Packet Captures: Difference between revisions
→TCPDump Filters: added
m (→TCPDump Filters: tcp) |
(→TCPDump Filters: added) |
||
Line 280:
*Capture packets with IP address without DNS resolution
tcpdump -n -i eth0
*Reading the packets from a saved file▼
tcpdump -tttt -r data.pcap▼
*Capture packets with proper readable timestamp
Line 309 ⟶ 306:
<br />
<br />
=== Reading PCAPs ===
▲*Reading the packets from a saved file
▲ tcpdump -tttt -r data.pcap
tcpdump -e -nn -vv -r traffic.dump
tcpdump -XX -r eth0_Merged.pcap
=== TCPDump Parameters ===
! or not▼
&& or and▼
|| or or▼
▲ ! or not
;Examples▼
▲ && or and
▲ || or or
udp dst port not 53 UDP not bound for port 53▼
host 10.0.0.1 && host 10.0.0.2 Traffic between these hosts▼
tcp dst port 80 or 8080 Packets to either TCP port▼
▲ udp dst port not 53 UDP not bound for port 53
▲ host 10.0.0.1 && host 10.0.0.2 Traffic between these hosts
▲ tcp dst port 80 or 8080 Packets to either TCP port
▲;Protocols
arp ether
icmp ip
Line 333 ⟶ 339:
rarp tcp
udp wlan
tcp-urg tcp-rst
tcp-ack tcp-syn
tcp-psh tcp-fin
[src|dst] host <host> Matches a host as the IP source, destination, or either
ether [src|dst] host <ehost> Matches a host as the Ethernet source, destination, or either
Line 359 ⟶ 365:
mpls [<label>] Matches MPLS packets, optionally with a label of label
<expr> <relop> <expr> Matches packets by an arbitrary expression
-A Print frame payload in ASCII
-c <count> Exit after capturing count packets
Line 386 ⟶ 392:
-X Print frame payload in hex and ASCII
-y <type> Specify the data link type
<br />
| |||