Tuesday, 31 January 2012

Doing ftp in different ways

We can execute the following command in a browser

ftp://ftp.freenet.de/pub/filepilot/  ---- ftp to a free ftp site using domain name

ftp://193.43.36.131/Radio/MP3/  ------ ftp using ip address


ftp://195.216.160.175/

ftp://202.118.66.15/pub/books

ftp://clubmusic:clubmusic@217.172.16.3:8778/ ---- using username, password and a specific ftp port.

ftp://psy:psy@ftp.cybersky.ru

Create a login banner for ftp, Each user will see the message before they enter their username and password, even anonymous users.

Edit the vsftpd.conf and place 
ftpd_banner= any message

Another method of creating a Banner Message is to place a .message file in a directory. Create a file with the message and save it as .message in the directory. Be sure to make it read only.

and gives the option in config file

banner_file=/path/to/banner/file




How to release the Linux disk buffer/cache

Inorder to free the disk cache we get an interface /proc/sys/vm/drop_caches has been available to simplify this process.

First we run the sync command before dropping the cache. Doing this will ensure that all memory in the cache is updated and all dirty pages are synchronized before dropping the cache.

You can safely skip this step but if you have any dirty pages in your disk cache the system will refuse to release them.

# sync

next step is echoing “3″ to the /proc/sys/vm/drop_caches file which will signal the OS to release the pagecache, dentries and inodes.

# echo 3 > /proc/sys/vm/drop_caches

# sync

# echo 0 > /proc/sys/vm/drop_caches ----- default value/ after clear the cache make it as 0 by running this command.

# echo 1 > /proc/sys/vm/drop_caches ---- only page cache

# echo 2 > /proc/sys/vm/drop_caches ------ only inode 

# echo 3 > /proc/sys/vm/drop_caches --- inode/page cache/clear all cache

Cron tab Help

The basic usage of cron is to execute a job in a specific time. Please note that the time field uses 24 hours format.

Linux Crontab Format 

min    hr    dom   mon   dow   cmd

min        Minutefield        0 to 59
hr          Hourfield           0 to 23
dom      DayofMonth        1-31
mon       Monthfield         1-12
dow       DayOfWeek        0-6
cmd       Command Any command to be executed.

* Scheduling a Job For a Specific Time Every Day

 30 08 10 06 *  /home/full-backup

* 30 – 30th Minute
* 08 – 08 AM 
* 10 – 10th Day
* 06 – 6th Month (June)
* * – Every day of the week

* Schedule a Job For More Than once a day
take abackup twice a day every day

00 11,16 * * * /home/backup

* 00 – 0th Minute (Top of the hour)
* 11,16 – 11 AM and 4 PM
* * – Every day 
* * – Every month
* * – Every day of the week

* Schedule a Job for Specific Range of Time
If you wanted a job to be scheduled for every hour with in a specific range of time then use the following. Cron Job everyday during working hours.
  during the working hours 9 a.m – 6 p.m

00 09-18 * * * /home/bkp

* 00 – 0th Minute (Top of the hour) 
* 09-18 – 9 am, 10 am,11 am,12 am,1pm,2pm, 3 pm, 4 pm,5 pm,6 pm
* * – Every day 
* * – Every month
* * – Every day of the week

* schedule a job for every minute using cron

* * * * * CMD

The * means all the possible unit — i.e every minute of every hour through out the year. More than using this * directly, you will find it very useful in the following cases.

When you specify */5 in minute field means every 5 minutes

When you specify 0-10/2 in minute field mean every 2 minutes in the first 10 minute

Thus the above convention can be used for all the other 4 fields.

* scheduling a background cron job every 10 minutes

*/10 * * * * /home/cmd

It executes the specified command every 10 minutes through out the year

* Scheduling a cron job in every 6 hours
 0 */6 * * * /path/to/mycommand
It executes the specified command in every 6 Hr throughout the year

Instead of specifying values in the 5 fields, we can specify it using a single keyword. Instead of the above 5 fields you can use @ followed by a keyword — such as reboot, midnight, yearly, hourly.

Cron special keywords and its meaning :-

@yearly  0 0 1 1 *
@daily    0 0 * * *
@hourly  0 * * * *
@reboot Run at startup

* Schedule a Job For First Minute of Every Year using @yearly
If you want a job to be executed on the first minute of every year, then you can use the @yearly cron keyword as shown below. 

