tcpdump mailing list archives
Newbie user question: Getting packets from hosts I don't want
From: KEVIN ZEMBOWER <KZEMBOWE () jhuccp org>
Date: Mon, 27 Sep 2004 10:47:33 -0400
I apologize if this list is not the appropriate place for my question, as it seems to be a list for tcpdump code developers. I couldn't find a list for user questions, but if someone points one out to me, I'll go there.

I'm trying to use tcpdump to diagnose a problem I have passing packets through a state-less firewall for the Amanda backup system. I asked our firewall administrators to open these ports:

Please open the following ports/protocols in BOTH directions, between 'centernet' and host 'www':
10080/UDP
10082/TCP
10083/TCP
880-899/UDP
50000-50040/TCP

When I run this tcpdump command on host 'www' I get packets from hosts in addition to host 'centernet':

www:~# tcpdump src host centernet.jhuccp.org and ip proto \\tcp or \\udp
tcpdump: listening on eth0
10:37:31.136686 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain: 26452+ AAAA? centernet.jhuccp.org. (38) (DF)
10:37:31.138128 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862: 26452* 0/1/0 (97) (DF)
10:37:31.139641 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain: 26453+ A? centernet.jhuccp.org. (38) (DF)
10:37:31.141236 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862: 26453* 1/2/2 A 162.129.225.192 (130) (DF)
10:37:31.145226 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain: 26454+ PTR? 10.20.129.162.in-addr.arpa. (44) (DF)
10:37:31.148669 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862: 26454* 1/2/2 (134) (DF)
10:37:31.149253 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain: 26455+ PTR? 199.225.129.162.in-addr.arpa. (46) (DF)
10:37:31.154788 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862: 26455* 1/2/2 (154) (DF)
10:37:31.156053 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain: 26456+ PTR? 192.225.129.162.in-addr.arpa. (46) (DF)
10:37:31.159108 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862: 26456 NXDomain* 0/1/0 (105) (DF)
10 packets received by filter
0 packets dropped by kernel
www:~#

I don't understand why I'm seeing the packets from ns1.jhmi.edu, the DNS server, when I specified the source host should be 'centernet'. In this example, I haven't yet sent packets from centernet, so I'm not upset that they didn't appear.

Finally, would anyone be generous enough to help me write the tcpdump statement that I can run on www which would allow me to show the results of testing the ports in my statement to my firewall administrators?

Thank you all for your help and advice. And, thank you for working on this very useful tool.

-Kevin Zembower

-----
E. Kevin Zembower
Internet Systems Group manager
Johns Hopkins University
Bloomberg School of Public Health
Center for Communications Programs
111 Market Place, Suite 310
Baltimore, MD 21202
410-659-6139

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
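A worked illustration of the grouping behind the stray DNS packets, added here as an example; it is not part of the thread and not tcpdump's own code. pcap-filter(7) gives 'and' and 'or' equal precedence, associating left to right, so the expression in the post parses as '(src host centernet.jhuccp.org and ip proto \tcp) or \udp': the source-host restriction governs only the TCP branch, and a bare UDP term on the right passes UDP traffic regardless of its source. The Python below is a toy parser for a small subset of the filter language (host, port, portrange, tcp/udp qualifiers, ip proto, parentheses) that prints how an expression was grouped and evaluates it against constructed packet summaries modelled on the capture in the post. The host names come from the post; the packets, their port numbers and the proposed filter covering the Amanda port list are my assumptions. On a real system, 'tcpdump -d' followed by the expression prints the compiled BPF program, which is the authoritative check of how tcpdump grouped a filter.

```python
# Added example (not tcpdump's code): a toy parser for a pcap-filter(7) subset.
import re
from collections import namedtuple

# Constructed packet summary; only the fields the filter subset looks at.
Packet = namedtuple("Packet", "src dst proto sport dport")

def _dir(d, on_src, on_dst):  # optional src/dst qualifier; neither means either side
    return on_src if d == "src" else on_dst if d == "dst" else (on_src or on_dst)

class Filter:
    """expr := term (('and'|'or') term)*   ('and' and 'or' rank equally, left to right)
    term := '(' expr ')' | primitive
    primitive := [tcp|udp] [src|dst] (host NAME | port N | portrange A-B) | tcp | udp | ip proto NAME"""

    def __init__(self, text):
        # tcpdump escapes keywords with a backslash ("ip proto \tcp"); drop it here.
        self.toks = [t.lstrip("\\") for t in re.findall(r"[()]|[^\s()]+", text)]
        self.i = 0
        self.ast = self._expr()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens: %r" % self.toks[self.i:])

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None

    def _expr(self):
        node = self._term()
        while self._peek() in ("and", "or"):  # no priority between the two
            node = (self._next(), node, self._term())
        return node

    def _term(self):
        if self._peek() != "(":
            return self._primitive()
        self._next()
        node = self._expr()
        if self._next() != ")":
            raise ValueError("missing ')'")
        return node

    def _primitive(self):
        start = self.i
        proto = self._next() if self._peek() in ("tcp", "udp") else None
        if proto and self._peek() not in ("src", "dst", "port", "portrange"):
            fn = lambda p: p.proto == proto  # bare "tcp" / "udp"
        else:
            d = self._next() if self._peek() in ("src", "dst") else None
            kw = self._next()
            if kw == "host":
                name = self._next()
                fn = lambda p: _dir(d, p.src == name, p.dst == name)
            elif kw in ("port", "portrange"):
                lo, _, hi = self._next().partition("-")
                lo, hi = int(lo), int(hi or lo)
                fn = lambda p: _dir(d, lo <= p.sport <= hi, lo <= p.dport <= hi)
            elif kw == "ip" and self._next() == "proto":
                name = self._next()
                fn = lambda p: p.proto == name
            else:
                raise ValueError("unsupported primitive near %r" % kw)
            if proto:  # qualifier form, e.g. "udp port 10080"
                inner = fn
                fn = lambda p: p.proto == proto and inner(p)
        return ("prim", " ".join(self.toks[start:self.i]), fn)

    def group(self, n=None):  # the expression fully parenthesized, as parsed
        n = self.ast if n is None else n
        if n[0] in ("and", "or"):
            return "(%s %s %s)" % (self.group(n[1]), n[0], self.group(n[2]))
        return n[1]

    def match(self, pkt, n=None):
        n = self.ast if n is None else n
        if n[0] == "and":
            return self.match(pkt, n[1]) and self.match(pkt, n[2])
        if n[0] == "or":
            return self.match(pkt, n[1]) or self.match(pkt, n[2])
        return n[2](pkt)

# Constructed packets modelled on the post's capture; hosts from the post, TCP ports assumed.
DNS_REPLY = Packet("ns1.jhmi.edu", "virtual.jhuccp.org", "udp", 53, 56862)
AMANDA_TCP = Packet("centernet.jhuccp.org", "www.jhuccp.org", "tcp", 50012, 10082)
OTHER_TCP = Packet("virtual.jhuccp.org", "www.jhuccp.org", "tcp", 40000, 22)

AS_TYPED = "src host centernet.jhuccp.org and ip proto \\tcp or \\udp"
FIXED = "src host centernet.jhuccp.org and (tcp or udp)"
# Hypothetical filter for the port list in the post (mine, not from the thread).
AMANDA = ("host centernet.jhuccp.org and (udp port 10080 or tcp port 10082 or "
          "tcp port 10083 or udp portrange 880-899 or tcp portrange 50000-50040)")

def matches(expr, pkts):  # source names of the packets an expression lets through
    f = Filter(expr)
    return [p.src for p in pkts if f.match(p)]
```

Calling Filter(AS_TYPED).group() shows the left-to-right grouping, and matches(AS_TYPED, [DNS_REPLY, AMANDA_TCP, OTHER_TCP]) lets the UDP reply from ns1.jhmi.edu through, whereas FIXED keeps the host test outside the parentheses so it governs both protocol branches; the Amanda filter uses that same shape, 'host centernet.jhuccp.org and (...)', around the port list.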
Current thread:
- Newbie user question: Getting packets from hosts I don't want KEVIN ZEMBOWER (Sep 27)
- Re: Newbie user question: Getting packets from Guy Harris (Sep 27)