744: compressed PPP data
17:06:17.667792 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown (0x22f4), length 778:
        0x0000: 00a0 cc75 0255 0800 4500 02f4 927f 205d ...u.U..E......]
        0x0010: 362f f996 8295 910a c0a8 0120 7d68 3aca 6/..........}h:.
        0x0020: d8c4 03f7 5f9d 5e4c 3b2d 606e 1d24 0cb1 ...._.^L;-`n.$..
        0x0030: 92f8 7bab 8bef e611 53f2 632d 2e52 de6a ..{.....S.c-.R.j
        0x0040: b5a8 9fae 8e5c 94d7 64ba 15bf 947e 85cb .....\..d....~..
        0x0050: 61d3 a.
17:06:17.667799 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown (0x22f4), length 75:
        0x0000: 00a0 cc75 0255 0800 4500 0035 927f 00b9 ...u.U..E..5....
        0x0010: 362f 1bfa 8295 910a c0a8 0120 1e09 b727 6/.............'
        0x0020: 54eb 0d89 73f0 3767 1462 2dd5 1c1c 68ac T...s.7g.b-...h.
        0x0030: 41e5 76a3 1e7a 0218 3046 1ba9 5d A.v..z..0F..]
17:06:17.671972 PPPoE [ses 0x648] IP truncated-ip - 512 bytes missing! 130.149.145.10 > 85.178.96.22: GREv1, call 0, seq 1003990, ack 521683, length 744: compressed PPP data
17:06:17.672049 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown (0x22f4), length 778:
        0x0000: 00a0 cc75 0255 0800 4500 02f4 9280 205d ...u.U..E......]
        0x0010: 362f f995 8295 910a c0a8 0120 ed9e 33a3 6/............3.
        0x0020: 9114 d298 bd67 4ef6 cd8b 4ea1 4e89 187c .....gN...N.N..|
        0x0030: c002 75b6 386e 09e6 22f1 b95a fbf5 7c14 ..u.8n.."..Z..|.
        0x0040: fb22 5c88 5a7c e425 a33c fd45 6744 0196 ."\.Z|.%.<.EgD..
        0x0050: caf3 ..
17:06:17.672056 00:00:00:16:41:ad > 00:c0:4f:a9:ba:a5, ethertype Unknown (0x22f4), length 79:
        0x0000: 00a0 cc75 0255 0800 4500 0039 9280 00b9 ...u.U..E..9....
        0x0010: 362f 1bf5 8295 910a c0a8 0120 2669 32c4 6/..........&i2.
        0x0020: dd09 1cc0 6d4f 0797 0eac 64da 723f 4f08 ....mO....d.r?O.
        0x0030: c9f5 6995 7fd9 2420 607c 3508 fa6a e044 ..i...$.`|5..j.D
        0x0040: bf

Cheers,

Bastian

--
Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org
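
Added example (not part of the original message): a Python sketch of why a capture on the Ethernet NIC facing the DSL modem and a capture on ppp0 print different things. On the NIC each packet still carries Ethernet, PPPoE and PPP framing, while ppp0 delivers the bare IP packet with PPTP's GRE version 1 header. The function names and the sample packet are constructed for illustration; the addresses, call ID, sequence numbers and session ID are borrowed from the output above.

```python
import socket
import struct

# Added illustration; function names and the sample packet are constructed.
ETH_PPPOE_SESSION = 0x8864  # ethertype of PPPoE session-stage frames
PPP_IPV4 = 0x0021           # PPP protocol number for IPv4
IPPROTO_GRE = 47

def parse_ppp0_packet(pkt):
    """Decode a bare IPv4 packet (ppp0 view) carrying PPTP's GRE version 1."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("not an IPv4 packet with room for a GRE header")
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("IP payload is not GRE")
    flags, _ptype, payload_len, call = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    info.update(gre_version=flags & 0x7, call=call, payload_len=payload_len)
    off = ihl + 8
    if flags & 0x1000:  # S bit: sequence number present
        info["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & 0x0080:  # A bit: acknowledgment number present
        info["ack"] = struct.unpack("!I", pkt[off:off + 4])[0]
    return info

def parse_eth0_frame(frame):
    """Strip Ethernet + PPPoE + PPP framing (eth0 view), then decode as above."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    _ver_type, _code, session, length, ppp_proto = struct.unpack("!BBHHH", frame[14:22])
    if ppp_proto != PPP_IPV4:
        raise ValueError("PPP payload is not IPv4")
    info = parse_ppp0_packet(frame[22:20 + length])  # length includes the PPP protocol field
    info["pppoe_session"] = session
    return info

def build_sample():
    """Constructed packet; addresses, call, seq, ack and session mirror the output above."""
    payload = bytes(8)  # stand-in for the compressed PPP data
    gre = struct.pack("!HHHHII", 0x3081, 0x880B, len(payload), 50048, 497690, 957204) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IPPROTO_GRE, 0,
                     socket.inet_aton("85.178.96.22"), socket.inet_aton("130.149.145.10")) + gre
    pppoe = struct.pack("!BBHHH", 0x11, 0, 0x0648, len(ip) + 2, PPP_IPV4)
    return ip, bytes(12) + struct.pack("!H", ETH_PPPOE_SESSION) + pppoe + ip

if __name__ == "__main__":
    ip_pkt, eth_frame = build_sample()
    print("ppp0:", parse_ppp0_packet(ip_pkt))
    print("eth0:", parse_eth0_frame(eth_frame))
```

The IP checksum in the sample is left at zero because the parser does not verify it. Either capture point exposes the same GRE call and sequence fields; the PPP data inside remains compressed.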