What is it good for?
Tcpdump is frequently used to debug applications that generate or receive network traffic. It can also be used for debugging the network setup itself, by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem.
It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as TELNET or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.
Examples:
I. To see on which network interfaces tcpdump can capture packets, type:
sudo tcpdump -D
Output of the above command:
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
II. How to capture packets from an interface:
sudo tcpdump -i eth0
or, if you want the output saved in a file for later analysis, type:
sudo tcpdump -i eth0 -w tcpdumpfile.log
III. How to see data in human-readable format while it is being captured:
sudo tcpdump -l | tee dat
IV. Print packets arriving at or departing from ubuntubox1 (192.168.2.3), using either the host name or the IP:
sudo tcpdump host ubuntubox1
or like this:
sudo tcpdump host 192.168.2.3
V. To print traffic between ubuntumaster and either ubuntubox1 or ubuntubox2:
tcpdump host ubuntumaster and \( ubuntubox1 or ubuntubox2 \)
VI. To print all IP packets between ubuntubox1 and any host except ubuntumaster:
tcpdump ip host ubuntubox1 and not ubuntumaster
VII. How to print packets sent to or received from port 22:
sudo tcpdump port 22 -w tcpdump.log
VIII. How to print traffic showing the IPs of the sender and receiver:
sudo tcpdump -nS
sudo tcpdump -nnvvS (to see a good amount of detail, with verbosity and no name resolution)
IX. How to print traffic from only a source or destination, ignoring one side of the host conversation:
sudo tcpdump src 192.168.2.4
sudo tcpdump dst 192.168.2.5
X. How to capture traffic from an entire network:
sudo tcpdump net mynetworkdomain.com
or like this:
sudo tcpdump net 192.168.2.0/24
XI. How to print a specific number of packets from a specific protocol (protocols supported are TCP, UDP, ICMP, ARP and IP; the filter keyword is written in lower case):
sudo tcpdump -c20 tcp
XII. How to filter traffic based on source port and destination port:
sudo tcpdump src port 22 and dst port 22
Note: you can combine primitives into expressions using the operators and, or and not.
If you save the output to a file with the -w option, it is not human-readable. You must use other software such as Wireshark to view it in a human-readable format.
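The -nn output shown in example VIII is easy to post-process. As an added example (not part of the original post), the script below parses tcpdump -nn TCP lines and counts connection attempts (pure SYNs) per source address towards a port, which is the defender's view of the port 22 capture in example VII. The sample lines are constructed, not real captured traffic, and the line layout assumed is tcpdump's standard "IP src.port > dst.port: Flags [..]" format.

```python
"""Summarise TCP SYNs per source from tcpdump -nn text output.
Added example; the sample lines below are constructed."""
import re
from collections import Counter

# Matches the start of a tcpdump -nn TCP line, e.g.
# 13:22:01.100001 IP 192.168.2.3.44122 > 192.168.2.5.22: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return a dict for a TCP line, or None for lines that do not match
    (ARP, ICMP, UDP and the indented continuation lines produced by -vv)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt

def syn_sources(lines, port):
    """Count pure SYNs (flags exactly 'S', i.e. connection attempts rather
    than SYN-ACK replies) per source address towards the given port."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dport"] == port and pkt["flags"] == "S":
            counts[pkt["src"]] += 1
    return dict(counts)

# Constructed sample in tcpdump -nn format (not real captured traffic).
SAMPLE = """\
13:22:01.100001 IP 192.168.2.3.44122 > 192.168.2.5.22: Flags [S], seq 1, win 64240, length 0
13:22:01.100200 IP 192.168.2.5.22 > 192.168.2.3.44122: Flags [S.], seq 2, ack 2, win 65160, length 0
13:22:01.100300 IP 192.168.2.3.44122 > 192.168.2.5.22: Flags [.], ack 1, win 502, length 0
13:22:02.000000 IP 192.168.2.4.51000 > 192.168.2.5.22: Flags [S], seq 9, win 64240, length 0
13:22:02.000500 IP 192.168.2.4.51001 > 192.168.2.5.22: Flags [S], seq 10, win 64240, length 0
13:22:03.000000 ARP, Request who-has 192.168.2.5 tell 192.168.2.4, length 28
13:22:04.000000 IP 192.168.2.4.40000 > 192.168.2.5.80: Flags [S], seq 11, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for src, n in sorted(syn_sources(SAMPLE, 22).items()):
        print(f"{src}: {n} SYN(s) to port 22")
```

To run it on a live capture, pipe `sudo tcpdump -nn -l port 22` into a version that reads sys.stdin instead of SAMPLE.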