1. Run netstat -anp | grep httpd (or whatever search string you need) and note the destination IP address and port.
In the example below it is "10.182.19.186" (port 7018):
netstat -anp|grep httpd
tcp 1 0 10.180.19.187:58543 10.182.19.186:7018 ESTABLISHED 20069/httpd.worker
2. Run ifconfig -a to find the interface the destination IP is tied to (you need root or the relevant permissions to run this command). In the example below the destination IP is tied to the "bond0" interface. There are many interfaces on the host; only two are copied here for the sake of explanation.
Example:
[root@mywebapps ~]# ifconfig -a
bond0 Link encap:Ethernet HWaddr AC:16:2D:83:F8:04
inet addr:10.182.19.186 Bcast:10.186.19.255 Mask:255.255.254.0
inet6 addr: fe80::ae16:2dff:fe83:f804/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:482694532 errors:0 dropped:112 overruns:0 frame:4
TX packets:567039615 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:164226662863 (152.9 GiB) TX bytes:315480311689 (293.8 GiB)
eth0 Link encap:Ethernet HWaddr AC:16:2D:83:F8:04
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:475966852 errors:0 dropped:112 overruns:0 frame:4
TX packets:567039615 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:163565393724 (152.3 GiB) TX bytes:315480311689 (293.8 GiB)
Interrupt:179 Memory:f6bf0000-f6c00000
3. Run tcpdump using the command below.
Syntax: tcpdump -vvv -i <interface> port <port id> -w /tmp/tcpdump.ccap
Example: tcpdump -i bond0 port 7018 -w /tmp/tcpdump.ccap
tcpdump -vvv -i bond0 port 7018 -w /tmp/tcpdump.ccap (the -vvv flag gives the most detailed verbose output).
4. To read the tcpdump file, use tcpdump -r <filename>.
5. Wireshark requires the tcpdump file to have the ccap extension to read it.
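Steps 1 to 3 above, automated as an added shell example (not from the original post): it parses a constructed netstat line and a constructed ifconfig -a excerpt that mirror the post's example, matches the destination IP to an interface, and prints the tcpdump command. The parser assumes the old "inet addr:" ifconfig output format shown above; the sample text is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: derive the tcpdump command from netstat and ifconfig output.

# Constructed sample of `netstat -anp | grep httpd` (one line, as in the post).
NETSTAT_SAMPLE='tcp 1 0 10.180.19.187:58543 10.182.19.186:7018 ESTABLISHED 20069/httpd.worker'

# Constructed sample of `ifconfig -a`; detail lines are indented as real
# ifconfig prints them, interface names start at column 1.
IFCONFIG_SAMPLE='bond0     Link encap:Ethernet  HWaddr AC:16:2D:83:F8:04
          inet addr:10.182.19.186  Bcast:10.186.19.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
eth0      Link encap:Ethernet  HWaddr AC:16:2D:83:F8:04
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1'

# Step 1: the fifth column of a netstat line is the foreign (destination)
# endpoint "ip:port"; print it as "ip port". a[n] keeps the last field so
# an IPv6 "addr:port" column also yields the port.
dest_endpoint() {
  printf '%s\n' "$1" | awk '{ n = split($5, a, ":"); print a[1], a[n] }'
}

# Step 2: find the interface whose "inet addr:" equals the given IP.
# The name is on an unindented line; the address follows on a later line,
# so remember the last interface name seen.
iface_for_ip() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    /^[A-Za-z0-9]/ { iface = $1 }
    /inet addr:/   { split($2, a, ":"); if (a[2] == ip) { print iface; exit } }'
}

# Step 3: build the capture command for the matched interface and port.
# It only prints the command; run it as root when ready to capture.
capture_command() {
  ifcfg=$2
  set -- $(dest_endpoint "$1")          # now $1 = ip, $2 = port
  iface=$(iface_for_ip "$1" "$ifcfg")
  [ -n "$iface" ] || { echo "no interface holds $1" >&2; return 1; }
  printf 'tcpdump -vvv -i %s port %s -w /tmp/tcpdump.ccap\n' "$iface" "$2"
}

capture_command "$NETSTAT_SAMPLE" "$IFCONFIG_SAMPLE"
```

On a real host replace the two sample strings with `$(netstat -anp | grep httpd)` and `$(ifconfig -a)`; if the destination IP is not held by any local interface the function reports that instead of guessing.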