
I have 2 servers (serv1, serv2) that communicate, and I'm trying to sniff packets matching certain criteria that get transferred from serv1 to serv2. Tshark is installed on my Desktop (desk1). I have written the following script:

while true; do
    # Capture for 10 s; the filter is single-quoted so the inner "OPTIONS" quotes survive the shell
    tshark -a duration:10 -i eth0 -R '(sip.CSeq.method == "OPTIONS") && (sip.Status-Code) && ip.src eq serv1' -T fields -e sip.response-time > "response.time.$(date +%F-%T)"
done

This script seems to run fine when run on serv1 (since serv1 is sending packets to serv2). However, when I try to run this on desk1, it can't capture any packets. They are all on the same LAN. What am I missing?

Mike Pennington
Chander Shivdasani

3 Answers

Assuming that either serv1 or serv2 are on the same physical ethernet switch as desk1, you can sniff transit traffic between serv1 and serv2 by using a feature called SPAN (Switch Port Analyzer).

Assume your server is on FastEthernet4/2 and your desktop is on FastEthernet4/3 of the Cisco Switch... you should telnet or ssh into the switch and enter these commands...

4507R#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

4507R(config)#monitor session 1 source interface fastethernet 4/2
!--- This configures interface Fast Ethernet 4/2 as source port.

4507R(config)#monitor session 1 destination interface fastethernet 4/3
!--- This configures interface Fast Ethernet 4/3 as destination port.

4507R#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa4/2
Destination Ports : Fa4/3

4507R#

This feature is not limited to Cisco devices... Juniper / HP / Extreme and other Enterprise ethernet switch vendors also support it.

Mike Pennington

How about using the misnamed tcpdump, which will capture all traffic from the wire? What I suggest doing is just capturing packets on the interface. Do not filter at the capture level. Afterwards you can filter the pcap file. Something like this:

tcpdump -w myfile.pcap -n -nn -i eth0
Adrian Cornish

If your LAN is a switched network (most are) or your desktop NIC doesn't support promiscuous mode, then you won't be able to see any of the packets. Verify both of those things.

Jake Feasel
  • Can this be a problem even when the same script is run on serv1? My initial guess was that -i eth0 would be causing the problem. Does my command look ok? – Chander Shivdasani Nov 29 '11 at 05:04
  • Well, the problem of a switched network won't be a factor on serv1, since the packets are intended to flow to/from that machine (so the switch will of course be sending traffic to it). On desk1, the switch (if it exists) won't recognize your machine as a legitimate receiver of the packets, so it won't send them to you. That is the main difference between running on serv1 and desk1. – Jake Feasel Nov 29 '11 at 05:11
  • This problem has nothing to do with promiscuous mode; if the switch has learned the destination mac-address of the servers, by default ethernet switches only send traffic to the port with that mac-address on it. – Mike Pennington Nov 29 '11 at 09:45
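Putting Adrian's advice (capture everything first, filter the file afterwards) and Jake's check (confirm the interface actually enters promiscuous mode) into one script, as an added example that is not code from the question or any of the answers. It assumes tshark, tcpdump and coreutils `timeout` are installed, that the interface name and serv1's address are passed as arguments, and that it runs with capture privileges; it cannot change the fact that on a switched LAN the switch still has to mirror the traffic to desk1's port (SPAN) before anything arrives.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Assumptions: tshark, tcpdump and coreutils timeout are installed; IFACE and SERV1
# (an IP address or resolvable name) come from the caller; capture privileges are present.

# Display filter for SIP responses to OPTIONS sent by serv1. Single quotes on the
# outside keep the inner "OPTIONS" quotes intact, which the original script lost.
build_sip_filter() {
    printf '(sip.CSeq.method == "OPTIONS") && (sip.Status-Code) && ip.src eq %s' "$1"
}

# True when an "ip link show DEV" line carries the PROMISC flag.
has_promisc_flag() {
    case "$1" in
        *PROMISC*) return 0 ;;
        *)         return 1 ;;
    esac
}

# One capture window: record everything on the wire unfiltered, then filter the file
# offline (-Y is the display filter on current tshark; older releases used -R as in the question).
capture_window() {
    iface="$1"; src="$2"; seconds="$3"
    stamp=$(date +%F-%T)
    pcap="capture.$stamp.pcap"
    timeout "$seconds" tcpdump -i "$iface" -n -w "$pcap"
    tshark -r "$pcap" -Y "$(build_sip_filter "$src")" -T fields -e sip.response-time \
        > "response.time.$stamp"
}

# Ask the kernel for promiscuous mode, confirm the flag appears, then capture in 10 s windows.
capture_loop() {
    iface="$1"; src="$2"
    ip link set dev "$iface" promisc on
    if ! has_promisc_flag "$(ip link show "$iface")"; then
        echo "warning: $iface did not enter promiscuous mode" >&2
    fi
    while true; do
        capture_window "$iface" "$src" 10
    done
}

# Usage: sh sniff_sip.sh eth0 serv1   (nothing runs when called without arguments)
if [ $# -ge 2 ]; then
    capture_loop "$1" "$2"
fi
```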