Wednesday 24 September 2014

Packet Capturing using TCPDUMP

tcpdump has a powerful filter language for describing which packets to capture, ranging from high-level attributes such as the protocol, hosts and ports involved right down to tests on individual bytes of the IP, TCP, UDP and ICMP headers. This post goes over how that filter language works and how to select packets with particular attributes.

# tcpdump host 10.14.148.91

The above command matches every packet that has 10.14.148.91 as either its source or its destination address.

# tcpdump src host 10.14.153.81 or dst host 10.14.153.91

The above command matches packets whose source is 10.14.153.81 or whose destination is 10.14.153.91; because the two tests are joined with or, either condition on its own is enough.

We can also match a whole subnet in CIDR notation, for example:

# tcpdump net 10.14.153.0/24

This matches any packet whose source or destination address lies in 10.14.153.0/24; src net and dst net restrict the test to one side.

We can also filter on ports and protocols. A protocol name in front of port acts as a qualifier, so tcp port 80 only matches TCP traffic on port 80, while a bare port 80 matches port 80 in either TCP or UDP:

# tcpdump net 10.14.153.0/24 and tcp port 80

# tcpdump port 80

# tcpdump tcp

# tcpdump portrange 0-1024

port and portrange match either the source or the destination port; prefix them with src or dst to test only one side.

For ping replies we can test an individual header byte. This is not a regular expression but a byte-offset test: icmp[icmptype] reads the ICMP type field at offset 0 of the ICMP header, and icmp-echoreply (type 0) and icmp-echo (type 8) are names tcpdump accepts for the type values:

# tcpdump 'icmp[icmptype] == icmp-echoreply'

Use icmp-echo instead to see the requests. The expression must be quoted so the shell does not try to expand the square brackets.
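To make the filter semantics concrete, here is an added example written for this edit; it is not code from the original post and it is not libpcap. It is a small Python evaluator that accepts the filter expressions used in this post (host, net, port, portrange, tcp, udp, icmp, icmp[icmptype] comparisons, and/or/not and parentheses) and applies them to hand-built Ethernet/IPv4 frames. The frames, the packet names and the sample addresses are all constructed for the example, hostnames are not resolved, and nothing is compiled to BPF. Its point is to show which header field each primitive actually inspects: host and net test the IPv4 source and destination address fields, port tests the first two fields of the TCP or UDP header, and icmp[icmptype] is a test of byte 0 of the ICMP header, which is why tcpdump can give the value names like icmp-echo and icmp-echoreply.

```python
import ipaddress
import struct

IPPROTO = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_NAMES = {"icmp-echoreply": 0, "icmp-echo": 8}      # type names tcpdump accepts in icmp[icmptype] tests

# Constructed frames: Ethernet + IPv4 (no options) + transport header; checksums stay zero.
def frame(proto, src, dst, l4):
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)        # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, IPPROTO[proto], 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4

def tcp_hdr(sport, dport): return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 2, 65535, 0, 0)
def udp_hdr(sport, dport): return struct.pack("!HHHH", sport, dport, 8, 0)
def icmp_hdr(icmp_type): return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)

def decode(raw):
    """Pull out only the fields the primitives test; None for non-IPv4 frames."""
    if raw[12:14] != b"\x08\x00":
        return None
    ip = raw[14:]
    f = {"proto": ip[9], "src": ipaddress.IPv4Address(ip[12:16]),
         "dst": ipaddress.IPv4Address(ip[16:20])}
    l4 = ip[(ip[0] & 0x0F) * 4:]                           # skip IHL*4 bytes of IP header
    if f["proto"] in (6, 17):                              # TCP and UDP both start sport, dport
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    elif f["proto"] == 1:
        f["icmptype"] = l4[0]                              # icmp[icmptype] is simply icmp[0]
    return f

# Grammar: expr := term ('or' term)*   term := factor ('and' factor)*
#   factor := 'not' factor | '(' expr ')' | icmp[icmptype] (==|!=) V | primitive
#   primitive := [src|dst] [tcp|udp|icmp] (host A | net N | port P | portrange A-B)   (numeric only)
def compile_filter(text):
    toks = text.replace("(", " ( ").replace(")", " ) ").split()
    def peek(): return toks[0] if toks else None
    def take(): return toks.pop(0)
    def primitive():
        qual = take() if peek() in ("src", "dst") else None
        keys = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[qual]   # side(s) to test
        checks = []
        if peek() in IPPROTO:                              # bare 'tcp', or the prefix of 'tcp port 80'
            p = IPPROTO[take()]
            checks.append(lambda f: f["proto"] == p)
            if peek() not in ("port", "portrange"):
                return checks[0]
        kind, arg = take(), take()
        if kind in ("host", "net"):
            net = ipaddress.ip_network(arg, strict=False)  # 'host A' is just the /32 network A
            checks.append(lambda f: any(f[k] in net for k in keys))
        else:                                              # port or portrange; ICMP has neither
            lo, hi = map(int, arg.split("-")) if "-" in arg else (int(arg), int(arg))
            ports = [k[0] + "port" for k in keys]          # src -> sport, dst -> dport
            checks.append(lambda f: any(lo <= f[k] <= hi for k in ports if k in f))
        return lambda f: all(c(f) for c in checks)
    def factor():
        tok = peek()
        if tok == "not":
            take()
            inner = factor()
            return lambda f: not inner(f)
        if tok == "(":
            take()
            inner = expr()
            take()                                         # the closing ')'
            return inner
        if tok == "icmp[icmptype]":                        # implies 'icmp', as in libpcap
            take()
            op, val = take(), take()
            want = ICMP_NAMES[val] if val in ICMP_NAMES else int(val)
            return lambda f: "icmptype" in f and (f["icmptype"] == want) == (op == "==")
        return primitive()
    def term():
        left = factor()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, factor())
        return left
    def expr():
        left = term()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, term())
        return left
    return expr()

# Constructed sample traffic using the addresses from the post (not real captures).
PACKETS = {
    "web":  frame("tcp",  "10.14.153.81", "10.14.153.212", tcp_hdr(51000, 80)),
    "tls":  frame("tcp",  "10.14.153.81", "10.14.153.212", tcp_hdr(51001, 443)),
    "dns":  frame("udp",  "10.14.148.91", "10.14.153.1",   udp_hdr(53001, 53)),
    "ping": frame("icmp", "10.14.148.91", "10.14.153.91",  icmp_hdr(8)),    # echo request
    "pong": frame("icmp", "10.14.153.91", "10.14.148.91",  icmp_hdr(0)),    # echo reply
}

def select(filter_text):
    """Names of the sample packets that tcpdump would print for this filter."""
    pred = compile_filter(filter_text)
    return sorted(n for n, raw in PACKETS.items() if (f := decode(raw)) and pred(f))
```

For the sample traffic, select('icmp[icmptype] == icmp-echoreply') returns only the reply, select('net 10.14.153.0/24 and tcp port 80') returns only the HTTP SYN, and the ICMP frames never match a port test because they carry no port fields at all. Real tcpdump compiles the same expression into BPF bytecode (which you can inspect with tcpdump -d) that performs the equivalent byte comparisons in the kernel.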

# tcpdump -i eth0

The above command captures on the interface eth0 instead of the default interface. On Linux, -i any captures on all interfaces at once.

# tcpdump -c 100

The above command exits after capturing 100 packets.

# tcpdump -n

The above command prints IP addresses instead of resolving them to hostnames, which avoids slow DNS lookups and the extra traffic those lookups generate. Use -nn to also print port numbers instead of service names such as http.

Below are the primitives and qualifiers used in the examples above:

dst, src, host, net, portrange, udp, tcp, icmp, arp etc.

# tcpdump -v icmp

# tcpdump -n 'dst host 10.14.153.212 and (dst port 80 or dst port 443)'

# tcpdump -n dst net 10.14.153.0/24

The first command prints ICMP packets with verbose decoding (-v); the second captures only traffic going to 10.14.153.212 on port 80 or 443; the third captures anything destined for the 10.14.153.0/24 network. An expression containing parentheses has to be quoted, otherwise the shell interprets the parentheses itself.
