TCP Dump 101

I love the concept of tcpdump; however, I cannot seem to master it.

I get all this "arp" trash on the screen.  

How do I "tcpdump not 9 -i eth0" so I do not get all the arp stuff?

I am trying to build a firewall and cannot get past the tcpdump.

I am sitting here, so I am making this 500 points.  I may ask a few other questions but would like to get this resolved soon.

using tcpdump,  I want to filter out the 90% of the crap that does not pertain to my firewall filtering.
bitmechanicAsked:

bitmechanicAuthor Commented:
Correction:

tcpdump proto not  9 -i eth1
bitmechanicAuthor Commented:
How do I tell what ports to open from tcpdump info ?
MysidiaCommented:
Try

tcpdump -i eth1 proto not 9


The order of parameters matters; the expression should follow all options.
bitmechanicAuthor Commented:
Actually I do not know the protocol or port.  What protocol or port should I filter out to get rid of all this arp stuff.  

Duncan RoeSoftware DeveloperCommented:
tcpdump '!arp'

or, for non-default ethernet interface

tcpdump -i eth1 '!arp'
MysidiaCommented:
Ok, I assumed you were using 9 because you had checked a
table and looked up arp's number for the protocol field
in a table something like /etc/protocols

You  can do that if you have the right protocol number but
you do not need to, because tcpdump provides symbolic
names for the protocols, i.e.:

tcpdump -i eth1 "proto not arp"


You can even be more specific than that; if you only
want to see tcp, write

tcpdump -i eth1 "proto tcp"

If you only want to see udp you can use

tcpdump -i eth1 "proto udp"

The expression language is fairly flexible in that you can string
primitives together and you can say things along the lines of

'port not 22 and proto tcp'

also.
bitmechanicAuthor Commented:
I tried this but this is my result

thegeekdom:/etc # tcpdump -i eth0 "proto not arp"
tcpdump: syntax error
MysidiaCommented:
Sorry, just write

tcpdump -i eth0 "not arp"

bitmechanicAuthor Commented:
I just tried that and I still get the arp.  

I have two screens next to each other and one is your command and the other is just tcpdump -i eth0

They have the same stuff.
bitmechanicAuthor Commented:
You are proving my point.  TCPdump is hard to understand.
bitmechanicAuthor Commented:
15:05:10.115067 IP ns1.mindspring.com.domain > user-0c8hqmn.cable.mindspring.com.33487:  35783 1/2/2 (183)
15:05:10.115483 IP user-0c8hqmn.cable.mindspring.com.33487 > ns1.mindspring.com.domain:  35784+ PTR? 121.255.65.71.in-addr.arpa. (44)
15:05:10.155235 IP ns1.mindspring.com.domain > user-0c8hqmn.cable.mindspring.com.33487:  35784 1/2/2 (183)
15:05:10.156238 IP user-0c8hqmn.cable.mindspring.com.33487 > ns1.mindspring.com.domain:  35785+ PTR? 123.255.65.71.in-addr.arpa. (44)
15:05:10.195290 IP ns1.mindspring.com.domain > user-0c8hqmn.cable.mindspring.com.33487:  35785 1/2/2 (183)
15:05:10.196751 IP user-0c8hqmn.cable.mindspring.com.33487 > ns1.mindspring.com.domain:  35786+ PTR? 127.255.65.71.in-addr.arpa. (44)
15:05:10.238297 IP ns1.mindspring.com.domain > user-0c8hqmn.cable.mindspring.com.33487:  35786 1/2/2 (183)
15:05:10.362655 IP user-0c8hqmn.cable.mindspring.com.33487 > ns1.mindspring.com.domain:  35787+ PTR? 33.89.184.65.in-addr.arpa. (43)
MysidiaCommented:
Those are not ARP protocol requests you are seeing, that is DNS
over TCP/IP.

You could issue

tcpdump -i eth1 "not arp and port not domain"

to filter out both arp requests and DNS requests.
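The point of the answers above is that tcpdump filter primitives test specific header fields, not protocol "names" in /etc/protocols: `arp` matches the Ethernet type field (0x0806, a link-layer protocol that never carries an IP protocol number, so `proto 9` cannot select it), `tcp`/`udp` match the IPv4 protocol byte (6/17), and `port domain` matches TCP or UDP port 53 in either direction (tcpdump resolves the name through /etc/services), which is why the DNS lines survived `not arp`. The following is an added example, not code from this thread or from tcpdump itself: a small Python model of those primitives run over a handful of constructed Ethernet frames (made-up MAC and 192.0.2.x addresses, no checksums, IPv4 only), so the reader can see which frames each of the filter expressions discussed above would print. Function names such as `apply_filter` are this example's own.

```python
"""Toy model of the tcpdump (pcap-filter) primitives discussed in the thread.

The frames below are constructed by hand, not captured traffic, and each
primitive is implemented as a function that inspects the same header field
the real BPF filter tests. Only IPv4 is modelled (real `tcp`/`udp` also
match IPv6), and checksums are left zero because nothing here verifies them.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17
PORT_DOMAIN = 53  # tcpdump resolves the service name "domain" to 53


# --- frame builders (constructed sample data) -------------------------------

def ether(ethertype, payload):
    # Hypothetical MAC addresses; only the 2-byte type field matters here.
    dst, src = bytes.fromhex("0000000000aa"), bytes.fromhex("0000000000bb")
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(proto, payload, src="192.0.2.10", dst="192.0.2.1"):
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol, checksum (0), source, destination.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport):
    # Bare 20-byte TCP SYN header: ports, seq, ack, data offset 5, flags, window.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


ARP_REQUEST = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20  # 28-byte ARP body

SAMPLE_FRAMES = [
    ("arp request", ether(ETHERTYPE_ARP, ARP_REQUEST)),
    ("dns query udp 33487>53", ether(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, udp(33487, 53, b"\x8b\xc8\x01\x00")))),
    ("dns reply udp 53>33487", ether(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, udp(53, 33487, b"\x8b\xc8\x81\x80")))),
    ("ssh syn tcp 40000>22", ether(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP, tcp(40000, 22)))),
    ("http syn tcp 40001>80", ether(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP, tcp(40001, 80)))),
]


# --- filter primitives, one per tcpdump keyword -----------------------------

def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]


def is_arp(frame):
    """`arp`: the Ethernet type field is 0x0806; there is no IP header at all."""
    return ethertype(frame) == ETHERTYPE_ARP


def _l4(frame):
    """Return (ip protocol number, transport header bytes) for IPv4, else (None, b'')."""
    if ethertype(frame) != ETHERTYPE_IPV4:
        return None, b""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    return ip[9], ip[ihl:]            # protocol byte sits at offset 9


def is_tcp(frame):
    return _l4(frame)[0] == IPPROTO_TCP


def is_udp(frame):
    return _l4(frame)[0] == IPPROTO_UDP


def port(frame, number):
    """`port N`: TCP or UDP with source OR destination port equal to N."""
    proto, l4 = _l4(frame)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(l4) < 4:
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    return number in (sport, dport)


# The expressions from the thread, composed with ordinary boolean operators.
FILTERS = {
    "not arp": lambda f: not is_arp(f),
    "not arp and port not domain": lambda f: not is_arp(f) and not port(f, PORT_DOMAIN),
    "tcp": is_tcp,
    "udp": is_udp,
    "port not 22 and tcp": lambda f: not port(f, 22) and is_tcp(f),
}


def apply_filter(expression):
    """Labels of the sample frames that tcpdump would print for this expression."""
    return [label for label, frame in SAMPLE_FRAMES if FILTERS[expression](frame)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr!r:35} -> {apply_filter(expr)}")
```

Running it shows that `not arp` still passes both DNS frames, exactly as the poster observed, while `not arp and port not domain` leaves only the SSH and HTTP frames. Because `port` matches either direction, the filter hides the replies from port 53 as well as the queries to it; use `dst port domain` or `src port domain` when only one direction should be suppressed.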
bitmechanicAuthor Commented:
Um, my silly

problem resolved, you were right.  I just get all this trash traffic.  I need to filter out a lot more.