Wednesday, January 12, 2011

How to use tcpdump command to capture the network packet?

1. Capture complete to tcp packets :


tcpdump -nnvXSs 1514 -c2 tcp


* host // look for traffic based on IP address (also works with hostname if you're not using -n)

# tcpdump host 1.2.3.4

* src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

* net // capture an entire network using CIDR notation

# tcpdump net 1.2.3.0/24

* proto // works for tcp, udp, and icmp. Note that you don't have to type proto

# tcpdump icmp

* port // see only traffic to or from a certain port

# tcpdump port 3389
* src, dst port // filter based on the source or destination port

# tcpdump src port 1025
# tcpdump dst port 389

* src/dst, port, protocol // combine all three

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

* Port Ranges // see traffic to any port in a range
tcpdump portrange 21-23

* Packet Size Filter // only see packets below or above a certain size (in bytes)
tcpdump less 32
tcpdump greater 128

[ You can use the symbols for less than, greater than, and less than or equal / greater than or equal signs as well. ]
// filtering for size using symbols
tcpdump > 32
tcpdump <= 128

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file

Much important * :
--------------
Then, at some point in the future, you can then read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file
-------------

Logical expression :
1. AND
and or &&
2. OR
or or ||
3. EXCEPT
not or !

TCP traffic from 10.5.2.3 destined for port 3389:

# tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:

# tcpdump -nvX src net 192.168.0.0/16 and dst net
10.0.0.0/8 or 172.16.0.0/16

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:

# tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net
172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port: // requires name resolution

# tcpdump -vv src mars or pluto and not dst port 22
=========

PS: Made it more available in the internet.

No comments:

Post a Comment