
I've got a problem with tcpdump, HELP



Hi, all
    I've encountered a problem using tcpdump.
    I tried to capture HTTP traffic using the following command:

    # tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
    (note: the web application serves on port 9003, not the conventional 80)

    but different results were given by two hosts:

  skyshouter:~# tcpdump -Ani eth1 'host 10.20.156.9 and tcp port 9003 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:26:01.166216 IP 10.16.2.60.53837 > 10.20.156.9.9003: Flags [P.], seq 1867639697:1867639908, ack 2460048481, win 92, options [nop,nop,TS val 9412788 ecr 2507947432], length 211
E...K%@.@.<c
..<
..    .M#+oQ....\a...\.b.....
.....|=.GET /misc/ccs/deleteClubThread.html?id=20162669&type=MAINTYPE&operator=H&md5Code=072fa43b87b31865e60aa6f1111ceb24 HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/2.0.2
Host: club-dev.myhost.com:9003


20:26:01.179225 IP 10.20.156.9.9003 > 10.16.2.60.53837: Flags [P.], seq 1:363, ack 211, win 54, options [nop,nop,TS val 2507947436 ecr 9412788], length 362
E...a.@.<.)(
..   
..<#+.M..\aoQ.d...6%......
.|=.....HTTP/1.1 200 OK
Date: Thu, 31 Mar 2011 12:16:04 GMT
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Content-Language: cn,zh-cn
Content-Type: text/html; charset=GBK
Set-Cookie: JSESSIONID=1v9ac7714fmdc1447aj3eyhqxu;Path=/
Set-Cookie: ali_apache_tracktmp="c_c_signed=N";Version=1;Path=/;Domain=.myhost.com;Discard
Vary: Accept-Encoding
Content-Length: 7

SUCCESS
^C
2 packets captured
3 packets received by filter
0 packets dropped by kernel

The info in this result is detailed, and it's what I want.
The tcpdump version is:

# tcpdump -h
tcpdump version 4.1.1
libpcap version 1.1.1

Then I ran the same command on another host, and a different result was given:

[Intranet root@ccbuqa141064 /root]
#tcpdump -Ani eth0 'host 10.20.141.138  and tcp port 6100 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:14:55.063351 IP 10.20.141.64.35246 > 10.20.141.138.synchronet-db: P 3812316275:3812316488(213) ack 3651694786 win 46 <nop,nop,timestamp 1778729508 1105987604>
E..     .X@.@...
..@
........;Ts..p......J.....
j.B$A...GET /misc/ccs/deleteClubThread
20:14:55.127121 IP 10.20.141.138.synchronet-db > 10.20.141.64.35246: P 1:363(362) ack 213 win 54 <nop,nop,timestamp 1105987621 1778729508>
E...x.@.@...
...
..@......p..;UH...6.k.....
A..%j.B$HTTP/1.1 200 OK
Date: Thu, 31

2 packets captured
2 packets received by filter
0 packets dropped by kernel

You see? The info in this one is quite little!! Without request parameters, without HTTP headers, and even without the essential data returned by the server!!

The tcpdump version on this host is:

[Intranet root@ccbuqa141064 /root]
#tcpdump -h
tcpdump version 3.9.4
libpcap version 0.9.4
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -Z user ]
                [ _expression_ ]


Can anyone give me some clue?? Thanks!
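An added example (not part of the original post) that reproduces the two things visible in the captures above: the arithmetic of the filter expression, and the effect of the snapshot length. The filter's last clause computes the TCP payload length as IP total length minus IP header length minus TCP header length, so it selects only segments that carry data. The two outputs also differ in the reported capture size (65535 bytes on the first host, 96 bytes on the second); assuming that difference is what truncates the second host's output, the code below builds a constructed Ethernet/IPv4/TCP frame (constructed sample values, not bytes from the captures) and shows how many payload bytes survive a 96-byte snapshot: with a 14-byte Ethernet header, a 20-byte IP header and a 32-byte TCP header (20 bytes plus nop,nop,timestamp options), only 30 bytes of payload remain, which is exactly the length of the truncated request line `GET /misc/ccs/deleteClubThread` shown above. The `-s snaplen` option listed in the second host's usage text is what raises that limit.

```python
import struct

ETH_HLEN = 14  # Ethernet header length (link-type EN10MB)

# Constructed sample value: a 12-byte TCP options block (nop, nop, timestamp),
# the same shape as the "options [nop,nop,TS ...]" seen in the captures.
TCP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8


def build_frame(payload: bytes, tcp_options: bytes = TCP_OPTS) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed, not captured bytes).

    Checksums are left at zero; they play no role in the length arithmetic."""
    tcp_hlen = 20 + len(tcp_options)
    ip_total = 20 + tcp_hlen + len(payload)
    # IPv4: version/IHL=0x45, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x4b25, 0x4000, 64, 6, 0,
                         bytes([10, 16, 2, 60]), bytes([10, 20, 156, 9]))
    # TCP: sport, dport, seq, ack, data offset in 32-bit words (upper nibble), flags PSH|ACK, win, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 53837, 9003, 1, 1, (tcp_hlen // 4) << 4, 0x18, 92, 0, 0)
    eth_hdr = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth_hdr + ip_hdr + tcp_hdr + tcp_options + payload


def tcp_payload_len(frame: bytes) -> int:
    """Same arithmetic as the filter: ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2).

    In a BPF expression ip[...] indexes from the IP header and tcp[...] from the
    TCP header; here both are located inside the Ethernet frame explicitly."""
    ip = frame[ETH_HLEN:]
    ip_total = struct.unpack("!H", ip[2:4])[0]   # ip[2:2]: IP total length field
    ip_hlen = (ip[0] & 0x0f) << 2                # IHL in 32-bit words -> bytes
    tcp = ip[ip_hlen:]
    tcp_hlen = (tcp[12] & 0xf0) >> 2             # data offset in 32-bit words -> bytes
    return ip_total - ip_hlen - tcp_hlen


def filter_matches(frame: bytes) -> bool:
    """True for segments carrying data, which is what the '!= 0' clause selects."""
    return tcp_payload_len(frame) != 0


def captured_payload(frame: bytes, snaplen: int) -> bytes:
    """TCP payload bytes that survive truncating the frame to `snaplen` bytes."""
    ip = frame[ETH_HLEN:]
    ip_hlen = (ip[0] & 0x0f) << 2
    tcp_hlen = (ip[ip_hlen + 12] & 0xf0) >> 2
    payload_start = ETH_HLEN + ip_hlen + tcp_hlen
    return frame[:snaplen][payload_start:]


if __name__ == "__main__":
    # Constructed request resembling the one in the capture (hostname/id are placeholders).
    request = (b"GET /misc/ccs/deleteClubThread.html?id=EXAMPLE HTTP/1.1\r\n"
               b"Host: example.invalid:9003\r\n\r\n")
    data_frame = build_frame(request)
    ack_frame = build_frame(b"")  # a pure ACK: no payload, filter should reject it
    print("data segment matches filter:", filter_matches(data_frame))
    print("pure ACK matches filter:", filter_matches(ack_frame))
    for snaplen in (96, 65535):
        print(f"snaplen {snaplen}: {captured_payload(data_frame, snaplen)!r}")
```

Run it and compare the two `snaplen` lines: the 96-byte snapshot keeps only the first 30 payload bytes, while 65535 keeps the whole request. On the second host the same effect is avoided by passing a larger snapshot length (for example `-s 0`, or `-s 65535`) to the command shown in the post.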
