■ Requirement : tcpdump example
■ OS Environment : Linux[RHEL, Centos]
■ Application:tcpdump
■ Resolution :
- Capture two complete TCP packets: -c2 stops after two packets, -s 1514 captures the whole frame, -X dumps hex and ASCII, -S prints absolute sequence numbers, -nn disables host and port name resolution:
$ tcpdump -nnvXSs 1514 -c2 tcp
- host : look for traffic based on IP address (also works with hostname if you're not using -n)
$ tcpdump host 1.2.3.4
- src, dst : find traffic from only a source or destination (eliminates one side of a host conversation)
$ tcpdump src 2.3.4.5
$ tcpdump dst 3.4.5.6
- net : capture an entire network using CIDR notation
$ tcpdump net 1.2.3.0/24
- proto : match by protocol; tcp, udp and icmp can be written on their own, the proto keyword is not required
$ tcpdump icmp
- port : see only traffic to or from a certain port
$ tcpdump port 3389
- src, dst port: filter based on the source or destination port
$ tcpdump src port 1025
$ tcpdump dst port 389
- src/dst, port, protocol : combine all three
$ tcpdump src port 1025 and tcp
$ tcpdump udp and src port 53
- Port Ranges: see traffic to any port in a range
$ tcpdump portrange 21-23
- Packet Size Filter : only see packets at or below (less) or at or above (greater) a size in bytes; the equivalent len comparisons must be quoted, otherwise the shell treats > and <= as redirections
$ tcpdump less 32
$ tcpdump greater 128
$ tcpdump 'len > 32'
$ tcpdump 'len <= 128'
- Capture all Port 80 Traffic to a File (options before the filter expression; -s 1514 keeps whole frames so nothing is truncated in the file):
$ tcpdump -s 1514 -w capture_file port 80
- Read Captured Traffic back into tcpdump later (the same filter syntax can be given after -r to narrow what is displayed):
$ tcpdump -r capture_file
Logical expressions (and binds tighter than or; group with parentheses, quoted so the shell does not interpret them):
1. AND : and or &&
2. OR : or or ||
3. EXCEPT : not or !
- TCP traffic from 10.5.2.3 destined for port 3389:
$ tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389
- Traffic originating from the 192.168 network headed for the 10 or 172.16 networks (without the parentheses the filter would read as "(src net 192.168.0.0/16 and dst net 10.0.0.0/8) or dst net 172.16.0.0/16"):
$ tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'
- Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
$ tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp
- Traffic originating from hosts mars or pluto that isn't to the SSH port (requires name resolution, so no -n; the parentheses keep "or" from binding pluto to the "not dst port 22" clause alone):
$ tcpdump -vv '(src host mars or src host pluto) and not dst port 22'
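As an added worked example (not part of the original post and not tcpdump's own code), the script below shows what "tcpdump -w" actually writes and what "tcpdump -r" reads back: it builds a small classic-pcap file from constructed Ethernet/IPv4 frames, parses it into the fields the filters above operate on (protocol, src, dst, ports, length), and then applies three of the page's filters as Python predicates. The precedence_demo function evaluates the unparenthesised and the parenthesised form of the "192.168 to 10 or 172.16" filter side by side, so the "and binds tighter than or" rule can be seen on real packets. All addresses, MACs and timestamps are made up; nothing here needs tcpdump or root.

```python
"""Parse a tcpdump -w (classic libpcap) file and apply page-style filters.

Constructed sample packets stand in for a real capture; no tcpdump needed.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_packet(src, dst, proto, sport=0, dport=0, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP,ICMP} frame; checksums are left at zero."""
    if proto == "tcp":   # 20-byte TCP header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == "udp":  # 8-byte UDP header, length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                 # ICMP echo request: type 8, code 0, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    l4 += payload
    proto_num = {"tcp": 6, "udp": 17, "icmp": 1}[proto]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto_num, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames, snaplen=1514):
    """Serialise frames the way `tcpdump -s 1514 -w file` does (global + per-packet headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]   # a shorter -s would truncate here; orig_len keeps the real size
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)) + captured
    return out


def parse_pcap(data):
    """Decode a classic pcap blob into dicts holding the fields tcpdump filters on."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng/nanosecond not handled)")
    _, _, _, _, _snaplen, linktype = struct.unpack_from("<HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue   # truncated or not IPv4; a real tool would count these rather than drop them
        ihl = (frame[14] & 0x0F) * 4
        proto_num = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto_num in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with src/dst port
            sport, dport = struct.unpack_from("!HH", l4, 0)
        packets.append({"ts": ts_sec + ts_usec / 1e6, "len": orig_len,
                        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
                        "src": src, "dst": dst, "sport": sport, "dport": dport})
    return packets


def in_net(ip, cidr):
    """Equivalent of the `net 1.2.3.0/24` primitive for one address."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr)


def select(packets, predicate):
    return [p for p in packets if predicate(p)]


# Constructed capture: five frames chosen so each filter below has something to match or reject.
SAMPLE = build_pcap([
    build_packet("10.5.2.3", "192.168.0.2", "tcp", 51000, 3389),      # RDP from 10.5.2.3
    build_packet("192.168.1.9", "10.9.9.9", "tcp", 40000, 443),       # 192.168 -> 10/8
    build_packet("172.16.4.4", "172.16.0.7", "udp", 53, 53, b"xx"),   # 172.16 -> 172.16
    build_packet("172.16.4.4", "192.168.0.2", "icmp"),                 # ICMP to 192.168.0.2
    build_packet("172.16.4.4", "192.168.0.2", "tcp", 1025, 22),       # TCP to port 22
])


def rdp_from_host(packets):
    """tcpdump 'tcp and src 10.5.2.3 and dst port 3389'"""
    return select(packets, lambda p: p["proto"] == "tcp" and p["src"] == "10.5.2.3"
                  and p["dport"] == 3389)


def precedence_demo(packets):
    """Returns (matches without parentheses, matches with parentheses).

    'and' binds tighter than 'or', so the unparenthesised page filter means
    (src net A and dst net B) or dst net C and lets a 172.16 -> 172.16 packet through.
    """
    loose = select(packets, lambda p: (in_net(p["src"], "192.168.0.0/16")
                                       and in_net(p["dst"], "10.0.0.0/8"))
                   or in_net(p["dst"], "172.16.0.0/16"))
    strict = select(packets, lambda p: in_net(p["src"], "192.168.0.0/16")
                    and (in_net(p["dst"], "10.0.0.0/8") or in_net(p["dst"], "172.16.0.0/16")))
    return len(loose), len(strict)


def non_icmp_to_host(packets):
    """tcpdump 'dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp'"""
    return select(packets, lambda p: p["dst"] == "192.168.0.2"
                  and in_net(p["src"], "172.16.0.0/16") and p["proto"] != "icmp")


if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE)
    for p in pkts:
        print(f'{p["proto"]:4} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} len={p["len"]}')
    print("rdp_from_host:", len(rdp_from_host(pkts)))
    print("precedence (loose, strict):", precedence_demo(pkts))
    print("non_icmp_to_host:", len(non_icmp_to_host(pkts)))
```

Running the script prints the five decoded packets and then 1, (2, 1) and 1 for the three filters. The parser deliberately handles only little-endian classic pcap with Ethernet framing, which is what tcpdump -w writes on the RHEL/CentOS hosts this page targets; a file saved by a tool that defaults to pcapng, or captured on a non-Ethernet interface, is rejected with an explicit error instead of being silently misread.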