Skip to content

Latest commit

 

History

History
215 lines (170 loc) · 7.02 KB

cix-tcpdump.org

File metadata and controls

215 lines (170 loc) · 7.02 KB
Raw

tcpdump

|≣|

AuthorsVan Jacobson
Craig Leres
Steven McCanne
Released1987
Sourcetcpdump.git
Homepagetcpdump.web

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria.

Index

tcpdump (8)  - dump traffic on a network
tcpslice (8) - extract pieces of and/or merge together tcpdump files

Receipts

tcpdump

tcpdump::options

Davailable interfaces
iinterface
ndon’t resolve hostnames
ccount of number packages
Sabsolute sequence numbres
Xcontents in hex and ASCII
qless verbose
nndon’t resolve hostnames or part names

tcpdump::examples

tcpdump-161126180824

Capture active hosts on any interfaces for 10s on the:

#!/usr/bin/env bash

IPV4_RE="((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
TIME_STAMP="$(date +%Y%m%d%H%M%S)"
DUMP_FILE="tcpdump_dmp"

[[ "$UID" != "0" ]] && exit 1
echo "Start capturing at $TIME_STAMP"
timeout 10 tcpdump -nnvvS -i any > "$DUMP_FILE" 2>/dev/null

(echo "QTY IP";
 grep -oP "$IPV4_RE" "$DUMP_FILE"\
     | sort -n \
     | uniq -c \
     | sort -rn) | column -t

echo, grep (1), sort (1), uniq (1), column (1), timeout (1)

tcpdump-170619224419

See the list of interfaces on which tcpdump can listen:

   ~$ tcpdump -D

tcpdump-170619224520

Listen on interface eth0:

   ~# tcpdump -i eth0

tcpdump-170619224527

Listen on any available interface (Linux kernel 2.2 or greater):

   ~# tcpdump -i any

tcpdump-170619224727

Be verbose while capturing packets:

   ~# tcpdump -v -i any

tcpdump-170619224823

Be more verbose while capturing packets:

   ~# tcpdump -vv -i any

tcpdump-170619224836

Be very verbose while capturing packets:

   ~# tcpdump -vvv -i any

tcpdump-170619224858

Be verbose and print the data of each packet in both hex and ASCII:

   ~# tcpdump -v -X -i any

tcpdump-170619225001

Be less verbose (than the default) while capturing packets:

   ~# tcpdump -q -i any

tcpdump-170619225014

Limit the capture to 100 packets:

   ~# tcpdump -c 100 -i any

tcpdump-170619225109

Record the packet capture to a file called capture.cap:

   ~# tcpdump -w capture.cap -i any

tcpdump-170619225116

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:

   ~# tcpdump -v -w capture.cap -i any

tcpdump-170619225137

Display the packets of a file called capture.cap:

   ~# tcpdump -r capture.cap

tcpdump-170619225144

Display the packets using maximum detail of a file called capture.cap:

   ~# tcpdump -vvv -r capture.cap

tcpdump-170619225158

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):

   ~# tcpdump -n -i any

tcpdump-170619225212

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

   ~# tcpdump -n dst host 192.168.1.1 -i any

tcpdump-170619225228

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

   ~# tcpdump -n src host 192.168.1.1 -i any

tcpdump-170619225238

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

   ~# tcpdump -n host 192.168.1.1 -i any

tcpdump-170619225250

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

   ~# tcpdump -n dst net 192.168.1.0/24 -i any

tcpdump-170619225259

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

   ~# tcpdump -n src net 192.168.1.0/24 -i any

tcpdump-170619225309

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

   ~# tcpdump -n net 192.168.1.0/24 -i any

tcpdump-170619225321

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

   ~# tcpdump -n dst port 23 -i any

tcpdump-170619225330

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

   ~# tcpdump -n dst portrange 1-1023 -i any

tcpdump-170619225336

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

   ~# tcpdump -n tcp dst portrange 1-1023 -i any

tcpdump-170619225348

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

   ~# tcpdump -n udp dst portrange 1-1023 -i any

tcpdump-170619225353

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

   ~# tcpdump -n "dst host 192.168.1.1 and dst port 23" -i any

tcpdump-170619225407

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

   ~# tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)" -i any

tcpdump-170619225419

Capture any ICMP packets:

   ~# tcpdump -v icmp -i any

tcpdump-170619225427

Capture any ARP packets:

   ~# tcpdump -v arp -i any

tcpdump-170619225432

Capture either ICMP or ARP packets:

   ~# tcpdump -v "icmp or arp" -i any

tcpdump-170619225437

Capture any packets that are broadcast or multicast:

   ~# tcpdump -n "broadcast or multicast" -i any

tcpdump-170619225444

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

   ~# tcpdump -s 500 -i any

tcpdump-170619225455

Capture all bytes of data within the packet:

   ~# tcpdump -s 0 -i any

Reference

Books

Links