> I noticed that on one network that I tried TCPDUMP on, it didn't work the
> way I expected!
> I went
> "tcpdump -i eth0 -x -n -l src ipaddress and dst ipaddress"
> Why would it not display all data going from src to dst? When I set the src

I'm at a conference (SANS, see and attended a class that
at just this sort of thing. Some reasons that I recall for missing data

* There might be missing packets if the host using tcpdump is being
overwhelmed by a high flow of packets, either because of bursty
data or because of denial of service (DoS) attacks.

* You might only see one direction of the connections if there is a
firewall blocking packets in one direction.


* The route from A to B might be different from B to A.

* There may be someone scanning you, say, with ACK packets for which
there *are* no preceding SYN packets. (A type of stealth scan.)

* Someone may be spoofing packets to a destination with you as
the supposed "source". Responses to those packets will hit your
but you won't see the initial packets because they were never on your

Your question was a bit vague. I hope, nonetheless, that this helps.
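
The following is an added example, not part of the original message: a small Python triage that groups captured TCP packets by connection and labels the patterns listed above (traffic seen in one direction only, an ACK with no preceding SYN, a reply to a packet that was never seen locally). The addresses, the `LOCAL` host, the record layout and the label names are assumptions constructed for illustration.

```python
from collections import defaultdict

LOCAL = "192.0.2.10"  # assumed address of the capturing host (documentation range)

# Constructed sample records, as could be transcribed from `tcpdump -n` output:
# (src, sport, dst, dport, flags) with S=SYN, A=ACK, R=RST.
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, "S"),    # complete handshake
    ("198.51.100.5", 80, "192.0.2.10", 40000, "SA"),
    ("192.0.2.10", 40000, "198.51.100.5", 80, "A"),
    ("192.0.2.10", 40001, "198.51.100.6", 443, "S"),   # SYN retried, no reply seen
    ("192.0.2.10", 40001, "198.51.100.6", 443, "S"),
    ("203.0.113.7", 5555, "192.0.2.10", 22, "A"),      # bare ACK, no SYN before it
    ("203.0.113.9", 80, "192.0.2.10", 31337, "SA"),    # answer to a SYN we never sent
]

def conn_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify(packets, local=LOCAL):
    """Label each connection with the likeliest reason its capture looks incomplete."""
    conns = defaultdict(lambda: {"senders": set(), "syn_seen": False, "first": None})
    for src, sport, dst, dport, flags in packets:
        c = conns[conn_key(src, sport, dst, dport)]
        c["senders"].add(src)
        if c["first"] is None:
            c["first"] = (src, set(flags))
        if "S" in flags and "A" not in flags:
            c["syn_seen"] = True
    labels = {}
    for key, c in conns.items():
        first_src, first_flags = c["first"]
        inbound_orphan = not c["syn_seen"] and first_src != local
        if inbound_orphan and first_flags == {"A"}:
            labels[key] = "ack-without-syn"          # the ACK scan case
        elif inbound_orphan and ({"S", "A"} <= first_flags or "R" in first_flags):
            labels[key] = "reply-to-unseen-packet"   # the spoofed-source case
        elif len(c["senders"]) == 1:
            labels[key] = "one-direction-only"       # firewall or asymmetric route
        else:
            labels[key] = "normal"
    return labels

if __name__ == "__main__":
    for key, label in classify(SAMPLE).items():
        print(key, label)
```

A capture that starts in the middle of an established connection also produces `ack-without-syn`, so the labels are only meaningful for connections whose start falls inside the capture window.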