@yearly /home/annual-maintenance 

This will execute the shell script at 00:00 on Jan 1st for every year.

 * Schedule a Cron Job Beginning of Every Month using @monthly
This will execute the shell script tape-backup at 00:00 on 1st of every month

@monthly /home/backup

* Schedule a Background Job Every Day using @daily
It will execute at 00:00 on every day

@daily /home/cleanuplogs "day started"

* Execute a Linux Command After Every Reboot using @reboot
Using the @reboot cron keyword, this will execute the specified command once after the machine got booted every time.

@reboot CMD

* Disable/Redirect the Crontab Mail Output using MAIL keyword
By default crontab sends the job output to the user who scheduled the job. If you want to redirect the output to a specific user, add or update the MAIL variable in the crontab as shown below. 

# crontab -l
MAIL="ctechz" 
@yearly /home/maintenance 
*/10 * * * * /home/diskspace

crontab of the current logged in user with MAIL variable. If you wanted the mail not to be sent to anywhere.

MAIL=""

* Execute a Linux Cron Jobs Every Second Using Crontab

We cannot schedule a every-second cronjob. Because in cron the minimum unit you can specify is minute.

* Putting PATH Variable in the Crontab 

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/home/ctechz

@yearly annual-maintenance
*/10 * * * * check-disk-space

* Installing Crontab From a Cron File
Instead of directly editing the crontab file, you can add all the entries to a file cron-file.txt, then you can upload or install them to the cron as shown below.
make sure you backed up  the entries in crontab first or else the new entries in cron-file.txt will replace the existing entries.

# crontab -l
no cron file defined

# cat cron-file.txt
@yearly /home/maintenance
*/10 * * * * /home/diskspace

# crontab cron-file.txt
execute the cron-file using ctrontab

Then check the crontab file
# crontab -l
@yearly /home/ramesh/annual-maintenance
*/10 * * * * /home/ramesh/check-disk-space 

CronJob for PHP Files

Command to run a PHP5 cron job:
php /home/username/public_html/cron.php

Optional flags are sometimes required for a PHP cron job:
php -q /home/username/public_html/cron.php

Command to use a specific php.ini file:
php -c /home/username/public_html/php.ini /home/username/public_html/myscript.php


Command to GET a remote file:
/usr/bin/GET http://www.example.com/file.php

CronJob for Perl Files

Command to run a CGI cron job:
perl /home/username/public_html/cgi-bin/file.pl

CronJob for Shell Script

Command to run a shell script cron job:
/bin/sh /home/username/public_html/file.sh

Monday, 30 January 2012

How to Wget

* Download Single File with wget
# wget http://www.openss7.org/repos/tarballs/strx25-0.9.2.1.tar.bz2

* Download and Store With a Different File name Using wget -O
# wget -O taglist.zip http://www.vim.org/scripts /download_script.php?src_id=7701

* Specify Download Speed / Download Rate Using wget –limit-rate
# wget --limit-rate=200k http://www.openss7.org/repos/tarballs /strx25-0.9.2.1.tar.bz2

* Continue the Incomplete Download Using wget -c
# wget -c http://www.openss7.org/repos/tarballs /strx25-0.9.2.1.tar.bz2

* Download in the Background Using wget -b
# wget -b http://www.openss7.org/repos/tarballs /strx25-0.9.2.1.tar.bz2

* Mask User Agent and Display wget like Browser Using wget –user-agent
# wget --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" URL-TO-DOWNLOAD

Some websites can disallow you to download its page by identifying that the user agent is not a browser. So you can mask the user agent by using –user-agent options and show wget like a browser as shown below.

* Test Download URL Using wget –spider
# wget --spider DOWNLOAD-URL

When you are going to do scheduled download, you should check whether download will happen fine or not at scheduled time. To do so, copy the line exactly from the schedule, and then add –spider option to check.

* Increase Total Number of Retry Attempts Using wget --tries 
# wget --tries=75 DOWNLOAD-URL

If the internet connection has problem, and if the download file is large there is a chance of failures in the download. By default wget retries 20 times to make the download successful. If needed, you can increase retry attempts using –tries option as shown below.

