Re: tcpdump problems

Stephen W. Thompson (thompson@isc.upenn.edu)
Thu, 16 Dec 1999 04:02:26 -0500


"Trenton D. Adams" <adamst@telusplanet.net> wrote:
>
> I noticed that on one network that I tried TCPDUMP on, it didn't work the
> way I expected!
>
> I went
>
> "tcpdump -i eth0 -x -n -l src ipaddress and dst ipaddress"
>
> Why would it not display all data going from src to dst? When I set the src

I'm at a conference (SANS, see www.sans.org) and attended a class that
looked at just this sort of thing. Some reasons that I recall for missing
data are:

* There might be missing packets if the host using tcpdump is being
overwhelmed by a high flow of packets, either because of bursty
data or because of denial of service (DoS) attacks.

* You might only see one direction of the connections if there is a
firewall blocking packets in one direction.

or

The route from A to B might be different from B to A.

or

There may be someone scanning you, say, with ACK packets for which
there *are* no preceding SYN packets. (A type of stealth scan.)

or

Someone may be spoofing packets to a destination with you as
the supposed "source". Responses to those packets will hit your
network, but you won't see the initial packets because they were never
on your network.

Your question was a bit vague. I hope, nonetheless, that this helps.

En paz,
Steve
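Two of the symptoms listed above (traffic seen in only one direction, and ACKs with no preceding SYN on the flow) can be checked mechanically over saved `tcpdump -n -l` output. The script below is an added example, not code from this thread; the capture lines are constructed, and it assumes tcpdump's default IPv4/TCP text line format.

```python
import re
from collections import defaultdict

# Default tcpdump -n text line for IPv4 TCP, e.g.
# 04:02:26.123456 IP 10.0.0.5.45000 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def analyze(lines):
    """Report two symptoms from the thread: host pairs seen in only one
    direction (firewall, asymmetric route, spoofed source) and ACK-bearing
    packets on a flow with no earlier SYN (ACK scan, or packets missed)."""
    directions = defaultdict(set)   # {src, dst} pair -> directions observed
    saw_syn = set()                 # flows (unordered 4-tuples) with a SYN so far
    ack_without_syn = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:             # non-TCP or non-IPv4 line: skip it
            continue
        src, sport, dst, dport, flags = pkt
        directions[frozenset([src, dst])].add((src, dst))
        flow = frozenset([(src, sport), (dst, dport)])
        if "S" in flags:            # SYN or SYN-ACK: handshake was captured
            saw_syn.add(flow)
        elif "." in flags and flow not in saw_syn:   # "." is tcpdump's ACK flag
            ack_without_syn.append((src, sport, dst, dport))
    one_way = sorted(next(iter(d)) for d in directions.values() if len(d) == 1)
    return {"one_way_pairs": one_way, "ack_without_syn": sorted(ack_without_syn)}

# Constructed sample capture (not real traffic): a normal handshake, an ACK
# probe with its RST reply, a SYN-ACK for a SYN we never sent, and an ICMP line.
SAMPLE = [
    "04:02:26.000001 IP 10.0.0.5.45000 > 10.0.0.9.80: Flags [S], seq 1, win 64240, length 0",
    "04:02:26.000002 IP 10.0.0.9.80 > 10.0.0.5.45000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "04:02:26.000003 IP 10.0.0.5.45000 > 10.0.0.9.80: Flags [.], ack 3, win 502, length 0",
    "04:02:26.000004 IP 192.0.2.7.1234 > 10.0.0.9.22: Flags [.], ack 1, win 1024, length 0",
    "04:02:26.000005 IP 10.0.0.9.22 > 192.0.2.7.1234: Flags [R], seq 1, win 0, length 0",
    "04:02:26.000006 IP 198.51.100.2.80 > 10.0.0.9.40000: Flags [S.], seq 9, ack 1, win 64240, length 0",
    "04:02:26.000007 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64",
]
```

Run it over a real capture with `analyze(open("capture.txt"))`, where the file holds the text output of `tcpdump -n -l`; with the sample above it reports the 198.51.100.2 pair as one-way and the 192.0.2.7 ACK as lacking a SYN.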
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu