TCPDUMP Output analysis

Tags: multicast, packet-analysis, tcpdump

I'm running the following command on my backbone to monitor multicast traffic. I'm new to tcpdump usage and looking for some help:

sudo tcpdump -i eth1 -n -p multicast

I see an output like this – this is only part of it. I really don't know how to interpret this output. Can someone shed some light, please? The first few lines I see seem to be normal traffic, but then I see the rest and I don't know what to make of it. And why is it only showing ARP? Sorry if some of those questions seem basic. Thank you in advance.

22:18:22.038264 ARP, Request who-has 10.147.0.62 tell 10.147.0.64, length 46
22:18:22.244856 ARP, Request who-has 10.147.0.64 tell 10.147.0.61, length 46
22:18:22.245149 ARP, Request who-has 10.147.0.61 tell 10.147.0.64, length 46
22:18:22.888851 b4:99:ba:02:18:66 > Broadcast, ethertype Unknown (0xcafe), length 90:
        0x0000:  0500 0100 0900 0000 0100 ffff 0c00 0002  ..... ...........
        0x0010:  4c00 0000 0000 0000 8300 0080 0000 0000  L...............
        0x0020:  0000 0000 4a59 7a55 ffff ffff 0000 0000  ....JYzU........
        0x0030:  8002 c000 0620 b499 ba02 1866 0103 0300  ...........f....
        0x0040:  0101 0402 515d 7303 7cda ca52            ....Q]s.|..R
22:18:22.888860 b4:99:ba:02:18:66 > Broadcast, ethertype Unknown (0xcafe), length 90:
        0x0000:  0500 0100 0961 0200 0100 ffff 0c00 3a02  .....a........:.
        0x0010:  4c00 0000 0000 0000 8300 0080 0000 0000  L...............
        0x0020:  0000 0000 4a59 7a55 ffff ffff f74a 1789  ....JYzU.....J..
        0x0030:  5010 c000 0614 b499 ba02 1866 0a0a 0a00  P..........f....
        0x0040:  0101 0402 0000 0000 7cda ca52            ........|..R

Best Answer

Basic information about how to interpret tcpdump output can be found in the tcpdump man page. Just do man tcpdump on your machine and read (and make some notes, there's a lot of stuff there). Next, you may find Google and the query "tcpdump tutorial" helpful, as again a lot of the information shown by tcpdump will be protocol-specific. A couple of good introductory tutorials:

You may also find Wireshark, a GUI tool built on tcpdump fundamentals, a good resource to use in daily work and as a base reference for protocol decoding.

Answering your specific question: why are you trying to monitor multicast on this specific node? If you want to monitor multicast in the core of the network, you should SPAN/RSPAN your traffic to this host and then sniff it using your favorite tool, be it tcpdump. If it's a switched network you're connected to, you'll see few if any multicast packets: your station doesn't (by default) have the means to become an active destination of all multicast traffic unless it registers to be one (and that requires additional work besides running the sniffer alone).
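As an added example (not part of the question or the answer above), the Python below parses output in exactly the layout quoted in the question into frames and payload bytes, checks the dumped payload against the reported frame length, and classifies the destination address with the same group-bit rule tcpdump's `multicast` primitive uses, which is why ARP requests (sent to broadcast) pass that filter. The sample lines are a constructed copy of the question's format, and the parser assumes tcpdump's fixed 40-column hex field.

```python
import re

# Constructed sample in the same layout as the tcpdump output quoted in the question.
SAMPLE = """\
22:18:22.038264 ARP, Request who-has 10.147.0.62 tell 10.147.0.64, length 46
22:18:22.888851 b4:99:ba:02:18:66 > Broadcast, ethertype Unknown (0xcafe), length 90:
        0x0000:  0500 0100 0900 0000 0100 ffff 0c00 0002  ..... ...........
        0x0010:  4c00 0000 0000 0000 8300 0080 0000 0000  L...............
        0x0020:  0000 0000 4a59 7a55 ffff ffff 0000 0000  ....JYzU........
        0x0030:  8002 c000 0620 b499 ba02 1866 0103 0300  ...........f....
        0x0040:  0101 0402 515d 7303 7cda ca52            ....Q]s.|..R
"""

HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (.*)$")
ETHER = re.compile(r"^(\S+) > (\S+), ethertype (.+?) \((0x[0-9a-f]{4})\), length (\d+)")
# Hex rows: "0xNNNN:", a space, a 40-column hex field, then two spaces and the ASCII column.
HEXROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s(.{1,40})")

def parse_tcpdump(text):
    """Group each header line with its hex rows; return one dict per frame."""
    frames = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            frame = {"time": m[1], "summary": m[2], "payload": b""}
            e = ETHER.match(m[2])  # MACs are only printed for ethertypes tcpdump cannot decode
            if e:
                frame.update(src=e[1], dst=e[2], ethertype=e[4], length=int(e[5]))
            frames.append(frame)
        elif frames and (h := HEXROW.match(line)):
            digits = h[1].replace(" ", "")
            if re.fullmatch(r"[0-9a-f]*", digits):
                frames[-1]["payload"] += bytes.fromhex(digits)
    return frames

def dst_class(dst):
    """tcpdump's 'multicast' primitive is 'ether[0] & 1 != 0'; the all-ones broadcast
    address has that group bit set too, so ARP requests pass the filter as well."""
    if dst == "Broadcast" or dst.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    return "multicast" if int(dst.split(":")[0], 16) & 1 else "unicast"

def payload_matches_length(frame):
    """The hex dump omits the 14-byte Ethernet header, so dumped bytes must equal length - 14."""
    return len(frame["payload"]) == frame["length"] - 14

for f in parse_tcpdump(SAMPLE):
    print(f["time"], dst_class(f["dst"]) if "dst" in f else "decoded", len(f["payload"]))
```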