* Download Multiple Files / URLs Using Wget -i
First, store all the download files or URLs in a text file as:

# cat > download-file-list.txt 

Next, give the download-file-list.txt as argument to wget using -i option as shown below. 

# wget -i download-file-list.txt

* Download a Full Website Using wget –-mirror
Following is the command line which you want to execute when you want to download a full website and made available for local viewing.

# wget --mirror -p --convert-links -P ./LOCAL-DIR WEBSITE-URL

-–mirror : turn on options suitable for mirroring.
  -p  : download all files that are necessary to properly display a given 
         HTML page.
-–convert-links : after the download, convert the links in document for
                         local viewing.
-P ./LOCAL-DIR : save all the files and directories to the specified directory.

* Reject Certain File Types while Downloading Using wget -–reject 
# wget --reject=gif WEBSITE-TO-BE-DOWNLOADED

* Log messages to a log file instead of stderr Using wget -o
# wget -o download.log DOWNLOAD-URL

* Quit Downloading When it Exceeds Certain Size Using wget -Q 
When you want to stop download when it crosses 5 MB you can use the following wget command line.
# wget -Q5m -i FILE-WHICH-HAS-URLS

This quota will not get effect when you do a download a single URL. That is irrespective of the quota size everything will get downloaded when you specify a single file. This quota is applicable only for recursive downloads. 

* Download Only Certain File Types Using wget -r -A
# wget -r -A.pdf http://url-to-webpage-with-pdfs/

* FTP Download With wget
Anonymous FTP download using Wget
# wget ftp-url

FTP download using wget with username and password authentication.
# wget --ftp-user=USERNAME --ftp-password=PASSWORD DOWNLOAD-URL

HTTP Download using wget with username and password
# wget --user=username --password=password downloadURL .
These parameters can be overridden using the --ftp-user and --ftp-password options for FTP connections and the --http-user and --http-password options for HTTP connections.

How to Read Tcpdump output

Let us see how can we read the tcpdump output by checking what each term means.

Let us take a sample output of a tcpdump
20:08:41.313149 ctechz.blogspot.1086 > 192.168.0.22.80: S 1192278531:1192278531(0) win 1638

14:18:49.519284  ------------> This is the time stamp in the format of two digits for hours, two digits for minutes,  two digits for seconds, and six digits for fractional parts of a second.

ctechz.blogspot ---------------> This is the source host name. The default behavior is to resolve the hostname but you can turn it off with the tcpdump -n option.If you don't see a DNS name the IP will appear. something like IP computer name.

1086 ------> This is the source port number or port service.

> ----------> This is a marker to indicate direction flow going from source to destination.

192.168.0.22  ----------> This is the destination hostname or ip address.

80 ------------> This is the destination port number or maybe it will be translated ad HTTP.

S ---------> This is the tcp flag. The S represents a SYN Flag

1192278531:1192278531(0)  ------------> This is the beginning TCP sequence number: ending TCP sequence number(data bytes). Sequence numbers are used by TCP to order the data received. The initial sequence number(ISN)is selected as a unique number to mark the first byte of data.  The ending sequence number is the beginning sequence plus the number of bytes being sent with this TCP segment.In this case there were zero bytes sent, the beginning and the ending sequence number's are the same. It will also has an acknowledgment(ack) number.

win 1638 --------------> This is the receiving buffer size in bytes of rootwars.org for this connection.



TCP       Flag                 Flag Meaning
Flag     Representation   
        

  SYN                     S                          Session established request which
                                                      is the first part of any TCP
                                                     connection( 3 way handshake ). 

ACK                      ack                    Ack flag is generally used to
                                                   acknowledge the receipt of data 
                                                 from the sender. Might be in 
                                               conjunction with other flags.

FIN                         F                    Fin flag is generally used to
                                                    indicate the sender's intention 
                                                   to gracefully terminate the 
                                                   sending host's connection 
                                                    to the receiving host. 

RESET                    R                   Reset flag is generally used 
                                                    to indicate the sender's 
                                                  intention to immediately abort
                                                 the existing connection with the 
                                                  receiving host.

PUSH                     P                      Push flag is generally used to
                                                     immediately "push" data from the
                                                     sending host to the receiving host.
                                                    This is for application like 
                                                   telnet where response time 
                                                   is a primary concern. 

URGENT              urg                 urgent flag is generally used
                                                  to mean that there is "urgent" 
                                                data that takes precedence over
                                               other data.

