Wednesday, January 12, 2011

How to use the tcpdump command to capture network packets

1. Capture two complete TCP packets (-c2 stops after two packets, -s 1514 grabs a whole Ethernet frame, -nn skips name and port lookups, -v is verbose, -X dumps hex and ASCII, -S prints absolute TCP sequence numbers):

tcpdump -nnvXSs 1514 -c2 tcp

* host // look for traffic to or from one IP address (a hostname also works if you leave out -n, which otherwise disables name resolution)

# tcpdump host <address>

* src, dst // find traffic from only a source or to only a destination (eliminates one side of a host conversation)

# tcpdump src <address>
# tcpdump dst <address>

* net // capture an entire network using CIDR notation

# tcpdump net <network>/<prefix>

* proto // matches a protocol; tcp, udp and icmp are the common ones. Note that you don't type the word proto, just the protocol name

# tcpdump icmp

* port // see only traffic to or from a certain port

# tcpdump port 3389

* src, dst port // filter based on the source or destination port

# tcpdump src port 1025
# tcpdump dst port 389

* src/dst, port, protocol // combine all three

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

* Port Ranges // see traffic to or from any port in a range

tcpdump portrange 21-23

* Packet Size Filter // only see packets at or below, or at or above, a certain size (in bytes; the length is the whole captured frame, link-layer header included)

tcpdump less 32
tcpdump greater 128

[ less N is shorthand for len <= N and greater N for len >= N, so both are inclusive. You can also write the comparison yourself with the len keyword and <, >, <= or >=. Quote the expression when you do, or the shell treats > and < as redirection and silently writes your output to a file called 32 instead of filtering. ]
// filtering for size using symbols
tcpdump 'len > 32'
tcpdump 'len <= 128'

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 -w capture_file port 80

(Keep the options in front of the filter expression; some versions of tcpdump will not accept -w after the filter. -s 0 lets tcpdump pick a snap length large enough for whole packets on any link type.)

Most important:
Then, at some point in the future, you can read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file
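The primitives above and the -w/-r round trip can be tried without root or a live interface. The following is an added example (Python, not code from the original post) that writes a small pcap of constructed packets, which you can replay with tcpdump -r, and evaluates the same primitives in pure Python so you can predict what tcpdump will print. Every address, port and MAC in it is made up; it handles terms joined by and only, and the length it compares for less/greater is the whole frame including the 14-byte Ethernet header, which is what tcpdump's len means.

```python
"""Build a small pcap of constructed packets and evaluate tcpdump filter primitives
over it in pure Python. Example added to this post, not code from the original."""
import ipaddress
import struct

def ip_checksum(data: bytes) -> int:   # RFC 1071 one's-complement checksum
    if len(data) % 2:
        data += b"\x00"                # odd-length input is zero padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 header + transport payload (the MAC addresses are made up)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return eth + hdr + payload

def tcp_syn(src, dst, sport, dport, data=b""):
    # seq 1000, ack 0, data offset 5 words, SYN flag, window 65535, checksum left 0
    return ipv4_frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                                0x50, 0x02, 65535, 0, 0) + data)

def udp(src, dst, sport, dport, data=b""):
    # a UDP checksum of 0 means "not computed", which is legal over IPv4
    return ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def icmp_echo(src, dst):
    body = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"   # echo request, id 1, seq 1
    body = body[:2] + struct.pack("!H", ip_checksum(body)) + body[4:]
    return ipv4_frame(src, dst, 1, body)

PACKETS = [   # constructed sample traffic; every address and port here is arbitrary
    tcp_syn("192.168.1.10", "10.0.0.5", 40000, 80),               # 54-byte frame
    tcp_syn("192.168.1.10", "10.0.0.5", 40001, 3389),             # 54-byte frame
    tcp_syn("172.16.2.2", "192.168.1.10", 1025, 22, b"x" * 100),  # 154-byte frame
    udp("192.168.1.10", "10.0.0.53", 5353, 53, b"dns?"),          # 46-byte frame
    icmp_echo("172.16.2.2", "192.168.1.10"),                      # 46-byte frame
]

def pcap_bytes(packets) -> bytes:
    """Classic little-endian libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def parse(frame: bytes) -> dict:
    """Pull out the fields the primitives look at (IPv4 over Ethernet only)."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(frame[23])
    t = 14 + (frame[14] & 0x0F) * 4                     # start of the transport header
    sport, dport = struct.unpack("!HH", frame[t:t + 4]) if proto in ("tcp", "udp") else (None, None)
    return {"len": len(frame), "proto": proto, "sport": sport, "dport": dport,
            "src": ipaddress.IPv4Address(frame[26:30]), "dst": ipaddress.IPv4Address(frame[30:34])}

net = lambda cidr: ipaddress.ip_network(cidr, strict=False)

def in_range(port, spec):
    lo, hi = map(int, spec.split("-"))
    return port is not None and lo <= port <= hi

# Same names and semantics as pcap-filter(7); note that less/greater are inclusive.
PRIMITIVES = {
    "host":      lambda p, a: ipaddress.IPv4Address(a) in (p["src"], p["dst"]),
    "src":       lambda p, a: p["src"] == ipaddress.IPv4Address(a),
    "dst":       lambda p, a: p["dst"] == ipaddress.IPv4Address(a),
    "net":       lambda p, a: p["src"] in net(a) or p["dst"] in net(a),
    "src net":   lambda p, a: p["src"] in net(a),
    "dst net":   lambda p, a: p["dst"] in net(a),
    "port":      lambda p, a: int(a) in (p["sport"], p["dport"]),
    "src port":  lambda p, a: p["sport"] == int(a),
    "dst port":  lambda p, a: p["dport"] == int(a),
    "portrange": lambda p, a: in_range(p["sport"], a) or in_range(p["dport"], a),
    "less":      lambda p, a: p["len"] <= int(a),       # len <= a
    "greater":   lambda p, a: p["len"] >= int(a),       # len >= a
}

def matches(frame: bytes, expr: str) -> bool:
    """Evaluate primitives joined by 'and' (or, not and parentheses are not handled here)."""
    p = parse(frame)
    def term(t):
        if t in ("tcp", "udp", "icmp"):
            return p["proto"] == t
        name, arg = t.rsplit(" ", 1)
        return PRIMITIVES[name](p, arg)
    return all(term(t) for t in expr.split(" and "))

def count(expr: str, packets=PACKETS) -> int:   # how many packets tcpdump would print
    return sum(matches(f, expr) for f in packets)

if __name__ == "__main__":
    with open("sample.pcap", "wb") as f:   # then: tcpdump -nn -r sample.pcap 'port 3389'
        f.write(pcap_bytes(PACKETS))
    print({e: count(e) for e in ("host 192.168.1.10", "dst port 3389", "less 46")})
```

After running it, tcpdump -nn -r sample.pcap 'less 46' lists the two 46-byte packets (the inclusive bound), and tcpdump -nn -r sample.pcap 'udp and src port 53' prints nothing, because the constructed DNS query has source port 5353 and destination port 53; the Python count() function returns the same numbers for the same expressions.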

Logical expressions:
1. AND
and or &&
2. OR
or or ||
3. NOT
not or !
Quote the whole filter when you use the symbol forms, because &&, || and ! mean something else to the shell. not binds tightest; and and or have equal precedence and are applied left to right, so group terms with parentheses (inside the quotes) whenever the order matters.

TCP traffic from one host destined for port 3389:

# tcpdump -nnvvS tcp and src <address> and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks (the parentheses matter: without them the or would pair with the whole preceding and):

# tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

Non-ICMP traffic destined for one host from the 172.16 network:

# tcpdump -nvvXSs 1514 dst <address> and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port: // requires name resolution, so no -n here

# tcpdump -vv src mars or pluto and not dst port 22

PS: Posted here to make it more readily available on the internet.
