Showing posts with label TCPDUMP. Show all posts
Showing posts with label TCPDUMP. Show all posts

How To Capture Packets with TCPDUMP?

See the list of interfaces on which tcpdump can listen
# /usr/sbin/tcpdump -D

Listen on any available interface
# /usr/sbin/tcpdump -i any

Verbose Mode
# /usr/sbin/tcpdump -v
# /usr/sbin/tcpdump -vv
# /usr/sbin/tcpdump -vvv
# /usr/sbin/tcpdump -q

Limit the capture to an number of  packets N
# /usr/sbin/tcpdump -c N

Display IP addresses and port numbers when capturing packets
# /usr/sbin/tcpdump -n

Capture any packets where the destination host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst host 192.168.0.1

Capture any packets where the source host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n src host 192.168.0.1

Capture any packets where the source or destination host is 192.168.0.1, display IP addresses and port numbers
# /usr/sbin/tcpdump -n host 192.168.0.1

Capture any packets where the destination network is 192.168.10.0/24, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst net 192.168.10.0/24

Capture any packets where the source network is 192.168.10.0/24, display IP addresses and port numbers
# /usr/sbin/tcpdump -n src net 192.168.10.0/24

Capture any packets where the source or destination network is 192.168.10.0/24,display IP addresses and port numbers
# /usr/sbin/tcpdump -n net 192.168.10.0/24

Capture any packets where the destination port is 23, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive, display IP addresses and port numbers
# /usr/sbin/tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive,display IP addresses and port numbers
# /usr/sbin/tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive, display IP addresses and port numbers
# /usr/sbin/tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.0.1 and destination port 23,display IP addresses and port numbers
# /usr/sbin/tcpdump -n "dst host 192.168.0.1 and dst port 23"

Capture any packets with destination IP 192.168.0.1 and destination port 80 or 443,display IP addresses and port numbers
# /usr/sbin/tcpdump -n "dst host 192.168.0.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets
# /usr/sbin/tcpdump -v icmp

Capture any ARP packets
# /usr/sbin/tcpdump -v arp

Capture either ICMP or ARP packets
# /usr/sbin/tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast
# /usr/sbin/tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes
# /usr/sbin/tcpdump -s 500

Capture all bytes of data within the packet
# /usr/sbin/tcpdump -s 0

Monitor all packets on eth1 interface
# /usr/sbin/tcpdump -i eth1

Monitor all traffic on port 80 ( HTTP )
# /usr/sbin/tcpdump -i eth0 'port 80'

Monitor all traffic on port 25 ( SMTP )
# /usr/sbin/tcpdump -vv -x -X -s 1500 -i eth0 'port 25'

Capture only N number of packets using tcpdump -c
# /usr/sbin/tcpdump -c 2 -i eth0

Display Captured Packets in ASCII using tcpdump -A
# /usr/sbin/tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII using tcpdump -XX
# /usr/sbin/tcpdump -XX -i eth0

Capture the packets and write into a file using tcpdump -w
# /usr/sbin/tcpdump -w data.pcap -i eth0
.pcap is extension

Reading the packets from a saved file using tcpdump -r
# /usr/sbin/tcpdump -tttt -r data.pcap

Capture packets with IP address using tcpdump -n
# /usr/sbin/tcpdump -n -i eth0

Capture packets with proper readable timestamp using tcpdump -tttt
# /usr/sbin/tcpdump -n -tttt -i eth0

Read packets longer than N bytes
# /usr/sbin/tcpdump -w data.pcap greater 1024

Read packets lesser than N bytes
# /usr/sbin/tcpdump -w data1024.pcap  less 1024

Receive only the packets of a specific protocol type
# /usr/sbin/tcpdump -i eth0 arp

Receive packets flows on a particular port using tcpdump port
# /usr/sbin/tcpdump -i eth0 port 22

Capture packets for particular destination IP and Port
# /usr/sbin/tcpdump -w data.pcap -i eth0 dst 10.181.140.216 and port 22

Capture TCP communication packets between two hosts
# /usr/sbin/tcpdump -w data.pcap -i eth0 dst 16.181.170.246 and port 22

Tcpdump Filter Packets – Capture all the packets other than arp and rarp
# /usr/sbin/tcpdump -i eth0 not arp and not rarp