Placeholder          .                      If the connection does not have a
                                                  SYN,FIN,RESET, or PUSH flag,set a 
                                                  placeholder ( a period:.) will be found 
                                                  after the destination port.

like the IP header, the TCP (Transmission Control Protocol) header stores information about the packet:


  • Source Port
  • Destination Port
  • Sequence Number
  • Acknowledgement Number
  • Data Offset
  • Flags
  • Window
  • Checksum
  • Urgent Pointer
  • Options
  • Padding
 A packet contains all these above informations.


tcpdump more options


Let's check some more interesting options using tcpdump.

Host 

# tcpdump host 192.168.1.22
look for traffic based on IP address (also works with hostname if you're not using -n), check the traffic of other machine using host option. 

src, dst 

# tcpdump src 192.168.1.22
# tcpdump dst 192.168.1.22
find traffic from only a source or destination (eliminates one side of a host conversation)
 

net 
# tcpdump net 192.186.0.0/24
capture an entire network using CIDR notation

proto 

# tcpdump icmp
works for tcp, udp, and icmp protocols. 
port  

# tcpdump port 3389
see only traffic to or from a certain port 

src/dst, port, protocol 

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53
combine all three options . You also have the option to filter by a range of ports instead of declaring them individually. 

Port Ranges 

# tcpdump portrange 21-23
see traffic to any port in a range. 

Packet Size Filter 

# tcpdump less 32
# tcpdump greater 128
only see packets below or above a certain size (in bytes)  


tcpdump > 32
tcpdump <= 12

we can use the symbol also instead of less / greater 

Grouping 

# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22


 
 

tcpdump command help

Tcpdump a packet analyzer. It allows us analyze the packets that are moving through our network and also to save the packets that are captured. We can use tcpdump command to read the saved packets. 

In network data travels as packets each data packets contains the
information that it needs to travell across the network. This information is contained in a TCP Header. A TCP Header will contain the destination and source address, state information, and protocol identifiers. The rest of the packet contains the data that is being sent. Devices that are responsible for routing reads the informations in these packets and send them to there correct destinations.

Execute tcpdump command without any option, it will capture all the packets flowing through all the interfaces.Let's check some of the option in tcpdump to analyze the packets in a network. 

* Packets from a particular interface using tcpdump -i 

# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:18:49.519284 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228763333:228763445(112) ack 419799025 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:59.535351 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 105976169 2745262019>
14:18:49.519359 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 112 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.519375 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 224 win 10 <nop,nop,timestamp 2745262160 105976169>
14:18:49.537559 IP cloudcc.ctechz.blogspot.com.47433 > 10.0.0.2.domain:  49926+ PTR? 22.1.168.192.in-addr.arpa. (43)
14:18:49.713921 802.1d unknown version

In this, tcpdump captured all the packets flows in the interface eth0 and displays in the standard output. 

* N number of packets using tcpdump -c 

# tcpdump -c 2 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:55:00.837666 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228769381:228769493(112) ack 419800865 win 95 <nop,nop,timestamp 108147932 2747433275>
14:55:10.836110 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 108147932 2747433275>

* Captured Packets in ASCII using tcpdump -A 

# tcpdump -A -i eth0

14:59:15.281604 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228771221:228771413(192) ack 419801777 win 95 <nop,nop,timestamp 108402428 2747687702>
.........._.............
.v....c.XAQ...?..vJ...o...1zx-........
14:59:15.281735 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 26 <nop,nop,timestamp 2747687721 108402428>
..U....o...........C........
..c).v..
14:59:15.282197 IP cloudcc.ctechz.blogspot.com.50913 > 10.0.0.2.domain:  9309+ PTR? 22.1.168.192.in-addr.arpa. (43)
E..G..@.@.W....C
......5.3.1$]...........22.1.168.192.in-addr.arpa.....
14:59:15.821332 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
......@. .....d2....[:[:.=.c..."....d2#......UDP.8....rac1pfx-cluster..PING.

