Debian 7.11 - How to capture all arriving and sent SMPP packets on some ports
I'm using the following command to capture incoming and outgoing TCP packets by port:

tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 -w /home/admin/dump1.cap

But tcpdump captures only incoming packets; I need incoming and outgoing packets at the same time. Does anybody know where my mistake is?

Thanks in advance.

Eward answered 12/7, 2017 at 18:32 Comment(6)
Your command should work. Have you tried capturing only outgoing packets, to test whether there are any outgoing packets on these ports? Tepid
@Lukas yes, it works, but just for incoming packets; the outgoing packets are not there. I can capture outgoing packets, but I can't capture incoming and outgoing together at the same time with the same command line. Why? Eward
This is my command for capturing outgoing packets: tcpdump -s0 -vvv -A -n src host 80.81.110.111 -w /home/admin/aaa_tmp/dump3.cap : this command works just for outgoing packets. Eward
tcpdump -i eth1 -vvv -s 0 -w /home/sunetadmin/aaa_tmp/dmp7.pcap - this command works for both directions, but here I can't add ports; if I add ports it works only for incoming packets. Eward
I need a tcpdump command by ports for capturing incoming and outgoing packets at the same time. Eward
The command should work fine. You must update your question with the following details: 1. What traffic (TCP, UDP, application-layer protocols) are you trying to capture? 2. How do you read your results? What command/script? Show details. Seventy
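Before changing tcpdump flags it is worth checking what the existing dump actually contains, because the "any" pseudo-device records the direction of every packet: it writes Linux cooked-capture frames whose header carries the kernel's packet type (0 = received by this host, 4 = sent by this host). A capture from `-i eth1` is plain Ethernet and has no such flag. The script below is an added example, not code from the thread; it reads a classic pcap file, counts packets per port and direction, and lists the (port, direction) pairs with nothing captured. It goes slightly beyond the Debian 7 case by also accepting the newer DLT_LINUX_SLL2 cooked format that libpcap 1.10+ writes for `-i any`. The two-packet sample capture, its MAC and its RFC 5737 addresses are constructed for the example; the `/home/admin/dump1.cap` path is the one from the question.

```python
"""Added example (not from the thread): count packets per port and direction in a
tcpdump capture, using the pkttype flag of cooked-capture frames (`-i any`) or,
for Ethernet captures (`-i eth1`), a caller-supplied set of local addresses."""
import socket
import struct
from collections import Counter

DLT_EN10MB, DLT_LINUX_SLL, DLT_LINUX_SLL2 = 1, 113, 276
SLL_OUTGOING = 4              # PACKET_OUTGOING in <linux/if_packet.h>; 0 is PACKET_HOST
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def _split_frame(linktype, frame):
    """Return (pkttype or None, ethertype, layer-3 payload) for one captured frame."""
    if linktype == DLT_LINUX_SLL:      # 16-byte cooked header, network byte order
        pkttype, _hatype, _halen, _addr, proto = struct.unpack("!HHH8sH", frame[:16])
        return pkttype, proto, frame[16:]
    if linktype == DLT_LINUX_SLL2:     # 20-byte cooked v2 header (libpcap >= 1.10)
        proto, _mbz, _ifidx, _hatype, pkttype, _halen, _addr = struct.unpack("!HHIHBB8s", frame[:20])
        return pkttype, proto, frame[20:]
    if linktype == DLT_EN10MB:         # Ethernet II: the file says nothing about direction
        return None, struct.unpack("!H", frame[12:14])[0], frame[14:]
    raise ValueError("unsupported link type %d" % linktype)

def _ipv4_ports(payload):
    """Return (src_ip, dst_ip, sport, dport) for TCP/UDP over IPv4, else None."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] not in (IPPROTO_TCP, IPPROTO_UDP) or len(payload) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20]), sport, dport

def direction_counts(pcap_bytes, ports, local_ips=()):
    """Return {(port, 'in'|'out'): n} for every port of interest seen in the capture."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkttype, ethertype, payload = _split_frame(linktype, frame)
        parsed = _ipv4_ports(payload) if ethertype == ETHERTYPE_IPV4 else None
        if parsed is None:
            continue
        src, _dst, sport, dport = parsed
        if pkttype is None:               # Ethernet: classify by whether we are the sender
            direction = "out" if src in local_ips else "in"
        else:                             # cooked capture: trust the kernel's flag
            direction = "out" if pkttype == SLL_OUTGOING else "in"
        for port in (sport, dport):
            if port in ports:
                counts[(port, direction)] += 1
    return counts

def missing_directions(counts, ports):
    """(port, direction) pairs for which the capture holds nothing at all."""
    return sorted((p, d) for p in ports for d in ("in", "out") if counts[(p, d)] == 0)

def build_sample_pcap(linktype=DLT_LINUX_SLL):
    """Constructed two-packet capture: a TCP segment arriving on port 3727 and the
    reply leaving it.  MAC and IPs are placeholders (RFC 5737 ranges), not real hosts."""
    mac = b"\x00\x11\x22\x33\x44\x55"

    def ipv4_tcp(src, dst, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return ip + struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 512, 0, 0)

    def record(pkttype, payload):
        if linktype == DLT_LINUX_SLL:
            hdr = struct.pack("!HHH8sH", pkttype, 1, 6, mac + b"\x00\x00", ETHERTYPE_IPV4)
        else:                             # Ethernet II header; the pkttype is simply lost
            hdr = struct.pack("!6s6sH", mac, mac, ETHERTYPE_IPV4)
        frame = hdr + payload
        return struct.pack("<IIII", 1500000000, 0, len(frame), len(frame)) + frame

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return (header
            + record(0, ipv4_tcp("203.0.113.10", "192.0.2.5", 40001, 3727))
            + record(SLL_OUTGOING, ipv4_tcp("192.0.2.5", "203.0.113.10", 3727, 40001)))

if __name__ == "__main__":
    # Real file: direction_counts(open("/home/admin/dump1.cap", "rb").read(), ports)
    ports = {3727, 5016, 3724}
    counts = direction_counts(build_sample_pcap(), ports)
    for (port, direction), n in sorted(counts.items()):
        print("port %5d %-3s %d packet(s)" % (port, direction, n))
    for port, direction in missing_directions(counts, ports):
        print("port %5d %-3s nothing captured" % (port, direction))
```

On the sample this reports one inbound and one outbound packet on 3727 and nothing on 5016 and 3724. Run against the real dump1.cap it answers the question the comments keep asking: whether the outbound packets are missing from the file, or merely not being noticed when reading it. If an `-i eth1` capture taken without a port filter shows the outbound side only as ESP, the port filter cannot match it, which is the IPsec situation the accepted answer below deals with.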
This can happen if your traffic is going through an IPsec tunnel (check whether this is the case by running ipsec statusall). To capture decrypted packets you can add iptables rules to forward IPsec traffic to the nflog interface:

iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Then tcpdump the nflog interface:

tcpdump -i nflog:5 -y IPV4 -s0 -A port 3727 or port 5016 or port 3724

Remember to remove the nflog rules when you're done!

iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

Source: https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump

Dissonant answered 15/5, 2020 at 0:32 Comment(0)
tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 --direction=inout -w /home/admin/dump1.cap

--direction=in for the incoming traffic, --direction=out for the outgoing traffic.

You can find more on the tcpdump manual page: http://www.tcpdump.org/tcpdump_man.html

Marbut answered 21/7, 2017 at 19:44 Comment(3)
Hi, thank you for the answer. I tried your answer but it does not work: 0 packets were captured. Eward
@mr.boyfox, on my computer it captures; probably you should check your firewall settings or something. I ran it as root. Marbut
Maybe. I ran it as root, too, because only root can start tcpdump on our server. I will look into the firewall settings and other problems related to tcpdump. Eward