Prakash Sawarkar: Kernel 3.8 Released, how to Compile in Redhat, CentOS and Fedora.

Sunday, 11 August 2013

Tcpdump Commands – A Network Sniffer Tool

Tcpdump is the most powerful and widely used command-line packet sniffer (packet analyzer). It captures, and optionally filters, the TCP/IP packets received or transmitted on a specific network interface, and it is available on most Linux/Unix-based operating systems. tcpdump can also save the captured packets to a file for later analysis. The file is written in pcap format, which can be read back by tcpdump itself or by Wireshark, the open-source GUI network protocol analyzer, which reads pcap files.
1. tcpdump captures at the link layer (through libpcap), so it sees the whole frame, including the Ethernet header, not only the network-layer packet.
2. A packet header carries the sender, the destination, state information (the TCP flags) and other fields; tcpdump prints these on one line per packet and decodes them in more detail with -v or -vv.
3. Older tcpdump releases captured only the first 68 bytes (96 on some distribution builds) of each packet by default, which truncated DNS and NFS payloads. The tcpdump 4.x build used here captures 65535 bytes, as the "capture size 65535 bytes" banner in the output below shows; use -s to set the snapshot length explicitly.
Most Linux distributions these days come with tcpdump preinstalled, but you need root (or sudo) privileges to run it, because opening an interface for capture requires raw socket access.
Here we show how to install tcpdump and then cover some useful commands with practical examples.
Check whether tcpdump is already installed on the machine:
# rpm -qa | grep tcpdump
tcpdump-4.0.0-3.20090921gitdf3cb4.2.el6.x86_64
If it is not, install it:
# yum install tcpdump
Once tcpdump is installed, you can work through the following commands and their examples.
1. Capture Packets from a Specific Interface
The output scrolls until you interrupt it with Ctrl-C. Run without -i, tcpdump does not capture on all interfaces; it picks the first configured, non-loopback interface. The -i switch selects the interface you want (-i any captures on all interfaces, see the pseudo-device in example 4).
# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:06:54.730711 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 45175180:45175360, ack 217829, win 41860, length 180
22:06:54.730753 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 45175360:45175620, ack 217829, win 41860, length 260
22:06:54.730799 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 45175620:45175912, ack 217829, win 41860, length 292
22:06:54.730843 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 45175912:45176220, ack 217829, win 41860, length 308
22:06:54.730885 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 45174140, win 63440, length 0
22:06:54.730889 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 45174692, win 62888, length 0
22:06:54.730891 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 45176220:45176528, ack 217829, win 41860, length 308
22:06:54.730892 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 45175180, win 64240, length 0
2. Capture Only N Packets
By default tcpdump keeps capturing on the interface until you stop it with Ctrl-C. With -c you can stop after a given number of packets; the example below captures only 5. The counters printed at the end show how many packets matched and were captured, how many reached the filter, and how many the kernel dropped because user space could not keep up (a non-zero drop count means the capture is incomplete).
# tcpdump -c 5 -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:10:37.385308 IP6 fe80::b947:a4a7:3540:fbd0.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
22:10:37.386857 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 775198156:775198352, ack 2552333147, win 41860, length 196
22:10:37.387109 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 196, win 64240, length 0
22:10:37.387482 IP oracle.microair.in.48204 > google-public-dns-a.google.com.domain: 20907+ PTR? 2.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
22:10:37.441122 IP 172.24.0.69.7765 > 255.255.255.255.7765: UDP, length 92
5 packets captured
51 packets received by filter
0 packets dropped by kernel
3. Print Captured Packets in ASCII
The -A option prints each packet's payload in ASCII, which is useful for plaintext protocols such as HTTP. The traffic below is SSH, so the encrypted payload shows up as unreadable characters.
# tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:12:28.783324 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [.], seq 3274416:3275876, ack 14717, win 41860, length 1460
E...[.@.@................f...!.OP...^"........\........S?}.....0..5 ... +..6wJ....\"....`d.C......{.H......n)...*/...A..x...(..U..f...t!..?l.'.V y...@.$.;`.~..!-...#..............Q.hA......vM.e*....U.`._..x....L."}".%.......!.C.yDm....9,.3.d.!....7.K.....{......Jk..xI...G..O.-uu...6&.`.....f.....j..]`..T7.....*..z.\...3T.bR..[\.
..A.....3...U.9R.U..?Q
...\s#.........9b......rp;{..K.l.$Q,...............(...z...zW...Q.fs.-.M.|a.|+
..@...M...Vc+O.<....=xi.0.y....z....N....]B..w...|.i....13..LE..I...k..^vCre..-zq..n...I..=7.i....4M...<l..8q9A>t.....N>.,{..~.........0u%...G..w.5._.|.a6&.1X...e.......b.W.m.!..[z.....\".....mg..1...x.j.........U#..J=.u@...j.b8m...;.....@.@G....>..+Y<..+..>-.i...yR....h.n..{x}.L....w...xH....:..A....V,*...p$aq |..G.......w.....nA5X.S{...M..$.P0.
length 31
GTTQUICKADMIN........}.{.................F...'...T..........
3818 packets captured
5343 packets received by filter
494 packets dropped by kernel
4. Display Available Interfaces
To list the interfaces tcpdump can capture on, run it with the -D option.
#  tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.usbmon4 (USB bus number 4)
6.usbmon5 (USB bus number 5)
7.usbmon6 (USB bus number 6)
8.usbmon7 (USB bus number 7)
9.usbmon8 (USB bus number 8)
10.any (Pseudo-device that captures on all interfaces)
11.lo
5. Display Captured Packets in HEX and ASCII
With -XX tcpdump prints each packet in hex and ASCII, including its link-level (Ethernet) header; -X prints the same without the link-level header. The first 14 bytes of each dump below are the Ethernet header, followed by the IPv4 and TCP headers.
# tcpdump -XX -i eth0
22:16:50.395579 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 17683412, win 64240, length 0
        0x0000:  78ac c0bf 1f28 001d 7d5d 6cc1 0800 4500  x....(..}]l...E.
        0x0010:  0028 2930 4000 8006 794c ac18 0011 ac18  .()0@...yL......
        0x0020:  0012 dfe9 0016 9822 fd4b 2f75 3468 5010  .......".K/u4hP.
        0x0030:  faf0 8344 0000 0000 0000 0000            ...D........
22:16:50.398976 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 17685192, win 64240, length 0
        0x0000:  78ac c0bf 1f28 001d 7d5d 6cc1 0800 4500  x....(..}]l...E.
        0x0010:  0028 2932 4000 8006 794a ac18 0011 ac18  .()2@...yJ......
        0x0020:  0012 dfe9 0016 9822 fd7f 2f75 3b5c 5010  ......."../u;\P.
        0x0030:  faf0 7c1c 0000 0000 0000 0000            ..|.........
6. Capture and Save Packets to a File
As mentioned above, tcpdump can save the captured packets in pcap format; to do this, run it with the -w option and a file name. Nothing is printed per packet while writing; press Ctrl-C to stop and see the counters.
# tcpdump -w 0001.pcap -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
3242 packets captured
5443 packets received by filter
459 packets dropped by kernel
7. Read a Captured Packets File
To read and analyze the captured packet file 0001.pcap, use the -r option as shown below. Filter expressions work on a file as well as on a live interface, so a saved capture can be re-examined with different filters.
# tcpdump -r 0001.pcap
  reading from file 0001.pcap, link-type EN10MB (Ethernet)
22:18:20.777219 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 796301044:796301176, ack 2552432619, win 41860, length 132
22:18:20.777768 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 132, win 63328, length 0
22:18:20.778891 ARP, Request who-has 172.24.0.237 tell 172.24.0.222, length 46
22:18:20.779235 ARP, Request who-has 172.24.0.222 tell 172.24.0.237, length 46
22:18:20.789737 IP6 fe80::838:18d9:7a9f:ada4 > ff02::1:ff3f:f871: ICMP6, neighbor solicitation, who has fe80::f6ce:46ff:fe3f:f871, length 32
22:18:20.804236 ARP, Request who-has 172.24.0.100 tell 172.24.0.225, length 46
22:18:20.851399 ARP, Request who-has 172.24.229.57 tell 172.24.1.56, length 46
22:18:20.884141 IP6 fe80::99e1:a71b:73e4:c08f.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
22:18:20.971320 IP6 fe80::838:18d9:7a9f:ada4 > ff02::1:ff3f:f871: ICMP6, neighbo
8. Print IP Addresses Instead of Host Names
The -n option disables reverse DNS lookups, so hosts are shown numerically (compare oracle.microair.in in the earlier output with 172.24.0.18 below); -nn also leaves port numbers unresolved. Besides being faster, this stops the sniffing host from sending PTR queries of its own, like the lookup to google-public-dns-a.google.com seen in example 2.
# tcpdump -n -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:22:36.418987 IP 172.24.0.18.ssh > 172.24.0.17.57321: Flags [P.], seq 491164:491328, ack 2237, win 41860, length 164
22:22:36.419018 IP 172.24.0.18.ssh > 172.24.0.17.57321: Flags [P.], seq 491328:491492, ack 2237, win 41860, length 164
22:22:36.419061 IP 172.24.0.18.ssh > 172.24.0.17.57321: Flags [P.], seq 491492:491736, ack 2237, win 41860, length 244
22:22:36.419103 IP 172.24.0.18.ssh > 172.24.0.17.57321: Flags [P.], seq 491736:491996, ack 2237, win 41860, length 260
22:22:36.419154 IP 172.24.0.18.ssh > 172.24.0.17.57321: Flags [P.], seq 491996:492288, ack
9. Capture Only TCP Packets
To capture only TCP traffic, whatever the port, add the protocol qualifier tcp to the filter expression; udp, icmp and arp work the same way.
# tcpdump -i eth0 tcp
22:24:26.130264 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 379764, win 64240, length
22:24:26.130272 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 380124, win 63880, length
22:24:26.130308 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 381100:381280, ack 1769, win 41860, length 180
22:24:26.130359 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 381280:381684, ack 1769, win 41860, length 404
22:24:26.130405 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 381684:381960, ack 1769, win 41860, length 276
22:24:26.130453 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 381960:382140, ack 1769, win 41860, length 180
22:24:26.130502 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq
10. Capture Packets from a Specific Port
Let's say you want to capture packets for port 22; add port 22 to the expression as shown below. port matches either the source or the destination port; use src port 22 or dst port 22 to restrict the direction.
# tcpdump -i eth0 port 22
22:26:07.085560 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 252584:252860, ack 1145, win 41860, length 276
22:26:07.085599 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 252860:253008, ack 1145, win 41860, length 148
22:26:07.085629 IP oracle.microair.in.ssh > 172.24.0.17.57321: Flags [P.], seq 253008:253172, ack 1145, win 41860, length 164
22:26:07.085713 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 251740, win 63164, length
22:26:07.085722 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 252292, win 62612, length
22:26:07.085727 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 252860, win 62044, length
11. Capture Packets from a Source IP
To capture packets from a source IP, say 172.24.0.17, use src (short for src host) as follows.
# tcpdump -i eth0 src 172.24.0.17
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:29:25.056030 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 815597688, win 63160,
22:29:25.340967 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 149, win 63012, length 0
22:29:25.540963 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 297, win 62864, length 0
22:29:25.603310 IP 172.24.0.17.54624 > 224.0.0.252.hostmon: UDP, length 27
22:29:25.672694 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 561, win 64240, length 0
22:29:25.703109 IP 172.24.0.17.54624 > 224.0.0.252.hostmon: UDP, length 27
22:29:25.703428 IP 172.24.0.17.57321 > oracle.microair.in.ssh: Flags [.], ack 82
12. Capture Packets to a Destination IP
To capture packets sent to a destination IP, say 173.194.36.21, use dst as follows. Primitives can be combined with and, or and not, for example src 172.24.0.17 and port 22.
# tcpdump -i eth0 dst 173.194.36.21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 173.194.36.21.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0
10:55:05.527476 IP 192.168.0.2.59894 > 173.194.36.21.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0
10:55:05.626027 IP 192.168.0.2.59894 > 173.194.36.21.http: Flags [.], ack 2, win 245, o
13. Capture ARP Traffic
# tcpdump -i eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:39:04.490803 ARP, Request who-has 172.24.230.102 tell 172.24.1.56, length 46
22:39:04.725159 ARP, Request who-has 172.24.2.254 tell 172.24.3.128, length 46
22:39:04.838408 ARP, Request who-has 172.24.1.83 tell 172.24.0.239, length 46
22:39:05.003475 ARP, Request who-has 172.24.3.106 tell 172.24.3.107, length 46
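The following added example is not part of the original post; it ties examples 5, 6, 7 and 10 to 12 together in Python so that what tcpdump prints, writes and filters can be seen byte by byte. It decodes the first frame from the -XX hex dump above (the 60 bytes captured at 22:16:50.395579, copied verbatim from the page), verifies the IPv4 header checksum, writes the frame into a pcap file of the kind -w produces, reads it back the way -r does, and applies the equivalent of the filter expression src 172.24.0.17 and port 22. The pcap timestamps are constructed; the frame bytes are the page's own. Only the Python standard library is used.

```python
import os
import socket
import struct
import tempfile

# The first frame in the page's `tcpdump -XX` output: 14-byte Ethernet header,
# 20-byte IPv4 header, 20-byte TCP header and 6 bytes of Ethernet padding.
FRAME = bytes.fromhex(
    "78ac c0bf 1f28 001d 7d5d 6cc1 0800 4500"
    "0028 2930 4000 8006 794c ac18 0011 ac18"
    "0012 dfe9 0016 9822 fd4b 2f75 3468 5010"
    "faf0 8344 0000 0000 0000 0000"
)
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # "link-type EN10MB (Ethernet)" in tcpdump's banner
TCP_FLAG_CHARS = "FSRP.UEW"  # bit order tcpdump uses when printing Flags [..]

def ip_checksum(header: bytes) -> int:
    """Ones'-complement sum over the IPv4 header (RFC 1071); 0 means intact."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_flags(bits: int) -> str:
    """Render TCP flag bits the way tcpdump does, e.g. 0x18 -> 'P.'."""
    return "".join(c for i, c in enumerate(TCP_FLAG_CHARS) if bits & (1 << i))

def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet II / IPv4 / TCP frame into the fields tcpdump prints."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % eth_type)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl, proto, _csum = struct.unpack("!HHHBBH", ip[2:12])
    if proto != 6:
        raise ValueError("not TCP, protocol %d" % proto)
    tcp = ip[ihl:total_len]          # total_len excludes the Ethernet padding
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "eth_dst": ":".join("%02x" % b for b in eth_dst),
        "eth_src": ":".join("%02x" % b for b in eth_src),
        "ip_src": socket.inet_ntoa(ip[12:16]), "ip_dst": socket.inet_ntoa(ip[16:20]),
        "ip_id": ip_id, "ip_df": bool(frag & 0x4000), "ttl": ttl,
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp_flags(off_flags & 0x1FF), "win": win,
        "payload_len": len(tcp) - (off_flags >> 12) * 4,
    }

def write_pcap(path: str, frames, snaplen: int = 65535) -> None:
    """Write frames in the pcap format `tcpdump -w` produces (timestamps constructed)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1376239010 + i, 395579, len(frame), len(frame)))
            f.write(frame)

def read_pcap(path: str):
    """Yield (ts_sec, ts_usec, frame) as `tcpdump -r` would, honouring byte order."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[hdr[:4]]
        if struct.unpack(endian + "IHHiIII", hdr)[6] != LINKTYPE_ETHERNET:
            raise ValueError("unsupported link type")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)

def matches(pkt: dict, src_host=None, dst_host=None, port=None) -> bool:
    """BPF primitives used on this page; `port` matches either end, like tcpdump's."""
    if src_host and pkt["ip_src"] != src_host:
        return False
    if dst_host and pkt["ip_dst"] != dst_host:
        return False
    return not port or port in (pkt["sport"], pkt["dport"])

def summarize(pkt: dict) -> str:
    """One line in the style of `tcpdump -n -S` (absolute rather than relative ack)."""
    return "IP %s.%d > %s.%d: Flags [%s], ack %d, win %d, length %d" % (
        pkt["ip_src"], pkt["sport"], pkt["ip_dst"], pkt["dport"],
        pkt["flags"], pkt["ack"], pkt["win"], pkt["payload_len"])

def roundtrip(frames=(FRAME,), **bpf):
    """Write frames to a temporary pcap, read them back, decode and filter."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "0001.pcap")
        write_pcap(path, frames)
        pkts = [decode_frame(frame) for _, _, frame in read_pcap(path)]
    return [p for p in pkts if matches(p, **bpf)]

if __name__ == "__main__":
    for p in roundtrip(src_host="172.24.0.17", port=22):
        print(summarize(p))
```

Run as a script it prints the frame as 172.24.0.17.57321 > 172.24.0.18.22 with Flags [.] and win 64240, matching the tcpdump line above, except that the ack is the absolute value from the wire rather than the relative number tcpdump prints by default (use -S to make tcpdump print absolute numbers). The checksum check shows the -XX bytes are intact, and the decoder refuses anything that is not IPv4 over TCP, which is what a real reader must do before trusting a header field.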
