I am using RedHat (6.5) bonding and my active interface is eth5.

Running the following command, I'm not able to see the traffic originated by my NIC IP address:

```
tcpdump -i eth5 src host actual_ip_address_of_external_client
```

I'm only able to see the source traffic too, via the command below (using Wireshark):

```
tcpdump -i eth5 src host actual_ip_address_of_external_client -w /tmp/<outputfile>
```

What might be the problem?

Jeff Schaller
Selahattin
  • Not 100% but I believe `tcpdump` supports the `or` operator – Bratchley Mar 31 '15 at 19:04
  • Thanks. Could you please give me sample syntax regarding my situation? Or what else do you recommend instead of the tcpdump command? Please clarify. – Selahattin Mar 31 '15 at 19:24
  • you should probably do something like `tcpdump -i eth5 host or host ` Just as an example: `tcpdump -i eth5 host 192.168.122.23 or 192.168.122.25`. – Bratchley Mar 31 '15 at 19:35
  • So are you saying that, without `-w /tmp/`, tcpdump doesn't print traffic from the `actual_ip_address_of_external_client`, but if you add `-w /tmp/` to the command, making no change to the filter or the `-i` argument, and then read the file in Wireshark, you *do* see traffic from that address? –  Apr 01 '15 at 02:47
  • @GuyHarris As you said, I am facing the same issue. Also, I can see the external IP address of the host in Wireshark as the [source] from address. Otherwise, if an external host (say 118.168.141.172) made a connection, I would like to capture the traffic. OK? – Selahattin Apr 01 '15 at 05:52

1 Answer

To monitor traffic in both directions between host_a and host_b, you can use:

```
# tcpdump -nli eth6 host host_a and host_b
```
petry
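
How the filter forms used in this thread differ, as an added example that is not part of the original answer: it emulates `src host`, `host`, and `host A and host B` over constructed IPv4-over-Ethernet frames by reading the source and destination address fields from each frame. The addresses, the sample capture and all function names are assumptions made for the illustration.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges), not from the original post.
NIC = "192.0.2.10"        # local address on the capture interface
CLIENT = "198.51.100.7"   # external client
OTHER = "203.0.113.5"     # unrelated host

def frame(src, dst):
    """Build a minimal Ethernet + IPv4 header (no payload) for the demo."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def addrs(pkt):
    """Return (src, dst) of an untagged IPv4-over-Ethernet frame, else ()."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        return ()
    # IPv4 source sits at frame offset 26, destination at offset 30.
    return socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])

def src_host(ip):          # "src host ip": source address only
    return lambda p: addrs(p)[:1] == (ip,)

def host(ip):              # "host ip": source OR destination
    return lambda p: ip in addrs(p)

def both(f, g):            # the "and" operator
    return lambda p: f(p) and g(p)

def count(filt, capture):
    return sum(1 for p in capture if filt(p))

# Constructed capture: a two-way exchange plus unrelated traffic.
CAPTURE = [
    frame(CLIENT, NIC),    # client -> NIC
    frame(NIC, CLIENT),    # NIC -> client (reply)
    frame(CLIENT, NIC),    # client -> NIC
    frame(NIC, CLIENT),    # NIC -> client (reply)
    frame(OTHER, NIC),     # unrelated host -> NIC
    frame(CLIENT, OTHER),  # client -> some other host
]

if __name__ == "__main__":
    print("src host CLIENT         :", count(src_host(CLIENT), CAPTURE))
    print("host CLIENT             :", count(host(CLIENT), CAPTURE))
    print("host NIC and host CLIENT:", count(both(host(NIC), host(CLIENT)), CAPTURE))
```

In this emulation the `src host` form never matches the replies sent from the NIC address, while the two-host form matches both directions of that one conversation and nothing else.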