Solved

tcpdump, where are the capture logs stored?

Posted on 2007-10-02
Last Modified: 2008-01-09
If I use putty to run tcpdump with the -w switch creating a log file, logged in as root, where is the log file saved?  I can't seem to locate it.
Question by:lloydr1l
15 Comments
 
LVL 7

Accepted Solution

by:
HalldorG earned 1000 total points
ID: 20002272
You should be able to place the file wherever you want:

tcpdump -w /tmp/tcpdumpfile

should work
0
 

Author Comment

by:lloydr1l
ID: 20002307
So I would need to provide a path then, ok makes sense.   But what if I just put tcpdump -w capture.log?  Where would that be located?
0
 

Author Comment

by:lloydr1l
ID: 20002364
Just tried a test, tcpdump -i eth1 host xxx.xxx.xxx.xxx -w /tmp/capture.log

But when I go to that directory, no capture.log    ?
0

 
LVL 7

Expert Comment

by:HalldorG
ID: 20002434
And are you getting any traffic to host xxx.xxx.xxx.xxx?

Try without the filter.

The file is created ok using
tcpdump -i eth0 /tmp/log.log

and reading the file afterwards with
tcpdump -r /tmp/log.log
also works

0
 

Author Comment

by:lloydr1l
ID: 20002550
Yes, I was getting traffic to the host.  Using "tcpdump -i eth1 /tmp/capture.log" without the -w switch yields a syntax error.  I did know about reading the file using the -r switch, but if I wanted to output for later, I can't seem to find it.
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 20002615
There should be a -w, my typo.
And you are sure that the traffic is going through eth0 as you are getting the log on console when not sending it to the file?
0
 

Author Comment

by:lloydr1l
ID: 20002646
Well it's eth1, but yes, I can see the traffic.  If I were to leave out the -w capturefile part, all the captured packets stream by on the screen.
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 20002742
And there is plenty of disk space on the machine?
0
 

Author Comment

by:lloydr1l
ID: 20002779
Absolutely, almost 70 G free.   Here is some additional information if helpful.  I am using Putty through WinSCP, and sshing into a ClarkConnect box.  Using WinSCP to move around the directory structure.  Doing this does not reveal the capture log (as of yet).
0
 
LVL 7

Expert Comment

by:HalldorG
ID: 20009930
Sorry, out of ideas for now.
0
 

Author Comment

by:lloydr1l
ID: 20017352
Anyone else?
0
 
LVL 9

Expert Comment

by:michofreiha
ID: 20139807
Actually, the tcpdump file is located in the working directory. It means that if tcpdump is run from the /root directory, then the dump file will be located there.
0
 

Author Comment

by:lloydr1l
ID: 20167011
I looked in the root directory, and could not find the file though.
0
 
LVL 9

Assisted Solution

by:michofreiha
michofreiha earned 1000 total points
ID: 20169022
I regenerated the same scenario and found the file in the /root directory. Please see below:

debian:~# pwd
/root
debian:~#tcpdump -w dump.log
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
349 packets captured
350 packets received by filter
debian:~# ls dump.log
dump.log

As you can see, the file dump.log exists in /root, so please regenerate the case and let me know.

Regards
0
 

Author Comment

by:lloydr1l
ID: 20280821
As I mentioned, I was using WinSCP3 to do all this.  The issue was that I needed to refresh the view to see the capture.  If I was simply using putty and an "ls" command the file would show up there, but not in WinSCP3, until I did a refresh.  Thanks for the help.
0
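
An added example, not part of the original thread: a shell helper that answers the question for a capture that is already running, by reading the process's `-w` argument and working directory from Linux `/proc`. The function names are hypothetical, and bundled flags such as `-nw file` are not parsed.

```shell
#!/bin/sh
# Added example (not from the thread): find the file a running tcpdump writes to.
# Assumes Linux /proc. Function names are hypothetical.

# Print the -w value from a NUL-separated argv file (the /proc/PID/cmdline format).
# Handles "-w file" and "-wfile"; exits non-zero when there is no -w.
w_arg_from_cmdline() {
    tr '\0' '\n' < "$1" | awk '
        want       { print; found = 1; exit }
        $0 == "-w" { want = 1; next }
        /^-w./     { print substr($0, 3); found = 1; exit }
        END        { exit !found }'
}

# A relative -w path is relative to the process working directory.
resolve_capture_path() {    # $1 = working directory, $2 = -w argument
    case "$2" in
        -)  echo "(standard output)" ;;
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# For a live process: read argv and cwd from /proc, then resolve.
capture_path_for_pid() {
    pid=$1
    arg=$(w_arg_from_cmdline "/proc/$pid/cmdline") || {
        echo "pid $pid: no -w argument found" >&2
        return 1
    }
    cwd=$(readlink "/proc/$pid/cwd") || return 1
    resolve_capture_path "$cwd" "$arg"
}

# Usage: sh thisfile.sh PID   (run as root or as the owner of the process)
if [ "$#" -gt 0 ]; then
    capture_path_for_pid "$1"
fi
```

Listing the resolved path from the same shell session confirms the file independently of any file-manager view that may need a refresh.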
