TCPDump: Difference between revisions

= Basics =
 
* Capturing with "-i any" uses the Linux "cooked" capture pseudo-link type (LINUX_SLL, or LINUX_SLL2 with newer tcpdump/libpcap releases), so the resulting packets have no Ethernet headers when opened in Wireshark. Capture on a specific interface when you need the Ethernet layer (for example the MAC addresses):
tcpdump -i eth0
 
* TCPDump uses libpcap, which on Linux receives inbound packets from the kernel (through an AF_PACKET socket) before they reach the iptables/netfilter hooks.
* Therefore TCPDump will see incoming ping packets even though iptables drops them. To confirm that the firewall is what drops them, compare what tcpdump shows with the packet counters of the rule (iptables -L -v -n).
* For outbound traffic the order is reversed: tcpdump sees packets only after the firewall has processed them, so anything dropped by an OUTPUT rule never appears in the capture.
 
= Filters =
-y <datalinktype> Specify the data link type to capture with (tcpdump -L lists the types an interface supports)
<br />
 
= Docker Packet Captures =
Run tcpdump inside the container's network namespace with docker exec (tcpdump must be installed in the image; replace 428947239426349 with the target container's ID or name):
docker exec -it 428947239426349 tcpdump -N -A 'port 80' -w capture.pcap
Note that -w writes raw packets to the file, so the -N and -A display options have no effect here, and capture.pcap lands in the container's own filesystem, so copy it out with docker cp afterwards. If the image has no tcpdump, start a helper container that shares the target's network namespace (docker run with --net container:<id>) from an image that does.
 
= Advanced Packet Filtering =

*List interesting traffic from all the PCAP files (read filters use the same BPF syntax as live captures; -nn suppresses DNS and service-name lookups, which keeps the output fast and unambiguous):
<syntaxhighlight lang='bash'>
find . -type f -name '*All.pcap' | while IFS= read -r i; do
    echo "$i"
    tcpdump -nn -r "$i" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'
    echo
done
</syntaxhighlight>
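The two points above, that a capture's link-layer type tells you whether Ethernet headers are present (the "-i any" note under Basics) and that a BPF read filter can be run over a whole directory of capture files, as one added shell example that is not part of this wiki page. It hand-builds two small classic pcap files (little-endian, not pcapng) so it runs offline: the MAC addresses, IPs and ports are made up, IP and TCP checksums are left at zero (BPF filters do not verify them), and the function names are the example's own. Only count_matches and scan_pcaps need tcpdump installed; the linktype check reads the 24-byte global header with od.

```bash
#!/bin/sh
# Added example, not from the wiki page. Builds small classic pcap files by hand,
# reports their link-layer type, and runs a tcpdump read filter over a directory.
# Assumptions: little-endian classic pcap (not pcapng); MACs, IPs and ports are
# made up; IP/TCP checksums stay zero, which BPF filters ignore.

octal_bytes() {              # decimal byte values -> printf \ooo escapes
    for b in "$@"; do printf '\\%03o' "$b"; done
}
le32() {                     # 32-bit value, little-endian (pcap header fields)
    octal_bytes $(( $1 & 255 )) $(( ($1 >> 8) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 24) & 255 ))
}
be16() {                     # 16-bit value, network byte order (TCP ports)
    octal_bytes $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
ip4() {                      # dotted quad -> four bytes (subshell keeps IFS change local)
    ( IFS=.; set -- $1; octal_bytes "$@" )
}

# tcp_syn_frame SRC DST DPORT: 54-byte Ethernet/IPv4/TCP SYN as \ooo escapes
tcp_syn_frame() {
    printf '\\000\\021\\042\\063\\104\\125\\000\\252\\273\\314\\335\\356\\010\\000'  # dst MAC, src MAC, EtherType 0x0800
    printf '\\105\\000\\000\\050\\000\\001\\100\\000\\100\\006\\000\\000'            # v4/ihl5, tos, len 40, id 1, DF, ttl 64, TCP, csum 0
    ip4 "$1"; ip4 "$2"
    be16 49152; be16 "$3"                                                            # sport 49152, dport
    printf '\\000\\000\\000\\000\\000\\000\\000\\000\\120\\002\\377\\377\\000\\000\\000\\000'  # seq, ack, doff 5, SYN, window, csum, urg
}

# write_pcap FILE LINKTYPE [FRAME...]: global header (v2.4, snaplen 65535) plus one record per frame
write_pcap() {
    out=$1; lt=$2; shift 2
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000' > "$out"
    printf "$(le32 "$lt")" >> "$out"
    for frame in "$@"; do
        n=$(( $(printf "$frame" | wc -c) ))
        printf "$(le32 0)$(le32 0)$(le32 "$n")$(le32 "$n")$frame" >> "$out"   # ts_sec, ts_usec, incl_len, orig_len, data
    done
}

# pcap_linktype FILE: print the link-layer type number stored at offset 20 of the global header
pcap_linktype() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    raw=$(od -A n -t x1 -j 20 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) raw=$(printf '%s' "$raw" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/') ;;  # little-endian writer
        a1b2c3d4|a1b23c4d) ;;                                                                         # big-endian writer
        *) echo "not a classic pcap: $1" >&2; return 1 ;;
    esac
    echo $(( 0x$raw ))
}
linktype_name() {
    case "$1" in
        1)   echo "LINKTYPE_ETHERNET: Ethernet headers present" ;;
        113) echo "LINKTYPE_LINUX_SLL: Linux cooked capture (tcpdump -i any), no Ethernet headers" ;;
        276) echo "LINKTYPE_LINUX_SLL2: Linux cooked capture v2 (newer tcpdump -i any), no Ethernet headers" ;;
        *)   echo "link type $1" ;;
    esac
}

# count_matches FILE FILTER: number of packets in FILE matching a BPF read filter (needs tcpdump)
count_matches() {
    echo $(( $(tcpdump -nn -r "$1" "$2" 2>/dev/null | wc -l) ))
}
# scan_pcaps DIR FILTER: the page's loop over capture files, with safe quoting and a per-file summary
scan_pcaps() {
    find "$1" -type f -name '*.pcap' | while IFS= read -r f; do
        printf '%s\t%s\t%s hit(s)\n' "$f" "$(linktype_name "$(pcap_linktype "$f")")" "$(count_matches "$f" "$2")"
    done
}

if [ "${1:-}" = demo ]; then        # sh thisfile.sh demo
    d=$(mktemp -d)
    write_pcap "$d/All.pcap" 1 "$(tcp_syn_frame 1.1.1.1 3.3.3.3 445)" "$(tcp_syn_frame 2.2.2.2 3.3.3.3 80)"
    write_pcap "$d/any.pcap" 113
    scan_pcaps "$d" '((host 1.1.1.1 or host 2.2.2.2) and host 3.3.3.3) and port 445'
fi
```

scan_pcaps generalises the page's loop to every *.pcap under a directory and prints the link type next to the hit count, which is the quick way to tell a cooked "-i any" capture from a per-interface one before trying to filter on Ethernet fields such as "ether host".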
 
<br />