Monday, 30 January 2012

tcpdump more options


Let's check some more interesting options using tcpdump.

Host 

# tcpdump host 192.168.1.22
Look for traffic based on IP address (this also works with a hostname if you are not using -n). Use the host option to see all traffic to or from that machine.

src, dst 

# tcpdump src 192.168.1.22
# tcpdump dst 192.168.1.22
Show traffic only from a particular source or only to a particular destination (this eliminates one side of a host conversation).
 

net

# tcpdump net 192.186.0.0/24
capture an entire network using CIDR notation

proto 

# tcpdump icmp
works for tcp, udp, and icmp protocols.

port

# tcpdump port 3389
see only traffic to or from a certain port 

src/dst, port, protocol 

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53
combine all three options. You can also filter by a range of ports instead of declaring them individually.

Port Ranges 

# tcpdump portrange 21-23
see traffic to any port in a range. 

Packet Size Filter 

# tcpdump less 32
# tcpdump greater 128
only see packets below or above a certain size (in bytes)  


# tcpdump 'len > 32'
# tcpdump 'len <= 12'

The relational operators (>, <, >=, <=) can be used on the packet length instead of less / greater. Quote the expression: an unquoted > or < is taken by the shell as output/input redirection and never reaches tcpdump.

Grouping 

# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22
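Added example, not from the original post and not tcpdump's own code: a small Python model of the filter primitives covered above (host, src/dst, net, port, portrange, the protocol names, less/greater and len comparisons, and/or with parentheses) run against constructed packet records. It mirrors two behaviours worth knowing before typing a real filter: less and greater are inclusive bounds (len <= N and len >= N, as pcap-filter(7) defines them), and a bare value after and/or inherits the previous qualifiers, which is why 'dst port 3389 or 22' means 'dst port 3389 or dst port 22'. The packet records, the Filter class and the select helper are this example's own.

```python
import ipaddress
import operator
import re

TOKEN_RE = re.compile(r"\(|\)|>=|<=|!=|>|<|=|[^\s()<>=!]+")
PROTOS = {"tcp", "udp", "icmp"}
RELOPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
          "<=": operator.le, "=": operator.eq, "!=": operator.ne}

def _qualifier_test(direction, kind, value):
    if kind == "host":
        addr, fields = ipaddress.ip_address(value), ("src", "dst")
        test = lambda a: ipaddress.ip_address(a) == addr
    elif kind == "net":
        net, fields = ipaddress.ip_network(value, strict=False), ("src", "dst")
        test = lambda a: ipaddress.ip_address(a) in net
    elif kind == "port":
        n, fields = int(value), ("sport", "dport")
        test = lambda x: x == n
    else:  # portrange, written as lo-hi
        (lo, hi), fields = [int(x) for x in value.split("-")], ("sport", "dport")
        test = lambda x: lo <= x <= hi
    fields = {"src": fields[:1], "dst": fields[1:]}.get(direction, fields)
    # ICMP records carry no ports, so port qualifiers never match them.
    return lambda p: any(p.get(f) is not None and test(p[f]) for f in fields)

class Filter:
    # Recursive-descent parser for the subset of pcap filter syntax shown above.
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0
        # A bare value inherits the previous primitive's qualifiers, so
        # 'dst port 3389 or 22' reads as 'dst port 3389 or dst port 22'.
        self.last_dir, self.last_kind = None, "host"
        self.match = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("trailing token %r" % self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self):  # expr := term ('or' term)*
        left = self._term()
        while self._peek() == "or":
            self._next()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._term())
        return left

    def _term(self):  # term := factor ('and' factor)*
        left = self._factor()
        while self._peek() == "and":
            self._next()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._factor())
        return left

    def _factor(self):  # factor := '(' expr ')' | primitive
        if self._peek() != "(":
            return self._primitive()
        self._next()
        inner = self._expr()
        if self._next() != ")":
            raise ValueError("missing ')'")
        return inner

    def _primitive(self):
        tok = self._next()
        if tok in PROTOS:
            return lambda p: p["proto"] == tok
        if tok in ("less", "greater", "len"):  # less N is len <= N, greater N is len >= N
            op = RELOPS[{"less": "<=", "greater": ">="}.get(tok) or self._next()]
            n = int(self._next())
            return lambda p: op(p["len"], n)
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._next()
        if tok in ("host", "net", "port", "portrange"):
            kind, value = tok, self._next()
        else:  # bare value such as '22' or '10.0.2.4': reuse the previous qualifiers
            kind, value = self.last_kind, tok
            direction = direction or self.last_dir
        self.last_dir, self.last_kind = direction, kind
        return _qualifier_test(direction, kind, value)

# Constructed sample packets (not a real capture); 'len' is bytes on the wire.
PACKETS = [
    {"src": "10.0.2.4", "dst": "192.168.1.22", "proto": "tcp", "sport": 51000, "dport": 3389, "len": 60},
    {"src": "10.0.2.4", "dst": "192.168.1.22", "proto": "tcp", "sport": 51001, "dport": 22, "len": 140},
    {"src": "192.168.1.22", "dst": "10.0.2.4", "proto": "tcp", "sport": 22, "dport": 51001, "len": 100},
    {"src": "8.8.8.8", "dst": "192.168.1.9", "proto": "udp", "sport": 53, "dport": 53000, "len": 200},
    {"src": "10.0.2.4", "dst": "192.168.1.22", "proto": "icmp", "len": 84},
    {"src": "172.16.0.5", "dst": "192.168.1.22", "proto": "tcp", "sport": 40000, "dport": 21, "len": 20},
]

def select(expr, packets=PACKETS):
    # Indices of the sample packets a tcpdump run with this filter would show.
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f.match(p)]
```

select("src 10.0.2.4 and (dst port 3389 or 22)") returns [0, 1]: the ICMP packet from the same source is skipped because it has no ports, and "or 22" is applied as "dst port 22". An expression like "> 32" with no len in front is rejected by the parser, just as pcap rejects it. Real tcpdump compiles the expression to BPF and matches in the kernel; the model only reproduces the matching semantics so an expression can be sanity-checked before a capture.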
