Freebsd – tcpdump don’t show src and dst address

freebsdtcpdump

I'm having a problem with a tcpdump. The output is:

21:53:53.877873 MPLS (label 266837, exp 0, [S], ttl 255), IP, length: 193
21:53:53.878037 MPLS (label 326819, exp 0, [S], ttl 255), IP, length: 1332
21:53:53.878037 MPLS (label 326819, exp 0, [S], ttl 255), IP, length: 1332
21:53:53.878050 MPLS (label 326819, exp 0, [S], ttl 255), IP, length: 1332
21:53:53.878070 MPLS (label 326819, exp 0, [S], ttl 255), IP, length: 1332
21:53:53.878149 MPLS (label 326819, exp 0, [S], ttl 255), IP, length: 1332
21:53:53.878430 MPLS (label 279951, exp 0, [S], ttl 255), IP, length: 50

And not the expected:

22:08:12.029608 IP 10.57.169.224.49612 > 68.171.231.64.51620: Flags [.], ack 2761, win 65535, length 0
22:08:12.029620 IP 10.57.169.224.49612 > 68.171.231.64.51620: Flags [.], ack 4141, win 65535, length 0
22:08:12.029631 IP 10.57.169.224.49612 > 68.171.231.64.51620: Flags [.], ack 5521, win 65535, length 0
22:08:12.029657 IP 206.51.26.193.19063 > 10.45.14.157.19060: UDP, length 386
22:08:12.029694 IP 206.51.26.193.19064 > 10.56.143.63.19060: UDP, length 1300

So, with this output, the host filter don't work.

When i put the -v option or -vv option, i get the IP's (src and dest):

21:54:04.727826 MPLS (label 299984, exp 0, [S], ttl 255)
        IP (tos 0x0, ttl 55, id 26147, offset 0, flags [DF], proto TCP (6), length 1500)
    72.21.91.19.http > 186.165.14.97.42408: Flags [.], seq 702450604:702452064, ack 2572860166, win 245, length 1460
21:54:04.727867 MPLS (label 262205, exp 0, [S], ttl 255)
        IP (tos 0x48, ttl 252, id 357, offset 0, flags [none], proto UDP (17), length 1328)
    10.101.12.105.19060 > 206.51.26.193.19061: UDP, length 1300
21:54:04.727880 MPLS (label 279961, exp 0, [S], ttl 255)
        IP (tos 0x0, ttl 49, id 50980, offset 0, flags [DF], proto TCP (6), length 109)
    69.167.149.108.9933 > 181.185.41.153.53120: Flags [P.], seq 3203122401:3203122470, ack 2844602734, win 63504, length 69
21:54:04.727891 MPLS (label 264603, exp 0, [S], ttl 255)
        IP (tos 0x0, ttl 81, id 59423, offset 0, flags [DF], proto TCP (6), length 200)
    69.171.247.29.https > 186.25.255.129.50605: Flags [P.], seq 2597755680:2597755840, ack 2375027064, win 35, length 160

But -v and -vv option don't work with -w option, so the filter don't work and the file generated is empty.

Anyone know how to make the tcpdump print the IP's and host filter works?

I'm using SVOS 9.20.0200 (FreeBSD 8.2 based), tcpdump version 4.0.0 and libpcap version 1.0.0

Best Answer

Host filtering in tcpdump works on MPLS-prefixed packets if you specify "mpls" before the "host" primitive.

$ tcpdump 'mpls and host example.com'

$ tcpdump 'host example.com or (mpls and host example.com)'

if you're dealing with packets with and without the MPLS prefix.

Related Solutions

Tcpdump and https

https://facebook.com redirects to https://www.facebook.com which has a different IP Address than facebook.com. There is also ssl.facebook.com but I am not sure what it is used for:

$ host facebook.com
facebook.com has address 69.171.229.11
facebook.com has address 69.171.224.37
facebook.com has address 66.220.158.11
facebook.com has address 66.220.149.11
facebook.com has address 69.171.242.11
facebook.com has IPv6 address 2a03:2880:10:1f02:face:b00c:0:25
facebook.com has IPv6 address 2a03:2880:2110:3f01:face:b00c::
facebook.com has IPv6 address 2a03:2880:10:8f01:face:b00c:0:25
facebook.com mail is handled by 10 smtpin.mx.facebook.com.

$ host www.facebook.com
www.facebook.com has address 69.171.237.16
www.facebook.com has IPv6 address 2a03:2880:10:1f03:face:b00c:0:25

$ host ssl.facebook.com
ssl.facebook.com is an alias for star.facebook.com.
star.facebook.com has address 69.171.234.39
star.facebook.com has IPv6 address 2a03:2880:10:cf02:face:b00c:0:4

For java.com on the other hand the entries are the same for both www.java.com and java.com:

$ host java.com             
java.com has address 137.254.16.66
java.com mail is handled by 10 mx5.sun.com.
java.com mail is handled by 10 mx6.sun.com.
java.com mail is handled by 10 mx8.sun.com.
java.com mail is handled by 10 mx9.sun.com.

$ host www.java.com                                                                               
www.java.com is an alias for java.com.
java.com has address 137.254.16.66
java.com mail is handled by 10 mx5.sun.com.
java.com mail is handled by 10 mx6.sun.com.
java.com mail is handled by 10 mx8.sun.com.
java.com mail is handled by 10 mx9.sun.com.

Shell – Running tcpdump, tee and scp

The tee command writes data to the output file as it receives it, but scp copies the file immediately and only copies it once. Since every command in the pipeline runs simultaneously (or nearly so), you only get a few (or no) packets output to the capture.txt file before the file gets copied by scp.

There are a couple ways to do what you seem to want to do.

If you want to copy a few packets from tcpdump, and then transfer the file to the remote host after it finishes, you can use the -c option to terminate tcpdump after it captures that number of packets. Separate your scp command from the pipeline using a semi colon so it gets executed after the tcpdump and tee commands complete:

tcpdump -l -c 10  | tee  /tmp/capture.txt; scp /tmp/capture.txt root@remotehost:/tmp

Or, if you want to see packets in real-time and also copy them in realtime, you could use tee to output the packets to /dev/tty so you can see them, and them pipe them into an ssh command that writes them to a file on the remote host:

tcpdump -l   | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"

Note that without the -c option here, tcpdump will run until you kill it.

If you wanted the packets stored in a local capture.txt file as well as the remote, you could use multiple tee commands:

tcpdump -l   | tee /tmp/capture.txt | tee /dev/tty | ssh root@remotehost "cat > /tmp/capture.txt"

Best Answer

Related Solutions

Tcpdump and https

Shell – Running tcpdump, tee and scp

Related Question