Linux Command: tcpdump
Latest revision as of 09:04, 9 October 2018
Options
- -i any : Listen on all interfaces, useful to check whether you are seeing any traffic at all. On Linux the "any" device captures in cooked mode, so link-layer (Ethernet) headers are not available.
- -i eth0 : Listen on the eth0 interface.
- -D : Show the list of available interfaces.
- -l : Line-buffered output, so you can watch the capture while saving it or pipe it to another command.
- -A : Print each packet in ASCII.
- -n : Don't resolve hostnames.
- -nn : Don't resolve hostnames or port names.
- -q : Quieter output: less protocol information per line.
- -t : Don't print a timestamp on each line.
- -tttt : Print the timestamp as a human-readable date and time.
- -X : Show the packet's contents in both hex and ASCII.
- -XX : Same as -X, but also shows the Ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information printed.
- -c N : Capture N packets and then stop.
- -s N : Set the snaplength, the number of bytes kept per packet. Use -s0 to keep whole packets unless you intentionally want less; anything beyond the snaplength is stored truncated.
- -S : Print absolute rather than relative TCP sequence numbers.
- -e : Print the Ethernet (link-level) header as well.
- -E : Decrypt IPsec ESP traffic, given the SPI, address, algorithm and key.
1500 byte capture excluding port 22
tcpdump -i eth1 -s 1500 port not 22
Skip ports
tcpdump -i eth1 -s 1500 port not 22 and port not 53
Filter by IP or hostname
tcpdump -i eth1 port not 22 and host 1.2.3.4
Raw output view
tcpdump -ttttnnvvS
Hex output
tcpdump -nnvXSs 0 -c1 icmp
Filter by source or destination
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
Filter by net
tcpdump net 1.2.3.0/24
Filter by port
tcpdump port 3389
tcpdump src port 3389
Filter by protocol
tcpdump icmp
Filter by packet size
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
less N matches packets of at most N bytes and greater N packets of at least N bytes, the same as len <= N and len >= N. Quote the expression whenever it contains <, > or =, otherwise the shell treats them as redirections. The length tested is the packet's original length on the wire, not the number of bytes kept by -s.
Read/Write File
Write
tcpdump -w capture_file port 80
Put options such as -w before the filter; everything after the options is parsed as the filter expression.
Read
tcpdump -r capture_file
Combinations
- AND: and or &&
- OR: or or ||
- EXCEPT: not or !
Precedence is the usual one: not binds tightest, then and, then or, so a and b or c means (a and b) or c. Group terms with parentheses and quote the whole expression so the shell does not interpret the parentheses or the && and || operators.
Traffic from 10.5.2.3 going to any host on port 3389
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
Traffic from one network to another
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
Without the parentheses the filter reads as (src net 192.168.0.0/16 and dst net 10.0.0.0/8) or dst net 172.16.0.0/16, so any packet to 172.16.0.0/16 matches regardless of its source.
Non-ICMP traffic going to a specific IP
tcpdump dst 192.168.0.2 and not icmp
To limit the source as well, append and src net followed by the network in CIDR form; src net with no network after it is a syntax error and tcpdump refuses the filter.
More At
https://danielmiessler.com/study/tcpdump/#dns
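The following is an added example, not code from this page or from tcpdump itself. It writes a small capture in the pcap format that `tcpdump -w` produces, reads it back the way `tcpdump -r` would, and applies Python equivalents of the filters in the packet-size and Combinations sections (`dst 192.168.0.2 and not icmp`, `src 10.5.2.3 and dst port 3389`, `len <= 128`). Every packet, address and the `capture_file` name is constructed sample data with checksums left at zero, since nothing here is sent on a network. It also shows what -s does on disk: each record stores the captured length and the original length separately, and because BPF's `len` is the original wire length, `less`/`greater` still behave on a capture whose snaplength cut the stored bytes short.

```python
"""Added example, not code from the wiki page or from tcpdump: write a capture in
the pcap format that `tcpdump -w` produces, read it back as `tcpdump -r` would, and
apply filters equivalent to BPF expressions used on this page. Sample data only."""
import os
import struct
import tempfile

MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond (tcpdump -w default) and nanosecond pcap
LINKTYPE_ETHERNET = 1
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def ipv4_frame(src, dst, proto, payload):
    """Ethernet II + IPv4 header + payload (constructed; checksums left at 0)."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def tcp_segment(sport, dport, payload=b""):
    """20-byte TCP header with only SYN set, plus optional payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload

def write_pcap(path, packets, snaplen=262144):
    """Global header, then one record per packet. Stored bytes are cut at snaplen
    exactly as -s does, while orig_len keeps the on-the-wire length."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", MAGICS[0], 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, pkt in enumerate(packets):             # fake timestamps 0, 1, 2, ...
            data = pkt[:snaplen]
            f.write(struct.pack("<IIII", ts, 0, len(data), len(pkt)) + data)

def read_pcap(path):
    """Yield (caplen, wirelen, data) per record; byte order is taken from the magic."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        endian = next((e for e in "<>" if len(hdr) == 24
                       and struct.unpack(e + "I", hdr[:4])[0] in MAGICS), None)
        if endian is None:
            raise ValueError("not a pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            _sec, _frac, caplen, wirelen = struct.unpack(endian + "IIII", rec)
            data = f.read(caplen)
            if len(data) < caplen:
                raise ValueError("truncated record")
            yield caplen, wirelen, data

def decode(data):
    """Minimal IPv4 decode for the filters below; None for non-IPv4 frames."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    l4 = data[14 + (data[14] & 0x0F) * 4:]
    sport = dport = None
    if data[23] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": ".".join(map(str, data[26:30])), "dst": ".".join(map(str, data[30:34])),
            "proto": data[23], "sport": sport, "dport": dport}

# Predicates mirroring the page's expressions. Each gets the record's wire length and the
# decoded headers: BPF `len` is the wire length, so `less`/`greater` ignore the -s cut.
def not_icmp_to(dst):                 # 'dst 192.168.0.2 and not icmp'
    return lambda wl, p: p is not None and p["dst"] == dst and p["proto"] != IPPROTO_ICMP

def src_to_port(src, port):           # 'src 10.5.2.3 and dst port 3389'
    return lambda wl, p: p is not None and p["src"] == src and p["dport"] == port

def len_le(n):                        # 'len <= 128', the same as 'less 128'
    return lambda wl, p: wl <= n

def count_matching(path, pred):
    return sum(1 for _cl, wl, data in read_pcap(path) if pred(wl, decode(data)))

def truncated_records(path):
    """Records where the snaplength cut the packet short: caplen < orig_len."""
    return sum(1 for cl, wl, _ in read_pcap(path) if cl < wl)

def demo():
    """Constructed capture: a 58-byte ICMP echo, two 54-byte SYNs, one 254-byte segment."""
    packets = [
        ipv4_frame("10.0.0.1", "192.168.0.2", IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"A" * 16),
        ipv4_frame("10.5.2.3", "192.168.0.2", IPPROTO_TCP, tcp_segment(51000, 3389)),
        ipv4_frame("10.5.2.3", "10.9.9.9", IPPROTO_TCP, tcp_segment(51001, 3389)),
        ipv4_frame("192.168.0.2", "10.0.0.1", IPPROTO_TCP, tcp_segment(443, 40000, b"B" * 200)),
    ]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture_file")
        write_pcap(path, packets, snaplen=96)      # deliberately small, like -s 96
        return {"total": sum(1 for _ in read_pcap(path)),
                "not_icmp_to_host": count_matching(path, not_icmp_to("192.168.0.2")),
                "src_to_rdp": count_matching(path, src_to_port("10.5.2.3", 3389)),
                "len_le_128": count_matching(path, len_le(128)),
                "truncated": truncated_records(path)}

if __name__ == "__main__":
    print(demo())
```

read_pcap accepts both byte orders of the magic number, which matters when a capture is copied between hosts of different endianness, and rejects a file whose last record was cut off (a common result of tcpdump being killed mid-write). A real capture made with `tcpdump -w` can be passed to count_matching as-is, provided it was taken on an Ethernet interface (link type 1): decode assumes a 14-byte Ethernet header, so a capture from `-i any` on Linux, which uses the cooked link type, would need a different offset.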