simple usage of tcpdump
May 23rd, 2007, by mysurface. Posted in Network, tcpdump
This is what I learned from geek00l today. Tcpdump is a really great tool for network security analysts: you can dump the packets flowing through your network to a file for further analysis. With filters you can capture only the packets you are interested in, which reduces the size of the saved dump and in turn the load and processing time of the packet analysis.
This post only covers the fundamentals of tcpdump usage; bear in mind that tcpdump can do much, much more than what I illustrate here.
Let's start with capturing packets based on network interface, ports and protocols. Let's assume I want to capture TCP packets that flow over eth1, port 6881. The dump file will be saved as test.pcap.
tcpdump -w test.pcap -i eth1 tcp port 6881
Simple, right? What if at the same time I am also interested in getting packets on UDP ports 33210 and 33220?
tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)
‘\’ escapes ‘(’ and ‘)’ so that the shell passes them through to tcpdump instead of interpreting them. Logical OR means PLUS (+), a union: in plain words, I want to capture TCP packets flowing over port 6881 plus UDP packets on ports 33210 and 33220.
Be careful with ‘and’ in a tcpdump filter expression: it means intersection, which would only keep packets that satisfy both conditions at once. That's why I put ‘or’ instead of ‘and’ between UDP ports 33210 and 33220. The usage of ‘and’ in tcpdump will be illustrated later.
Ok, how about reading pcap that I saved previously?
tcpdump -nnr test.pcap
The -nn tells tcpdump not to resolve IP addresses to host names or port numbers to service names; -r reads from the file.
Adding -tttt makes the timestamp appear in a more readable format (full date and time on each line).
tcpdump -ttttnnr test.pcap
How about capturing based on IP?
You need to tell tcpdump which IP you are interested in: destination IP or source IP? Let's say I want to sniff on destination IP 10.168.28.22, TCP port 22. How should I write that?
tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22
So the ‘and’ makes the intersection of destination IP and port: only packets matching both are captured.
By default the snapshot size of each captured packet is 96 bytes (anything beyond that is cut off and never written); you can override that size with -s.
tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
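To see what the filter and the snapshot length actually do to a saved file, here is an added Python example (not from the original post and not part of tcpdump) that writes a tiny pcap with constructed Ethernet/IPv4 traffic the way tcpdump -w -s would, reads it back, and applies the same selection as the post's filter ‘tcp port 6881 or udp port \( 33210 or 33220 \)’. The addresses, the ports other than those in the post, and the payloads are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
def ipv4(proto, src, dst, l4):  # constructed Ethernet(IPv4) frame: minimal IPv4 header + segment
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType 0x0800
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + iph + l4

def tcp(sport, dport, data):  # TCP header without options, flags PSH|ACK, checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data

def udp(sport, dport, data):  # UDP header, checksum left zero
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_pcap(frames, snaplen=96):
    """Classic little-endian pcap file (DLT_EN10MB) as tcpdump -w -s SNAPLEN writes it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in enumerate(frames, 1):
        cap = frame[:snaplen]  # only the first SNAPLEN bytes of each frame are stored
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return out

def read_pcap(data):
    """Walk the pcap records and decode the Ethernet/IPv4/TCP|UDP addressing fields."""
    e = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, recs = 24, []
    while off < len(data):
        _, _, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        p = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (p[14] & 0x0F) * 4  # IPv4 header length; IP starts after the 14-byte Ethernet header
        sport, dport = struct.unpack("!HH", p[14 + ihl:18 + ihl])
        recs.append({"proto": {6: "tcp", 17: "udp"}.get(p[23], "other"),
                     "src": str(IPv4Address(p[26:30])), "dst": str(IPv4Address(p[30:34])),
                     "sport": sport, "dport": dport, "caplen": caplen, "origlen": origlen,
                     "truncated": caplen < origlen})  # True when -s was smaller than the frame
    return recs

def matches(r):  # same selection as the post's filter: tcp port 6881 or udp port (33210 or 33220)
    ports = {r["sport"], r["dport"]}  # "port" matches either source or destination port
    return (r["proto"] == "tcp" and 6881 in ports) or (r["proto"] == "udp" and bool(ports & {33210, 33220}))
FRAMES = [  # constructed traffic: two frames the filter should keep, two it should drop
    ipv4(6, "10.0.0.5", "10.0.0.9", tcp(40000, 6881, b"A" * 200)),
    ipv4(17, "10.0.0.5", "10.0.0.9", udp(33210, 40001, b"hello")),
    ipv4(17, "10.0.0.5", "10.0.0.53", udp(5353, 53, b"q")),
    ipv4(6, "10.0.0.5", "10.0.0.9", tcp(40002, 22, b"ssh")),
]
def captured(snaplen=96):  # what reading that file back with the filter would give
    return [r for r in read_pcap(build_pcap(FRAMES, snaplen)) if matches(r)]
```

The truncated flag is set for the 254-byte TCP frame at the 96-byte default but not with -s 1550; bytes beyond the snapshot length are never written, so they cannot be recovered from the file later.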
Some versions of tcpdump allow you to define a port range. You can do as below to capture packets based on a range of TCP ports.
tcpdump tcp portrange 20-24
Bear in mind that on the line above I didn't specify -w, so it won't write to a file; it will just print the captured packets on the screen.
Want to try out tcpdump but don't know which port to try it on?
You can see a lot of packets flowing while you are hooked up to the Internet. Find a port through lsof to practise your tcpdump on and have fun. Read "Monitor who runs what, listen to what ports, established what connections" for lsof examples.
Tags: sniffer, pcap, network analysis, network security
July 1st, 2008 at 1:58 am
How come when I run:
sudo tcpdump -v -i wlan0 src 192.168.0.2
it's fine, but when I try to specify only ICMP it gives a syntax error, as with:
sudo tcpdump -v -i wlan0 src 192.168.0.2 ip proto \\icmp
or
sudo tcpdump -v -i wlan0 ip proto 1 src 192.168.0.2
:/
July 14th, 2008 at 4:59 pm
Hello,
Can I save the captured file in text format, or can I view a .pcap file in txt format in Linux?
Please tell me about the filter option, for example if I want to capture packets from one IP address to another.
July 20th, 2008 at 8:33 am
Surendra:
Any command that displays the .pcap file can be redirected to a text file, for example:
# display a .pcap file
tcpdump -nnr test.pcap
# redirect .pcap file to a test file
tcpdump -nnr test.pcap > test.pcap.txt
-George
August 16th, 2008 at 12:47 am
When doing binary dumps with tcpdump, what tools do you guys use for analyzing? Having a hard time settling with Wireshark, so looking for others.