What I need to do (via 'tcpdump' through Linux):
• ECommerce App Servers: 192.168.1.2, 192.168.1.3, 192.168.1.4. – This is what I want to capture on (filtered on these exact IPs). Not an IP range (subnet) or an individual IP address, just several IP addresses/servers.
• There are other applications within this range, e.g. PayRoll App is on 192.168.1.5, and I don't want to see any of this traffic in my capture.
I have tried:
tcpdump 0 "/tmp" "host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4" 100000
and also:
tcpdump 0 "/tmp" "ip.host==192.168.1.2 or ip.host==192.168.1.3 or ip.host==192.168.1.4" 100000
Both return syntax errors.
Any help is much appreciated.
Best Answer
The basic syntax in your case would be
The <filters> would expand to something like the following if your eCommerce application uses ports 80 and 443 for communication. The single quotes are important; otherwise your shell might treat the brackets (), which are important for grouping parameters, as special characters.
Adding the -v and -n parameters at the beginning (tcpdump -v -n -i ...) would add verbosity to the output and disable name resolution (which speeds up output).
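As an added example (not part of the answer above), a small POSIX shell script that builds the grouped host/port filter for the three eCommerce servers and prints the resulting tcpdump command; the interface name eth0, the output file /tmp/ecommerce.pcap and the packet count are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: build a BPF filter that
# matches only the listed hosts on the listed ports, so the PayRoll
# server (192.168.1.5) on the same subnet never enters the capture.

# join_terms KEYWORD ITEM... -> "(KEYWORD ITEM1 or KEYWORD ITEM2 ...)"
join_terms() {
  kw=$1; shift
  out=""
  for item in "$@"; do
    if [ -z "$out" ]; then out="$kw $item"; else out="$out or $kw $item"; fi
  done
  # Brackets group the alternatives so "and" below applies to the whole set
  printf '(%s)' "$out"
}

# build_filter "HOST HOST ..." "PORT PORT ..." -> complete BPF expression
build_filter() {
  hosts=$(join_terms host $1)
  ports=$(join_terms port $2)
  printf '%s and %s' "$hosts" "$ports"
}

# Constructed values taken from the question: three app servers, web ports
ECOM_HOSTS="192.168.1.2 192.168.1.3 192.168.1.4"
ECOM_PORTS="80 443"

# Print the command instead of running it (tcpdump needs root and a live
# interface). -nn skips host and port name lookups; -c caps the packet
# count; -w writes raw packets for later offline analysis. eth0, the count
# and the pcap path are assumed values.
show_capture_cmd() {
  filter=$(build_filter "$ECOM_HOSTS" "$ECOM_PORTS")
  printf "tcpdump -nn -i eth0 -c 100000 -w /tmp/ecommerce.pcap '%s'\n" "$filter"
}

show_capture_cmd
```

The single quotes around the expression in the printed command keep the shell from interpreting the brackets, which is the quoting point the answer makes.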