Tcpdump dumps traffic on a network: it prints a description of the contents of the packets on a network interface that match a boolean filter expression.

Tcpdump syntax

I don't like to show command syntax, but it is perhaps easier to get started with the syntax.
The basic syntax is:

tcpdump Protocol  Direction  Host(s)  Value  Logical Operations  Other expression

Example: tcp dst 80 and tcp dst 3128

Here is the value list for each position:

Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host" is equivalent to "src or dst host".

Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the "host" keyword is used.
For example, "src" is equivalent to "src host".

Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example,
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".

Here are some examples:

Standard TCPdump output:

-c captures only the specified number of packets and then exits.

# tcpdump -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:25:22.343207 IP > aaa.bbb.ccc.47596: Flags [P.], seq 452683986:452684178, ack 2662406039, win 21, length 192

Check network interfaces available for the capture:

# tcpdump -v -D

-D lists the network interfaces available for capture; -v adds verbose output.

2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.usbmon4 (USB bus number 4)
6.usbmon5 (USB bus number 5)
7.usbmon6 (USB bus number 6)
8.usbmon7 (USB bus number 7)
9.any (Pseudo-device that captures on all interfaces)

Three often-used parameters:

-i     Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
-q     Quick (quiet?) output. Print less protocol information so output lines are shorter.
-n     Don't convert host addresses to names. This can be used to avoid DNS lookups.

Capture the traffic of a particular interface:

Display all traffic coming from a host

# tcpdump -i eth0 src  and port 8080

Display all traffic to a host

# tcpdump -i eth0 dst and port 8080

Display all traffic between your host and another host

# tcpdump -i eth0

Network filtering:

# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering:

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip
# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Combined expressions:

Negation    : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate   : || or "or"

Example 1:

- This rule will match any TCP traffic on port 80 (web) with or as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host or (dst host'

Example 2:

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

Example 3:

- Will match any traffic for the destination network 192.168 except destination host
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host'
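To make the qualifier defaults, the precedence rules and the combined-expression operators above concrete, here is an added example in Python (not from the original post, and not libpcap): a small evaluator for the subset of the filter grammar this page covers (tcp/udp/icmp/ip, src/dst, host/net/port, not/and/or with the ! && || spellings), applied to three constructed packet records instead of a live capture. The function names, the packet dict layout and the sample packets are all assumptions of this example.

```python
import re
PROTOS, DIRS, TYPES = {"tcp", "udp", "icmp", "ip"}, {"src", "dst"}, {"host", "net", "port"}

def compile_filter(expr):
    expr = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")  # ! && || aliases
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    peek = lambda k=0: toks[k] if k < len(toks) else None
    take = lambda: toks.pop(0)
    def expression():                # 'and' and 'or' share one level and associate left to right
        pred = term()
        while peek() in ("and", "or"):
            op, lhs, rhs = take(), pred, term()
            pred = lambda p, o=op, l=lhs, r=rhs: l(p) and r(p) if o == "and" else l(p) or r(p)
        return pred
    def term():                      # 'not' binds tightest; parentheses override everything
        tok = peek()
        if tok not in ("not", "("):
            return primitive()
        take()
        inner = term() if tok == "not" else expression()
        assert tok == "not" or take() == ")", "missing )"
        return (lambda p: not inner(p)) if tok == "not" else inner
    def primitive():                 # [protocol] [direction] [type] value, with the page's defaults
        proto = take() if peek() in PROTOS else None
        proto_ok = lambda p: proto in (None, "ip") or p["proto"] == proto  # toy: every sample is IP
        if proto and peek() in ("and", "or", ")", None):     # bare protocol such as 'tcp'
            return proto_ok
        direction = take() if peek() in DIRS else None
        if direction and peek() == "or" and peek(1) in DIRS:  # explicit 'src or dst' = the default
            direction, toks[:2] = None, []
        kind, value = (take() if peek() in TYPES else "host"), take()   # no type keyword: 'host'
        return lambda p: proto_ok(p) and sides_ok(direction, kind, value, p)
    pred = expression()
    assert peek() is None, "trailing tokens"
    return pred

def sides_ok(direction, kind, value, pkt):
    want = int(value) if kind == "port" else value
    def one(side):
        field = pkt[side + "port"] if kind == "port" else pkt[side]
        return str(field).startswith(want + ".") if kind == "net" else field == want
    return one(direction) if direction else one("src") or one("dst")   # omitted direction: src or dst

PKTS = [  # constructed sample records, not taken from a real capture
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.9", "srcport": 40000, "dstport": 3128},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.9", "srcport": 40001, "dstport": 23},
    {"proto": "icmp", "src": "192.168.1.9", "dst": "10.0.0.5", "srcport": None, "dstport": None},
]

def count(expr, pkts=PKTS):          # how many of the sample packets the filter selects
    return sum(map(compile_filter(expr), pkts))
```

With these records, "not tcp port 3128 and tcp port 23" selects one packet (the telnet one), the same as "(not tcp port 3128) and tcp port 23", while "not (tcp port 3128 and tcp port 23)" selects all three, which is the precedence point made above.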

It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than from a network interface. In all cases, only packets that match the expression will be processed by tcpdump.

For more advanced use cases, I found this one to be good.
