I'm struggling with tcpdump in rcon.
Doing *tcpdump 100000 "/tmp/tcp.txt"* I see e.g. host 10.253.170.12 in the txt file.
Because of the huge amount of data I then like to drill down with
*tcpdump 100000 "/tmp/tcp.txt" "host 10.253.170.12"*
but no packets are saved, even though there is a lot of communication with this server address.
Can someone help?
Do you have VLAN tags in your traffic?
If so, try using the following commands:
Capturing traffic with VLAN tags for a specific host:
tcpdump 0 "/tmp/vlan_host.cap" "vlan and host 18.104.22.168"
Capturing traffic with regular Ethernet frames or VLAN tagged frames for a specific host:
tcpdump 0 "/tmp/vlan_host.cap" "(host 22.214.171.124) or (vlan and host 126.96.36.199)"
This is usually the result of VLAN encapsulation and how the filters work with VLANs.
tcpdump 100000 "/tmp/tcp.pcap" "(host 10.253.170.12) or (vlan and host 10.253.170.12)"
This should capture packets for that host either unencapsulated or inside one layer of VLAN encapsulation.
Please note that the order is important in this scenario because of how the VLAN tag is processed. "(host) or (vlan and host)" is *NOT* the same as "(vlan and host) or (host)" in capture filters.
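To show why the order matters, here is an added example (not from the thread or from tcpdump itself) that models how pcap compiles `vlan` and `host` terms: `vlan` fixes the EtherType offset for every term written after it, regardless of parentheses. It runs the two orderings above against two constructed frames (one untagged, one 802.1Q tagged) for the thread's host address; the frame builder and the mini compiler are assumptions of the example, not libpcap code.

```python
import ipaddress
import struct

HOST = "10.253.170.12"  # the address from the thread

def build_frame(dst_ip, vlan_id=None):
    """Constructed sample: minimal Ethernet/IPv4/UDP frame, optionally 802.1Q tagged."""
    eth = bytes.fromhex("001122334455" "66778899aabb")     # dst MAC + src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)         # TPID + TCI (4 bytes)
    eth += struct.pack("!H", 0x0800)                        # EtherType = IPv4
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0])  # IHL=5, len 28, UDP
    ip += ipaddress.ip_address("192.0.2.1").packed + ipaddress.ip_address(dst_ip).packed
    return eth + ip + bytes(8)                              # empty UDP header

def _u16(frame, off):
    return struct.unpack_from("!H", frame, off)[0] if off + 2 <= len(frame) else None

def compile_filter(expr):
    """Model of pcap's handling of 'vlan' and 'host' terms (assumption of this example).
    expr is a list of OR-alternatives, each a list of AND-ed terms, e.g.
    [[('host', X)], [('vlan',), ('host', X)]] == "(host X) or (vlan and host X)".
    'vlan' shifts the EtherType offset for every term that follows it lexically."""
    off = 12                        # EtherType offset in an untagged frame
    alternatives = []
    for conj in expr:
        checks = []
        for term in conj:
            if term[0] == "vlan":
                checks.append(lambda f, o=off: _u16(f, o) == 0x8100)
                off += 4            # applies to the remainder of the expression
            else:
                want = ipaddress.ip_address(term[1]).packed
                def host(f, o=off, want=want):
                    if _u16(f, o) != 0x0800:     # EtherType at this offset must be IPv4
                        return False
                    ip = o + 2                   # IPv4 header follows the EtherType
                    return f[ip + 12:ip + 16] == want or f[ip + 16:ip + 20] == want
                checks.append(host)
        alternatives.append(checks)
    return lambda frame: any(all(c(frame) for c in conj) for conj in alternatives)

def matches_both_orders(dst_ip=HOST):
    """Return (untagged, tagged) match results for each ordering from the thread."""
    good = compile_filter([[("host", dst_ip)], [("vlan",), ("host", dst_ip)]])
    bad = compile_filter([[("vlan",), ("host", dst_ip)], [("host", dst_ip)]])
    untagged, tagged = build_frame(dst_ip), build_frame(dst_ip, vlan_id=100)
    return (good(untagged), good(tagged)), (bad(untagged), bad(tagged))
```

The first ordering matches both frames; the second misses the untagged frame, because its trailing `host` is evaluated at the shifted offset and so only matches tagged traffic.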