Packet Captures

| Content-Length || http.content_length_header
|}
<br />
 
== TCPDump Filters ==
Source: [http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ thegeekstuff.com]
 
*General TCPDump command (options first, filter expression last; not every platform's option parser accepts options after the expression):
 tcpdump -s 0 -v -i eth0 -w /tmp/packet_capture.cap host 10.1.1.1
 
 
{| class="wikitable"
|-
! Description !! Command
|-
|Capture packets from a particular interface || tcpdump -i eth1
|-
|Capture only N packets, then exit || tcpdump -c 200 -i eth0
|-
|Display captured packets in ASCII || tcpdump -A -i eth0
|-
|Display captured packets in hex and ASCII, including the link-level header || tcpdump -XX -i eth0
|-
|Capture packets and write them to a file || tcpdump -w 08232010.pcap -i eth0
|-
|Show IP addresses without DNS resolution (faster, and the capture host sends no reverse lookups) || tcpdump -n -i eth0
|-
|Show human-readable timestamps (date and time) || tcpdump -n -tttt -i eth0
|-
|Capture only packets at least / at most N bytes long (''greater'' is >=, ''less'' is <=) || tcpdump -i eth0 -w capture.pcap greater 1024<br />tcpdump -i eth0 -w capture.pcap less 1024
|-
|Capture only packets of a specific protocol || tcpdump -i eth0 arp
|-
|Capture packets to or from a particular port || tcpdump -i eth0 port 22
|-
|Capture packets for a particular destination IP and port || tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
|-
|Capture TCP packets between two hosts || tcpdump -w comm.pcap -i eth0 tcp and \(host 172.20.68.176 and host 172.24.173.9\)
|-
|Capture all packets other than ARP and RARP<br />'and', 'or' and 'not' combine filter primitives || tcpdump -i eth0 not arp and not rarp
|}
<br />
<br />
 
=== Reading PCAPs ===
 
{| class="wikitable"
|-
! Description !! Command
|-
|Reading pcap file || tcpdump -r data.pcap
|-
|Viewing all headers || tcpdump -e -nn -vv -r data.pcap
|-
|Viewing hexadecimal data || tcpdump -XX -r data.pcap
|}
 
=== TCPDump Parameters ===
 
====Modifiers====
{| class="wikitable" style="width: 20%"
|-
! Symbol !! Words
|-
| ! || not
|-
| && || and
|-
| <nowiki>||</nowiki> || or
|}
 
====Examples====
{| class="wikitable"
! Filter !! Description
|-
| udp and not dst port 53 || UDP packets not bound for port 53 (''not'' prefixes a primitive; it cannot sit between ''port'' and the number)
|-
| host 10.0.0.1 && host 10.0.0.2 || Traffic between these hosts
|-
| tcp dst port 80 or 8080 || Packets to either TCP port
|}
 
====Protocol keywords====
{| class="wikitable" style="width: 30%"
!colspan="3"|Keywords
|-
| arp || ether ||icmp
|-
| ip ||ip6 || ppp
|-
| rarp || tcp || udp
|-
| wlan|| ||
|}
 
====TCP Flags====
{| class="wikitable" style="width: 30%"
!colspan="2"|Flag Keywords
|-
| tcp-urg || tcp-rst
|-
| tcp-ack || tcp-syn
|-
| tcp-psh || tcp-fin
|}
These keywords are bit values of the TCP flags byte and are used inside byte-offset expressions, for example <code>tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn</code> matches only the packet that opens a connection, and <code>tcp[tcpflags] & tcp-rst != 0</code> matches resets.
 
====Capture Filter Primitives====
{| class="wikitable"
|-
! Filter !! Description
|-
| <nowiki>[src|dst]</nowiki> host <host> || Matches a host as the IP source, destination, or either
|-
| <nowiki>ether [src|dst] host <ehost></nowiki> || Matches a host as the Ethernet source, destination, or either
|-
| gateway host <host> || Matches packets which used host as a gateway
|-
| <nowiki>[src|dst] net <network>/<len></nowiki> || Matches packets to or from an endpoint residing in network
|-
| <nowiki>[tcp|udp] [src|dst] port <port></nowiki> || Matches TCP or UDP packets sent to/from port
|-
| <nowiki>[tcp|udp] [src|dst] portrange <p1>-<p2></nowiki> || Matches TCP or UDP packets to/from a port in the given range
|-
| less <length> || Matches packets less than or equal to length
|-
| greater <length> || Matches packets greater than or equal to length
|-
| <nowiki>(ether|ip|ip6) proto <protocol></nowiki> || Matches an Ethernet, IPv4, or IPv6 protocol
|-
| <nowiki>(ether|ip) broadcast</nowiki> || Matches Ethernet or IPv4 broadcasts
|-
| <nowiki>(ether|ip|ip6) multicast</nowiki> || Matches Ethernet, IPv4, or IPv6 multicasts
|-
| <nowiki>type (mgt|ctl|data) [subtype <subtype>]</nowiki> || Matches 802.11 frames based on type and optional subtype
|-
| <nowiki>vlan [<vlan>]</nowiki> || Matches 802.1Q frames, optionally with a VLAN ID of vlan
|-
| <nowiki>mpls [<label>]</nowiki> || Matches MPLS packets, optionally with a label of label
|-
| <nowiki><expr> <relop> <expr></nowiki> || Matches packets by an arbitrary expression
|}
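The primitives and flag keywords above say what the BPF filter matches; it helps to see the same logic evaluated by hand on a capture file, which also shows what "tcpdump -r" walks in the Reading PCAPs section. The following is an added example, not code from the original page or from the tcpdump project: a minimal pure-Python reader for the classic pcap format that <code>tcpdump -w</code> writes, which dissects Ethernet/IPv4/TCP and applies the equivalent of <code>dst host 10.181.140.216 and tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn</code>. The five frames are constructed inside the script (checksums left zero), and the addresses, ports and function names are assumptions chosen for the illustration.

```python
"""Minimal classic-pcap reader that evaluates a tcpdump-style capture filter in pure Python."""
import struct

# tcpdump's TCP flag keywords (pcap-filter(7)) are the bits of tcp[13], alias tcp[tcpflags].
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-psh": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, what "tcpdump -y EN10MB" selects


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet/IPv4/TCP frame (constructed sample data; checksums are left zero)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"     # dst MAC, src MAC, EtherType IPv4
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,    # IHL=5, total len 40, proto 6 = TCP
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)  # data offset 5, flags byte
    return eth + ip4 + tcp


def write_pcap(frames):
    """Serialise frames in the classic pcap format that "tcpdump -w" produces."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) per record, the walk "tcpdump -r" performs. pcapng is rejected."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Return the fields the capture-filter primitives refer to, or None if the frame is not IPv4/TCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # ether proto \ip
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:                 # ip proto \tcp with a complete header
        return None
    tcp = ip[ihl:]
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
            "tcpflags": tcp[13], "len": len(frame)}


def match_syn_to_port(pkt, dst_host, dport):
    """Python equivalent of the filter
         dst host <dst_host> and tcp dst port <dport> and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    i.e. only the packet that opens a new connection, not the SYN/ACK reply or later ACKs."""
    syn_ack = TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]
    return (pkt is not None and pkt["dst"] == dst_host and pkt["dport"] == dport
            and pkt["tcpflags"] & syn_ack == TCP_FLAGS["tcp-syn"])


# Constructed capture: the start of one SSH handshake, one HTTP SYN, one more SSH SYN. Not a real capture.
SAMPLE_PCAP = write_pcap([
    build_tcp_frame("10.0.0.5", "10.181.140.216", 51000, 22, TCP_FLAGS["tcp-syn"]),
    build_tcp_frame("10.181.140.216", "10.0.0.5", 22, 51000, TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]),
    build_tcp_frame("10.0.0.5", "10.181.140.216", 51000, 22, TCP_FLAGS["tcp-ack"]),
    build_tcp_frame("10.0.0.7", "10.181.140.216", 40000, 80, TCP_FLAGS["tcp-syn"]),
    build_tcp_frame("10.0.0.9", "10.181.140.216", 40001, 22, TCP_FLAGS["tcp-syn"]),
])


def new_ssh_connections(pcap_bytes, dst_host="10.181.140.216"):
    """Run the filter over every record; return the source addresses that opened a connection to port 22."""
    return [p["src"] for p in (dissect(f) for _, f in read_pcap(pcap_bytes))
            if match_syn_to_port(p, dst_host, 22)]


if __name__ == "__main__":
    for src in new_ssh_connections(SAMPLE_PCAP):
        print("new SSH connection from", src)
```

To cross-check against the real tool, write <code>SAMPLE_PCAP</code> to a file and run <code>tcpdump -n -r sample.pcap 'dst host 10.181.140.216 and tcp dst port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'</code>; it should print the same two frames. The reader deliberately refuses pcapng (the format Wireshark defaults to) rather than misparsing it, which is the check a practitioner wants when a "pcap" handed over by someone else silently yields zero records.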
 
====Command Line Options====
 
{| class="wikitable"
|-
! Option !! Description
|-
| -A || Print frame payload in ASCII
|-
| -c <count> || Exit after capturing count packets
|-
| -D || List available interfaces
|-
| -e || Print link-level headers
|-
| -F <file> || Use file as the filter expression
|-
| -G <n> || Rotate the dump file (-w) every n seconds
|-
| -i <iface> || Specifies the capture interface
|-
| -K || Don't verify IP, TCP or UDP checksums
|-
| -L || List data link types for the interface
|-
| -n || Don't convert addresses to names
|-
| -p || Don't capture in promiscuous mode
|-
| -q || Quick (quiet) output: less protocol detail per line
|-
| -r <file> || Read packets from file
|-
| -s <len> || Capture up to len bytes per packet (-s 0 means whole packets)
|-
| -S || Print absolute TCP sequence numbers
|-
| -t || Don't print timestamps
|-
| -v[v[v]] || Print more verbose output
|-
| -w <file> || Write captured packets to file
|-
| -x || Print frame payload in hex
|-
| -X || Print frame payload in hex and ASCII
|-
| -y <type> || Specify the data link type (see -L)
|}
<br />