Tcpdump

(Différences entre les versions)

Version du 8 avril 2012 à 09:06

- Match any traffic involving 192.168.1.1 as destination or source

tcpdump -i eth1 host 192.168.1.1

- As soure only

tcpdump -i eth1 src host 192.168.1.1

- As destination only

tcpdump -i eth1 dst host 192.168.1.1

- Match any traffic involving port 25 as source or destination

tcpdump -i eth1 port 25

- Source

tcpdump -i eth1 src port 25

- Destination

tcpdump -i eth1 dst port 25

tcpdump -i eth1 net 192.168
tcpdump -i eth1 src net 192.168
tcpdump -i eth1 dst net 192.168

tcpdump -i eth1 arp
tcpdump -i eth1 ip

tcpdump -i eth1 tcp
tcpdump -i eth1 udp
tcpdump -i eth1 icmp

Negation : ! or "not" (without the quotes)

Concatanate : && or "and"

Alternate : || or "or"

- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host

tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05

tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any traffic for the destination network 192.168 except destination host 192.168.1.200

tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'

@@ Ligne 46 : / Ligne 46 : @@
 === Let's combine expressions : ===
-Negation    : ! or "not" (without the quotes)
+'''Negation    : ! or "not" (without the quotes)
 Concatanate : && or "and"
 Alternate   : || or "or"
+'''
 - This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host