1 Reply Latest reply on May 25, 2011 9:54 AM by asabban

    GUI TCPDUMP Parameters

    cestrada

      Various times, I'm asked by McAfee Tech Support to create a tcpdump of the problem. Anyone know of any way to capture only specific traffic from a user or URL site? I can't locate any articles on the parameters for this; if there is one, can someone send the link please.

      [attachment: TCPDUMP.GIF]

        • 1. Re: GUI TCPDUMP Parameters
          asabban

          Hi Carlos,

          If you create tcpdumps for us from the GUI, please always specify at least "-i any -s 0" as the parameters. Behind those parameters you can apply any kind of tcpdump-compatible filter. A list can be found, for example, on

          http://www.cs.ucr.edu/~marios/ethereal-tcpdump.pdf

          Basically an "open" dump helps us most, because we can be sure that the data is actually in the trace and we can filter out everything that is not interesting. Otherwise a wrong filter can lead to a situation where the necessary information is (partly) not in the capture, and the engineer spends a lot of time analysing useless data.

          To filter the communication for a single client, the simple filter

          host 192.168.0.1

          can be enough. As an alternative you can filter out all communication going to the Web Gateway port, for example

          port 9090

          or you filter all ports except one that you want to exclude (such as the Web GUI port, for example) by running

          not port 4711

          The thing is that when you filter on the Client IP only, you will have the Client <-> MWG traffic in the dump, but not the MWG <-> Internet traffic, which is a problem because many issues are caused by the data we get from the Internet. To filter that traffic you would need the public IP of the Web Server, such as

          host 192.168.0.1 or host 74.125.79.104

          which would then include the communication from Client to MWG and from MWG to server. Unfortunately many servers use various IP addresses and sometimes it is hard to get the IP, which makes the filter useless for Support. Additionally that filter would not include DNS, for example, or communication to the Domain Controllers, which may be necessary for troubleshooting.

          Actually, if you know exactly what data is required, you can build a filter with the PDF linked. If the root cause is unknown it would be beneficial to send a "wide open" tcpdump to support, not dropping any packets. In case there is data you do not want to share, maybe it makes sense to have a Non-Disclosure Agreement between McAfee and yourselves, or get a test device (maybe a VM) where you can replicate the issue without confidential data going through.

          Best,

          Andre
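As an added example (not code from the reply above, from McAfee, or from the Web Gateway product), the following POSIX shell helper assembles the capture command the reply recommends: it always starts from "-i any -s 0", adds the client host, optionally one or more web server hosts, keeps DNS traffic (port 53, an assumption added here because the reply notes that a pure host filter drops DNS), and excludes the Web GUI port so the admin session does not bloat the dump. The addresses 192.168.0.1 and 74.125.79.104 and the ports 9090 and 4711 are taken from the reply as illustrative values; `build_filter` and `capture_cmd` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original forum post.
# Composes a tcpdump invocation for Web Gateway troubleshooting.

# Assumed values (taken from the reply as examples; adjust for your appliance).
MWG_GUI_PORT=4711     # Web GUI port to exclude from the capture
DNS_PORT=53           # keep DNS so name-resolution problems stay visible

# build_filter CLIENT_IP [SERVER_IP ...]
# Prints a BPF expression that keeps client<->MWG and MWG<->server traffic
# plus DNS, and drops the admin GUI session.
build_filter() {
    client="$1"; shift
    expr="host $client"
    for srv in "$@"; do
        # each additional public web server IP widens the capture
        expr="$expr or host $srv"
    done
    printf '%s\n' "($expr or port $DNS_PORT) and not port $MWG_GUI_PORT"
}

# capture_cmd OUTFILE CLIENT_IP [SERVER_IP ...]
# Prints the full tcpdump command line, always with "-i any -s 0" as the reply
# asks, writing a pcap file that can be sent to Support.
capture_cmd() {
    out="$1"; shift
    printf "tcpdump -i any -s 0 -w %s '%s'\n" "$out" "$(build_filter "$@")"
}

# Demonstration: client 192.168.0.1 talking through the proxy to 74.125.79.104.
capture_cmd mwg-case.pcap 192.168.0.1 74.125.79.104
```

The same caveat the reply makes applies to the generated filter: if the web server answers from an address you did not list, that traffic is simply absent from the file, so when the root cause is unknown run the command with no filter at all ("-i any -s 0 -w file.pcap") and let Support filter afterwards.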