- List the network interfaces tcpdump can capture on
tcpdump -D
E.g.
$ tcpdump -D
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.eth2
- Capture packets from a particular interface
tcpdump -i interface-name
E.g. To capture packets from interface eth1 - tcpdump -i eth1
- Capture only N number of packets
tcpdump -c N
E.g. To capture 10 packets from interface eth1 - tcpdump -i eth1 -c 10
- Capture the packets and write into a file
tcpdump -w file.pcap
E.g. tcpdump -i eth1 -w tmp.pcap
- Capture full-length frames (no truncation)
tcpdump -s 0
E.g. tcpdump -i eth1 -w tmp.pcap -s 0
-s sets the snapshot length: only that many bytes of each frame are captured and written, the rest is lost, and tcpdump marks a cut it cannot decode past with a [|tcp]-style note. -s 0 means "use the maximum". This mattered on old releases, which defaulted to 68 bytes; current releases default to 262144 bytes, and the "capture size" in the listening line reports the value in effect.
- Read packets back from a saved file (no capture privileges needed; the same filter expressions apply)
tcpdump -r file.pcap
E.g. tcpdump -tttt -r tmp.pcap
- Print a human-readable timestamp (date plus time) on each dump line
tcpdump -tttt
E.g. tcpdump -i eth1 -tttt
Filter Options
A filter expression is built from primitives of the form [proto] [dir] [type] value, joined with and, or and not; the qualifiers are listed after the examples. Examples:
- Capture only packets whose length is at least N bytes (greater N means len >= N; less N is the counterpart)
tcpdump greater N
E.g. tcpdump -i eth1 -w tmp.pcap greater 1024
- Capture only packets of one protocol: the proto qualifiers are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp (icmp is accepted as an abbreviation as well)
E.g. tcpdump -i eth1 arp
- Capture traffic to or from a particular port (matches TCP and UDP; prefix the primitive, e.g. tcp port 22, to narrow it to one protocol)
tcpdump port PORT_NO
E.g. tcpdump -i eth1 port 22
- Capture packets to a particular destination IP and port (dst alone means dst host, since host is the default type; port alone matches either end, use dst port to restrict it)
tcpdump dst IPADDRESS and port PORT-NO
E.g. tcpdump -i eth1 dst 10.181.140.216 and port 22
Qualifiers (as in the pcap-filter manual page):
type: host, net, port and portrange.
E.g., 'host foo', 'net 128.3', 'port 20', 'portrange 6000-6008'. If there is no type qualifier, host is assumed.
dir: src, dst, src or dst and src and dst.
E.g., 'src foo', 'dst net 128.3', 'src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed.
proto: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
E.g., 'ether src foo', 'arp net 128.3', 'tcp port 21', 'udp portrange 7000-7009'.
If there is no proto qualifier, all protocols consistent with the type are assumed.
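A worked example, added here and not taken from the page or from tcpdump itself, that ties together the -w/-s/-r items earlier on the page and the qualifier table just above. It is written in Python rather than as tcpdump commands so it runs offline, without root or a live interface: it writes a classic pcap file from three constructed Ethernet/IPv4 frames at a chosen snaplen, reads it back the way -r does, decodes the fields that -e and -n print, and evaluates pcap-filter primitives ([proto] [dir] [type] value) with the manual page's defaults. The MAC 52:54:00:e1:1c:10 and the address 10.181.140.216 are reused from the page's own examples; every other MAC, address, port and payload is invented for the demo, and checksums are left at zero.

```python
"""Added example, not code from the original page: a tiny pcap writer/reader and a
pcap-filter primitive evaluator. Every frame, MAC and IP below is constructed for the demo."""
import ipaddress, shutil, socket, struct, subprocess, tempfile

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic microsecond pcap, EN10MB link type

def frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP(SYN)/UDP; checksums left zero (fine for parsing, not for a NIC)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    if proto == "tcp":   # 20-byte header: seq/ack 0, data offset 5, SYN flag, window 65535
        l4, pnum = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0), 6
    else:                # 8-byte UDP header
        l4, pnum = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, pnum, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + l4

def sample_frames():
    """Constructed traffic: an SSH SYN carrying 200 bytes, its reply, and one mDNS datagram."""
    return [frame("52:54:00:e1:1c:10", "52:54:00:aa:bb:cc", "10.0.0.5", "10.181.140.216",
                  "tcp", 40000, 22, b"\x16\x03" * 100),
            frame("52:54:00:aa:bb:cc", "52:54:00:e1:1c:10", "10.181.140.216", "10.0.0.5",
                  "tcp", 22, 40000),
            frame("52:54:00:e1:1c:10", "01:00:5e:00:00:fb", "10.0.0.5", "224.0.0.251",
                  "udp", 5353, 5353, b"\x00" * 40)]

def pcap_bytes(frames, snaplen):
    """tcpdump -w at -s snaplen: each record keeps caplen bytes of an origlen-byte frame; the rest is lost."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f[:snaplen]), len(f)) + f[:snaplen])
    return b"".join(out)

def read_pcap(data):
    """Walk the records like 'tcpdump -r'; returns (snaplen, [(caplen, origlen, bytes), ...])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == PCAP_MAGIC and linktype == LINKTYPE_ETHERNET, "unexpected pcap header"
    off, recs = 24, []
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        recs.append((caplen, origlen, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return snaplen, recs

def decode(cap):
    """Fields that -e (MACs) and -n (numeric addresses/ports) print; None if cut before the IPv4 header ends."""
    if len(cap) < 34 or cap[12:14] != b"\x08\x00":
        return None
    l4 = cap[14 + (cap[14] & 0x0F) * 4:]
    ports = struct.unpack("!HH", l4[:4]) if len(l4) >= 4 else (None, None)
    return {"src_mac": cap[6:12].hex(":"), "dst_mac": cap[:6].hex(":"),
            "src_ip": socket.inet_ntoa(cap[26:30]), "dst_ip": socket.inet_ntoa(cap[30:34]),
            "proto": {6: "tcp", 17: "udp"}.get(cap[23], str(cap[23])),
            "sport": ports[0], "dport": ports[1]}

def primitive(pkt, value, qtype="host", qdir="src or dst", proto=None):
    """One primitive '[proto] [dir] [type] value' with the manual's defaults: host, 'src or dst', any proto."""
    if proto in ("tcp", "udp") and pkt["proto"] != proto:
        return False
    if qtype == "host":
        test = lambda side: pkt[side + "_ip"] == value
    elif qtype == "net":   # 'net 128.3' means 128.3.0.0/16; CIDR notation is accepted too
        parts = value.split(".")
        cidr = value if "/" in value else ".".join(parts + ["0"] * (4 - len(parts))) + f"/{8 * len(parts)}"
        net = ipaddress.ip_network(cidr, strict=False)
        test = lambda side: ipaddress.ip_address(pkt[side + "_ip"]) in net
    elif qtype == "port":
        test = lambda side: pkt[side[0] + "port"] == int(value)
    elif qtype == "portrange":
        lo, hi = map(int, value.split("-"))
        test = lambda side: pkt[side[0] + "port"] is not None and lo <= pkt[side[0] + "port"] <= hi
    else:
        raise ValueError(f"unknown type qualifier: {qtype}")
    src, dst = test("src"), test("dst")
    return {"src": src, "dst": dst, "src or dst": src or dst, "src and dst": src and dst}[qdir]

def demo(snaplen=64):
    """Capture at -s snaplen, read back, decode, apply 'dst host 10.181.140.216 and tcp port 22'."""
    _, recs = read_pcap(pcap_bytes(sample_frames(), snaplen))
    truncated = sum(1 for caplen, origlen, _ in recs if caplen < origlen)
    pkts = [decode(cap) for _, _, cap in recs]
    matches = [p for p in pkts if p and primitive(p, "10.181.140.216", qdir="dst")
               and primitive(p, "22", qtype="port", proto="tcp")]
    return truncated, matches   # (2, [the SSH SYN]) at the default snaplen of 64

def tcpdump_read(data):
    """With tcpdump installed, decode the same bytes via 'tcpdump -nn -e -tttt -r FILE' (no root needed)."""
    if not shutil.which("tcpdump"):
        return None
    with tempfile.NamedTemporaryFile(suffix=".pcap") as f:
        f.write(data)
        f.flush()
        return subprocess.run(["tcpdump", "-nn", "-e", "-tttt", "-r", f.name],
                              capture_output=True, text=True).stdout

if __name__ == "__main__":
    print(demo(), tcpdump_read(pcap_bytes(sample_frames(), 65535)) or "tcpdump not installed")
```

Run it as a script; with tcpdump installed it also prints the same three records through tcpdump -nn -e -tttt -r, which needs no capture privileges. The point to take away: at -s 64 two of the three records come back with caplen smaller than origlen, the headers still decode and the filter still matches, but the SSH payload is gone, which is exactly what a capture taken with an old default snaplen looks like when you need it for forensics.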
Display options
- Display more packet information (-v, -vv and -vvv add progressively more detail, such as TTL, IP ID, total length and header checksum verification)
tcpdump -vvv
E.g. tcpdump -i eth1 -vvv
- Display the link-level header of every packet: -e
tcpdump -e
E.g. (with -t so no timestamps are printed; note the source and destination MAC addresses at the start of each line)
tcpdump -i eth2 -e -t
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
52:54:00:e1:1c:10 (oui Unknown) > 01:80:c2:00:00:00 (oui Unknown), 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
52:54:00:e1:1c:10 (oui Unknown) > 01:80:c2:00:00:00 (oui Unknown), 802.3, length 60: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
- Don't print a timestamp on each dump line: -t
tcpdump -t
E.g.
Without -t, each line starts with the timestamp (08:44:51.295229 in the first output below); with -t it is omitted.
tcpdump -i eth2
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
08:44:51.295229 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
08:44:53.296795 STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
tcpdump -i eth2 -t
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
STP 802.1d, Config, Flags [none], bridge-id 8000.52:54:00:e1:1c:10.8003, length 43
- Display IP addresses instead of DNS names: -n
By default tcpdump resolves every address to a host name with a reverse DNS lookup and turns port numbers into service names. -n keeps addresses numeric; -nn keeps ports and protocols numeric as well. Prefer -n or -nn when looking at suspicious traffic: the lookups slow the capture and send DNS queries for the attacker's addresses from the analysis host.
tcpdump -n
E.g. tcpdump -i eth1 -n
- Display captured packets in ASCII (the packet minus its link-level header; handy for cleartext protocols such as HTTP)
tcpdump -A
E.g. tcpdump -i eth1 -A
- Display captured packets in hex and ASCII, link-level header included (-X prints the same without the link-level header)
tcpdump -XX