4/04/2011

Tcpdump

Tcpdump is a command-line packet analyzer for Linux and other Unix-like systems. It lets the user capture and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Because it reads raw frames from the interface, it is normally run as root (or with the CAP_NET_RAW capability on Linux).


The usage is tcpdump followed by any of the options below and, optionally, a filter expression that selects which packets to show.

    -i iface : Listen on the named interface; -i any listens on all interfaces, which is handy to check whether you are seeing any traffic at all (on Linux, any uses the "cooked" capture mode, so no Ethernet headers are available to -e or -XX).
    -n : Don't resolve hostnames.
    -nn : Don't resolve hostnames or port names.
    -X : Show the packet's contents in both hex and ASCII.
    -XX : Same as -X, but also shows the Ethernet header.
    -v, -vv, -vvv : Increase the amount of packet information you get back (e.g. -v adds TTL, IP ID and total length, and verifies IP and ICMP checksums).
    -c N : Capture only N packets and then stop, e.g. 'tcpdump -c 3'.
    -S : Print absolute TCP sequence numbers rather than ones relative to the start of the connection.
    -e : Print the link-level (Ethernet) header as well.
    -q : Show less protocol information.
    -E : Decrypt IPsec ESP traffic given the SPI and key, in the form -E 'spi@host algo:secret' (needs a tcpdump built with crypto support; note the secret is visible to other local users in the process list).
    -s snaplen : Set the snapshot length, i.e. how many bytes of each packet are captured; -s 0 selects the default.

It's also important to note that older versions of tcpdump captured only the first 68 (on some platforms 96) bytes of each packet by default, which is enough for the headers but truncates payloads; truncated packets show up with markers such as [|tcp] in the output. tcpdump 4.0 and later capture whole packets by default (currently a snaplen of 262144 bytes). If you are on an old version and want to look at more, or want to store less, add the -s number option to the mix, where number is the number of bytes you want to capture.

Each line of output shows a timestamp, the protocol (IP, IP6, ARP, ...), the source and destination (printed as address.port when -nn is used) and protocol-specific details such as TCP flags, sequence numbers and the payload length.

If you are looking for something specific, add a filter expression after the options:
tcpdump host 1.2.1.2 (packets to or from the given host)
tcpdump src 10.12.32.13 (only packets from the given source)
tcpdump dst 23.43.23.23 (only packets to the given destination)

Suppose you want to capture only specific packets, say only ICMP packets,
tcpdump icmp

tcpdump portrange 23-34 (packets whose source or destination port lies in that range)

You can combine expressions with 'and', 'or' and 'not'; quote the expression if it contains parentheses or other characters the shell would interpret,
tcpdump src port 23 and tcp

Some other useful filters,

tcpdump less 32 (packets of at most 32 bytes)
tcpdump greater 128 (packets of at least 128 bytes)

You can also save what tcpdump collected to a file and read it back later:

-w file : write the raw packets to a pcap file instead of printing them (combine with -s to control how much of each packet is stored).

-r file : read packets from a file written with -w. Filter expressions and options like -nn, -X and -v work on a file as well, so a common workflow is to capture everything with -w and narrow it down offline. Treat the file as sensitive: it holds everything that crossed the wire, including any cleartext credentials.
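The snaplen note, the filter expressions and the -w/-r options above all come down to the pcap file format and the header fields a filter inspects. The following script is an added example written for this page, not code from the original post or from tcpdump itself: it writes a pcap file by hand the way -w does (honouring a snaplen, so a truncated packet keeps its wire length in the record header), reads it back the way -r does, and evaluates a filter equivalent to 'tcp and portrange 23-34'. The packets, IP addresses and MAC addresses are constructed test data, and the IP/TCP/ICMP checksums are left at zero.

```python
# Added example (not from the original post): build a small pcap file by hand,
# the way `tcpdump -w` does, read it back the way `tcpdump -r` does, and apply
# the kind of filter the post lists. All packets, addresses and MACs below are
# constructed test data; IP/TCP/ICMP checksums are left at zero.
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# Ethernet II header: dst MAC, src MAC, EtherType 0x0800 (IPv4); MACs are made up
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"


def ipv4(src, dst, proto, payload):
    """Wrap a payload in a minimal 20-byte IPv4 header (no options, TTL 64)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ETH + hdr + payload


def tcp_syn(src, sport, dst, dport):
    """20-byte TCP header with only SYN set (data offset 5, window 65535)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4(src, dst, PROTO_TCP, tcp)


def icmp_echo(src, dst, payload=b"A" * 56):
    """ICMP echo request (type 8) with a 56-byte payload, like `ping` sends."""
    return ipv4(src, dst, PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload)


def write_pcap(path, packets, snaplen=262144):
    """Like `tcpdump -w path -s snaplen`: store only the first snaplen bytes of
    each packet (incl_len) but record the full wire size (orig_len)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            stored = pkt[:snaplen]
            f.write(struct.pack("<IIII", 1_300_000_000 + i, 0, len(stored), len(pkt)))
            f.write(stored)


def decode(data, orig_len):
    """Extract the fields the post's filters use from one frame; a frame cut
    short by the snaplen decodes only as far as the stored bytes allow."""
    rec = {"caplen": len(data), "len": orig_len, "proto": None,
           "src": None, "dst": None, "sport": None, "dport": None}
    if len(data) < 34 or data[12:14] != b"\x08\x00":     # truncated, or not IPv4
        return rec
    ihl = (data[14] & 0x0F) * 4                          # IPv4 header length
    rec["proto"] = data[23]
    rec["src"], rec["dst"] = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
    l4 = 14 + ihl
    if rec["proto"] in (PROTO_TCP, PROTO_UDP) and len(data) >= l4 + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", data[l4:l4 + 4])
    return rec


def read_pcap(path):
    """Like `tcpdump -r path`: check the global header, then walk the records."""
    records = []
    with open(path, "rb") as f:
        ghdr = f.read(24)
        if len(ghdr) < 24 or struct.unpack("<I", ghdr[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian microsecond pcap file")
        while True:
            rhdr = f.read(16)
            if len(rhdr) < 16:
                break
            _sec, _usec, incl_len, orig_len = struct.unpack("<IIII", rhdr)
            records.append(decode(f.read(incl_len), orig_len))
    return records


def matches(rec, proto=None, src=None, dst=None, portrange=None):
    """Evaluate a filter such as `tcp and src host X and portrange A-B`; as with
    tcpdump's portrange, either the source or the destination port may match."""
    if proto is not None and rec["proto"] != proto:
        return False
    if (src is not None and rec["src"] != src) or (dst is not None and rec["dst"] != dst):
        return False
    if portrange is not None:
        lo, hi = portrange
        if not any(lo <= p <= hi for p in (rec["sport"], rec["dport"]) if p is not None):
            return False
    return True


def demo(path=None, snaplen=262144):
    """Write three constructed packets with the given snaplen, read them back and
    return (all records, records matching `tcp and portrange 23-34`)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "demo.pcap")
    packets = [
        tcp_syn("10.12.32.13", 40000, "23.43.23.23", 23),    # telnet SYN
        icmp_echo("10.12.32.13", "8.8.8.8"),                  # ping
        tcp_syn("10.12.32.13", 40001, "23.43.23.23", 443),   # https SYN
    ]
    write_pcap(path, packets, snaplen)
    recs = read_pcap(path)
    return recs, [r for r in recs if matches(r, proto=PROTO_TCP, portrange=(23, 34))]


if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "demo.pcap")
    for snap, path in ((262144, out), (20, out + ".short")):   # full, then truncated
        recs, hits = demo(path, snaplen=snap)
        print(f"{path}: snaplen {snap}, {len(recs)} packets, {len(hits)} match tcp and portrange 23-34")
```

The file it writes is an ordinary pcap, so `tcpdump -nn -r demo.pcap 'tcp and portrange 23-34'` on it should print just the one telnet SYN (with -v tcpdump will also complain about the zero checksums). The second run uses a snaplen of 20 to show the effect the snaplen note describes: the record header still says the packet was 54 bytes on the wire, but only 20 were stored, so the IP addresses and ports cannot be decoded and the filter matches nothing.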


If you want to analyze only IPv6 traffic, use the ip6 protocol qualifier (there is no 'ipv6' keyword in the filter language):

tcpdump ip6
