Thursday, February 11, 2010

What is TCPDUMP and how to use it

TCPDUMP is a packet analyzer that runs under the command line.It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.I has a version for windows too named WinDump.

What is it good for?

Tcpdump is frequently used to debug applications that generate or receive network traffic. It can also be used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.


I.To see on which network interfaces tcpdump can capture packets type:

sudo tcpdump -D

Output of the above command :
2.any (Pseudo-device that captures on all interfaces)

II.How to capture packets from a interface

sudo tcpdump -i eth0 or if you want the output saved in a file for later analysis type  sudo tcpdump -i eth0 -w tcpdumpfile.log

III.How to see data in human readable format while captured:

sudo tcpdump  -l  |  tee dat

IV.Print packets ariveing from ubuntubox1( or departing from it using the host name or the ip:

sudo tcpdump host ubuntubox1 
              or like this:
sudo tcpdump host

V.To print traffic between ubuntumaster  and either ubuntubox1 or ubuntubox2:

tcpdump host ubuntumaster and \( ubuntubox1 or ubuntubox2 \)

VI.To print all IP packets between ubuntubox1 and any host except ubuntumaster:

tcpdump ip host ubuntubox1 and not ubuntumaster 

VII. How to print packets that are send and recived from port 22:

sudo tcpdump port 22 -w tcpdump.log

VIII. How to print trafic showing the ip-s of the sender and reciver
sudo tcpdump -nS
sudo tcpdump -nnvvS (to see a good amount of traffic with verbosity and no name)

IX.How to print traffic from only a source or destination ignoring one side of the host conversation

sudo tcpdump src
sudo tcpdump dst

X.How to capture traffic from an entire network

sudo tcpdump net
             or like this:
sudo tcpdump net

XI.How to print a specific number of packets  from a specific protocol (protocols supported are TCP, UDP,ICMP,ARP and IP):

sudo tcpdump -c20  TCP

XII. How to filter traffic based on source port and destination port

sudo tcpdump src port 22 and dst port 22

Note you can combine options using expressions.Accepted expresions are: and,or,not.

If you save the output to a file with -w option, it is not human readable.You must use another software like WireShark to be able to see it in human readable format.

No comments:

Post a Comment