    Using jnetTcpdump to Capture Packets

    Typically, when you want to capture the packet data surrounding a security event, you configure the packet logging option in security policy rules. In the course of monitoring your network, you might encounter suspicious traffic where you have not set up rule-based packet capture. In these cases, you can use the jnetTcpdump utility or the Linux-based tcpdump utility to capture the traffic.

    The jnetTcpdump utility copies packets from the JNET driver packet queuing module. This allows it to capture packets as they are received (Rx packets) or as they are transmitted (Tx packets). In contrast, on the IDP Series device, the tcpdump utility can capture only Rx packets. The command options for the jnetTcpdump utility are similar to the standard tcpdump utility options (though there are fewer options).

    The following example starts listening on interface eth4 for packets with a destination IP address of 4.0.0.4. Each matching frame is printed as raw bytes in hexadecimal, one byte per token without leading zeros, beginning with the Ethernet header; packets that do not match the filter are only counted (here, the two reported as filtered out):


    [root@localhost ~]# jnetTcpdump -i eth4 -f 4.0.0.4 dst
    jnetPassiveAttach done
    jnet tcpdump Started on eth4 for both Receive & Transmit side
    Filter enabled - Host:4.0.0.4 as dst
    0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 55 8e 8e 4f 0 0
    ba 9f 3e 4d 21 32 f 0 8 9 a b c d e f 10 11 12 13 14 15
    0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 97 88 8e 4f 0 1
    bb 9f 3e 4d de 36 f 0 8 9 a b c d e f 10 11 12 13 14 15
    Done...No of Packet Captured is 2
    No of Packets filtered-out 2
    

    Type Ctrl-C to stop the capture.

    To analyze captured traffic, use the tcpdump data display options or load the capture into a packet viewer such as Wireshark. Note that the jnetTcpdump display above is a raw hex dump, not a capture file: each frame is printed byte by byte starting at the Ethernet header (destination MAC, source MAC, EtherType 0x0800, then the IPv4 header with source 4.0.0.3 and destination 4.0.0.4, which confirms that the filter matched the intended traffic). In this run only 64 bytes of each frame are shown, although the IPv4 total length field (0x54, that is 84 bytes, or 98 bytes with the Ethernet header) shows that the packet on the wire was longer, so the displayed payload is truncated. To open such output in Wireshark, convert it to a capture file format first.
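    The following is an added example, not part of the IDP Series documentation or the jnetTcpdump tool, that turns the hex dump above into something Wireshark can open. It parses the unpadded hex tokens into frames, decodes the Ethernet, IPv4 and ICMP headers, verifies the IPv4 header checksum, flags frames that were printed shorter than their IP total length, and writes a classic pcap file. The frame-splitting rule (a hex line shorter than the longest one ends a frame) and the zero timestamps are assumptions, since the tool's wrap width is not documented and its output carries no timestamps.

```python
#!/usr/bin/env python3
"""Decode jnetTcpdump hex output and convert it to pcap for Wireshark.

Added example, not part of the IDP Series documentation or the jnetTcpdump
tool. Assumptions: one byte per whitespace token without zero padding, each
frame starts on a new line, and long frames wrap at a fixed width, inferred
here as the longest hex line in the output."""
import re
import struct
from typing import Dict, List

# Constructed sample: the two frames from the jnetTcpdump run shown above.
SAMPLE_OUTPUT = """\
jnetPassiveAttach done
jnet tcpdump Started on eth4 for both Receive & Transmit side
Filter enabled - Host:4.0.0.4 as dst
0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 55 8e 8e 4f 0 0
ba 9f 3e 4d 21 32 f 0 8 9 a b c d e f 10 11 12 13 14 15
0 50 56 a4 21 6c 0 50 56 a4 d 9 8 0 45 0 0 54 0 0 40 0 40 1 32 a3 4 0 0 3 4 0 0 4 8 0 97 88 8e 4f 0 1
bb 9f 3e 4d de 36 f 0 8 9 a b c d e f 10 11 12 13 14 15
Done...No of Packet Captured is 2
No of Packets filtered-out 2
"""
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]{1,2}(?:\s+[0-9a-fA-F]{1,2})*\s*$")

def parse_jnet_output(text: str) -> List[bytes]:
    """Group hex lines into frames; status lines are skipped."""
    lines = [ln.split() for ln in text.splitlines() if HEX_LINE.match(ln)]
    if not lines:
        return []
    width = max(len(toks) for toks in lines)  # inferred wrap width (assumption)
    frames, current = [], bytearray()
    for toks in lines:
        current.extend(int(t, 16) for t in toks)
        if len(toks) < width:  # a short line is the last line of a frame
            frames.append(bytes(current))
            current = bytearray()
    if current:  # final frame ended exactly on a full-width line
        frames.append(bytes(current))
    return frames

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) gives 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> Dict[str, object]:
    """Ethernet -> IPv4 -> ICMP header fields, plus a truncation check."""
    info: Dict[str, object] = {"captured_len": len(frame)}
    if len(frame) < 14:
        return info  # not even a full Ethernet header
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info["eth_dst"] = ":".join("%02x" % b for b in dst)
    info["eth_src"] = ":".join("%02x" % b for b in src)
    info["ethertype"] = ethertype
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20:
        return info
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info["ip_src"] = ".".join(str(b) for b in ip[12:16])
    info["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    info["ip_proto"] = ip[9]
    info["ip_total_length"] = total_len
    info["ip_checksum_ok"] = len(ip) >= ihl and ip_checksum(ip[:ihl]) == 0
    info["wire_len"] = 14 + total_len
    # Fewer bytes printed than the IP header announces: the dump is truncated.
    info["truncated"] = len(frame) < 14 + total_len
    if ip[9] == 1 and len(ip) >= ihl + 8:  # ICMP
        typ, code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        info.update(icmp_type=typ, icmp_code=code, icmp_id=ident, icmp_seq=seq)
    return info

def build_pcap(frames: List[bytes], ts_sec: int = 0) -> bytes:
    """Classic little-endian pcap, linktype 1 (Ethernet). jnetTcpdump prints no
    timestamps, so ts_sec is a placeholder (assumption) and the record index
    serves as microseconds to keep order. orig_len comes from the IPv4 total
    length, so Wireshark shows a truncated frame as cut short, not corrupt."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        wire_len = int(decode_frame(frame).get("wire_len", len(frame)))
        out += struct.pack("<IIII", ts_sec, i, len(frame), max(wire_len, len(frame)))
        out += frame
    return bytes(out)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    frames = parse_jnet_output(text)
    for n, frame in enumerate(frames, 1):
        print(n, decode_frame(frame))
    with open("jnet.pcap", "wb") as fh:  # open this file in Wireshark
        fh.write(build_pcap(frames))
```

    Run it with the saved jnetTcpdump output as its only argument, or with no argument to use the embedded sample. A frame that happens to end exactly on a full-width line would be merged into the next one by the wrap heuristic, so compare the number of frames it reports with the tool's own "No of Packet Captured" line before trusting the pcap.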


    Published: 2011-02-08