Packet Captures

| Content-Length || http.content_length_header
|}
== TCPDump Filters ==

Source: [http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ thegeekstuff.com]

*General TCPDump command (full packets, verbose, written to a file; options are placed before the filter expression so the command also parses on BSD/macOS getopt, which stops option parsing at the first non-option argument):

 tcpdump -s 0 -i eth0 -v -w /tmp/packet_capture.cap host 10.1.1.1

{| class="wikitable"
|-
! Description !! Command
|-
| Capture packets from a particular interface || tcpdump -i eth1
|-
| Capture only N packets || tcpdump -c 200 -i eth0
|-
| Display captured packets in ASCII || tcpdump -A -i eth0
|-
| Display captured packets in hex and ASCII || tcpdump -XX -i eth0
|-
| Capture packets and write them to a file || tcpdump -w 08232010.pcap -i eth0
|-
| Capture packets with IP addresses, without DNS resolution || tcpdump -n -i eth0
|-
| Capture packets with a human-readable timestamp || tcpdump -n -tttt -i eth0
|-
| Capture only packets larger or smaller than N bytes || tcpdump -w capture.pcap greater 1024<br />tcpdump -w capture.pcap less 1024
|-
| Receive only packets of a specific protocol type || tcpdump -i eth0 arp
|-
| Receive packet flows on a particular port || tcpdump -i eth0 port 22
|-
| Capture packets for a particular destination IP and port || tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
|-
| Capture TCP communication packets between two hosts || tcpdump -w comm.pcap -i eth0 tcp and \(host 172.20.68.176 and host 172.24.173.9\)
|-
| Capture all packets other than ARP and RARP<br />'and', 'or' and 'not' are used to combine filter conditions || tcpdump -i eth0 not arp and not rarp
|}
|||
=== Reading PCAPs ===

{| class="wikitable"
|-
! Description !! Command
|-
| Reading a pcap file || tcpdump -r data.pcap
|-
| Viewing all headers || tcpdump -e -nn -vv -r data.pcap
|-
| Viewing hexadecimal data || tcpdump -XX -r data.pcap
|}
|||
=== TCPDump Parameters ===

====Modifiers====

{| class="wikitable" style="width: 20%"
|-
! Symbol !! Words
|-
| ! || not
|-
| && || and
|-
| <nowiki>||</nowiki> || or
|}
|||
====Examples====

{| class="wikitable"
|-
! Filter !! Description
|-
| udp dst port not 53 || UDP not bound for port 53
|-
| host 10.0.0.1 && host 10.0.0.2 || Traffic between these hosts
|-
| tcp dst port 80 or 8080 || Packets to either TCP port
|}
|||
====Protocol keywords====

{| class="wikitable" style="width: 30%"
!colspan="3"|Keywords
|-
| arp || ether || icmp
|-
| ip || ip6 || ppp
|-
| rarp || tcp || udp
|-
| wlan || ||
|}
|||
====TCP Flags====

{| class="wikitable" style="width: 30%"
!colspan="2"|Flag Keywords
|-
| tcp-urg || tcp-rst
|-
| tcp-ack || tcp-syn
|-
| tcp-psh || tcp-fin
|}
|||
====Capture Filter Primitives====

{| class="wikitable"
|-
! Filter !! Description
|-
| <nowiki>[src|dst] host <host></nowiki> || Matches a host as the IP source, destination, or either
|-
| <nowiki>ether [src|dst] host <ehost></nowiki> || Matches a host as the Ethernet source, destination, or either
|-
| <nowiki>gateway host <host></nowiki> || Matches packets which used host as a gateway
|-
| <nowiki>[src|dst] net <network>/<len></nowiki> || Matches packets to or from an endpoint residing in network
|-
| <nowiki>[tcp|udp] [src|dst] port <port></nowiki> || Matches TCP or UDP packets sent to/from port
|-
| <nowiki>[tcp|udp] [src|dst] portrange <p1>-<p2></nowiki> || Matches TCP or UDP packets to/from a port in the given range
|-
| <nowiki>less <length></nowiki> || Matches packets less than or equal to length
|-
| <nowiki>greater <length></nowiki> || Matches packets greater than or equal to length
|-
| <nowiki>(ether|ip|ip6) proto <protocol></nowiki> || Matches an Ethernet, IPv4, or IPv6 protocol
|-
| <nowiki>(ether|ip) broadcast</nowiki> || Matches Ethernet or IPv4 broadcasts
|-
| <nowiki>(ether|ip|ip6) multicast</nowiki> || Matches Ethernet, IPv4, or IPv6 multicasts
|-
| <nowiki>type (mgt|ctl|data) [subtype <subtype>]</nowiki> || Matches 802.11 frames based on type and optional subtype
|-
| <nowiki>vlan [<vlan>]</nowiki> || Matches 802.1Q frames, optionally with a VLAN ID of vlan
|-
| <nowiki>mpls [<label>]</nowiki> || Matches MPLS packets, optionally with a label of label
|-
| <nowiki><expr> <relop> <expr></nowiki> || Matches packets by an arbitrary expression
|}
|||
====Command Line Options====

{| class="wikitable"
|-
! Option !! Description
|-
| -A || Print frame payload in ASCII
|-
| <nowiki>-c <count></nowiki> || Exit after capturing count packets
|-
| -D || List available interfaces
|-
| -e || Print link-level headers
|-
| <nowiki>-F <file></nowiki> || Use file as the filter expression
|-
| <nowiki>-G <n></nowiki> || Rotate the dump file every n seconds (the -w file name may contain strftime(3) format specifiers)
|-
| <nowiki>-i <iface></nowiki> || Specifies the capture interface
|-
| -K || Don't verify IP, TCP, or UDP checksums
|-
| -L || List data link types for the interface
|-
| -n || Don't convert addresses to names
|-
| -p || Don't capture in promiscuous mode
|-
| -q || Quick (quiet) output: print less protocol information
|-
| <nowiki>-r <file></nowiki> || Read packets from file
|-
| <nowiki>-s <len></nowiki> || Capture up to len bytes per packet
|-
| -S || Print absolute TCP sequence numbers
|-
| -t || Don't print timestamps
|-
| -v[v[v]] || Print more verbose output
|-
| <nowiki>-w <file></nowiki> || Write captured packets to file
|-
| -x || Print frame payload in hex
|-
| -X || Print frame payload in hex and ASCII
|-
| <nowiki>-y <type></nowiki> || Specify the data link type
|}
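Putting the modifiers, the filter primitives and the command line options from the tables above together, as an added example that is not part of this wiki page or of the thegeekstuff article it cites: a small POSIX shell script that composes a capture filter from primitives, checks that tcpdump accepts the expression before any capture is started, and builds a bounded capture command. The syntax check uses a real tcpdump feature not listed in the options table above, '-d' (dump the compiled BPF program and exit); running it against an empty pcap file written by the script means no interface is opened and no root is needed. The interface name, addresses and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page or its source article): compose a
# capture filter from the primitives above, check it compiles, and build a
# bounded capture command. Interface name, addresses and paths are made up.
set -u

# Write a constructed 24-byte pcap global header (magic 0xa1b2c3d4, version
# 2.4, snaplen 65535, link type 1 = Ethernet) and no packets. tcpdump can
# compile a filter against this file with 'tcpdump -r FILE -d', which needs
# neither an interface nor root, so a typo is caught before the real capture.
write_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Return 0 when tcpdump accepts the filter expression, 1 when it rejects it,
# 2 when tcpdump is not installed and the check had to be skipped.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 2
    write_empty_pcap "$tmp"
    if tcpdump -r "$tmp" -d "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Combine primitives: a protocol keyword, a net/len, a port and an optional
# set of primitives to exclude. The parentheses make 'not' apply to the whole
# exclusion list instead of only its first term.
build_filter() {
    proto=$1; net=$2; port=$3; exclude=${4:-}
    expr="$proto and net $net and port $port"
    if [ -n "$exclude" ]; then
        expr="$expr and not ($exclude)"
    fi
    printf '%s' "$expr"
}

# Compose a capture that cannot run away: -c bounds the packet count, -G
# rotates the output file every N seconds (strftime fields in the -w name),
# -s 0 keeps full frames and -nn skips host and port name lookups.
build_capture_cmd() {
    iface=$1; filter=$2; prefix=$3; count=$4; rotate=$5
    printf "tcpdump -nn -s 0 -i %s -c %s -G %s -w '%s-%%Y%%m%%d-%%H%%M%%S.pcap' '%s'" \
        "$iface" "$count" "$rotate" "$prefix" "$filter"
}

# Print the result of the syntax check for one expression.
report_filter() {
    check_filter "$1"
    case $? in
        0) echo "compiles: $1" ;;
        1) echo "rejected: $1" ;;
        *) echo "skipped (tcpdump not installed): $1" ;;
    esac
}

main() {
    f=$(build_filter tcp 10.0.0.0/24 22 'host 10.0.0.5')
    report_filter "$f"
    # A broken expression (doubled 'and') is rejected at compile time.
    report_filter 'tcp and and port 22'
    echo "command: $(build_capture_cmd eth0 "$f" /tmp/capture 1000 300)"
}

main
```

The filter string is passed to tcpdump as a single quoted argument, so shell metacharacters such as the parentheses never reach the shell unescaped; that is also why the wiki's two-host example needs the backslashes when it is typed directly on the command line.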