Showing results for tags 'tcpdump'.

Found 2 results

  1. Tried to capture packets for a NAT address (192.168.2.0/24 is the NAT pool) for my VMware Fusion session. When I ran the following command on my Mac, I got some weird error messages.

         dennis$ sudo tcpdump -i any -v network 192.168.2.0/24
         tcpdump: data link type PKTAP
         tcpdump: listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
         pktap_filter_packet: pcap_add_if_info(en9, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(bridge100, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(bridge100, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(en9, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(en9, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(bridge100, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed
         pktap_filter_packet: pcap_add_if_info(en0, 1) failed: pcap_if_info_set_add: pcap_compile_nopcap() failed

     Anyone have any ideas?
  2. Just about any appliance you receive from the enterprise world comes with tcpdump, especially if the host operating system is Linux based. Here are some commands that I run that have proven helpful, and they may prove to help you as well. My main use is on our F5 appliances or our Linux application servers. Below you will find different uses of tcpdump.

     NO DNS RESOLUTION

     To disable name resolution, use the -n flag as in the following examples:

         tcpdump -n
         tcpdump -ni 0.0

     CAPTURE TO FILE

     To save the tcpdump output to a binary file, type the following command:

         tcpdump -w dump1.pcap

     Note: The tcpdump utility does not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.

     READ CAPTURED FILE

     To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:

         tcpdump -r dump1.pcap

     In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would if it were reading from the network interface. As a result, you can use formatting commands and filters.

     FILTER ON HOST ADDRESS

     To view all packets that are traveling to or from a specific IP address, type the following command:

         tcpdump host 10.40.89.188

     To view all packets that are traveling from a specific IP address, type the following command:

         tcpdump src host 10.40.89.188

     To view all packets that are traveling to a particular IP address, type the following command:

         tcpdump dst host 10.40.89.188

     ***NOTE: To get accurate IP addresses on the F5, I like to check existing connections on the F5 device first so you aren't just waiting for something that isn't ever going to happen.

     Looking for connections to a member IP address:

         # tmsh show sys connection | grep 10.40.89.188
         10.40.89.188:48520  10.40.212.23:2075  10.40.89.188:48520  10.40.212.23:2075  tcp  37  (slot/tmm: 1/9)  none

     Explanation of columns:

         cs-client-addr:cs-client-port | cs-server-addr:cs-server-port | ss-client-addr:ss-client-port | ss-server-addr:ss-server-port
         Computer IP & PORT            | Virtual Server IP & PORT      | SNAT IP & PORT               | Server IP & PORT

     FILTER ON PORT

     To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:

         tcpdump port <port number>

     For example:

         tcpdump port 80

     To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:

         tcpdump src port <port number>

     For example:

         tcpdump src port 80

     To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:

         tcpdump dst port <port number>

     For example:

         tcpdump dst port 80

     FILTER ON TCP FLAG

     To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:

         tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'

     To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:

         tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'

     Isolate TCP RST flags:

         tcpdump 'tcp[13] & 4!=0'
         tcpdump 'tcp[tcpflags] == tcp-rst'

     Isolate TCP SYN flags:

         tcpdump 'tcp[13] & 2!=0'
         tcpdump 'tcp[tcpflags] == tcp-syn'

     Isolate packets that have both the SYN and ACK flags set:

         tcpdump 'tcp[13]=18'

     Isolate TCP URG flags:

         tcpdump 'tcp[13] & 32!=0'
         tcpdump 'tcp[tcpflags] == tcp-urg'

     Isolate TCP ACK flags:

         tcpdump 'tcp[13] & 16!=0'
         tcpdump 'tcp[tcpflags] == tcp-ack'

     Isolate TCP PSH flags:

         tcpdump 'tcp[13] & 8!=0'
         tcpdump 'tcp[tcpflags] == tcp-psh'

     Isolate TCP FIN flags:

         tcpdump 'tcp[13] & 1!=0'
         tcpdump 'tcp[tcpflags] == tcp-fin'

     COMBINING FILTERS

     You can use the and operator to filter for a mixture of output. Following are some examples of useful combinations:

         tcpdump host 10.40.89.188 and port 80
         tcpdump src host 172.67.134.121 and dst port 80
         tcpdump src host 172.67.134.121 and dst host 10.40.89.188

     Operators:

         AND     and  or  &&
         OR      or   or  ||
         EXCEPT  not  or  !

     Let's find all traffic from 10.40.89.188 going to any host on port 3389.

         tcpdump -nnvvS src 10.40.89.188 and dst port 3389

     Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.67.x.x networks, and we're showing hex output with no hostname resolution and one level of extra verbosity.

         # the parentheses group the two destination nets (and/or associate left to right
         # otherwise), and they must be quoted so the shell does not interpret them
         tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.67.0.0/16)'
         tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'

     Find HTTP Host Headers

         tcpdump -vvAls0 | grep 'Host:'

     Find HTTP Cookies

         # -E enables the alternation (|) in the pattern; plain grep treats | literally
         tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'

     Cleartext GET Requests

         tcpdump -vvAls0 | grep 'GET'

     As an example of Cleartext GET Requests:

         tcpdump -vvAls0 -i 0.0 | grep 'GET'
         tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
         (}.x.......4..ZP...Ye.."Splunk Logging"|"usfnt1slbdz02.thezah.com"|"1591809773553"|"1591809773553621"|"2.21.5.15"|"33289"|"/Production/vs.secure-prodd.thezah.com"|"192.168.8.64"|"443"|"/Production/pool.secure-prodd.thezah.com"|"10.43.197.68"|"33289"|"10.40.64.89"|"443"|"GET"|"/resources/apps/mobile/ipad/content/PersistentSectionVersions.json"|"HTTP/1.1"|""|"Mobile/1 CFNetwork/1125.2 Darwin/19.4.0"|"200"|"9"|257|"9693"
         (}......$...r.gP...Y..."Splunk"

     Find HTTP User Agents

         tcpdump -vvAls0 | grep 'User-Agent:'

     As an example of capturing User Agent:

         tcpdump -vvAls0 -i 0.0 | grep 'User-Agent:'
         tcpdump: listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
         User-Agent: Go-http-client/1.1
         User-Agent: Go-http-client/1.1
         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

     Both SYN and RST Set

         tcpdump 'tcp[13] = 6'

     Find SSH Connections

     This one works regardless of what port the connection comes in on, because it's getting the banner response.

         tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

     Find DNS Traffic

         tcpdump -vvAs0 port 53

     Find FTP Traffic

         tcpdump -vvAs0 port ftp or ftp-data

     Find NTP Traffic

         tcpdump -vvAs0 port 123

     Find Cleartext Passwords

         # tcpdump options (-lA) go before the filter expression, not after it
         tcpdump -lA port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

     Find traffic with evil bit

     There's a bit in the IP header that never gets set by legitimate applications, which we call the "Evil Bit". Here's a fun filter to find packets where it's been toggled.

         tcpdump 'ip[6] & 128 != 0'

     SNARF/SNAPLEN

     The tcpdump utility provides an option that allows you to specify the amount of each packet to capture. You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero). For example:

         tcpdump -s0 src host 172.67.134.121 and dst port 80

     Alternatively, you can specify a length large enough to capture the packet data you need to examine. For example:

         tcpdump -s200 src host 172.67.134.121 and dst port 80

     If you are using the tcpdump utility to examine the output on the console during capture, or by reading from an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with the default HEX encoded output. For example:

         tcpdump -r dump1.pcap -X src host 172.67.134.121 and dst port 80

     Disable DNS resolution with -n, but also disable port lookups with another n, so you would have -nn. For example:

         tcpdump -nn src host 172.67.134.121 and dst port 80

     STOPPING tcpdump

     You can stop the tcpdump utility using the following methods:

     If you run the tcpdump utility interactively from the command line, you can stop it by pressing the Ctrl + C key combination.

     If you run the tcpdump utility in the background, you can return the tcpdump session to the foreground by typing the following command:

         fg

     To stop the session, press Ctrl + C.

     If you run multiple instances of the tcpdump utility in the background, you can terminate all instances at the same time by typing the following command:

         killall tcpdump
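As an added example that is not part of the original post, the following Python re-implements the byte-offset filters from the post (tcp[13] & mask, tcp[13] = value, tcp[(tcp[12]>>2):4] and ip[6] & 128) and evaluates them against constructed IPv4/TCP packets, so you can see exactly which header bytes each expression indexes; the ports, addresses and SSH banner string are made up.

```python
import struct

# Added example, not the post's own code. tcpdump indexes tcp[n] from the start
# of the TCP header and ip[n] from the start of the IP header; tcp_off() and
# tcp_byte() reproduce that so the post's filters can be evaluated offline.

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32

def build_packet(flags, payload=b"", evil=False, options=b""):
    """Construct a minimal IPv4+TCP packet (made-up ports/addresses, zero checksums)."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_off = 5 + len(options) // 4                       # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, data_off << 4, flags, 65535, 0, 0)
    tcp += options + payload
    frag = 0x8000 if evil else 0                           # RFC 3514 evil bit = MSB of ip[6]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag, 64, 6, 0,
                     bytes([10, 0, 2, 4]), bytes([10, 40, 89, 188]))
    return ip + tcp

def tcp_off(pkt):
    return (pkt[0] & 0x0F) * 4                             # IHL (words) -> bytes

def tcp_byte(pkt, n):
    return pkt[tcp_off(pkt) + n]                           # tcpdump's tcp[n]

def flags_set(pkt, mask):
    return tcp_byte(pkt, 13) & mask != 0                   # 'tcp[13] & mask != 0'

def flags_equal(pkt, value):
    return tcp_byte(pkt, 13) == value                      # 'tcp[13] = value' (18 = SYN+ACK)

def ssh_banner(pkt):
    # 'tcp[(tcp[12]>>2):4] = 0x5353482D': tcp[12]>>2 is the TCP header length in
    # bytes, so this reads the first 4 payload bytes and compares them to "SSH-".
    start = tcp_off(pkt) + (tcp_byte(pkt, 12) >> 2)
    return pkt[start:start + 4] == b"SSH-"

def evil_bit(pkt):
    return pkt[6] & 128 != 0                               # 'ip[6] & 128 != 0'

def matching_filters(pkt):
    """Names of the post's filters that this packet would match."""
    names = [n for n, m in (("syn", TCP_SYN), ("rst", TCP_RST), ("urg", TCP_URG))
             if flags_set(pkt, m)]
    names += [n for n, v in (("syn-ack", 18), ("syn-rst", 6)) if flags_equal(pkt, v)]
    names += [n for n, f in (("ssh-banner", ssh_banner), ("evil-bit", evil_bit)) if f(pkt)]
    return names
```

Because the SSH filter computes the payload offset from tcp[12], it still matches when TCP options lengthen the header, which is why the test below builds the banner packet with four NOP options.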