TCPDump: Difference between revisions
[[Category:Lab]]
__TOC__
<br />
= Basics =
* Capturing with "-i any" produces packets without Ethernet headers (the Linux "cooked" pseudo-header is recorded instead), so Wireshark shows no Ethernet layer for them. Capture on a specific interface to keep the link-layer header:
 tcpdump -i eth0
* TCPDump uses libpcap, which receives packets from the kernel's packet socket before they reach iptables/netfilter on the inbound path.
* Therefore TCPDump will see incoming ping packets even though they are dropped by iptables.
* The reverse holds for outbound traffic: TCPDump sees inbound packets before iptables, but outbound packets only after the firewall has processed them, so a packet dropped by an OUTPUT rule never appears in the capture.
= Filters =
Source: [http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ thegeekstuff.com]
* General TCPDump command (options first, then the capture filter expression; a negation is written "not port 22", since "port not 22" is rejected by the filter parser):
 sudo tcpdump -s 0 -i
 sudo tcpdump -s 0 -i ens160 -v -w /tmp/packet_capture.cap host 10.1.1.1 and port 22
 sudo tcpdump -s 0 -i ens160 -v -w /tmp/packet_capture.cap host 10.1.1.1 and not port 22 and not port 80
 sudo tcpdump -s 0 -i ens160 -v -w /tmp/packet_capture.cap host 10.1.1.1 and not tcp port 22 and not tcp port 80
<br />
{| class="wikitable"
|}
====Modifiers====
{| class="wikitable" style="width: 20%"
|-
|}
==
{| class="wikitable"
! Filter !! Description
|}
==
{| class="wikitable" style="width: 30%"
!colspan="3"|Keywords
|}
==
{| class="wikitable" style="width: 30%"
!colspan="3"|Flag Keywords
|}
==
{| class="wikitable"
|-
|}
= Command Line Options =
 -A    Print frame payload in ASCII
<br />
docker exec -it 428947239426349 tcpdump -N -A -w capture.pcap 'port 80'
= Advanced Packet Filtering =
* List interesting traffic from all the PCAP files (the filter keeps only packets between 3.3.3.3 and either 1.1.1.1 or 2.2.2.2 on port 445):
<syntaxhighlight lang='bash'>
for i in $(find . -type f | grep -E "All.pcap"); do
    echo "$i"
    # -n avoids reverse DNS lookups while reading the capture
    tcpdump -nr "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'
    echo
done
</syntaxhighlight>
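The following is an added example, not code from the original wiki page. It ties together two points made above: the Basics note that an "-i any" capture records a Linux "cooked" pseudo-header instead of an Ethernet header, and the loop in this section that runs a host/port filter over several capture files. The pcap reader below inspects the link type in the file header, strips either a 14-byte Ethernet or a 16-byte Linux cooked header, and then applies a pure-Python equivalent of the filter expression '((host A or host B) and host C) and port P' to every file. It assumes classic little-endian pcap files containing only IPv4 traffic; the sample packets, addresses and ports are constructed inline and are not real hosts.

```python
"""Added example (not part of the original wiki page): a tiny pcap reader that
shows why '-i any' captures carry no Ethernet header, and a pure-Python version
of the host/port filter used in the shell loop above. All sample traffic below
is constructed; the addresses and ports are placeholders, not real hosts."""
import socket
import struct

DLT_EN10MB = 1       # ordinary Ethernet capture (tcpdump -i eth0)
DLT_LINUX_SLL = 113  # "Linux cooked" capture produced by tcpdump -i any
PCAP_MAGIC = 0xA1B2C3D4

def ipv4_tcp_packet(src, dst, sport, dport):
    """Build a minimal IPv4 header followed by a 20-byte TCP SYN header (no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def link_frame(linktype, ip_packet):
    """Prepend the link-layer header tcpdump would have recorded for this DLT."""
    if linktype == DLT_EN10MB:
        # dst MAC, src MAC, EtherType 0x0800 (IPv4): 14 bytes
        return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip_packet
    if linktype == DLT_LINUX_SLL:
        # packet type, ARPHRD type, address length, 8-byte address, protocol: 16 bytes
        return struct.pack("!HHH8sH", 0, 1, 6, b"\x02" * 6 + b"\x00\x00", 0x0800) + ip_packet
    raise ValueError("unsupported link type %d" % linktype)

def build_pcap(linktype, ip_packets):
    """Serialise packets into a classic (non-pcapng) little-endian pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 262144, linktype)]
    for n, pkt in enumerate(ip_packets):
        frame = link_frame(linktype, pkt)
        out.append(struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Return (src, dst, proto, sport, dport) for each IPv4 packet in a pcap image."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    # The only difference between an eth0 and an '-i any' capture is this prefix.
    hdr_len = {DLT_EN10MB: 14, DLT_LINUX_SLL: 16}[linktype]
    off, packets = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Both link-layer headers end with the EtherType; only IPv4 is decoded here.
        if struct.unpack("!H", frame[hdr_len - 2:hdr_len])[0] != 0x0800:
            continue
        ip = frame[hdr_len:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = None
        if proto in (6, 17):  # TCP and UDP both begin with source and destination port
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        packets.append((src, dst, proto, sport, dport))
    return packets

def matches(pkt, either_hosts, required_host, port):
    """Python equivalent of the filter '((host A or host B) and host C) and port P'."""
    src, dst, _, sport, dport = pkt
    host_ok = any(h in (src, dst) for h in either_hosts) and required_host in (src, dst)
    return host_ok and port in (sport, dport)

def interesting_packets(pcap_images, either_hosts, required_host, port):
    """Run the filter over several pcap file images, like the shell loop above."""
    return [(name, pkt) for name, data in pcap_images.items()
            for pkt in parse_pcap(data) if matches(pkt, either_hosts, required_host, port)]

# Constructed sample traffic: two SMB packets of interest and two unrelated flows.
SAMPLE_PACKETS = [
    ipv4_tcp_packet("1.1.1.1", "3.3.3.3", 51000, 445),
    ipv4_tcp_packet("3.3.3.3", "2.2.2.2", 445, 51001),
    ipv4_tcp_packet("1.1.1.1", "9.9.9.9", 51002, 445),
    ipv4_tcp_packet("2.2.2.2", "3.3.3.3", 51003, 80),
]
# The same packets as an eth0 capture and as an '-i any' (cooked) capture.
CAPTURES = {
    "eth0-All.pcap": build_pcap(DLT_EN10MB, SAMPLE_PACKETS),
    "any-All.pcap": build_pcap(DLT_LINUX_SLL, SAMPLE_PACKETS),
}

if __name__ == "__main__":
    for name, pkt in interesting_packets(CAPTURES, ["1.1.1.1", "2.2.2.2"], "3.3.3.3", 445):
        print(name, pkt)
```

Running the script prints the two matching packets from each capture; both files decode to identical IP-layer tuples even though only the eth0 file carries Ethernet headers, which is exactly the difference Wireshark shows between an interface capture and an "-i any" capture.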