* Captured Packets in HEX and ASCII using tcpdump -XX

# tcpdump -XX -i eth0

15:04:34.561281 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.50959: P 228773525:228773717(192) ack 419802737 win 95 <nop,nop,timestamp 108721773 2748006955>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510  ...P....HS....E.
        0x0010:  00f4 b0c4 4000 4006 0586 c0a8 0143 c0a8  ....@.@......C..
        0x0020:  0116 0016 c70f 0da2 ce95 1905 ae71 8018  .............q..
        0x0030:  005f 8490 0000 0101 080a 067a f66d a3cb  ._.........z.m..
        0x0040:  422b 7997 8997 cac1 2559 79ad c095 4dbd  B+y.....%Yy...M.
        0x0050:  ae1c 1481 e5e6 0010 7651 d691 21f9 d955  ........vQ..!..U
15:04:34.561424 IP 192.168.1.22.50959 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 33 <nop,nop,timestamp 2748006974 108721773>
        0x0000:  0080 4853 84c4 c89c dc50 abd3 0800 4510  ..HS.....P....E.
        0x0010:  0034 e425 4000 4006 d2e4 c0a8 0116 c0a8  .4.%@.@.........
        0x0020:  0143 c70f 0016 1905 ae71 0da2 cf55 8010  .C.......q...U..
        0x0030:  0021 a46c 0000 0101 080a a3cb 423e 067a  .!.l........B>.z
        0x0040:  f66d                                     .m
15:04:34.561880 IP cloudcc.ctechz.blogspot.com.53544 > 10.0.0.2.domain:  15625+ PTR? 22.1.168.192.in-addr.arpa. (43)
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0047 f66e 4000 4011 784a c0a8 0143 0a00  .G.n@.@.xJ...C..
        0x0020:  0002 d128 0035 0033 cc31 3d09 0100 0001  ...(.5.3.1=.....
        0x0030:  0000 0000 0000 0232 3201 3103 3136 3803  .......22.1.168.
        0x0040:  3139 3207 696e 2d61 6464 7204 6172 7061  192.in-addr.arpa
        0x0050:  0000 0c00 01                             .....

* Capture the packets and write into a file using tcpdump -w

-w option writes the packets into a given file. The file extension should be .pcap, which can be read by any network protocol analyzer.

# tcpdump -w dump.pcap -i eth0  
you can get a file called dump.pcap which stores the packet details... 

* Read the packets from a saved file using tcpdump -r 

# tcpdump -r dump.pcap 
You can read the captured .pcap file and view the packets for analysis.  

* Getting packets with IP address using tcpdump -n 

# tcpdump -n -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:20:10.725855 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047509964:4047510156(192) ack 1239501135 win 95 <nop,nop,timestamp 109658129 2748943040>
15:20:10.725959 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 19 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726021 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:384(192) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726076 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 384:544(160) ack 1 win 95 <nop,nop,timestamp 109658129 2748943062>
15:20:10.726133 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 544:720(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726152 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 384 win 21 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726161 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 544 win 23 <nop,nop,timestamp 2748943062 109658129>
15:20:10.726215 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 720:896(176) ack 1 win 95 <nop,nop,timestamp 109658130 2748943062>
15:20:10.726262 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 720 win 24 <nop,nop,timestamp 2748943062 109658130> 

* Capture packets with readable timestamp using tcpdump -tttt 

# tcpdump -n -tttt -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
2012-01-29 15:24:47.784713 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 4047514140:4047514332(192) ack 1239503055 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784854 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 109935245 2749220078>
2012-01-29 15:24:47.784872 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 192 win 33 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.784944 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 400:704(304) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785001 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 400 win 34 <nop,nop,timestamp 2749220098 109935245>
2012-01-29 15:24:47.785043 IP 192.168.1.67.ssh > 192.168.1.22.46596: P 704:880(176) ack 1 win 95 <nop,nop,timestamp 109935245 2749220098>
2012-01-29 15:24:47.785071 IP 192.168.1.22.46596 > 192.168.1.67.ssh: . ack 704 win 36 <nop,nop,timestamp 2749220098 109935245>

* Reading packets longer than N bytes
You can receive only the packets greater than n number of bytes using a filter ‘greater’ through tcpdump command.

