
What I need to do (via 'tcpdump' through Linux):

• ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. - This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several IP addresses/servers.

• There are other applications within this range, e.g. PayRoll App is on 192.168.1.5, and I don't want to see any of this traffic in my capture.

I have tried:

tcpdump 0 "/tmp" "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4" 100000

and also:

tcpdump 0 "/tmp" "ip.host==192.168.1.2 or ip.host==192.168.1.3 or ip.host==192.168.1.4" 100000

Both return syntax errors.

Any help is much appreciated.

Derek
  • You could also try: tcpdump -D. This will list all interfaces, if you aren't sure what interface to capture traffic on. Based on what you've tried, it seems that the 0 might be throwing it off. Also the "/tmp" and the "" when listing hosts. You shouldn't need "" to list hosts, but you do need to specify the interface prior to directories or options. – injector Nov 11 '14 at 15:27

2 Answers

The basic syntax in your case would be:

tcpdump -i <interface to capture on> <filters>

The <filters> would expand to something like:

'(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and (port 80 or port 443)'

if your eCommerce application uses ports 80 and 443 for communications. The single quotes are important; otherwise your shell might treat the brackets (), which are needed for grouping parameters, as special characters.

Adding the -v and -n parameters at the beginning (tcpdump -v -n -i ...) would add verbosity to the output and disable name resolution (which speeds up output).

the-wabbit
tcpdump -vvv -enni <interface> host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4 and port XYX -s0 -w /var/tmp/yourfile.pcap

This filter captures port XYX only for 192.168.1.4, and all traffic for the other hosts.

Paul
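Putting the two answers together, here is a small POSIX shell helper (an added example, not code from this thread) that builds the parenthesised filter for an explicit host list, checks that an address such as the PayRoll server is not part of it, and passes the whole expression to tcpdump as one argument. The interface name and output path are placeholders.

```shell
#!/bin/sh
# Added example: build a pcap-filter expression for an explicit list of hosts,
# optionally restricted to a list of ports, and hand it to tcpdump as ONE
# argument so the shell never sees the parentheses.

# build_filter "ip ip ..." ["port port ..."]
# Prints e.g. (host A or host B) and (port 80 or port 443)
build_filter() {
    hosts=$1
    ports=$2
    h=""
    for ip in $hosts; do
        h="${h:+$h or }host $ip"      # join host primitives with "or"
    done
    expr="($h)"                       # parentheses: "and" binds tighter than "or"
    if [ -n "$ports" ]; then
        p=""
        for port in $ports; do
            p="${p:+$p or }port $port"
        done
        expr="$expr and ($p)"         # ports apply to every listed host, not just the last
    fi
    printf '%s\n' "$expr"
}

# filter_excludes FILTER IP: succeeds when "host IP" appears nowhere in FILTER
filter_excludes() {
    case "$1" in
        *"host $2 "*|*"host $2)"*) return 1 ;;
    esac
    return 0
}

# capture IFACE OUTFILE "hosts" ["ports"]: run tcpdump with the generated filter.
# -nn: no name/port resolution, -s0: full packets, -w: write a pcap for later analysis.
capture() {
    iface=$1; out=$2; filter=$(build_filter "$3" "$4")
    echo "tcpdump -nn -i $iface -s0 -w $out '$filter'"
    tcpdump -nn -i "$iface" -s0 -w "$out" "$filter"   # filter is a single argument
}

# Example invocation with the thread's addresses (placeholder interface and path;
# capturing needs root or CAP_NET_RAW):
#   capture eth0 /var/tmp/ecommerce.pcap "192.168.1.2 192.168.1.3 192.168.1.4" "80 443"
```

To inspect what libpcap compiled from the expression without capturing, the same expression can be given to tcpdump -d.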