Reply in-line :-
On Tue, Jan 27, 2009 at 02:30, steve steve@lonetwin.net wrote:
<snip>
If you really want to get to the bottom of this, I'd suggest running tcpdump (normally, I use the options tcpdump -s0 -w <output>.cap host <youripaddress>) and then reading the capture file using wireshark, both with kget and with wget.
<snip>
Hi Steve, sorry for jumping on the thread. I am on kernel 2.6.27 and there is a big possibility I haven't really understood your command.
You gave
tcpdump -s0 -w <output>.cap host <youripaddress>
I used :-
tcpdump -s0 -w output.cap host 59.95.28.28
(output.cap most probably is a file-name and the IP Address is the IP Address being assigned by my provider)
but both for this I get
tcpdump: no suitable device found
Doing a cursory look at dmesg, I came across this.
[37479.042325] tcpdump uses obsolete (PF_INET,SOCK_PACKET)
My ifconfig.

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:07:95:44:10:db
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18 Base address:0xc800

eth1      Link encap:Ethernet  HWaddr 00:08:a1:92:56:33
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::208:a1ff:fe92:5633/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1990826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2204997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1271599953 (1.2 GB)  TX bytes:537487624 (537.4 MB)
          Interrupt:22 Base address:0xcc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:556 errors:0 dropped:0 overruns:0 frame:0
          TX packets:556 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:50924 (50.9 KB)  TX bytes:50924 (50.9 KB)
As can be seen, the active connection here is eth1.
The connection is between the ethernet card and the router.
regards,
- steve
On Tue, Jan 27, 2009 at 10:01 AM, shirish shirishag75@gmail.com wrote:
Hi Steve, sorry for jumping on the thread. I am on kernel 2.6.27 and there is a big possibility I haven't really understood your command.
You gave
tcpdump -s0 -w <output>.cap host <youripaddress>
I used :-
tcpdump -s0 -w output.cap host 59.95.28.28
(output.cap most probably is a file-name and the IP Address is the IP Address being assigned by my provider)
but both for this I get
tcpdump: no suitable device found
Did you try it as root? I tried the same command as root and non-root. Got the same error as you have got when run as non-root. Worked when done as root.
Reply in-line :-
On Tue, Jan 27, 2009 at 10:36, Mehul Ved mehul.n.ved@gmail.com wrote:
Did you try it as root? I tried the same command as root and non-root. Got the same error as you have got when run as non-root. Worked when done as root.
Hi Mehul, Thanks for replying. Got it working, had to modify the command just a bit.
$ sudo tcpdump -s0 -i eth1 -w output.cap host 59.95.28.28
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C34 packets captured
36 packets received by filter
0 packets dropped by kernel
Then ran wireshark on output.cap and was able to see the results.
It is a pretty good tool. Trying to find more about the same.
--
"I once witnessed a long-winded, month-long flamewar over the use of mice vs. trackballs...It...
Reply in-line :-
On Tue, Jan 27, 2009 at 13:56, shirish shirishag75@gmail.com wrote:
<snip>
$ sudo tcpdump -s0 -i eth1 -w output.cap host 59.95.28.28
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C34 packets captured
36 packets received by filter
0 packets dropped by kernel
I dunno what this "capture size 65535 bytes" is and what it is being influenced by?
shirish wrote:
I dunno what this "capture size 65535 bytes" is and what it is being influenced by?
That is the number of bytes tcpdump defaults to capturing with the -s0 option. From the tcpdump manpage ...

-s  Snarf snaplen bytes of data from each packet ... Setting snaplen to 0 means use the required length to catch whole packets.
eg:

[root@laptop ~]# tcpdump -s1500 -w output.cap host 59.95.28.28
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
^C0 packets captured
...
...
HTH - steve
Addition
On Tue, Jan 27, 2009 at 13:56, shirish shirishag75@gmail.com wrote:
Reply in-line :-
<snip>
Hi Mehul, Thanks for replying. Got it working, had to modify the command just a bit.
$ sudo tcpdump -s0 -i eth1 -w output.cap host 59.95.28.28
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C34 packets captured
36 packets received by filter
0 packets dropped by kernel
<snip>
Also, isn't it queer that it is showing link-type EN10MB (Ethernet)? From what I know it's supposed to be a 100 Mbps ethernet card.

$ lspci | grep Realtek
03:02.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
-- Regards, Shirish Agarwal My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com 065C 6D79 A68C E7EA 52B3 8D70 950D 53FB 729A 8B17
shirish wrote:
Also, isn't it queer that it is showing link-type EN10MB (Ethernet)? From what I know it's supposed to be a 100 Mbps ethernet card.

$ lspci | grep Realtek
03:02.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
Heh, I had to google for this, because it showed the same for me, and the weird part is I had never really noticed it till now (although I keep using tcpdump every once in a while).
Answer is fairly simple ... http://www.usenet-forums.com/linux-networking/69123-tcpdump.html
cheers, - steve
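Added example (editor's code, not from anyone in this thread): a small parser for the classic pcap file that `tcpdump -w` writes, to show where the two values asked about above come from. The "capture size N bytes" that steve explains is the snaplen field of the file's 24-byte global header, and "link-type EN10MB" is the link-layer type field in the same header (libpcap value 1, DLT_EN10MB, which is used for Ethernet at any speed; the "10MB" in the name is historical). Each record then carries both the captured length and the original frame length, so a snaplen smaller than a frame is visible as truncation. The frames below are constructed for the example: the source MAC is eth1's HWaddr from the ifconfig output above, the destination MACs and payloads are made up, and `build_pcap` is a stand-in for what `tcpdump -s <snaplen> -w` produces, not tcpdump itself.

```python
import struct

# pcap link-layer type values (libpcap DLT_*). tcpdump prints 1 as
# "EN10MB (Ethernet)"; the same value is used for 10/100/1000 Mbps
# Ethernet alike, so it says nothing about the NIC's speed.
LINKTYPES = {0: "NULL", 1: "EN10MB", 101: "RAW", 113: "LINUX_SLL"}

# Magic number 0xa1b2c3d4 as it appears on disk in each byte order.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def parse_pcap(data):
    """Parse a classic (non-pcapng) pcap image held in memory.

    Returns (header, records). header['snaplen'] is what tcpdump reports
    as "capture size N bytes"; header['linktype'] is what it prints as
    "link-type EN10MB".
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == PCAP_MAGIC_LE:
        endian = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % data[:4])
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    header = {
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "DLT_%d" % linktype),
    }
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # In a well-formed file caplen never exceeds snaplen or origlen; a
        # larger value is corruption (or a file crafted to make a reader
        # over-read), so refuse it rather than trust it.
        if caplen > snaplen or caplen > origlen or off + caplen > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "caplen": caplen,           # bytes actually stored
            "len": origlen,             # bytes that were on the wire
            "truncated": caplen < origlen,
            "data": data[off:off + caplen],
        })
        off += caplen
    return header, records


def _fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def ethernet_header(frame):
    """Decode the 14-byte header every EN10MB record starts with: (dst, src, ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack(">H", frame[12:14])[0]
    return _fmt_mac(frame[0:6]), _fmt_mac(frame[6:12]), ethertype


def build_pcap(snaplen, frames, linktype=1):
    """Stand-in for `tcpdump -s <snaplen> -w`: store each frame cut to snaplen
    bytes, keeping its full length in the record header (little-endian, v2.4)."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1233000000 + i, 0, len(kept), len(frame))
        out += kept
    return out


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


# Constructed sample frames (not from the thread's capture). Source MAC is
# eth1's HWaddr from the ifconfig output; destination MACs are made up.
# Frame 1: full-MTU IPv4 frame, 14 + 1500 = 1514 bytes. Frame 2: 60-byte ARP.
SAMPLE_FRAMES = [
    _mac("02:00:00:00:00:01") + _mac("00:08:a1:92:56:33") + b"\x08\x00" + b"\x00" * 1500,
    _mac("ff:ff:ff:ff:ff:ff") + _mac("00:08:a1:92:56:33") + b"\x08\x06" + b"\x00" * 46,
]


def summarize(data):
    """The facts tcpdump's banner line reports, plus how many records were cut short."""
    header, records = parse_pcap(data)
    return {
        "link_type": header["linktype_name"],
        "capture_size": header["snaplen"],
        "packets": len(records),
        "truncated": sum(1 for r in records if r["truncated"]),
    }


if __name__ == "__main__":
    for snap in (65535, 1500, 96):
        s = summarize(build_pcap(snap, SAMPLE_FRAMES))
        print("snaplen %5d: link-type %s, capture size %d bytes, %d packets, %d truncated"
              % (snap, s["link_type"], s["capture_size"], s["packets"], s["truncated"]))
```

Running it shows the point of -s0: with a 65535-byte snaplen nothing is cut, while -s1500 (the value in steve's example) silently drops the last 14 bytes of every full-MTU Ethernet frame, because the 1500-byte MTU does not include the 14-byte Ethernet header. Wireshark reads the same two length fields and marks such records as "Packet size limited during capture".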