Wednesday, 24 September 2014

Packet Capturing using TCPDUMP

tcpdump has a powerful filter language (Berkeley Packet Filter expressions) that you can use to describe and select packets, ranging from matching high-level attributes such as protocol, host, network and port right down to testing individual bytes of the IP, TCP, UDP and ICMP headers. In this section we go over how the packet filter language works and how to filter packets on particular attributes.

# tcpdump host <address>

The above command matches every packet that has the given address as either its source or its destination.

# tcpdump src host <address> or dst host <address>

The above command matches a packet if the first address is its source or the second address is its destination. Filter primitives combine with and, or and not, so replacing or with and would require both conditions on the same packet.

We can also match a whole subnet, giving the network in CIDR form (for example net <network>/<prefixlen>):

# tcpdump net <network>

Port and protocol filters can be combined with the host and network primitives:

# tcpdump net <network> and tcp port 80

# tcpdump port 80

# tcpdump tcp

# tcpdump portrange 0-1024

For ping replies we can index directly into the ICMP header with tcpdump's proto[offset] syntax (a byte offset into the header, not a regular expression). icmptype is byte 0 of the ICMP header and an echo reply is type 0 (icmp-echoreply), so the filter is:

# tcpdump 'icmp[icmptype] == icmp-echoreply'

Echo requests are type 8 (icmp-echo). A bitwise test such as 'icmp[icmptype] & icmp-echo != 0' does not select replies: it matches any ICMP type that has bit 3 set (types 8 through 15, which includes the requests themselves) and never matches type 0. Quote the expression so the shell does not interpret the brackets and the != operator.
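To make the byte-offset semantics concrete, the following Python script (an added example, not code from the original post) builds a few constructed packets, an ICMP echo request, the matching echo reply and a TCP SYN to port 80, writes them to a pcap file and evaluates two filters on them in pure Python: the correct 'icmp[icmptype] == icmp-echoreply' and the bitwise 'icmp[icmptype] & icmp-echo != 0' form. The packet builders, addresses and the file name ping.pcap are assumptions made for the example; the offsets assume Ethernet framing and IPv4 headers without fragmentation.

```python
"""Added example: evaluate tcpdump-style icmp[icmptype] filters on
constructed packets. Not code from the original post; addresses,
identifiers and the output file name are assumptions for the example."""
import struct

# ICMP type values under the names tcpdump accepts in filters.
ICMP_ECHOREPLY = 0
ICMP_ECHO = 8

ETH_LEN = 14          # Ethernet II header length; IPv4 header starts here
IP_PROTO_OFFSET = 9   # protocol byte within the IPv4 header


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 header (no options) wrapped around payload."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, ip(src), ip(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"  # dst, src, IPv4
    return eth + hdr + payload


def icmp(typ: int, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request/reply header with a small constructed payload."""
    body = struct.pack("!BBHHH", typ, 0, 0, ident, seq) + b"ping"
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def tcp(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Minimal 20-byte TCP header (default flags: SYN); checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)


def ip_header_len(pkt: bytes) -> int:
    """IHL field (low nibble of the first IP byte) in bytes."""
    return (pkt[ETH_LEN] & 0x0F) * 4


def icmp_byte(pkt: bytes, index: int):
    """tcpdump's icmp[index]: byte index of the ICMP header, or None if not ICMP."""
    if pkt[ETH_LEN + IP_PROTO_OFFSET] != 1:
        return None
    return pkt[ETH_LEN + ip_header_len(pkt) + index]


def is_echo_reply(pkt: bytes) -> bool:
    """Equivalent of: tcpdump 'icmp[icmptype] == icmp-echoreply'"""
    return icmp_byte(pkt, 0) == ICMP_ECHOREPLY


def bitwise_filter(pkt: bytes) -> bool:
    """Equivalent of: tcpdump 'icmp[icmptype] & icmp-echo != 0' (matches types 8-15, never 0)."""
    t = icmp_byte(pkt, 0)
    return t is not None and (t & ICMP_ECHO) != 0


# Constructed sample traffic: request, reply, unrelated TCP SYN.
SAMPLE = [
    ipv4("10.0.0.2", "10.0.0.1", 1, icmp(ICMP_ECHO)),       # ping request
    ipv4("10.0.0.1", "10.0.0.2", 1, icmp(ICMP_ECHOREPLY)),  # ping reply
    ipv4("10.0.0.2", "10.0.0.1", 6, tcp(40000, 80)),        # TCP SYN to port 80
]


def classify(pkts=SAMPLE):
    """(is_echo_reply, bitwise_filter) for each packet."""
    return [(is_echo_reply(p), bitwise_filter(p)) for p in pkts]


def write_pcap(path: str, pkts) -> None:
    """Write packets as a classic pcap file (link type 1 = Ethernet) for tcpdump -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, p in enumerate(pkts):
            f.write(struct.pack("<IIII", i, 0, len(p), len(p)) + p)


if __name__ == "__main__":
    write_pcap("ping.pcap", SAMPLE)
    for pkt, (reply, bitwise) in zip(("request", "reply", "tcp syn"), classify()):
        print(f"{pkt:8s} == echoreply: {reply!s:5s}  & icmp-echo != 0: {bitwise}")
```

Running the script writes ping.pcap; only the reply satisfies the == test, while the bitwise form selects the request instead. You can confirm the same result with tcpdump itself by reading the file back: tcpdump -nn -r ping.pcap 'icmp[icmptype] == icmp-echoreply' prints just the reply, and tcpdump -d 'icmp[icmptype] == icmp-echoreply' shows the compiled BPF program for any filter without capturing.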

# tcpdump -i eth0

The above command captures packets on the interface eth0 rather than on the interface tcpdump picks by default.

# tcpdump -c 100

Will capture only 100 packets and then exit.

# tcpdump -n

The above command displays IP addresses and port numbers instead of resolving them to host names and service names, which avoids slow (and, to an observer, noisy) DNS lookups from the capture host. On older versions use -nn to also suppress port and protocol name lookups.

Below are some of the primitives we can use in tcpdump filters:

dst, src, host, net, port, portrange, udp, tcp, icmp, arp, etc.

# tcpdump -v icmp

# tcpdump -n "dst host <address> and (dst port 80 or dst port 443)"

# tcpdump -n dst net <network>

Quote any filter that contains parentheses, as in the second example, so the shell does not interpret them.
