simple usage of tcpdump
hunter_gio · 2007-11-21 · via 博客园 - hunter_gio

SOURCE: http://linux.byexamples.com/archives/283/simple-usage-of-tcpdump/

Tcpdump is a really great tool for network security analysts: you can dump the packets that flow across your network to a file for further analysis. With filters you can capture only the packets of interest, which reduces the size of the saved dump and, in turn, the loading and processing time of later packet analysis.

This post covers only the fundamentals of tcpdump usage; bear in mind that tcpdump can do much, much more than what I illustrate here.

Let's start with capturing packets based on network interface, port and protocol. Let's assume I want to capture TCP packets that flow over eth1 on port 6881. The dump file will be saved as test.pcap.

tcpdump -w test.pcap -i eth1 tcp port 6881

Simple, right? What if at the same time I am also interested in packets on UDP ports 33210 and 33220?

tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)

‘\’ escapes ‘(’ and ‘)’ so that the shell does not interpret them. Logical OR means PLUS (+): in plain words, I want to capture TCP packets on port 6881 plus UDP packets on ports 33210 and 33220. Be careful with ‘and’ in a tcpdump filter expression: it means intersection. That's why I put ‘or’ rather than ‘and’ between UDP ports 33210 and 33220. The usage of ‘and’ in tcpdump will be illustrated later.

OK, how about reading the pcap file that I saved previously?

tcpdump -nnr test.pcap

The -nn tells tcpdump not to resolve IP addresses to host names or port numbers to service names, and -r means read from a file.

Adding -tttt makes the timestamps appear in a more readable format.

tcpdump -ttttnnr test.pcap

How about capturing based on IP?
You need to tell tcpdump which IP you are interested in: the destination IP or the source IP? Let's say I want to sniff traffic to destination IP 10.168.28.22 on TCP port 22; how should I write it?

tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22

So the ‘and’ makes the intersection of destination IP and port.

By default tcpdump captures 96 bytes of each packet; you can override that size by specifying -s.

tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
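To see what the -s value means for a saved dump, the following added example (not part of the original post) reads the per-packet headers of a classic pcap file and reports how many packets were cut short by the snapshot length. The function names `build_pcap` and `truncation_report` and the sample frames are constructed for illustration; the reader assumes the classic microsecond pcap format, not pcapng.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_pcap(snaplen, frames):
    """Constructed sample: store frames the way a capture with -s snaplen would."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]  # bytes beyond snaplen are never written to disk
        # Record header: ts_sec, ts_usec, captured length, original length on the wire
        out += struct.pack("<IIII", i, 0, len(kept), len(frame)) + kept
    return out


def truncation_report(data):
    """Return (snaplen, total_packets, truncated_packets, bytes_lost)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same format written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    snaplen = struct.unpack_from(endian + "I", data, 16)[0]
    offset, total, truncated, lost = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("file ends inside a packet record")
        total += 1
        if incl_len < orig_len:  # payload was cut at capture time
            truncated += 1
            lost += orig_len - incl_len
    return snaplen, total, truncated, lost


# Constructed frames: one small 60-byte frame and one full-size 1514-byte frame.
FRAMES = [bytes(60), bytes(1514)]

if __name__ == "__main__":
    for size in (96, 1550):
        print(size, truncation_report(build_pcap(size, FRAMES)))
```

With a 96-byte snapshot length the full-size frame keeps its headers but loses its payload, which matters when the later analysis needs packet contents rather than just flow information.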

Some versions of tcpdump allow you to define a port range. You can capture packets on a range of TCP ports as below.

tcpdump tcp portrange 20-24

Bear in mind that in the line above I didn't specify -w, so it won't write to a file; it will just print the captured packets on the screen.

Want to try out tcpdump but don't know which port to try it on?
You can obtain lots of packet flows while you are hooked up to the Internet. Find a port with lsof to practise your tcpdump on, and have fun. Read “Monitor who runs what, listen to what ports, established what connections” for lsof examples.