Tcpdump
From Linuxmemo.
Basic syntax:
Filtering hosts:
- Match any traffic involving 192.168.1.1 as destination or source
tcpdump -i eth1 host 192.168.1.1
- As source only
tcpdump -i eth1 src host 192.168.1.1
- As destination only
tcpdump -i eth1 dst host 192.168.1.1
Filtering ports:
- Match any traffic involving port 25 as source or destination
tcpdump -i eth1 port 25
- Source
tcpdump -i eth1 src port 25
- Destination
tcpdump -i eth1 dst port 25
Network filtering:
tcpdump -i eth1 net 192.168
tcpdump -i eth1 src net 192.168
tcpdump -i eth1 dst net 192.168
Protocol filtering:
tcpdump -i eth1 arp
tcpdump -i eth1 ip
tcpdump -i eth1 not ip6
tcpdump -i eth1 tcp
tcpdump -i eth1 udp
tcpdump -i eth1 icmp
Let's combine expressions:
Negation: ! or "not" (without the quotes)
Concatenate: && or "and"
Alternate: || or "or"
- This rule will match any TCP traffic on port 80 (web) with 192.168.1.254 or 192.168.1.200 as destination host
tcpdump -i eth1 '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'
- Will match any TCP traffic for the destination network 192.168 except destination host 192.168.1.200
tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host 192.168.1.200)))'
Output
tcpdump -w capture.pcap -s 0 -i eth0
tcpdump -s65535 -G 3600 -C 100 -w 'trace_%Y-%m-%d_%H:%M:%S.pcap'
-s snaplen or --snapshot-length=snaplen: Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes.
-G rotate_seconds: rotate the dump file every rotate_seconds seconds; the -w file name is expanded with strftime, so it must contain a time format or each rotation overwrites the previous file.
-C file_size: start a new file once the current one exceeds file_size (in millions of bytes); combined with -G the file names get a numeric count suffix.
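The rotation options above have one common pitfall: tcpdump only produces distinct files when the -w name carries a strftime specifier at least as fine as the rotation interval, otherwise later rotations silently overwrite earlier captures. The following added example (not from the Linuxmemo page) is a small POSIX shell helper that checks a name template against the -G interval before building the capture command line. The function names and the granularity table are this example's own; it only prints the command and does not run tcpdump.

```shell
#!/bin/sh
# Added example: guard a rotated tcpdump capture against file-name collisions.
# Helper names (template_resolution, check_rotation_template, capture_command)
# are this example's own, not tcpdump's.

# template_resolution TEMPLATE: print the finest time resolution, in seconds,
# among the strftime specifiers in TEMPLATE (0 when it has none).
template_resolution() {
    case "$1" in
        *%S*|*%T*|*%s*)               echo 1 ;;      # seconds / HH:MM:SS / epoch
        *%M*|*%R*)                    echo 60 ;;     # minutes / HH:MM
        *%H*|*%I*)                    echo 3600 ;;   # hours
        *%d*|*%e*|*%j*|*%F*|*%D*)     echo 86400 ;;  # days / full dates
        *)                            echo 0 ;;
    esac
}

# check_rotation_template TEMPLATE ROTATE_SECONDS: succeed only when every
# rotation of -G ROTATE_SECONDS will land in a new file.
check_rotation_template() {
    tmpl=$1; rot=$2
    res=$(template_resolution "$tmpl")
    if [ "$res" -eq 0 ]; then
        echo "refusing '$tmpl': no time format, each rotation would overwrite the file" >&2
        return 1
    fi
    if [ "$res" -gt "$rot" ]; then
        echo "refusing '$tmpl': resolution ${res}s is coarser than rotation ${rot}s" >&2
        return 1
    fi
    return 0
}

# capture_command IFACE TEMPLATE ROTATE_SECONDS FILE_SIZE_MB: print the
# tcpdump invocation (full packets with -s 0, no name resolution with -n,
# time-based rotation with -G and size-based rotation with -C).
capture_command() {
    iface=$1; tmpl=$2; rot=$3; size=$4
    check_rotation_template "$tmpl" "$rot" || return 1
    printf "tcpdump -n -i %s -s 0 -G %s -C %s -w '%s'\n" "$iface" "$rot" "$size" "$tmpl"
}

# Demo with the page's own template: the command is printed, not executed.
capture_command eth0 'trace_%Y-%m-%d_%H:%M:%S.pcap' 3600 100
```

Run the printed command under a user that may read the interface; a daily template such as trace_%Y-%m-%d.pcap is rejected for an hourly -G because every rotation within the same day would reuse the same name.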
Interpreting flags
- Packet types:
[S] - SYN (Start Connection)
[S.] - SYN-ACK packet
[.] - No Flag Set
[P] - PSH (Push Data)
[F] - FIN (Finish Connection)
[R] - RST (Reset Connection)
- Filtering on the TCP flags byte (offset 13 of the TCP header):
ACK: sudo tcpdump 'tcp[13] & 16 != 0'
SYN: sudo tcpdump 'tcp[13] & 2 != 0'
FIN: sudo tcpdump 'tcp[13] & 1 != 0'
URG: sudo tcpdump 'tcp[13] & 32 != 0'
PSH: sudo tcpdump 'tcp[13] & 8 != 0'
RST: sudo tcpdump 'tcp[13] & 4 != 0'
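The six filters above each test one bit of the TCP flags byte (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32). The added example below (this page's own code, not tcpdump's) generalises that to any combination: one helper builds a tcp[13] expression for several flags at once, and another renders a flags byte the way tcpdump prints it in brackets, where "." stands for the ACK bit. Function names are this example's own.

```shell
#!/bin/sh
# Added example: work with the tcp[13] flags byte from the shell.
# Bit values follow the TCP header: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.

# flag_bit NAME: print the bit value of one flag name, fail on unknown names.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# tcp_flag_filter NAME...: BPF expression matching packets with ALL named
# flags set (other flags may also be set), e.g. SYN ACK -> tcp[13] & 18 == 18
tcp_flag_filter() {
    mask=0
    for f in "$@"; do
        bit=$(flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    printf 'tcp[13] & %d == %d\n' "$mask" "$mask"
}

# tcp_flag_filter_exact NAME...: BPF expression matching packets whose flags
# are EXACTLY the named ones, e.g. SYN alone -> tcp[13] == 2 (pure connection
# attempts, without the SYN-ACK replies).
tcp_flag_filter_exact() {
    mask=0
    for f in "$@"; do
        bit=$(flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    printf 'tcp[13] == %d\n' "$mask"
}

# tcp_flag_string BYTE: render a flags byte in tcpdump's bracket notation.
# Letter order F S R P . U mirrors tcpdump's output; ACK prints as ".".
tcp_flag_string() {
    b=$1; s=""
    if [ $((b & 1)) -ne 0 ]; then s="${s}F"; fi
    if [ $((b & 2)) -ne 0 ]; then s="${s}S"; fi
    if [ $((b & 4)) -ne 0 ]; then s="${s}R"; fi
    if [ $((b & 8)) -ne 0 ]; then s="${s}P"; fi
    if [ $((b & 16)) -ne 0 ]; then s="${s}."; fi
    if [ $((b & 32)) -ne 0 ]; then s="${s}U"; fi
    if [ -z "$s" ]; then s="none"; fi
    printf '[%s]\n' "$s"
}

# Demo: the filter for SYN-ACK replies and how a 0x12 flags byte is shown.
tcp_flag_filter SYN ACK
tcp_flag_filter_exact SYN
tcp_flag_string 18
```

A typical use is `tcpdump -i eth1 "$(tcp_flag_filter_exact SYN)"` to watch new connection attempts only; the `!= 0` tests on the page and the `== mask` form here are equivalent for a single flag.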
Tips
- DNS
tcpdump -pni eth0 'port domain'