Sunday, July 3, 2016

TCPDUMP - How to



#### TCPDUMP ####    www.tcpdump.org 
Tcpdump is a utility used to capture and analyze packets on network interfaces. Details about these packets can either be displayed on the screen or saved to a file
for later analysis. Tcpdump uses the libpcap library for packet capture.

#sudo tcpdump -i any -c 5
#sudo tcpdump -i any
#sudo tcpdump -i any -c 5 -n   # -n : do not resolve hostnames or port names; show numeric IP addresses and port numbers
#sudo tcpdump -i any -c 5 -n -s 96 # -s 96 : capture only the first 96 bytes (snaplen) of each packet
#sudo tcpdump -i any -c 20 -n -t "tcp and dst port 49952"   # -t : suppress timestamps; put options before the filter expression

#### DNS Traffic Example ####
#wget youtube.com     # DNS traffic is UDP on port 53
#sudo tcpdump -i eth0 port 53 -n

### Save Capture to a File ### 
#sudo tcpdump -i any -w capture.pcap -v
# Limit the capture to 20 packets
#sudo tcpdump -i any -w capture.pcap -v -c 20

### Reading Capture File ###
#sudo tcpdump -n -r capture.pcap

### TCPDUMP Filters ### 
Only traffic to or from a specific host [ SRC or DST ]
#sudo tcpdump -i eth1 -n host 10.0.0.3 -c 5 
#ping 10.0.0.3
#sudo tcpdump -i eth1 -n src host 10.0.0.3 -c 5 

Traffic between two IP addresses
#sudo tcpdump -i eth1 -n host 10.0.0.1 and host 10.0.0.3 -c 5
#sudo tcpdump -i eth0 -n host 192.168.1.91 and port 80
#wget google.com  

### Port 80 and port 443 ###
#sudo tcpdump -i eth0 -n "host 192.168.1.191 and (port 80 or port 443)"   # 'or': 'port 80 and port 443' would only match a packet with 80 on one side and 443 on the other

### Subnet Traffic ### 
#sudo tcpdump -i eth0 -n -c100 "src net 192.168.0.0/16 and not dst net 192.168.0.0/16 and not dst net 10.0.0.0/8"   # traffic leaving the private networks

### Filters on MAC Address ###
#sudo tcpdump -i eth0 -n -c 10 ether host 00:11:22:33:44:55      # 00:11:22:33:44:55 is a placeholder MAC; 'ether host' matches either direction
#sudo tcpdump -i eth0 -n -c 10 -e ether host 00:11:22:33:44:55   # -e : also print the link-level (MAC) header

## View IPv6 traffic ##
#sudo tcpdump -i any ip6
#ping6 2000::2

## Only packets with the SYN flag set (then the same for RST) ##
#sudo tcpdump -i any "tcp[tcpflags] & tcp-syn != 0"   # tcp[tcpflags] is byte 13 of the TCP header
$nc 10.0.0.3 80
$nc 10.0.0.3 801
$nc 10.0.0.3 802

#sudo tcpdump -i any "tcp[tcpflags] & tcp-rst != 0"   # a port with no listener (801, 802) answers the SYN with RST
$nc 10.0.0.3 80
$nc 10.0.0.3 801
$nc 10.0.0.3 802
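As an added example (not from the original post), the following Python constructs an Ethernet/IPv4/TCP frame by hand and evaluates the filters used above (host, port, `tcp[tcpflags] & tcp-syn != 0`) by indexing into the headers exactly the way BPF does; the addresses and ports are constructed sample values. It also shows why `port 80 and port 443` matches next to nothing while `port 80 or port 443` matches either service.

```python
import struct

# Flag bit values that tcpdump's tcp-syn and tcp-rst keywords denote
TCP_SYN, TCP_RST = 0x02, 0x04

def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal Ethernet + IPv4 + TCP frame (constructed sample; checksums left zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"     # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp

def parse(frame):
    """Pull out the fields the filters test; None if the frame is not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "flags": tcp[13],                             # tcp[tcpflags] == byte 13 of the TCP header
    }

def matches(frame, host=None, ports=(), any_port=True, flag=None):
    """tcpdump-style filter: 'host X' (either direction); 'port A or port B' when any_port,
    'port A and port B' otherwise; flag -> 'tcp[tcpflags] & <flag> != 0'."""
    p = parse(frame)
    if p is None:
        return False
    if host is not None and host not in (p["src"], p["dst"]):
        return False
    if ports:
        hits = [port in (p["sport"], p["dport"]) for port in ports]
        if not (any(hits) if any_port else all(hits)):
            return False
    return flag is None or (p["flags"] & flag) != 0

if __name__ == "__main__":
    syn = build_frame("10.0.0.1", "10.0.0.3", 40000, 80, TCP_SYN)   # client SYN to port 80
    rst = build_frame("10.0.0.3", "10.0.0.1", 801, 40001, TCP_RST)  # closed port 801 answers RST
    print("tcp-syn filter hits the SYN:", matches(syn, host="10.0.0.3", flag=TCP_SYN))
    print("tcp-rst filter hits the SYN:", matches(syn, flag=TCP_RST))
    print("'port 80 or port 443':", matches(syn, ports=(80, 443)))
    print("'port 80 and port 443':", matches(syn, ports=(80, 443), any_port=False))
```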

Detailed output (hex/ASCII dumps and verbosity)
$sudo tcpdump -i eth0 port 80 -c7 -XX  # -XX : hex and ASCII dump of each packet, including the link-level header
   wget www.google.com

$sudo tcpdump -i eth0 port 80 -c7 -A  # -A : print the packet payload in ASCII
   wget www.google.com

$sudo tcpdump -i eth1 -c15 -vvv  # -vvv : maximum protocol verbosity

### Timestamps and Time Difference Between Packets
$sudo tcpdump -i eth1 -c5 -q -t    # -t : do not print a timestamp; -q : quiet, less protocol detail
$sudo tcpdump -i eth1 -c5 -q -ttt  # -ttt : print the time delta since the previous packet