JP Vossen on 7 Jan 2012 12:20:26 -0800


Re: [PLUG] Need Help with TCPDump

> Date: Sat, 07 Jan 2012 10:41:34 -0500
> Subject: [PLUG] Need Help with TCPDump
> I therefore tried this command on my firewall.
> tcpdump -i eth1 host

> I then used the web page to successfully send a message to the clock.

My first thought is that you are using a switch, so you simply will NOT see the traffic, no matter how PROMISC you make your interface. But that really depends on where you are doing each of the pieces.

You are running tcpdump as root or via sudo, right?

> Oddly, I'm not getting anything recorded by tcpdump.  If I drop the host
> portion and just grab everything, the address of the clock never shows up.

That really makes me think switch.

> Could somebody suggest what I'm doing wrong, or some other approach that might
> let me figure out how this thing communicates?

> Ideally, I want to be able to directly send messages to the clock, without
> using the company's web service.

What pieces are where?  You've got:
	firewall, with NAT
		So, incoming rule so vendor can talk to clock?
		What FW?
	External web site

My knee-jerk reaction is to simplify. If you have an old **hub** laying around, plug the clock, the FW and the Sniffer into the hub, with nothing else, and sniff everything. And it has to be a real hub; some of the later ones said hub when they were really switches.

Failing that, you can try to "mirror" or "span" a port, but most low-end switches, esp. those built-in to FW/WAP appliances, can't do that. That's why we should all have an old hub or two laying around. :-)

Or you can try to do as much as possible on the choke point, in this case the FW, which is what I think you are doing. I'd think that would work, but since it seems not to be... Again, where are the pieces, as above?

Also, I'd use Wireshark instead of tcpdump. I assume you are using tcpdump on the FW for the choke point thing and because it has no GUI, and that makes sense. Once you get the traffic, you can have tcpdump write to a binary PCAP file and then read that using Wireshark, which has a ton of decoders and just makes life much easier. But if you can do the hub thing, you can sniff from the machine with the GUI & browser, so you are guaranteed to see something at least.

Then there's the whole PROMISC thing. I usually run 'gksudo wireshark' which then tells me I shouldn't do that, but it works for me. Or for tcpdump, run as root/sudo as noted above.

Side note: If you try to put a VMware VM into PROMISC mode, it'll kill it. The VMware GUI will pop up a dialog box telling you what you did and how to fix it, but in the meantime it kills all networking, including the SSH session into the VM that you ran the command from. Can you tell how often I do this to myself? Easy to fix when you see the dialog box, but if you use SSH instead of the GUI console...

Good luck,
JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
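As an added example (not from JP's reply or the original poster), the Python below reads the binary PCAP file that `tcpdump -w` produces and applies the same selection as tcpdump's `host X` filter offline, so you can check whether the clock's address ever made it into the capture before opening it in Wireshark. The capture, the clock address 192.168.1.50 and the vendor address 203.0.113.10 are constructed sample data, not values from the thread.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4  # pcap magic as read in the file's own byte order

def ipv4_frame(src, dst):
    """Minimal Ethernet + IPv4 header with no payload (sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip

def build_pcap(frames, end="<"):
    """Global header plus one record per frame, the layout `tcpdump -w` writes."""
    out = struct.pack(end + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack(end + "IIII", 1325955694 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield (ts_sec, frame) records, detecting byte order from the magic."""
    for end in ("<", ">"):
        if struct.unpack(end + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a pcap file")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def ip_endpoints(frame):
    """(src, dst) of an IPv4 frame, or None if it is not IPv4 (e.g. ARP)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src, dst = struct.unpack("!4s4s", frame[26:34])
    return ".".join(map(str, src)), ".".join(map(str, dst))

def packets_for_host(data, host):
    """Same selection as tcpdump's `host X`, applied to a saved capture."""
    hits = []
    for ts, frame in read_pcap(data):
        ep = ip_endpoints(frame)
        if ep and host in ep:
            hits.append((ts, ep))
    return hits

# Constructed sample: .50 stands in for the clock, 203.0.113.10 for the vendor
# web service; the middle frame is unrelated LAN traffic that should be ignored.
SAMPLE = build_pcap([ipv4_frame("192.168.1.50", "203.0.113.10"),
                     ipv4_frame("192.168.1.20", "192.168.1.1"),
                     ipv4_frame("203.0.113.10", "192.168.1.50")])
```

To run it on a real file, replace `SAMPLE` with `open("clock.pcap", "rb").read()`; an empty result for the clock's address means the sniffer's port never saw that traffic, which is the switch symptom described above.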