$ tcpdump greater 1024 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:32:23.030169 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 3533551345:3533552790(1445) ack 1677096811 win 3839 <nop,nop,timestamp 2749675305 110389966>
15:32:25.028568 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 1445:2890(1445) ack 866 win 3839 <nop,nop,timestamp 2749677304 110391966>
15:32:27.042511 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 2890:4335(1445) ack 1731 win 3839 <nop,nop,timestamp 2749679318 110393966>
15:32:29.035028 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.43819: P 189138042:189139487(1445) ack 3060416647 win 3839 <nop,nop,timestamp 2749681310 110395968>
15:32:31.009490 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 4866:6311(1445) ack 3515 win 3839 <nop,nop,timestamp 2749683284 110397968>
15:32:33.003763 IP 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: P 6311:7756(1445) ack 4380 win 3839 <nop,nop,timestamp 2749685278 110399967> 

* Capturing the packets of a specific protocol type
You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. 

# tcpdump -i eth0 arp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:38:34.274572 arp who-has 192.168.0.54 tell 192.168.0.22
15:38:36.252219 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:39.313602 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:40.455837 arp who-has 192.168.0.109 tell 192.168.0.45
15:38:43.032395 arp who-has 192.168.1.201 tell 192.168.1.200
15:38:46.924282 arp who-has 192.168.0.109 tell 192.168.0.45 

* Reading packets lesser than N bytes
You can receive only the packets lesser than n number of bytes using a filter ‘less’ through tcpdump command 

# tcpdump less 1024 -i eth0
# tcpdump -w l_1024.pcap  less 1024 

* Capturing packets flows on a particular port using tcpdump port
all the packets received by a particular port on a machine. 

# tcpdump -i eth0 port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:43:14.428293 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 4050640844:4050641036(192) ack 1239514031 win 95 <nop,nop,timestamp 111042115 2750326627>
15:43:14.428486 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 3811 <nop,nop,timestamp 2750326650 111042115>
15:43:24.427008 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 192:400(208) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427064 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 400:576(176) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427123 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.46596: P 576:768(192) ack 1 win 95 <nop,nop,timestamp 111052116 2750326650>
15:43:24.427144 IP 192.168.1.22.46596 > cloudcc.ctechz.blogspot.com.ssh: . ack 400 win 3811 <nop,nop,timestamp 2750336648 111052116> 

* Capturing packets for particular destination IP and Port
 The packets will have source and destination IP and port numbers. Using tcpdump we can apply filters on source or destination IP and port number.
The following command captures packets flows in eth0, with a particular destination ip and port number 22.
 

# tcpdump -w xpackets.pcap -i eth0 dst 192.168.1.183 and port 22
# tcpdump -i eth0 dst 192.168.1.175 and port 22

15:56:09.554572 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643264:2643456(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554611 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643456:2643648(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554663 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643648:2643840(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554710 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2643840:2644032(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554749 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644032:2644224(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>
15:56:09.554787 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.183.46596: P 2644224:2644416(192) ack 1345 win 95 <nop,nop,timestamp 111817400 2751101713>


 * TCP communication packets between two hosts  
If two different process from two different machines are communicating through tcp protocol, we can capture those packets using tcpdump as shown below. 

# tcpdump -w comm.pcap -i eth0 dst 192.168.1.183 and port 22 

You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues. 

* Filtering Packets using tcpdump – Capture all the packets other than arp and rarp
In tcpdump command, you can give “and”, “or” and “not” condition to filter the packets accordingly. 

# tcpdump -i eth0 not arp and not rarp
# tcpdump -i eth0 not tcp and not arp


16:02:53.965566 CDPv2, ttl: 180s, Device-ID 'CochinGate'[|cdp]
16:02:54.380054 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.380746 IP cloudcc.ctechz.blogspot.com.32894 > 10.0.0.2.domain:  47635+ PTR? 31.191.134.234.in-addr.arpa. (45)
16:02:54.402986 IP 192.168.100.51.23354 > 234.134.191.31.23354: UDP, length 151
16:02:54.649980 802.1d unknown version
16:02:54.954942 IP cloudcc.ctechz.blogspot.com.50001 > 10.0.0.2.domain:  21429+ A? centos.vr-zone.com. (36)
16:02:55.246120 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53
16:02:56.665126 802.1d unknown version
16:02:56.748222 IP 192.168.100.50.23354 > 234.134.191.31.23354: UDP, length 53 

* Make stdout line buffered. Useful if you want to see the data while capturing, use -l 

# tcpdump -l > dat & tail -f dat 

* Don't print domain name qualification of host names 

# tcpdump -N -i eth0

if you give this flag then tcpdump will print "ctechz'' instead of "ctechz.blogspot.com''

