Linux Command: tcpdump
Revision as of 09:04, 9 October 2018 by Rafahsolis (talk | contribs) (→non icmp traffic going to a specific ip)
Options
- -i any : Listen on all interfaces, e.g. just to see whether any traffic is arriving.
- -i eth0 : Listen on the eth0 interface.
- -D : Show the list of available interfaces.
- -l : Line-buffered output (for viewing as you save, or piping to other commands).
- -A : Display packet contents in ASCII.
- -n : Don't resolve hostnames.
- -nn : Don't resolve hostnames or port names.
- -q : Quiet output: less verbose, with less protocol information.
- -t : Give human-readable timestamp output.
- -tttt : Give maximally human-readable timestamp output.
- -X : Show the packet's contents in both hex and ASCII.
- -XX : Same as -X, but also shows the Ethernet header.
- -v, -vv, -vvv : Increase the amount of packet information you get back.
- -c x : Capture only x packets and then stop.
- -s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
- -S : Print absolute TCP sequence numbers.
- -e : Print the Ethernet header as well.
- -E : Decrypt IPsec traffic by providing the encryption key.
1500 bytes capture excluding port 22
tcpdump -i eth1 -s 1500 port not 22
Skip ports
tcpdump -i eth1 -s 1500 port not 22 and port not 53
Filter ip or hostname
tcpdump -i eth1 port not 22 and host 1.2.3.4
Raw output view
tcpdump -ttttnnvvS
Hex output
tcpdump -nnvXSs 0 -c1 icmp
Filter by source or destination
tcpdump src 2.3.4.5
tcpdump dst 3.4.5.6
Filter by net
tcpdump net 1.2.3.0/24
Filter by port
tcpdump port 3389
tcpdump src port 3389
Filter by protocol
tcpdump icmp
Filter by packet size
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'
Read/Write File
Write
tcpdump -w capture_file port 80
Read
tcpdump -r capture_file
Combinations
- AND : and (or &&)
- OR : or (or ||)
- EXCEPT : not (or !)
Traffic from 10.5.2.3 going to any host on port 3389
tcpdump -nnvvS src 10.5.2.3 and dst port 3389
Traffic from one network to another
tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
Non-ICMP traffic going to a specific IP
tcpdump dst 192.168.0.2 and not icmp
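The following is an added example, not part of the wiki page and not tcpdump's own code. It ties the Read/Write File and Combinations sections together: it writes a small classic pcap file of the kind `tcpdump -w` produces and `tcpdump -r` reads, parses it back, and then applies the "network to network" filter two ways to show why `and` binding tighter than `or` makes the parentheses necessary. The addresses, the five flows and the file name are constructed for the demonstration; the filter functions are a Python model of the pcap-filter expressions shown in their docstrings, not the real BPF compiler.

```python
"""Added example (not from the wiki page): build a small pcap file that
`tcpdump -r` can read, parse it back, and show why operator precedence in
tcpdump filter expressions needs parentheses. All traffic below is constructed."""
import ipaddress
import os
import struct
import tempfile

# Constructed sample flows: (src, dst, ip_proto, dst_port). Not real captures.
SAMPLE = [
    ("192.168.1.10", "10.0.0.5",    6, 3389),  # LAN -> 10/8, RDP
    ("192.168.1.10", "172.16.4.4",  6, 443),   # LAN -> 172.16/16, HTTPS
    ("203.0.113.9",  "172.16.4.4",  6, 22),    # outside -> 172.16/16, SSH
    ("192.168.1.10", "8.8.8.8",     1, 0),     # LAN -> internet, ICMP echo
    ("192.168.1.20", "192.168.0.2", 17, 53),   # LAN -> host, DNS
]


def ipv4_frame(src, dst, proto, dport):
    """Minimal Ethernet + IPv4 frame; checksums are left zero, tcpdump still decodes it."""
    if proto == 1:     # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 8
    elif proto == 6:   # TCP SYN
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:              # UDP with an 8-byte payload
        l4 = struct.pack("!HHHH", 40000, dport, 16, 0) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst MAC, src MAC, IPv4
    return eth + ip + l4


def write_pcap(path, frames):
    """Classic pcap (magic 0xA1B2C3D4, linktype 1 = Ethernet): what `tcpdump -w` produces."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            # per-packet record: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Parse the file back into (src, dst, proto, dport), like `tcpdump -r` would decode it."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    packets, off = [], 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length after the 14-byte Ethernet header
        proto = frame[14 + 9]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        dport = struct.unpack_from("!H", frame, 14 + ihl + 2)[0] if proto in (6, 17) else 0
        packets.append((src, dst, proto, dport))
    return packets


def in_net(addr, cidr):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)


# Two readings of the "network to network" filter. pcap-filter gives 'and' higher
# precedence than 'or', so without parentheses the expression means (A and B) or C.
def net_to_net_unparenthesized(p):
    """src net 192.168.0.0/16 and dst net 10.0.0.0/8 or dst net 172.16.0.0/16"""
    src, dst, _, _ = p
    return (in_net(src, "192.168.0.0/16") and in_net(dst, "10.0.0.0/8")) or in_net(dst, "172.16.0.0/16")


def net_to_net_parenthesized(p):
    """src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)"""
    src, dst, _, _ = p
    return in_net(src, "192.168.0.0/16") and (in_net(dst, "10.0.0.0/8") or in_net(dst, "172.16.0.0/16"))


def non_icmp_to_host(p):
    """dst host 192.168.0.2 and not icmp"""
    _, dst, proto, _ = p
    return dst == "192.168.0.2" and proto != 1


def demo():
    """Round-trip the sample through a pcap file and report what each filter matches."""
    path = os.path.join(tempfile.mkdtemp(), "capture_file")
    write_pcap(path, [ipv4_frame(*p) for p in SAMPLE])
    packets = read_pcap(path)
    return {
        "round_trip_ok": packets == SAMPLE,
        "unparenthesized": [p[0] for p in packets if net_to_net_unparenthesized(p)],
        "parenthesized": [p[0] for p in packets if net_to_net_parenthesized(p)],
        "non_icmp_to_host": [p[3] for p in packets if non_icmp_to_host(p)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unparenthesized filter lets the third flow (203.0.113.9 to 172.16.4.4) through even though its source is outside 192.168.0.0/16, which is exactly the leak the parentheses in the "network to another" command above prevent. The file the example writes can also be opened with `tcpdump -nn -r capture_file` to compare its decode with the parser here.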