12

The situation is this: there is one script on the server which makes a ping to somewhere, and I don't know where. I want to see which machine this ping is made to and why it is returning FAILED.

What I do is run tcpdump in one terminal and at the same time run the script which makes the ping in a second terminal, but I'm not sure that it is capturing the actual ping.

This is the command I use:

tcpdump -w - | tee ping.pcap | tcpdump -r -

Is this the right way of doing this, or is there another way?

Edit:

The problem is that when I start tcpdump there is a lot of traffic and I can't recognize which of it is from this ping...

S.I.
  • 435
  • 3
  • 7
  • 16

3 Answers

18

Try:

tcpdump -i eth0 icmp

which will list ping traffic on interface eth0.

garethTheRed
  • 33,289
  • 4
  • 92
  • 101
2

You can use tcpdump -n icmp to filter on ping requests and replies. I added the -n switch to prevent name lookups. You might have several interfaces in your host, so it might be necessary to add the -i ethX switch to specify the correct interface.

Note that the filter - icmp in this case - should be the last part of the command.

Lambert
  • 12,495
  • 2
  • 26
  • 35
1

Always try going through the man pages of unix/linux commands before using them. The tcpdump command has many different options. It is very interesting to explore all of them.

You need to have root access in order to capture the dump using tcpdump command.

Example:

tcpdump -i any -s 0 -v -w ping.pcap

The above command will capture all the packets on all the available ethernet interfaces, with unlimited snaplength and verbose output, and will write the capture into the file ping.pcap.

Similarly, you can use inline filters to capture only the packets for a specific host.

Example:

tcpdump -i any -s 0 -v -w ping.pcap 135.250.80.55

The above command will capture all the packets from 135.250.80.55 and to 135.250.80.55.
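Putting the answers together, as an added example that is not from the question or from any of the answerers: a small POSIX shell script that captures only ICMP to a file (the icmp filter garethTheRed and Lambert suggest, with -n and -w) and then summarises which hosts were pinged and how many echo requests got a reply, which shows both where the script pings and why it reports FAILED. The interface name eth0, the file name ping.pcap, the helper names and the sample tcpdump lines are assumptions; the parser expects the classic "src > dst:" line format of tcpdump -n.

```shell
#!/bin/sh
# Added example (not from the question or any answer). Assumptions: "eth0" and
# "ping.pcap" are placeholders; lines look like tcpdump -n's classic format:
#   12:00:01.000000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64

# Step 1: capture only ICMP so the script's pings are not buried in other traffic.
# Needs root. Stop with Ctrl-C once the ping script has reported FAILED.
capture_icmp() {
  iface=$1; out=$2
  tcpdump -n -i "$iface" -s 0 -w "$out" icmp
}

# Step 2: count echo requests per destination and echo replies per source.
# A host with requests but no replies is the one making ping report FAILED.
summarize_icmp() {
  awk '
    {
      for (i = 1; i <= NF; i++)
        if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(":$", "", dst) }
    }
    /ICMP echo request/ { req[dst]++; seen[dst] = 1 }
    /ICMP echo reply/   { rep[src]++; seen[src] = 1 }
    END {
      for (h in seen)
        printf "%s requests=%d replies=%d\n", h, req[h] + 0, rep[h] + 0
    }
  ' | LC_ALL=C sort
}

# Step 3: read the saved capture back and summarise it.
report_icmp() {
  tcpdump -n -r "$1" icmp | summarize_icmp
}

# Constructed sample of what `tcpdump -n -r ping.pcap icmp` prints (not real traffic):
# one host that answers and one that never replies.
sample_lines() {
  printf '%s\n' \
    '12:00:01.000000 IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64' \
    '12:00:01.000100 IP 10.0.0.9 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64' \
    '12:00:02.000000 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 2, seq 1, length 64' \
    '12:00:03.000000 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 2, seq 2, length 64'
}

# Usage:
#   capture_icmp eth0 ping.pcap   # in one terminal, then run the ping script
#   report_icmp ping.pcap         # afterwards; or try: sample_lines | summarize_icmp
```

On recent tcpdump versions, -i any prefixes each line with the interface and direction, which the field scan above tolerates because it locates the ">" token rather than fixed columns.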