This blog shares our knowledge and expertise on Linux system administration and VMware administration.

Monday, November 9, 2015

Understanding the TCPDUMP command with an example - Linvirtshell

In most cases you will need root permission (or the CAP_NET_RAW capability) to capture packets on an interface. The examples below run tcpdump as root to capture packets, display them on screen, and save them to a file for later analysis.

See the list of interfaces on which tcpdump can listen:

tcpdump -D

[root@nsk-linux nsk]# tcpdump -D

1.usbmon1 (USB bus number 1)
2.eth4
3.any (Pseudo-device that captures on all interfaces)
4.lo

Listen on interface eth0:

tcpdump -i eth0

Listen on every available interface at once with the any pseudo-device (this cannot be done in promiscuous mode and requires Linux kernel 2.2 or later):

tcpdump -i any

Capture only N packets and then exit, using tcpdump -c (here, 2 packets on eth4):

[root@nsk-linux nsk]# tcpdump -c 2 -i eth4

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
18:35:51.382706 IP 10.0.2.15.ssh > 10.0.2.2.51879: Flags [P.], seq 4037059562:4037059770, ack 3747030, win 36432, length 208
18:35:51.383008 IP 10.0.2.2.51879 > 10.0.2.15.ssh: Flags [.], ack 208, win 65535, length 0
2 packets captured
6 packets received by filter
0 packets dropped by kernel

Display Captured Packets in ASCII using tcpdump -A

# tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII using tcpdump -XX

# tcpdump -XX -i eth0

Be verbose while capturing packets

# tcpdump -v

Be very verbose while capturing packets

# tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header

tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header

tcpdump -v -XX

Be less verbose (than the default) while capturing packets

tcpdump -q

Limit the capture to 100 packets

tcpdump -c 100

Record the packet capture to a file called capture.cap

tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time

tcpdump -v -w capture.cap

Display the packets of a file called capture.cap

tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap

tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets. Note: on some systems -n only disables host-name lookups and you need -nn to get numeric ports as well; the captures below were taken with -n and still show port 22 as "ssh", which is exactly that case.

tcpdump -n

Capture any packets where the destination host is 10.0.2.2. Display IP addresses and port numbers

tcpdump -n dst host 10.0.2.2

Capture any packets where the source host is 10.0.2.2. Display IP addresses and port numbers

tcpdump -n src host 10.0.2.2

Capture any packets where the source or destination host is 10.0.2.15. Display IP addresses and port numbers

tcpdump -n host 10.0.2.15

Capture any packets where the destination network is 10.0.2.0/24. Display IP addresses and port numbers

tcpdump -n dst net 10.0.2.0/24

Capture any packets where the source network is 10.0.2.0/24. Display IP addresses and port numbers

tcpdump -n src net 10.0.2.0/24


Capture any packets where the source or destination network is 10.0.2.0/24. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n net 10.0.2.0/24

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes

18:56:07.471583 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 312243348:312243556, ack 3492510, win 65136, length 208
18:56:07.471790 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 208:384, ack 1, win 65136, length 176
18:56:07.471947 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 384:544, ack 1, win 65136, length 160
18:56:07.472093 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 544:704, ack 1, win 65136, length 160
18:56:07.472247 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 704:864, ack 1, win 65136, length 160
18:56:07.472370 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 864:1024, ack 1, win 65136, length 160
18:56:07.472576 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 1024:1184, ack 1, win 65136, length 160
18:56:07.472605 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 208, win 65535, length 0
18:56:07.472619 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 384, win 65535, length 0
18:56:07.472624 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 544, win 65535, length 0
18:56:07.472627 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 704, win 65535, length 0
18:56:07.472629 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 864, win 65535, length 0
18:56:07.472632 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 1024, win 65535, length 0
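The one-line records above have a fixed layout: timestamp, protocol, source address.port > destination address.port, the TCP flags in brackets, then the seq/ack/win/length fields. Two details are easy to miss when reading them: port 22 is printed as "ssh" because this tcpdump build still resolves service names under -n (use -nn), and only the first packet tcpdump sees for a connection carries absolute sequence numbers (312243348:312243556); the following ones are relative to it (208:384) unless tcpdump is run with -S. The script below is an added example and not part of the original post: it parses such lines into structured records and groups them into bidirectional sessions with payload bytes per direction, which is the usual first step when turning a capture into something a detection rule or a report can use. The sample input is four lines copied from the capture above plus one constructed SYN on a second client port (60040).

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

# Sample input: four lines copied from the capture above plus one
# constructed SYN on a second client port (60040) so the parser is
# exercised on a numeric port and on a packet that carries no ack field.
SAMPLE_LINES = """\
18:56:07.471583 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 312243348:312243556, ack 3492510, win 65136, length 208
18:56:07.471790 IP 10.0.2.15.ssh > 10.0.2.2.60038: Flags [P.], seq 208:384, ack 1, win 65136, length 176
18:56:07.472605 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 208, win 65535, length 0
18:56:07.472619 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 384, win 65535, length 0
18:56:09.103377 IP 10.0.2.2.60040 > 10.0.2.15.22: Flags [S], seq 1753448921, win 65535, options [mss 1460], length 0
""".splitlines()

# Layout of a TCP line: time, "IP", src.port > dst.port: Flags [..], fields...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
FIELD_RES = {
    "seq": re.compile(r"\bseq (\d+)(?::(\d+))?"),
    "ack": re.compile(r"\back (\d+)"),
    "win": re.compile(r"\bwin (\d+)"),
    "length": re.compile(r"\blength (\d+)"),
}
# Used when /etc/services is unavailable; without -nn tcpdump prints names.
FALLBACK_PORTS = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80, "https": 443}


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: str
    seq: Optional[int]      # absolute on the first packet of a flow, relative after
    seq_end: Optional[int]
    ack: Optional[int]
    win: Optional[int]
    length: int             # TCP payload bytes


def port_number(token: str) -> Optional[int]:
    """Map 'ssh' or '60038' to an integer port."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        return FALLBACK_PORTS.get(token)


def _num(name: str, text: str, group: int = 1) -> Optional[int]:
    m = FIELD_RES[name].search(text)
    return int(m.group(group)) if m and m.group(group) else None


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a TCP line, None for anything else (the banner,
    the exit counters, ARP/ICMP lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    return Packet(
        ts=m["ts"], src=m["src"], sport=port_number(m["sport"]),
        dst=m["dst"], dport=port_number(m["dport"]), flags=m["flags"],
        seq=_num("seq", rest), seq_end=_num("seq", rest, 2),
        ack=_num("ack", rest), win=_num("win", rest),
        length=_num("length", rest) or 0,
    )


def parse_lines(lines: Iterable[str]) -> list:
    return [p for p in map(parse_line, lines) if p is not None]


def summarize(packets: Iterable[Packet]) -> dict:
    """Group packets into bidirectional sessions keyed by the sorted endpoint
    pair; record packet count, payload bytes per direction and the flag
    characters seen, so a one-sided transfer or a flow without a handshake
    stands out."""
    sessions = {}
    for p in packets:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = tuple(sorted((a, b), key=repr))
        s = sessions.setdefault(key, {"packets": 0, "bytes": {}, "flags": set()})
        s["packets"] += 1
        s["bytes"][(a, b)] = s["bytes"].get((a, b), 0) + p.length
        s["flags"].update(p.flags)
    return sessions


if __name__ == "__main__":
    for key, s in summarize(parse_lines(SAMPLE_LINES)).items():
        print(key, s["packets"], "pkts", s["bytes"], "flags", sorted(s["flags"]))
```

Feed it the output of tcpdump -n -l (line-buffered) through a pipe, or a file written with tcpdump -r capture.cap -n > capture.txt; anything that is not a TCP line is skipped rather than crashing the parser.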

Capture any packets where the destination port is 22. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n dst port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:54:41.047546 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 312125892, win 65535, length 0
18:54:41.047856 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 161, win 65535, length 0
18:54:41.048086 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 305, win 65535, length 0
18:54:41.048309 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 449, win 65535, length 0
18:54:41.048535 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 593, win 65535, length 0
18:54:41.048744 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 737, win 65535, length 0
18:54:41.048969 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 881, win 65535, length 0

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n dst portrange 1-1023

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:53:33.082176 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 311660756, win 65535, length 0
18:53:33.082872 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 161, win 65535, length 0
18:53:33.083288 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 305, win 65535, length 0
18:53:33.083668 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 449, win 65535, length 0
18:53:33.083860 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 593, win 65535, length 0
18:53:33.084131 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 737, win 65535, length 0
18:53:33.084410 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 881, win 65535, length 0
18:53:33.084655 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 1025, win 65535, length 0

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n tcp dst portrange 1-1023

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
18:51:43.154211 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 311537732, win 65535, length 0
18:51:43.155095 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 161, win 65535, length 0
18:51:43.155509 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 305, win 65535, length 0
18:51:43.155805 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 449, win 65535, length 0
18:51:43.156082 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 593, win 65535, length 0
18:51:43.156352 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 737, win 65535, length 0
18:51:43.156619 IP 10.0.2.2.60038 > 10.0.2.15.ssh: Flags [.], ack 881, win 65535, length 0


Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n udp dst portrange 1-1023


Capture any packets with destination IP 10.0.2.15 and destination port 23. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n "dst host 10.0.2.15 and dst port 23"


Capture any packets with destination IP 10.0.2.15 and destination port 80 or 443. Display IP addresses and port numbers

[root@nsk ~]# tcpdump -n "dst host 10.0.2.15 and (dst port 80 or dst port 443)"
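The filters above are BPF expressions, and the last one shows why the brackets matter: in BPF, "and" and "or" have equal precedence and associate left to right, so without them the expression reads as "(dst host 10.0.2.15 and dst port 80) or dst port 443" and captures every packet to port 443 on the segment. Notice also that every capture on this page consists almost entirely of the analyst's own SSH session to the box (10.0.2.2 port 60038 to 10.0.2.15 port 22); excluding it with "and not (host 10.0.2.2 and port 22)" is the usual fix. The Python below is an added example, not code from the original post: it composes a filter from validated inputs so that a typo in an address or port fails instead of silently widening the capture, adds the management-session exclusion, and builds the tcpdump argument list for subprocess without going through a shell. The interface name, output file and analyst host are assumptions made for the demo.

```python
import ipaddress
import shlex
import subprocess

# Assumptions for the demo (not from the original post): the capture
# interface, the output file, and the analyst's own workstation, whose SSH
# session to the capturing host would otherwise dominate the capture.
INTERFACE = "enp0s3"
OUTFILE = "/home/nsk/web_to_10.0.2.15.pcap"
ANALYST_HOST = "10.0.2.2"
ALLOWED_PROTOS = ("tcp", "udp", "icmp", "arp")


def host_or_net(addr: str) -> str:
    """'host A' for one address, 'net A/len' for a CIDR block.
    ipaddress rejects garbage and prefixes with host bits set (strict
    mode), so a typo fails here instead of widening the capture."""
    net = ipaddress.ip_network(addr)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"net {net.with_prefixlen}"


def build_filter(dst=None, src=None, ports=(), proto=None, exclude=None) -> str:
    """Compose a BPF expression from validated parts.

    A multi-port list is wrapped in parentheses: BPF's 'and' and 'or'
    have equal precedence and associate left to right, so
    'dst host X and dst port 80 or dst port 443' would match all port 443
    traffic, not only traffic to X.
    """
    if proto is not None and proto not in ALLOWED_PROTOS:
        raise ValueError(f"unsupported protocol {proto!r}")
    if ports and proto in ("icmp", "arp"):
        raise ValueError(f"{proto} has no ports")
    clauses = []
    if proto:
        clauses.append(proto)
    if dst:
        clauses.append("dst " + host_or_net(dst))
    if src:
        clauses.append("src " + host_or_net(src))
    if ports:
        for p in ports:
            if not 0 < int(p) < 65536:
                raise ValueError(f"bad port {p!r}")
        alts = " or ".join(f"dst port {int(p)}" for p in ports)
        clauses.append(alts if len(ports) == 1 else f"({alts})")
    expr = " and ".join(clauses)
    if exclude:
        expr = f"({expr}) and not ({exclude})" if expr else f"not ({exclude})"
    return expr


def management_session(analyst: str, port: int = 22) -> str:
    """Clause that removes the analyst's own SSH session from the capture."""
    return f"{host_or_net(analyst)} and port {int(port)}"


def capture_argv(interface, outfile, expr, count=None, snaplen=0, buffer_kib=None):
    """Argument vector for subprocess: -nn for numeric names, -s 0 for whole
    packets, -w for raw pcap output (decode it later with -r). The filter is
    passed as a single argument and no shell is involved, so there is
    nothing to quote."""
    argv = ["tcpdump", "-nn", "-i", interface, "-s", str(snaplen), "-w", outfile]
    if count:
        argv += ["-c", str(count)]
    if buffer_kib:
        argv += ["-B", str(buffer_kib)]   # kernel capture buffer, in KiB
    if expr:
        argv.append(expr)
    return argv


if __name__ == "__main__":
    expr = build_filter(dst="10.0.2.15", ports=(80, 443), proto="tcp",
                        exclude=management_session(ANALYST_HOST))
    argv = capture_argv(INTERFACE, OUTFILE, expr, count=1000, buffer_kib=65536)
    print(shlex.join(argv))           # the equivalent command line
    subprocess.run(argv, check=True)  # needs root (or CAP_NET_RAW)
```

Run as a script it prints the equivalent command line and then starts the capture; the filter it produces for the example above is "(tcp and dst host 10.0.2.15 and (dst port 80 or dst port 443)) and not (host 10.0.2.2 and port 22)".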


Capture any ICMP packets

[root@nsk ~]# tcpdump -v icmp


Capture any ARP packets

[root@nsk ~]# tcpdump -v arp


Capture only the first 500 bytes of each packet rather than the default snaplen (68 bytes in old versions of tcpdump; newer versions default to 65535 or 262144 bytes, as the "capture size" line in the outputs above shows)

[root@nsk-linux nsk]# tcpdump -s 500


Capture every byte of each packet (-s 0 selects the maximum snaplen; truncated packets are useless for payload analysis)

[root@nsk-linux nsk]# tcpdump -s 0


Capture the traffic of one interface with full-length packets and save it to a pcap file (with -w, -v makes tcpdump report the packet count while capturing instead of decoding packets). Note the "460 packets dropped by kernel" in the exit summary below: those packets never reached the file, so the capture is not a complete record

[root@nsk-linux nsk]# tcpdump -i enp0s3 -s 0 -vvv -w /home/nsk/file_18:03:54.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 65535 bytes
^C97390 packets captured
97855 packets received by filter
460 packets dropped by kernel
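tcpdump prints three counters when it exits, as seen after the -c 2 run earlier and after the long capture above: "captured" is what was written or printed, "received by filter" is what the kernel handed to the BPF filter, and "dropped by kernel" is what the kernel discarded because the capture buffer was full before userspace read it. A non-zero drop count means the pcap is missing packets, which matters when the file is going to be used as evidence or replayed through a detection tool. The script below is an added example and not part of the original post: it parses both exit summaries shown on this page, computes the drop ratio and reports whether the capture can be treated as complete; the remedies it lists (a larger -B buffer, a narrower filter, a shorter snaplen, writing with -w only) are this example's suggestions, not anything tcpdump itself reports.

```python
import re

# Exit summaries copied from the two captures above: the short "-c 2" run
# and the long "-w" run that lost 460 packets. The "^C" is the echoed
# Ctrl-C that ended the second capture.
SUMMARY_SHORT = """\
2 packets captured
6 packets received by filter
0 packets dropped by kernel
"""
SUMMARY_LONG = """\
^C97390 packets captured
97855 packets received by filter
460 packets dropped by kernel
"""

STAT_RE = re.compile(r"(\d+) packets (captured|received by filter|dropped by kernel)")

# Remedies are this example's suggestions, not output of tcpdump.
REMEDIES = [
    "raise the kernel capture buffer, e.g. tcpdump -B 65536 (KiB)",
    "narrow the BPF filter so fewer packets are copied to userspace",
    "reduce the snaplen with -s if full payloads are not required",
    "write with -w only and decode offline with -r rather than printing live",
]


def parse_stats(text: str) -> dict:
    """Extract the three counters tcpdump prints on exit."""
    return {m.group(2): int(m.group(1)) for m in STAT_RE.finditer(text)}


def assess_capture(text: str, max_drop_ratio: float = 0.0) -> dict:
    """Decide whether a capture can be treated as a complete record.

    The ratio is dropped / received-by-filter. pcap_stats(3PCAP) leaves it
    platform-dependent whether 'received' includes the dropped packets; on
    the Linux host above it evidently does (97855 is about 97390 + 460), so
    the ratio is a fraction of everything the filter accepted.
    """
    stats = parse_stats(text)
    if "dropped by kernel" not in stats or "received by filter" not in stats:
        raise ValueError("no tcpdump exit statistics found")
    received = stats["received by filter"]
    dropped = stats["dropped by kernel"]
    ratio = dropped / received if received else 0.0
    acceptable = ratio <= max_drop_ratio
    return {
        "stats": stats,
        "drop_ratio": ratio,
        "complete": dropped == 0,        # strict: any loss means an incomplete record
        "acceptable": acceptable,        # loose: within the caller's tolerance
        "advice": [] if acceptable else list(REMEDIES),
    }


if __name__ == "__main__":
    for label, text in (("short", SUMMARY_SHORT), ("long", SUMMARY_LONG)):
        r = assess_capture(text, max_drop_ratio=0.001)
        print(f"{label}: {r['stats']} drop_ratio={r['drop_ratio']:.4%} "
              f"complete={r['complete']} acceptable={r['acceptable']}")
        for line in r["advice"]:
            print("  -", line)
```

In practice you would redirect tcpdump's stderr to a log next to the pcap (tcpdump ... 2> capture.log) and run this over the log once the capture ends, so the drop count is recorded alongside the file it qualifies.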
