
Using tcpdump to Capture Packets

Typically, you configure the packet logging option in security policy rules to capture the packet data surrounding a security event. In the course of monitoring your network, you might encounter suspicious traffic where you have not set up rule-based packet capture. In these cases, you can use the tcpdump utility to capture the traffic you are interested in.

By default, the IDP device supports only unidirectional packet capture with tcpdump.

To enable bidirectional packet capture with tcpdump:

  1. Log into the command-line interface and switch to root.
  2. Enter the following command to enable packet capture for outbound packets:

    [root@localhost ~]# scio const set sc_pcap_outbound_pkts 1
    scio: setting sc_pcap_outbound_pkts to 0x1
    [root@localhost ~]#

Note: To restore the default behavior, enter scio const set sc_pcap_outbound_pkts 0.

To display a reference of tcpdump options and Berkeley Packet Filter (BPF) primitive expressions, enter man tcpdump.

The following example shows the syntax for capturing SMTP traffic on port 25. Here, tcpdump listens on the eth1 interface for traffic matching the expression tcp port 25.

    [root@localhost ~]# tcpdump -i eth1 -s 0 -w /tmp/smtp.pcap tcp port 25

The following example shows the syntax for capturing all traffic except your SSH session to the IDP device:

    [root@localhost ~]# tcpdump -s 0 -i eth2 -w eth2-all-but-ssh.pcap not tcp port 22

If you later decide you want to extract only HTTP traffic from the “all-but” pcap, you can use the following syntax to filter the previously collected file:

    [root@localhost ~]# tcpdump -r eth2-all-but-ssh.pcap -w http.pcap tcp port 80
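The following script is an added example, not part of this documentation or the IDP software, showing what the read-filter step above does: it parses a classic little-endian pcap file, applies the same test as the BPF primitive tcp port 80 (IPv4, protocol TCP, port 80 as source or destination), and writes the matching packets to a new pcap. The capture it operates on is constructed in memory, with zeroed checksums and placeholder addresses, so it runs offline.

```python
import struct
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1        # classic pcap magic, DLT_EN10MB

def make_ipv4_frame(sport, dport, proto=6, payload=b""):
    """Constructed Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17); checksums left 0."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4      # dst MAC, src MAC, EtherType IPv4

def write_pcap(frames):
    """Serialise frames as a little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield the raw frames of a little-endian pcap byte string (the layout write_pcap produces)."""
    assert data[:4] == struct.pack("<I", PCAP_MAGIC), "not a little-endian pcap file"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def matches_tcp_port(frame, port):
    """Same test as the BPF primitive 'tcp port N': IPv4, protocol TCP, N as source OR destination port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False                                 # not IPv4 over Ethernet, or not TCP
    tcp_off = 14 + (frame[14] & 0x0F) * 4            # Ethernet header + IHL * 4
    if len(frame) < tcp_off + 4:
        return False                                 # truncated before the TCP ports
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return port in (sport, dport)

def filter_pcap(data, port):
    """Counterpart of 'tcpdump -r in.pcap -w out.pcap tcp port N': returns (new pcap bytes, packets kept)."""
    kept = [f for f in read_pcap(data) if matches_tcp_port(f, port)]
    return write_pcap(kept), len(kept)

SAMPLE = write_pcap([  # constructed "all-but-ssh" capture: HTTP request/response, one SMTP packet, UDP to port 80
    make_ipv4_frame(40000, 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    make_ipv4_frame(80, 40000, payload=b"HTTP/1.0 200 OK\r\n\r\n"),
    make_ipv4_frame(40001, 25, payload=b"EHLO client.example\r\n"),
    make_ipv4_frame(50000, 80, proto=17, payload=b"not tcp"),
])
```

Calling filter_pcap(SAMPLE, 80) keeps both HTTP packets and drops the SMTP packet and the UDP datagram, which is why the UDP one would also be excluded by tcpdump's tcp port 80 filter.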

To view captured traffic, you can use tcpdump data display options or use a packet viewer, such as Wireshark.


Published: 2010-01-12