linux poison RSS
linux poison Email

Quick and simple usage of tcpdump (packet sniffer)

Tcpdump is a popular computer network debugging and security tool which allows the user to intercept and display TCP/IP packets being transmitted or received over a network to which the computer is attached. Tcpdump allows us to precisely see all the traffic and enables us to create statistical monitoring scripts.

At an ethernet segment, tcpdump operates by putting the network card into promiscuous mode in order to capture all the packets going through the wire. Using tcpdump we have a view on any TCP/UDP connection establishment and termination and we can measure the response time and the packet loss percentagesTo print

Some simple usage:

all packets arriving at or departing from
# tcpdump -n host

To print traffic between and either or
# tcpdump -n host and \( or \)

To print all IP packets between and any host except
# tcpdump ip -n host and not

To print all traffic between local hosts and hosts at Berkeley:
# tcpdump net ucb-ether

To print all ftp traffic through internet gateway xx:
# tcpdump 'gateway xx and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
# tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
# tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway xx:
# tcpdump 'gateway xx and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
# tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
# tcpdump 'icmp[0] != 8 and icmp[0] != 0"


Post a Comment

Related Posts with Thumbnails