tcpdump syntax...

evo22 · #1 (**permalink**) 2008-01-14

I'm new to IPSO and I have two Nokia IP560s and I need to run tcpdump on some of the interfaces. What is the syntax to do so?

Thank you in advance

cciesec2006 · #2 (**permalink**) 2008-01-14

dca-Nokia-1-P[admin]# tcpdump -i eth1 -nn -n port 22
tcpdump: listening on eth1
20:00:24.894795 O 192.168.0.253.22 > 192.168.15.10.42451: P 958050273:958050337(64) ack 3650470713 win 17376 <nop,nop,timestamp 626688 244304747> [tos 0x10]
20:00:24.895436 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 64 win 9328 <nop,nop,timestamp 244304750 626688> (DF) [tos 0x10]
20:00:25.895845 O 192.168.0.253.22 > 192.168.15.10.42451: P 64:256(192) ack 1 win 17376 <nop,nop,timestamp 626690 244304750> [tos 0x10]
20:00:25.896079 O 192.168.0.253.22 > 192.168.15.10.42451: P 256:432(176) ack 1 win 17376 <nop,nop,timestamp 626690 244304750> [tos 0x10]
20:00:25.896636 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 256 win 9328 <nop,nop,timestamp 244304850 626690> (DF) [tos 0x10]
20:00:25.896814 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 432 win 9328 <nop,nop,timestamp 244304850 626690> (DF) [tos 0x10]
20:00:26.895537 O 192.168.0.253.22 > 192.168.15.10.42451: P 432:608(176) ack 1 win 17376 <nop,nop,timestamp 626692 244304850> [tos 0x10]
20:00:26.895752 O 192.168.0.253.22 > 192.168.15.10.42451: P 608:784(176) ack 1 win 17376 <nop,nop,timestamp 626692 244304850> [tos 0x10]
20:00:26.895944 O 192.168.0.253.22 > 192.168.15.10.42451: P 784:960(176) ack 1 win 17376 <nop,nop,timestamp 626692 244304850> [tos 0x10]
20:00:26.896134 O 192.168.0.253.22 > 192.168.15.10.42451: P 960:1136(176) ack 1 win 17376 <nop,nop,timestamp 626692 244304850> [tos 0x10]
20:00:26.896692 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 608 win 9328 <nop,nop,timestamp 244304950 626692> (DF) [tos 0x10]
20:00:26.896889 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 784 win 9328 <nop,nop,timestamp 244304950 626692> (DF) [tos 0x10]
20:00:26.897088 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 960 win 9328 <nop,nop,timestamp 244304950 626692> (DF) [tos 0x10]
20:00:26.897226 I 192.168.15.10.42451 > 192.168.0.253.22: . ack 1136 win 9328 <nop,nop,timestamp 244304950 626692> (DF) [tos 0x10]
^C
76 packets received by filter
0 packets dropped by kernel
dca-Nokia-1-P[admin]#

icarus · #3 (**permalink**) 2008-01-15

Alternatively you can also use fw monitor.

More on fw monitor:
http://www.checkpoint.com/techsuppor...or_rev1_01.pdf

And then a little help when creating those hard to encode fw monitor input strings:
http://www.decock.org/ginspect/index...nfo=TRUE&mode=

have fun!

chillyjim · #4 (**permalink**) 2008-01-15

Also see our resource page at cpug (http://www.cpug.org/check_point_resources.htm) for some good how-tos

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode