tcpdump mailing list archives

Newbie user question: Getting packets from hosts I don't want


From: KEVIN ZEMBOWER <KZEMBOWE () jhuccp org>
Date: Mon, 27 Sep 2004 10:47:33 -0400

I apologize if this list is not the appropriate place for my question, as it seems to be a list for tcpdump code 
developers. I couldn't find a list for user questions, but if someone points one out to me, I'll go there.

I'm trying to use tcpdump to diagnose a problem I have passing packets through a state-less firewall for the Amanda 
backup system. I asked our firewall administrators to open these ports:
Please open the following ports/protocols in BOTH directions, between 'centernet' and host 'www': 
   10080/UDP
   10082/TCP
   10083/TCP
   880-899/UDP
   50000-50040/TCP

When I run this tcpdump command on host 'www' I get packets from hosts in addition to host 'centernet':
www:~# tcpdump src host centernet.jhuccp.org and ip proto \\tcp or \\udp
tcpdump: listening on eth0
10:37:31.136686 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain:  26452+ AAAA? centernet.jhuccp.org. (38) (DF)
10:37:31.138128 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862:  26452* 0/1/0 (97) (DF)
10:37:31.139641 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain:  26453+ A? centernet.jhuccp.org. (38) (DF)
10:37:31.141236 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862:  26453* 1/2/2 A 162.129.225.192 (130) (DF)
10:37:31.145226 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain:  26454+ PTR? 10.20.129.162.in-addr.arpa. (44) (DF)
10:37:31.148669 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862:  26454* 1/2/2 (134) (DF)
10:37:31.149253 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain:  26455+ PTR? 199.225.129.162.in-addr.arpa. (46) (DF)
10:37:31.154788 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862:  26455* 1/2/2 (154) (DF)
10:37:31.156053 virtual.jhuccp.org.56862 > ns1.jhmi.edu.domain:  26456+ PTR? 192.225.129.162.in-addr.arpa. (46) (DF)
10:37:31.159108 ns1.jhmi.edu.domain > virtual.jhuccp.org.56862:  26456 NXDomain* 0/1/0 (105) (DF)

10 packets received by filter
0 packets dropped by kernel
www:~# 

I don't understand why I'm seeing the packets from ns1.jhmi.edu, the DNS server, when I specified the source host 
should be 'centernet'. In this example, I haven't yet sent packets from centernet, so I'm not upset that they didn't 
appear.

Finally, would anyone be generous enough to help me write the tcpdump statement that I can run on www which would allow 
me to show the results of testing the ports in my statement to my firewall administrators?

Thank you all for your help and advice. And, thank you for working on this very useful tool.

-Kevin Zembower


-----
E. Kevin Zembower
Internet Systems Group manager
Johns Hopkins University
Bloomberg School of Public Health
Center for Communications Programs
111 Market Place, Suite 310
Baltimore, MD  21202
410-659-6139

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
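The behaviour in the post follows from two rules of the pcap filter grammar (pcap-filter(7)): `and` binds more tightly than `or`, and a bare value after `or` reuses the qualifier that preceded it. So `src host centernet.jhuccp.org and ip proto \tcp or \udp` is parsed as `(src host centernet.jhuccp.org and ip proto \tcp) or ip proto \udp`, which accepts every UDP packet on the wire, the DNS exchange with ns1.jhmi.edu included. The script below is an added example, not code from the thread or from the tcpdump project: a toy evaluator for a small subset of the filter language that applies the same precedence and bare-value rules, run over constructed packet records (the host names echo the post, the packets themselves are made up). `matching_sources`, `Parser` and the `BUGGY`/`FIXED`/`PORTS` filter strings are names chosen here; real tcpdump resolves host names to addresses and matches on IP headers, whereas this toy compares names as strings.

```python
"""Toy evaluator for a subset of the pcap filter language.

Added example, not tcpdump code. It models two libpcap parsing rules:
  * `and` binds tighter than `or`:  A and B or C  ==  (A and B) or C
  * a bare value after `or` reuses the previous qualifier, so
    `ip proto \\tcp or \\udp`  ==  `ip proto \\tcp or ip proto \\udp`
Packets are dicts; host names are compared as strings, not resolved.
"""
import re

# `\tcp` / `\udp` are the backslash-escaped forms needed after `ip proto`,
# because the bare words are keywords in the filter grammar.
PROTO_NAMES = {"tcp": "tcp", "udp": "udp", "icmp": "icmp",
               "\\tcp": "tcp", "\\udp": "udp", "\\icmp": "icmp"}


def tokenize(expr):
    return re.findall(r"\(|\)|[^\s()]+", expr)


def primitive(direction, kind, value):
    """Predicate for one qualifier/value pair, e.g. ('src', 'host', 'x')."""
    if kind == "host":
        fields = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
        return lambda p: any(p[f] == value for f in fields)
    if kind == "port":
        fields = {"src": ["sport"], "dst": ["dport"]}.get(direction, ["sport", "dport"])
        port = int(value)
        return lambda p: any(p[f] == port for f in fields)
    if kind == "proto":
        name = PROTO_NAMES[value]
        return lambda p: p["proto"] == name
    raise SyntaxError("unsupported qualifier %r" % kind)


class Parser:
    """Recursive-descent parser; precedence (low to high): or, and, not."""

    def __init__(self, expr):
        self.toks, self.pos = tokenize(expr), 0
        self.last_qualifier = None      # remembered for the bare-value shorthand

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            l, r = left, self.parse_and()
            left = lambda p, l=l, r=r: l(p) or r(p)
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            l, r = left, self.parse_not()
            left = lambda p, l=l, r=r: l(p) and r(p)
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            inner = self.parse_not()
            return lambda p, i=inner: not i(p)
        return self.parse_primitive()

    def parse_primitive(self):
        tok = self.take()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing ')'")
            return node
        if tok in ("src", "dst"):           # src host X, dst port N, ...
            kind = self.take()
            self.last_qualifier = (tok, kind)
            return primitive(tok, kind, self.take())
        if tok in ("host", "port"):         # either direction
            self.last_qualifier = (None, tok)
            return primitive(None, tok, self.take())
        if tok == "ip" and self.peek() == "proto":
            self.take()
            self.last_qualifier = ("ip", "proto")
            return primitive("ip", "proto", self.take())
        if tok in ("tcp", "udp", "icmp"):   # protocol keyword, may qualify host/port
            node = primitive("ip", "proto", tok)
            if self.peek() in ("src", "dst", "host", "port"):
                rest = self.parse_primitive()
                node = lambda p, a=node, b=rest: a(p) and b(p)
            return node
        if self.last_qualifier is None:
            raise SyntaxError("bare value %r with no preceding qualifier" % tok)
        direction, kind = self.last_qualifier   # `or \udp` -> `or ip proto \udp`
        return primitive(direction, kind, tok)


def matching_sources(expr, packets):
    """Source hosts of the packets the filter accepts, in capture order."""
    accept = Parser(expr).parse()
    return [p["src"] for p in packets if accept(p)]


# Constructed packets modelled on the post: the capturing host's DNS exchange
# with its resolver, then the Amanda traffic the filter was meant to show.
PACKETS = [
    dict(src="virtual.jhuccp.org", dst="ns1.jhmi.edu", proto="udp", sport=56862, dport=53),
    dict(src="ns1.jhmi.edu", dst="virtual.jhuccp.org", proto="udp", sport=53, dport=56862),
    dict(src="centernet.jhuccp.org", dst="www.jhuccp.org", proto="tcp", sport=34567, dport=10082),
    dict(src="centernet.jhuccp.org", dst="www.jhuccp.org", proto="udp", sport=10080, dport=10080),
    dict(src="centernet.jhuccp.org", dst="www.jhuccp.org", proto="icmp", sport=None, dport=None),
    dict(src="other.example.org", dst="www.jhuccp.org", proto="tcp", sport=40000, dport=22),
]

BUGGY = r"src host centernet.jhuccp.org and ip proto \tcp or \udp"      # the post's filter
FIXED = r"src host centernet.jhuccp.org and (tcp or udp)"               # parenthesised intent
PORTS = r"host centernet.jhuccp.org and (udp port 10080 or tcp port 10082 or tcp port 10083)"

if __name__ == "__main__":
    for label, expr in (("buggy", BUGGY), ("fixed", FIXED), ("ports", PORTS)):
        print("%-5s %s\n      -> %s" % (label, expr, matching_sources(expr, PACKETS)))
```

The `PORTS` filter is the shape of the expression the post asks for, limited to single ports so that it stays within what this toy parses; `src host` restricts only the forward direction, so `host` is the qualifier to use when the firewall administrators want to see both directions. On a real system, `tcpdump -d 'expression'` prints the compiled BPF program, which makes a mis-grouped `and`/`or` visible before any capture is taken, and `-n` stops tcpdump from issuing the reverse (PTR) lookups that produced several of the DNS packets in the post's capture.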
