topic Re: outgoing traffic logging with tcpdump in Operating System - HP-UX

outgoing traffic logging with tcpdump

Rosli Ahmad — Wed, 02 Apr 2003 02:43:19 GMT

Hi,
I need to log outgoing traffic from my RHL 8 box thru tcpdump. I've tried tcpdump -p -i eth0 dst net xxx.xx, but I just keep getting the following messages running.
10:39:53.629112 xxx.xx.xx.xx.1182 > jumpoff.ssh: . ack 48092 win 64240 (DF)
10:39:53.640372 jumpoff.ssh > xxx.xx.xx.xx.1182: P 48092:48288(196) ack 1 win 6432 (DF) [tos 0x10]
10:39:53.652068 jumpoff.ssh > xxx.xx.xx.xx.1182: P 48288:48404(116) ack 1 win 6432 (DF) [tos 0x10]
10:39:53.652502 xxx.xx.xx.xx.1182 > jumpoff.ssh: . ack 48404 win 63928 (DF)
10:39:53.663808 jumpoff.ssh > xxx.xx.xx.xx.1182: P 48404:48600(196) ack 1 win 6432 (DF) [tos 0x10]
10:39:53.675520 jumpoff.ssh > xxx.xx.xx.xx.1182: P 48600:48716(116) ack 1 win 6432 (DF) [tos 0x10]

This is not what I want, it's too details and eating up my diskspace should I keeping logging them. I just need to know the time, target address and who the made the connection to other hosts via this box. Simple task I believe. Pls advise on what option should I use. I need this very URGENTLY, live or death kinda situation.
Thank you.

Re: outgoing traffic logging with tcpdump

Sridhar Bhaskarla — Wed, 02 Apr 2003 03:13:48 GMT

Hi,

I do not remember the filtering syntax on top of my head

You would need to use filters. Following may help you

tcpdump ip and not host xx.xx.xx.xx

Replace xx.xx.xx.xx with your local IP.

-Sri

Re: outgoing traffic logging with tcpdump

Sridhar Bhaskarla — Wed, 02 Apr 2003 03:16:32 GMT

Hi,

Also look at the following man page of 'tcpdump' filtering to get more details.

http://www.ethereal.com/tcpdump.8.html

-Sri

Re: outgoing traffic logging with tcpdump

S.K. Chan — Wed, 02 Apr 2003 03:25:08 GMT

Take a look at the first couple of examples. It may be what you wanted.
http://www.tcpdump.org/tcpdump_man.html