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:16:17.053108 IP cloudcc.ssh > 192.168.1.22.39495: P 2722677379:2722677491(112) ack 967375163 win 95 <nop,nop,timestamp 120226620 2759508498>
18:16:27.051222 IP cloudcc.ssh > 192.168.1.22.39495: P 112:224(112) ack 1 win 95 <nop,nop,timestamp 120226621 2759508498>
18:16:17.053136 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 112 win 23 <nop,nop,timestamp 2759508521 120226620>
18:16:17.053221 IP 192.168.1.22.39495 > cloudcc.ssh: . ack 224 win 23 <nop,nop,timestamp 2759508521 120226621>
18:16:17.053752 IP cloudcc.46957 > 10.0.0.2.domain:  25029+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:16:17.097848 IP cloudcc.52899 > 10.0.0.2.domain:  56675+ A? centos.communilink.net. (40) 

* When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.

# tcpdump -XX -i eth0
# tcpdump -X -i eth0

18:21:56.413767 IP cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1681546479:1681547345(866) ack 3540467048 win 501 <nop,nop,timestamp 120566051 2759847333>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4500  ...P....HS....E.
        0x0010:  0396 985f 4000 4006 1b59 c0a8 0143 c0a8  ..._@.@..Y...C..
        0x0020:  0116 dbe6 0c38 643a 5cef d307 3d68 8018  .....8d:\...=h..
        0x0030:  01f5 8732 0000 0101 080a 072f b123 a47f  ...2......./.#..
        0x0040:  eda5 504f 5354 2068 7474 703a 2f2f 7065  ..POST.http://pe
        0x0050:  7472 6f73 6f63 6961 6c2e 6e65 742f 6477  trosocial.net/dw


 * When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex. 

# tcpdump -xx -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:27:26.350615 IP cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.39495: P 2722709875:2722709987(112) ack 967381147 win 95 <nop,nop,timestamp 120896055 2760177744>
        0x0000:  c89c dc50 abd3 0080 4853 84c4 0800 4510
        0x0010:  00a4 e3a3 4000 4006 d2f6 c0a8 0143 c0a8
        0x0020:  0116 0016 9a47 a249 4173 39a9 109b 8018
        0x0030:  005f 8440 0000 0101 080a 0734 ba37 a484
        0x0040:  f850 c004 7673 c572 acb5 3f36 4aa9 5ab2
        0x0050:  dc3a 34b1 5abc 22d7 afde 5f51 d785 f394 

* Display the link-level header for each packet. 

# tcpdump -e -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:40:20.378413 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 258: cloudcc.ctechz.blogspot.com.ssh > 192.168.1.22.44043: P 4211844806:4211844998(192) ack 1868284851 win 95 <nop,nop,timestamp 121670241 2760951707>
18:40:20.378560 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.44043 > cloudcc.ctechz.blogspot.com.ssh: . ack 192 win 13 <nop,nop,timestamp 2760951727 121670241>
18:40:20.379052 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 85: cloudcc.ctechz.blogspot.com.54043 > 10.0.0.2.domain:  7182+ PTR? 22.1.168.192.in-addr.arpa. (43)
18:40:20.413456 00:80:48:53:84:c4 (oui Unknown) > c8:9c:dc:50:ab:d3 (oui Unknown), ethertype IPv4 (0x0800), length 932: cloudcc.ctechz.blogspot.com.56294 > 192.168.1.22.squid: P 1682031477:1682032343(866) ack 3541247187 win 501 <nop,nop,timestamp 121670277 2760950219>
18:40:20.413715 c8:9c:dc:50:ab:d3 (oui Unknown) > 00:80:48:53:84:c4 (oui Unknown), ethertype IPv4 (0x0800), length 66: 192.168.1.22.squid > cloudcc.ctechz.blogspot.com.56294: . ack 866 win 3839 <nop,nop,timestamp 2760951763 121670277>


It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. using 0 (zero) for a snaplength, which gets everything.


Useful list of the options in tcpdump

-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names. 
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Only get x number of packets and then stop. 
-s : Define the size of the capture (use -s0 unless you are intentionally capturing less.)
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-s : Set the snaplength, i.e. the amount of data that is being captured in bytes
-c : Only capture x number of packets, e.g. 'tcpdump -c 3'