tcpdump is an extremely useful network packet tracing tool. While not as feature-rich as programs such as Wireshark, its packet "dump" output can be used as input by other programs for analysis. In a pinch, and for network debugging, tcpdump works wonders.
For instance, if you were interested in viewing the incoming packets to port 80 in real-time, i.e., to see where packets were coming from or being sent to, you would use:
# tcpdump -i eth1 tcp port 80
This will monitor the interface eth1 for all TCP traffic being sent to or from port 80. Suppose you suspect your system of generating large amounts of outbound traffic to other Web sites; you can tune this command further so that it only watches outbound traffic to port 80 (here 192.168.0.10 is your system's own address), ignoring all inbound traffic on port 80:
# tcpdump -i eth1 tcp dst port 80 and src host 192.168.0.10
TCPDUMP SYNTAX
---------------------------------------------------------------------------------------------------
| Syntax:  | Protocol | Direction | Host(s)  | Value | Logical Operations | Other expression      |
| Example: | tcp      | dst       | 10.1.1.1 | 80    | and                | tcp dst 10.2.2.2 3128 |
---------------------------------------------------------------------------------------------------
Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.
Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the "src or dst" keywords are applied.
For example, "host 10.2.2.2" is equivalent to "src or dst host 10.2.2.2".
Host(s):
Values: net, port, host, portrange.
If no host(s) qualifier is specified, the "host" keyword is assumed.
For example, "src 10.1.1.1" is equivalent to "src host 10.1.1.1".
Logical Operations:
Values: not, and, or.
Negation ("not") has highest precedence. Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.
For example:
"not tcp port 3128 and tcp port 23" is equivalent to "(not tcp port 3128) and tcp port 23".
"not tcp port 3128 and tcp port 23" is NOT equivalent to "not (tcp port 3128 and tcp port 23)".
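The default and precedence rules listed above can be checked offline with a small evaluator. The code below is an added example, not tcpdump's own code: it parses a filter expression with the stated rules (default direction "src or dst", default qualifier "host", "not" binding tightest, "and"/"or" sharing one precedence level and folding left to right) and applies it to constructed packet records. It assumes IPv4 literals only (no DNS lookups), the protocols tcp/udp/ip, the qualifiers host/port/net, and a constructed SERVICES table standing in for the /etc/services lookup that resolves names such as "http" and "ftp".

```python
# Added example, not tcpdump's own code: evaluator for the filter rules above
# (default direction "src or dst", default qualifier "host", "not" tightest,
# "and"/"or" equal precedence, left to right). Assumes IPv4 literals, tcp/udp/ip,
# host/port/net, and a constructed SERVICES table in place of /etc/services.
import ipaddress

PROTOS = {"tcp", "udp", "ip"}
DIRS = {"src", "dst"}
QUALS = {"host", "port", "net"}
OPS = {"and", "or"}
SERVICES = {"ftp": 21, "telnet": 23, "http": 80}   # constructed, not /etc/services


class FilterParser:
    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self, ahead=0):
        return self.toks[self.pos + ahead] if self.pos + ahead < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]      # IndexError means a truncated expression

    def expr(self):
        left = self.term()
        while self.peek() in OPS:           # "and"/"or": one precedence level, left to right
            left = (self.take(), left, self.term())
        return left

    def term(self):
        if self.peek() == "not":            # "not" applies only to the term right after it
            self.take()
            return ("not", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        if proto and (self.peek() in OPS or self.peek() in (None, ")")):
            return ("prim", proto, None, None, None)            # bare "tcp" / "udp"
        direction = "src or dst"                                # default direction
        if self.peek() in DIRS:
            direction = self.take()
            if self.peek() in OPS and self.peek(1) in DIRS:     # "src or dst", "src and dst"
                direction = "%s %s %s" % (direction, self.take(), self.take())
        qual = self.take() if self.peek() in QUALS else "host"  # default qualifier
        return ("prim", proto, direction, qual, self.take())


def matches(node, pkt):
    kind = node[0]
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    _, proto, direction, qual, value = node
    if proto in ("tcp", "udp") and pkt["proto"] != proto:
        return False
    if direction is None:                   # protocol-only primitive
        return True
    if qual == "port":
        port = int(SERVICES.get(value, value))
        src_ok, dst_ok = pkt["sport"] == port, pkt["dport"] == port
    elif qual == "net":
        net = ipaddress.ip_network(value, strict=False)
        src_ok = ipaddress.ip_address(pkt["src"]) in net
        dst_ok = ipaddress.ip_address(pkt["dst"]) in net
    else:
        src_ok, dst_ok = pkt["src"] == value, pkt["dst"] == value
    return {"src": src_ok, "dst": dst_ok, "src or dst": src_ok or dst_ok,
            "src and dst": src_ok and dst_ok}[direction]


def filter_packets(expression, packets):
    # Returns the indices of the packets matched by a tcpdump-style expression
    parser = FilterParser(expression)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in %r" % expression)
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]


SAMPLE_PACKETS = [   # constructed sample traffic, not a real capture
    {"proto": "tcp", "src": "192.168.0.10", "dst": "203.0.113.5", "sport": 51000, "dport": 80},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.0.10", "sport": 80, "dport": 51000},
    {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 4444, "dport": 3128},
    {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 4445, "dport": 23},
    {"proto": "udp", "src": "192.168.0.10", "dst": "192.168.0.1", "sport": 5353, "dport": 53},
    {"proto": "tcp", "src": "192.168.1.100", "dst": "192.168.1.2", "sport": 40000, "dport": 21},
]

if __name__ == "__main__":
    for e in ("not tcp port 3128 and tcp port 23", "not (tcp port 3128 and tcp port 23)"):
        print("%-40s -> %s" % (e, filter_packets(e, SAMPLE_PACKETS)))
```

Running it shows the two precedence examples diverge on the constructed traffic: the first matches only the telnet packet (index 3), while the parenthesised form matches every packet, because no single packet carries both port 3128 and port 23. An expression such as "tcp port 80 or tcp port 23 and src host 10.1.1.1" is likewise read as "(port 80 or port 23) and src host 10.1.1.1", which is why explicit parentheses are worth adding whenever "and" and "or" are mixed.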
Useful Examples:
To display the standard tcpdump output:
#tcpdump
To display the verbose output:
#tcpdump -v
To display Network interfaces available for the capture:
#tcpdump -D
1.bond0
2.eth0
3.eth1
4.eth2
5.eth3
6.bond9
7.any (Pseudo-device that captures on all interfaces)
8.lo
To display numerical addresses rather than symbolic (DNS) addresses:
#tcpdump -n
To display the quick output:
#tcpdump -q
To capture the traffic of a particular interface or bond:
#tcpdump -i eth0
#tcpdump -i bond0
To capture the UDP traffic:
#tcpdump udp
To capture the TCP port 80 traffic:
#tcpdump port http
To capture the traffic from a filter stored in a file:
#tcpdump -F file_name
To create the file in which the filter is configured (here, TCP port 80):
#vi file_name
port 80
To stop the capture after 20 packets:
#tcpdump -c 20
To write the capture to a file instead of displaying it on the screen (the file holds raw packets, not text, so it must be read back with -r):
#tcpdump -w capture.log
To read a capture file:
#tcpdump -r capture.log
To display the packets having "www.openmaniak.com" as their source or destination address:
#tcpdump host www.openmaniak.com
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:
#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp
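The -w and -r examples above write and read a capture file, and the introduction notes that such dumps can be consumed by other programs. The following is an added example, not tcpdump's own code, of what that looks like from the consuming side: it writes a classic pcap file (the format "tcpdump -w" produces by default), then reads it back and prints one tcpdump-style line per packet, optionally restricted to one port. The frames, MAC addresses and IP addresses are constructed, only Ethernet/IPv4/TCP is decoded, the IPv4 header checksum is computed but the TCP checksum is left at zero, and the helper names (build_tcp_frame, write_pcap, read_pcap, decode_tcp, summarize) are this example's own.

```python
# Added example, not tcpdump's own code: write a classic pcap file (what
# "tcpdump -w" produces by default), read it back and summarise it the way a
# separate analysis program would. Frames, MACs and addresses are constructed.
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4            # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = [(0x02, "S"), (0x10, "."), (0x01, "F"), (0x04, "R"), (0x08, "P")]


def ip_checksum(header):
    # RFC 1071 ones-complement sum over an IPv4 header (checksum field zeroed)
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02, payload=b""):
    # Ethernet II / IPv4 / TCP; constructed locally administered MACs, TCP checksum left zero
    eth = bytes.fromhex("021122334455") + bytes.fromhex("02aabbccddee") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    fields = [0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + tcp


def write_pcap(path, frames, first_ts=1700000000):
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for n, frame in enumerate(frames):
            # record header: ts_sec, ts_usec, captured length, original length
            fh.write(struct.pack("<IIII", first_ts + n, 0, len(frame), len(frame)))
            fh.write(frame)


def read_pcap(path):
    """Yield (ts_sec, frame) records, honouring the byte order the magic implies."""
    with open(path, "rb") as fh:
        magic = fh.read(4)
        if magic == struct.pack("<I", PCAP_MAGIC):
            order = "<"
        elif magic == struct.pack(">I", PCAP_MAGIC):
            order = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng or unknown magic)")
        linktype = struct.unpack(order + "HHiIII", fh.read(20))[5]
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported link type %d" % linktype)
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                break
            ts_sec, _, incl_len, _ = struct.unpack(order + "IIII", hdr)
            frame = fh.read(incl_len)
            if len(frame) < incl_len:          # capture cut off mid-packet
                raise ValueError("truncated record")
            yield ts_sec, frame


def decode_tcp(frame):
    """Return the TCP 4-tuple and flags, or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    off = 14 + (frame[14] & 0x0F) * 4          # skip Ethernet + IPv4 header (IHL)
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": frame[off + 13]}


def summarize(path, port=None):
    # One tcpdump-style line per TCP packet, optionally only packets on one port
    lines = []
    for ts, frame in read_pcap(path):
        pkt = decode_tcp(frame)
        if pkt is None or (port is not None and port not in (pkt["sport"], pkt["dport"])):
            continue
        flags = "".join(name for bit, name in TCP_FLAGS if pkt["flags"] & bit)
        lines.append("%d IP %s.%d > %s.%d: Flags [%s]" % (
            ts, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], flags))
    return lines


def demo():
    """Write a constructed three-packet capture and read back the port 80 traffic."""
    frames = [build_tcp_frame("192.168.0.10", "203.0.113.5", 51000, 80),        # SYN
              build_tcp_frame("203.0.113.5", "192.168.0.10", 80, 51000, 0x12),  # SYN-ACK
              build_tcp_frame("192.168.1.100", "192.168.1.2", 40000, 21)]       # FTP control
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "capture.pcap")
        write_pcap(path, frames)
        return summarize(path, port=80)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The file demo() writes can also be opened with "tcpdump -r capture.pcap -n" for comparison; the reader checks the magic number and link type before trusting any record and stops on a record whose length runs past the end of the file, which is what a capture interrupted mid-write looks like.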
Final Thoughts
There are endless criteria for filtering traffic with tcpdump. This can be very useful, for example, in isolating the traffic on the network that flows between a media server and the DXi. The best resource for this tool is the man page already found on the DXi or on any Linux or Unix system. There are also several good websites on using this tool, found by searching for 'tcpdump' in your web browser.
#man tcpdump
TCPDUMP(8) TCPDUMP(8)
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
[ expression ]