TCPDump: Difference between revisions
→Command Line Options
| (3 intermediate revisions by the same user not shown) | |||
Line 4:
= Basics =
* TCPDump done with "-i any" will result in packets with No Ethernet Headers captured in wireshark.
tcpdump -i eth0
* TCPDump uses libpcap which processes packets before they get processed by IPTables.
* Therefore TCPDump will see Incoming Ping packets though they are dropped by IPTables.
* TCPDump will see inbound traffic before iptables, but will see outbound traffic only after the firewall has processed it.
= Filters =
Source: [[http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/ thegeekstuff.com]]
Line 47 ⟶ 56:
<br />
{| class="wikitable"
Line 60 ⟶ 69:
|}
▲====Modifiers====
{| class="wikitable" style="width: 20%"
|-
Line 74 ⟶ 84:
|}
==
{| class="wikitable"
! Filter !! Description
Line 85 ⟶ 96:
|}
==
{| class="wikitable" style="width: 30%"
!colspan="3"|Keywords
Line 98 ⟶ 110:
|}
==
{| class="wikitable" style="width: 30%"
!colspan="3"|Flag Keywords
Line 109 ⟶ 122:
|}
==
{| class="wikitable"
|-
Line 145 ⟶ 159:
|}
=
-A Print frame payload in ASCII
Line 170 ⟶ 184:
<br />
docker exec -it 428947239426349 tcpdump -N -A 'port 80' -w capture.pcap
= Advanced Packet Filtering =
*List interesting traffic from all the PCAP files:
<syntaxhighlight lang='bash'>
</syntaxhighlight>
<br />
| |||