cestrada

GUI TCPDUMP Parameters

Various times, I'm asked by McAfee Tech Support to create a tcpdump of the problem.  Anyone know of any ways to capture only specific traffic from a user or URL site?  I can't locate any articles on the parameters for this - if there is one can someone send the link please.

asabban


Re: GUI TCPDUMP Parameters

Hi Carlos,

If you create tcpdumps for us from the GUI, please always specify at least "-i any -s 0" as the parameters. Behind those parameters you can apply any kind of tcpdump-compatible filter. A list can be found for example on

http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

Basically an "open" dump helps us most, because we can be sure that the data is actually in the trace and we can filter out everything that is not interesting. Otherwise a wrong filter can lead to a situation where the necessary information is (partly) not in the capture, and the engineer spends a lot of time analysing useless data.

To filter the communication for a single client, the simple filter

host 192.168.0.1

can be enough. As an alternative you can filter out all communication going to the Web Gateway port, by, for example

port 9090

or you filter all ports except one that you want to exclude (such as Web GUI port for example) by running

not port 4711

The thing is that when you filter for the Client IP only you will have the Client <-> MWG traffic in the dump, but not the MWG <-> Internet traffic, which is a problem because many issues are caused by the data we get from the Internet. To filter that traffic you would need the public IP of the Web Server, such as

host 192.168.0.1 or host 74.125.79.104

Which would then include the communication from Client to MWG and from MWG to server. Unfortunately many servers use various IP addresses and sometimes it is hard to get the IP, which makes the filter useless for Support. Additionally that filter would not include DNS for example, or communication to the Domain Controllers, which may be necessary for troubleshooting.

Actually if you know what data is exactly required you can build a filter with the PDF linked. If the root cause is unknown it would be beneficial to send a "wide open" tcpdump to support, not dropping any packets. In case there is data you do not want to share, maybe it makes sense to have a Non-Disclosure Agreement between McAfee and yourselves, or get a Test-Device (may be a VM) where you can replicate the issue, without confidential data going through.

Best,

Andre
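As an added example (not part of the thread above, and not McAfee's own tooling), the following POSIX shell functions build the tcpdump invocation the reply recommends: "-i any -s 0" is always present, and the capture filter keeps one client, the proxy listener port and DNS (which the reply notes a plain "host" filter would miss), optionally adds one web server IP, and excludes the Web GUI port. All IP addresses, ports and the output path are constructed placeholders; the parenthesised form matters because "not port X" otherwise binds only to the last "or" operand.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the tcpdump command
# line recommended for MWG support cases. All addresses/ports are placeholders.

# build_filter CLIENT_IP PROXY_PORT GUI_PORT [SERVER_IP]
# Prints a BPF capture filter. Without the parentheses, "not port GUI" would
# apply only to the final "or" term and Web GUI traffic would still be captured.
build_filter() {
    client="$1"; proxy_port="$2"; gui_port="$3"; server="${4:-}"
    # Traffic worth keeping: the client, the proxy listener, and DNS (port 53),
    # which a plain "host CLIENT" filter would drop.
    keep="host $client or port $proxy_port or port 53"
    if [ -n "$server" ]; then
        # Optional: also keep the MWG <-> web server leg if its IP is known.
        keep="$keep or host $server"
    fi
    printf '(%s) and not port %s\n' "$keep" "$gui_port"
}

# build_capture_cmd OUTFILE CLIENT_IP PROXY_PORT GUI_PORT [SERVER_IP]
# Prints the full tcpdump command. "-i any" captures on every interface and
# "-s 0" keeps whole packets; "-w" writes a pcap that support can open directly.
build_capture_cmd() {
    out="$1"; shift
    printf "tcpdump -i any -s 0 -w '%s' '%s'\n" "$out" "$(build_filter "$@")"
}

# check_filter FILTER
# Compiles the expression with "tcpdump -d" (dump compiled filter and exit; no
# packets are captured). Returns tcpdump's status, or 2 if tcpdump is absent.
# Depending on the build, -d may still need permission to open an interface,
# so run this as the same user who will perform the capture.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -d "$1" >/dev/null 2>&1
}

# Usage (placeholder values): print the command, then check its filter.
if [ "${1:-}" = "--demo" ]; then
    build_capture_cmd /tmp/mwg.pcap 192.168.0.1 9090 4711 74.125.79.104
    check_filter "$(build_filter 192.168.0.1 9090 4711)" && echo "filter compiles"
fi
```

Run with `sh script.sh --demo` to print the command; if the root cause is unknown, follow the reply's advice and drop the filter argument entirely so the capture stays wide open.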