On Wed, Oct 11, 2006 at 09:06:16AM +0100, Mark Rogers wrote:
Mark Rogers wrote:
Assuming I get two test PCs, one at a known good location, to which I have root access, what do I need to do to install tcpdump and set up a useful test?
OK, I now have root access to a machine with tcpdump available: what should I do next?
You'll need to do something along the lines of
tcpdump -i eth0 -s 0 -w myoutputfile host $nameofdesktop
and then a
tcpdump -i eth0 -s 0 -w myoutputfile host $nameofremote
-i chooses the interface, -s 0 means grab the entire packet, -w is the name of the output file (be careful if you are sending lots of data as the output file could be large, and also if you have an ssh connection open you will log that and end up in a kind of positive feedback loop if you are not careful!), and the host bit means only grab packets going to or from that remote machine; you can specify either an IP address or a domain name.
Then you really want to get copies of the output files onto your desktop to examine them in the program Ethereal (which has recently changed its name to Wireshark due to a trademark problem). You can also use Ethereal for packet capture btw, and there is a command line version. I can't really help too much with packet analysis as it has been a while since I last played with this kind of thing.
You can at least examine packet headers and payloads and see how big the packets are when they leave the machine, and how big they are at the other side. It will be a bit of a learning curve but I think the easiest way for you to make progress is to just try this and see what happens and ask for specific advice if you get stuck. Or alternately you could perhaps make some packet captures available for others to look at online.
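As an added illustration (not part of the mail above), the files that tcpdump -w writes use the classic pcap layout: a 24-byte global header followed by 16-byte per-packet records. The reader below, plus the constructed sample captures it is fed, shows the two checks the reply suggests: comparing the packet sizes seen at the desktop end with those seen at the remote end, and confirming that -s 0 was in effect (without it tcpdump records a captured length smaller than the on-wire length, so payloads are cut short). All names and sample data are made up for this example.

```python
import struct

# Constructed example, not the original poster's code: a minimal reader for
# classic pcap files ("tcpdump -w"), used to compare packet sizes between the
# desktop-side and remote-side captures and to spot snaplen truncation.
PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian writer, microsecond timestamps

def build_pcap(payload_lengths, snaplen):
    """Construct a pcap blob with one dummy packet per length (test data only)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, n in enumerate(payload_lengths):
        incl = min(n, snaplen)          # tcpdump stores at most snaplen bytes
        body += struct.pack("<IIII", 1160550000 + i, 0, incl, n) + b"\x00" * incl
    return hdr + body

def parse_pcap(blob):
    """Return [(captured_len, wire_len), ...]; raise on a non-pcap blob."""
    magic, = struct.unpack_from("<I", blob, 0)
    end = {PCAP_MAGIC_LE: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    off, records = 24, []               # skip the 24-byte global header
    while off + 16 <= len(blob):
        _, _, incl, orig = struct.unpack_from(end + "IIII", blob, off)
        records.append((incl, orig))
        off += 16 + incl                # record header plus captured bytes
    return records

def summarize(records):
    """Packet count, largest on-wire size, and how many were cut by the snaplen."""
    wire = [orig for _, orig in records]
    return {
        "packets": len(wire),
        "max_wire_len": max(wire) if wire else 0,
        "truncated": sum(1 for incl, orig in records if incl < orig),
    }

# Constructed sample captures: full-size frames leaving the desktop, smaller
# ones arriving at the remote end, and a capture taken without -s 0.
DESKTOP_CAPTURE = build_pcap([1500, 1500, 60], snaplen=65535)
REMOTE_CAPTURE = build_pcap([1400, 100, 1400, 100, 60], snaplen=65535)
TRUNCATED_CAPTURE = build_pcap([1500], snaplen=96)

if __name__ == "__main__":
    for name, blob in [("desktop", DESKTOP_CAPTURE), ("remote", REMOTE_CAPTURE),
                       ("no -s 0", TRUNCATED_CAPTURE)]:
        print(name, summarize(parse_pcap(blob)))
```

A real capture is read with open("myoutputfile", "rb").read(); a non-zero "truncated" count means the capture was taken without -s 0 and payloads cannot be compared end to end.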
Thanks Adam