
Conference smurf::dec_mls_plus

Title:dec_mls_plus
Moderator:SMURF::BAT
Created:Mon Nov 29 1993
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:534
Total number of notes:2544

461.0. "tcpdump quick reference" by SMURF::BAT (Segui la tua beatitudine) Tue Mar 18 1997 18:20

Run tcpdump to capture network traffic between two hosts.

    (In V3.1a tcpdump must be run on a machine on the same LAN
    but not involved in the network traffic you are trying to
    capture. With V4, you can monitor yourself.)

    a)  on an unrelated MLS machine, configure the kernel to include
        the option "packetfilter".

    b)  reboot using the new kernel

    c)  # cd /dev; ./MAKEDEV pfilt

    d)  # tcpdump -w <filename> -s 256 -N ip host <client> and host <master>

    e)  reproduce the hang

    f)  exit out of tcpdump and send <filename> to us.


MORE:

    Here are some useful commands to monitor the ethernet, if you have
    tcpdump at your disposal.
    
    To see if you can monitor the ethernet:
    
    # pfconfig -a
    
    To enable monitoring (assuming kernel is built with packetfilter etc.)
    
    # pfconfig +p ln0    # or whatever your ethernet adaptor is
                         # (nothing if you want the default)

    For Ethernet monitoring:
    
    To define the association between hostname and ethernet address:
    
    # arp -s sidney 08:00:2b:30:a7:ae	# i.e., hostname ethernet address
    
    To capture and display all the activity on the ethernet wire that has
    to do with a given ethernet address:
    
    # /tcb/bin/tcpdump -l -s 200 ether host 08:00:2b:30:a7:ae | tee \
        /usr/tmp/tcpdump.log
    
    For IP monitoring:

    To capture and display the IP traffic associated with a given host:
    
    # /tcb/bin/tcpdump -l -s 200 ip host sidney | tee /usr/tmp/tcpdump.log
    
    To capture and display the IP traffic between two hosts, sidney 
    and gorilla, in hex, with verbose output, without the timestamps
    on each line, displaying the first 128 bytes from the packet:

    # /tcb/bin/tcpdump -xvts128 ip host sidney and gorilla | tee /usr/tmp/log
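As an added example (not part of the original note), the following Python script reads the file written by `tcpdump -w` in step d) and summarises which hosts talked to each other and how many packets the `-s 256` snaplen cut short. It assumes the file is in libpcap savefile format with an Ethernet link type; the two-packet capture it builds is constructed inline so the script runs offline.

```python
import struct
from collections import Counter

def parse_pcap(data):
    """Yield (src_ip, dst_ip, ip_total_len, caplen) for each IPv4 packet."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a libpcap savefile")
    if struct.unpack(end + "HHiIII", data[4:24])[5] != 1:  # 1 = DLT_EN10MB
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]  # IP total length
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield src, dst, total_len, caplen

def summarize(data):
    """Packets per unordered host pair, plus how many the snaplen truncated."""
    pairs, truncated = Counter(), 0
    for src, dst, total_len, caplen in parse_pcap(data):
        pairs[tuple(sorted((src, dst)))] += 1
        if total_len + 14 > caplen:  # on-wire frame longer than the saved bytes
            truncated += 1
    return pairs, truncated

def _frame(src, dst, payload_len):
    """Constructed Ethernet/IPv4 frame (UDP protocol number, zero payload)."""
    eth = bytes.fromhex("08002b30a7ae") + bytes.fromhex("08002b000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * payload_len

def build_sample_capture(snaplen=256):
    """Constructed two-packet capture, as 'tcpdump -w file -s 256' would save it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (s, d, plen) in enumerate([("10.0.0.1", "10.0.0.2", 40),
                                      ("10.0.0.2", "10.0.0.1", 1400)]):
        frame = _frame(s, d, plen)
        caplen = min(len(frame), snaplen)  # -s keeps only the first bytes
        out += struct.pack("<IIII", 100 + i, 0, caplen, len(frame)) + frame[:caplen]
    return out
```

Run `summarize(open("<filename>", "rb").read())` on a real capture; a high truncated count means the snaplen was too small for the protocol data you wanted to see.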
    
    