
Saturday, April 14, 2012

Tcpdump

tcpdump - dump traffic on a network
1)To capture ipv6 traffic
tcpdump ip6 -i eth0
2)tcpdump host hope
In the above example tcpdump would print all packets arriving at or departing from hope.
3)tcpdump -i eth0
Capture data on eth0 interface.
4)tcpdump host helios and \( hot or ace \)
Print traffic between helios and either hot or ace.
5)tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all ftp traffic through Internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses).
6)To print all IP packets between ace and any host except helios
tcpdump ip host ace and not helios
7)To print all ICMP packets that are not echo requests/replies (i.e., not ping packets)
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
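The filter in 7) works on byte offsets: `icmp[icmptype]` is the first byte of the ICMP header, and `icmp-echo` / `icmp-echoreply` are the named values 8 and 0. The following Python is an added example (not from the original post) that builds constructed IPv4/ICMP packets and evaluates the same test in code, so you can see exactly what tcpdump keeps and drops:

```python
import struct

# pcap-filter's named ICMP type constants (these are the values tcpdump
# substitutes for icmp-echo and icmp-echoreply); the other two are listed
# only for the constructed sample set
ICMP_ECHOREPLY = 0
ICMP_UNREACH = 3
ICMP_ECHO = 8
ICMP_TIMXCEED = 11


def build_ipv4_icmp(icmp_type, code=0, payload=b""):
    """Constructed sample packet: minimal IPv4 header + 8-byte ICMP header + payload.
    Checksums are left as zero; they play no part in filter evaluation."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 1, 0,   # IHL=5, proto 1 = ICMP
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def icmp_type(packet):
    """Equivalent of the filter primitive icmp[icmptype]: the byte at offset 0
    of the ICMP header, which starts right after the IPv4 header (IHL * 4 bytes)."""
    if packet[9] != 1:  # IPv4 protocol field
        raise ValueError("not an ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl]


def not_ping(packet):
    """Evaluates: icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply"""
    t = icmp_type(packet)
    return t != ICMP_ECHO and t != ICMP_ECHOREPLY


def filter_not_ping(packets):
    """Apply the filter to a list of packets, as tcpdump does per captured frame."""
    return [p for p in packets if not_ping(p)]


if __name__ == "__main__":
    samples = [build_ipv4_icmp(ICMP_ECHO, payload=b"ping"),
               build_ipv4_icmp(ICMP_ECHOREPLY, payload=b"ping"),
               build_ipv4_icmp(ICMP_UNREACH, code=3),
               build_ipv4_icmp(ICMP_TIMXCEED)]
    for p in filter_not_ping(samples):
        print("ICMP type", icmp_type(p), "passed the filter")
```

Only the destination-unreachable and time-exceeded samples survive, which is what makes this filter handy for spotting error traffic without the noise of routine pings.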
8)tcpdump -w ./log
Write the raw packets to file rather than parsing and printing them out.
9)option -s1514 for tcpdump, which will cause tcpdump NOT to truncate any packets.
Other useful options:
-vv : More verbose output.
-x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.
-X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
-s 1500 : Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
-i eth1 : Monitor eth1 interface.
10) tcpdump udp and src port 53
11)It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I usually give it 1514 (to get everything) if I use this option.
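What -s actually changes is the per-record captured length in the file that -w writes: each pcap record stores at most snaplen bytes but remembers the original wire length, so a truncated capture is detectable after the fact. The Python below is an added example (not from the original post) that writes and reads the classic libpcap file format with a chosen snaplen, using constructed frames of 1514 and 60 bytes; the file names `./log-68` and `./log-1514` are made up for the demo:

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen):
    # Classic libpcap file header: magic, version 2.4, thiszone 0,
    # sigfigs 0, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def write_pcap(packets, snaplen, ts=0):
    """Serialise packets the way 'tcpdump -s <snaplen> -w file' stores them:
    every record keeps at most snaplen bytes (incl_len) but records the
    full on-the-wire length (orig_len)."""
    out = bytearray(pcap_global_header(snaplen))
    for i, pkt in enumerate(packets):
        captured = pkt[:snaplen]
        out += struct.pack("<IIII", ts + i, 0, len(captured), len(pkt))
        out += captured
    return bytes(out)


def read_pcap(data):
    """Parse a pcap byte string into (snaplen, [(incl_len, orig_len, bytes), ...])."""
    magic, _, _, _, _, snaplen, _ = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    records = []
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def truncated_records(data):
    """(incl_len, orig_len) for every record whose captured bytes fall short
    of the wire length, i.e. packets the snaplen cut off."""
    _, records = read_pcap(data)
    return [(incl, orig) for incl, orig, _ in records if incl < orig]


if __name__ == "__main__":
    # constructed sample frames: a full-size 1514-byte Ethernet frame and a 60-byte one
    frames = [bytes(range(256)) * 5 + bytes(234), bytes(60)]
    for snaplen in (68, 1514):
        data = write_pcap(frames, snaplen)
        with open(f"./log-{snaplen}", "wb") as f:   # like 'tcpdump -w ./log'
            f.write(data)
        print(f"-s {snaplen}: {len(truncated_records(data))} truncated record(s)")
```

With snaplen 68 the big frame is cut to 68 bytes and flagged as truncated, with snaplen 1514 nothing is lost; the same check run over a real capture tells you whether payload-level analysis of that file is even possible.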
12)TCPDump on RTP
tcpdump -T rtp -vvv src 192.168.0.2 and dst port 1234
tcpdump -i eth1 -T rtp -vvv src 8.8.8.53 and dst port 20000
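`-T rtp` tells tcpdump to interpret the UDP payload as RTP rather than guessing from the port. The Python below is an added example (not from the original post) that decodes the RFC 3550 fixed header fields that interpretation exposes (version, marker, payload type, sequence number, timestamp, SSRC, CSRC list) from constructed packets, and adds a sequence-gap check that is a common first step when a capture of a media stream is being examined for loss:

```python
import struct

RTP_VERSION = 2
# RFC 3551 static payload type assignments used for the constructed samples
STATIC_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}


def build_rtp(seq, timestamp, ssrc, payload_type=0, marker=False, csrcs=(), payload=b""):
    """Constructed RTP packet: 12-byte fixed header plus optional CSRC list and payload."""
    b0 = (RTP_VERSION << 6) | (len(csrcs) & 0x0F)          # V=2, P=0, X=0, CC
    b1 = (int(marker) << 7) | (payload_type & 0x7F)         # M, PT
    hdr = struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    hdr += b"".join(struct.pack("!I", c) for c in csrcs)
    return hdr + payload


def parse_rtp(data):
    """Decode the header fields that an RTP-aware dissector prints for a UDP payload."""
    if len(data) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", data, 0)
    version = b0 >> 6
    if version != RTP_VERSION:
        raise ValueError(f"not RTP version 2 (got {version})")
    cc = b0 & 0x0F
    if len(data) < 12 + 4 * cc:
        raise ValueError("CSRC list runs past end of packet")
    csrcs = list(struct.unpack_from("!%dI" % cc, data, 12)) if cc else []
    pt = b1 & 0x7F
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "cc": cc,
        "marker": bool(b1 & 0x80),
        "payload_type": pt,
        "codec": STATIC_PAYLOAD_TYPES.get(pt, "dynamic/unknown"),
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "payload": data[12 + 4 * cc:],
    }


def seq_gaps(packets):
    """(expected, got) pairs where the 16-bit sequence number jumps, i.e. where
    packets of the stream are missing from the capture."""
    gaps = []
    prev = None
    for pkt in packets:
        seq = parse_rtp(pkt)["seq"]
        if prev is not None:
            expected = (prev + 1) & 0xFFFF
            if seq != expected:
                gaps.append((expected, seq))
        prev = seq
    return gaps


if __name__ == "__main__":
    # constructed stream: 20 ms PCMA frames (160 samples each), one packet dropped
    stream = [build_rtp(s, s * 160, 0xDEADBEEF, payload_type=8, payload=bytes(160))
              for s in (65534, 65535, 0, 2)]
    for pkt in stream:
        h = parse_rtp(pkt)
        print(f"seq={h['seq']} ts={h['timestamp']} pt={h['payload_type']} ({h['codec']}) ssrc={h['ssrc']:#x}")
    print("gaps:", seq_gaps(stream))
```

The wraparound from 65535 to 0 is handled as a normal increment, so only the real hole (expected 1, got 2) is reported.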
