TecMint: 12 Tcpdump Commands - A Network Sniffer Tool
by Narad Shrestha | Published: August 20, 2012 | Last Updated: September 13, 2012
How to Install tcpdump in Linux

# yum install tcpdump
1. Capture Packets from a Specific Interface

# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500
11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196,
11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.ar
11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)
11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.a
11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137
11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(13
11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(13
11:33:32.156576 ARP, Request who-has 172.16.16.37 tell oldoraclehp1.midcorp.midday.com,
11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)
2. Capture Only N Number of Packets

When you run the tcpdump command it will capture all

# tcpdump -c 5 -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500
11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196,
11:40:20.282244 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28
11:40:20.282360 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46
11:40:20.282369 IP 172.16.25.126.53216 > tecmint.com.domain: 49504+ PTR? 125.25.16.172.in
11:40:20.332494 IP tecmint.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424
6 packets captured
23 packets received by filter
0 packets dropped by kernel
3. Print Captured Packets in ASCII

The tcpdump command below, with the -A option, displays each packet in ASCII, a character-encoding scheme.

# tcpdump -A -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 332937234
M.r0...vUP.E.X.......~.%..>N..oFk.........KQ..)Eq.d.,....r^l......m\.oyE........g~m..Xy.
09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 6
M....vU.r1~P.._..........
^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.1
E..F..@.@............9.5.2.f+............1.0.168.192.in-addr.arpa.....
3 packets captured
11 packets received by filter
0 packets dropped by kernel
4. Display Available Interfaces

To list the interfaces available on the system, run the following command with the -D option.

# tcpdump -D

1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.usbmon3 (USB bus number 3)
6.usbmon4 (USB bus number 4)
7.usbmon5 (USB bus number 5)
8.any (Pseudo-device that captures on all interfaces)
9.lo
5. Display Captured Packets in HEX and ASCII

The following command with the -XX option captures the data of each packet,

# tcpdump -XX -i eth0

11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509
        0x0000:  b8ac 6f2e 57b3 0001 6c99 1468 0800 4510  ..o.W...l..h..E.
        0x0010:  00ec 8783 4000 4006 275d ac10 197e ac10  ....@.@.']...~..
        0x0020:  197d 0016 1129 d12a af51 d9b6 d5ee 5018  .}...).*.Q....P.
        0x0030:  4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123  IH.......M".g..#
        0x0040:  9013 8f68 aa70 29f3 2efc c512 5660 4fe8  ...h.p).....V`O.
        0x0050:  590a d631 f939 dd06 e36a 69ed cac2 95b6  Y..1.9...ji.....
        0x0060:  f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1  ...*4K.V........
        0x0070:  80c8 7980 11ac 9bd7 5b01 18d5 8180 4536  ..y.....[.....E6
        0x0080:  30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0  0.OmA..o.$.w.#..
        0x0090:  5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f  Z...K....S|....o
        0x00a0:  c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12  .y....D[{....c..
        0x00b0:  71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51  q..WR.......c..Q
        0x00c0:  0ac6 456e 0620 38e6 10cb 6139 fb2a a756  ..En..8...a9.*.V
        0x00d0:  37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93  7.......3..O....
        0x00e0:  1137 61c1 6a5c b4d1 ddda 380a f782 d983  .7a.j\....8.....
        0x00f0:  62ff a5a9 bb39 4f80 668a                 b....9O.f.
11:51:18.974759 IP 172.16.25.126.60952 > mddc01.midcorp.midday.com.domain: 14620+ PTR?
        0x0000:  0014 5e67 261d 0001 6c99 1468 0800 4500  ..^g&...l..h..E.
        0x0010:  0048 5a83 4000 4011 5e25 ac10 197e ac10  .HZ.@.@.^%...~..
        0x0020:  105e ee18 0035 0034 8242 391c 0100 0001  .^...5.4.B9.....
        0x0030:  0000 0000 0000 0331 3235 0232 3502 3136  .......125.25.16
        0x0040:  0331 3732 0769 6e2d 6164 6472 0461 7270  .172.in-addr.arp
        0x0050:  6100 000c 0001                           a.....
6. Save Captured Packets to a File

# tcpdump -w 0001.pcap -i eth0

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
4 packets captured
4 packets received by filter
0 packets dropped by kernel
7. Read Captured Packets File

To read and analyze the captured packet file 0001.pcap, use the command with the -r option, as shown below.

# tcpdump -r 0001.pcap

reading from file 0001.pcap, link-type EN10MB (Ethernet)
09:59:34.839117 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 335304161
09:59:34.963022 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 132, win 6
09:59:36.935309 IP 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(13
09:59:37.528731 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [P.], seq 1:53, ack
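As an added example, not code from the article: before handing a saved capture to tcpdump -r, it is worth confirming that the file really is a pcap and seeing what it was recorded with. The POSIX sh script below decodes the 24-byte global header that tcpdump -w writes at the start of every capture file; the link-type and snaplen it reports are the same values tcpdump prints as "link-type EN10MB (Ethernet), capture size 65535 bytes" when capturing. It assumes the classic libpcap format (magic a1b2c3d4 or a1b23c4d in either byte order), not pcapng, and the file it writes is a constructed header-only sample, not the article's 0001.pcap.

```shell
#!/bin/sh
# Added example (not from the TecMint article): decode the global header of a
# file written by "tcpdump -w" so a capture can be checked before analysis.
# Assumes the classic libpcap file format, not pcapng.

# Turn two or four hex byte strings into a decimal integer, little- or big-endian.
le32() { echo "$((0x$4$3$2$1))"; }
be32() { echo "$((0x$1$2$3$4))"; }
le16() { echo "$((0x$2$1))"; }
be16() { echo "$((0x$1$2))"; }

# pcap_header_info FILE
# Prints: endian=<little|big> version=<major>.<minor> snaplen=<n> linktype=<n> (<name>)
# Returns 1 if the file is shorter than a header or does not start with a pcap magic.
pcap_header_info() {
    file=$1
    # The positional parameters become the first 24 bytes as two-digit hex strings.
    set -- $(od -An -tx1 -N24 -v "$file")
    [ "$#" -eq 24 ] || { echo "$file: shorter than a pcap header" >&2; return 1; }
    case "$1$2$3$4" in
        d4c3b2a1|4d3cb2a1) endian=little; w32=le32; w16=le16 ;;  # 4d3c... = nanosecond stamps
        a1b2c3d4|a1b23c4d) endian=big;    w32=be32; w16=be16 ;;
        *) echo "$file: bad magic $1$2$3$4, not a classic pcap file" >&2; return 1 ;;
    esac
    # Header layout (byte offsets): magic 0-3, major 4-5, minor 6-7, thiszone 8-11,
    # sigfigs 12-15, snaplen 16-19, linktype 20-23.
    major=$($w16 "$5" "$6"); minor=$($w16 "$7" "$8")
    snaplen=$($w32 "${17}" "${18}" "${19}" "${20}")
    linktype=$($w32 "${21}" "${22}" "${23}" "${24}")
    case "$linktype" in
        1)   ltname=EN10MB ;;      # Ethernet: what "tcpdump -i eth0" reports as EN10MB
        113) ltname=LINUX_SLL ;;   # Linux "cooked" capture, produced by "-i any"
        *)   ltname=unknown ;;
    esac
    printf 'endian=%s version=%s.%s snaplen=%s linktype=%s (%s)\n' \
        "$endian" "$major" "$minor" "$snaplen" "$linktype" "$ltname"
}

# write_sample_pcap FILE: constructed header-only capture as tcpdump on an x86 Linux
# host would write it: little-endian magic, version 2.4, snaplen 65535, link-type 1.
write_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

sample=$(mktemp)
write_sample_pcap "$sample"
pcap_header_info "$sample"   # endian=little version=2.4 snaplen=65535 linktype=1 (EN10MB)
rm -f "$sample"
```

A snaplen smaller than 65535 means packets were truncated at capture time, so payload-level analysis of that file will be incomplete; a link-type other than the one expected (for instance LINUX_SLL from -i any instead of EN10MB from -i eth0) changes where the IP header starts, which matters when the hex output of -XX is read by hand.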
8. Capture IP Address Packets

To capture packets for a specific interface, run the following command with the -n option (which prints IP addresses numerically instead of resolving them to host names).

# tcpdump -n -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509
12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196,
12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:
12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:
12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668,
12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:
12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137
12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:
12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236,
9. Capture Only TCP Packets

# tcpdump -i eth0 tcp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509
12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196,
12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:
12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:
12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668,
12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:
12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:
12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108,
^C12:10:36.223461 IP midpay.midcorp.midday.com.netbios-ssn > 172.16.22.183.recipe: Flag
10. Capture Packets from a Specific Port

# tcpdump -i eth0 port 22

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 336420469
10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 429496724
10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 6
10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616,
10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780,
10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 6
11. Capture Packets from a Source IP

To capture packets from a source IP, say you want to capture packets for 192.168.0.2, use the command as follows.

# tcpdump -i eth0 src 192.168.0.2

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 336457884
10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168
10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168
10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4
12. Capture Packets for a Destination IP

To capture packets sent to a destination IP, say you want to capture packets for 50.116.66.139, use the command as follows.

# tcpdump -i eth0 dst 50.116.66.139

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win
10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ac
10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, opt
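As an added example covering sections 8 to 12, and not code from the article: the filters above narrow what tcpdump prints, but someone reviewing the output usually also wants a quick count of who is talking to whom. The POSIX sh functions below read tcpdump -n output from standard input and report packets per source host, and bare-SYN connection attempts per source together with the number of distinct destination ports each one touched, which is how a port scan stands out in this kind of listing. They assume -n output, so that addresses are numeric (resolved host names would not parse); service names in the port position, such as ssh, are simply treated as labels. The lines in SAMPLE are constructed for this example in the format shown on this page; the hosts are not the article's.

```shell
#!/bin/sh
# Added example (not from the TecMint article): summarise "tcpdump -n" text output.
# Assumes the line form "HH:MM:SS.usec IP a.b.c.d.port > w.x.y.z.port: Flags [..], ...".
# SAMPLE is constructed for this example, not captured from the article's hosts.

SAMPLE='12:07:03.952358 IP 172.16.25.126.22 > 172.16.25.125.49152: Flags [P.], seq 3500:3696, ack 1, win 227, length 196
12:07:03.952602 IP 172.16.25.125.49152 > 172.16.25.126.22: Flags [.], ack 196, win 65535, length 0
12:07:03.953311 IP 172.16.25.126.22 > 172.16.25.125.49152: Flags [P.], seq 196:504, ack 1, win 227, length 308
12:07:03.955425 IP 172.16.23.16.137 > 172.16.31.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:07:04.001000 ARP, Request who-has 172.16.25.1 tell 172.16.25.126, length 28
12:07:04.100000 IP 10.0.0.5.40001 > 172.16.25.126.22: Flags [S], seq 1, win 64240, length 0
12:07:04.100500 IP 10.0.0.5.40002 > 172.16.25.126.23: Flags [S], seq 1, win 64240, length 0
12:07:04.101000 IP 10.0.0.5.40003 > 172.16.25.126.25: Flags [S], seq 1, win 64240, length 0'

# awk helper shared by both reports: tcpdump appends the port to the address with a
# dot, so "a.b.c.d.port" -> "a.b.c.d". The trailing newline ends the function definition.
AWK_HOST='function host_of(s,   a) { split(s, a, "."); return a[1] "." a[2] "." a[3] "." a[4] }
'

# packets_per_source: prints "count src" for every IP packet on stdin, busiest source first.
# ARP and other non-IP lines are skipped because their second field is not "IP".
packets_per_source() {
    awk "$AWK_HOST"'
        $2 == "IP" { n[host_of($3)]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# syn_per_source: prints "count src distinct_dst_ports" for packets whose TCP flags are
# exactly [S] (a connection attempt with no ACK). Many bare SYNs from one source to many
# ports in a short window is the signature to look for when reviewing a capture.
syn_per_source() {
    awk "$AWK_HOST"'
        $2 == "IP" && $7 == "[S]," {
            src = host_of($3); n[src]++
            sub(/:$/, "", $5); split($5, d, ".")    # d[5] is the destination port
            key = src "|" d[5]
            if (!(key in seen)) { seen[key] = 1; dports[src]++ }
        }
        END { for (h in n) printf "%d %s %d\n", n[h], h, dports[h] }' | sort -rn
}

printf '%s\n' "$SAMPLE" | packets_per_source   # first line: 3 10.0.0.5
printf '%s\n' "$SAMPLE" | syn_per_source       # 3 10.0.0.5 3
```

On a live interface the same functions take their input from a pipe, for example tcpdump -n -l -i eth0 -c 1000 | packets_per_source: the -l option line-buffers tcpdump's standard output so the pipe receives each line as it is printed, and the "listening on ..." banner goes to standard error, so it never reaches awk. Adding -nn would also print ports numerically, which is what SAMPLE shows.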
21 Responses (Comments 10, Pingbacks 0)

Admin
@Admin, I think you should use these two tools to find out the network bandwidth source..
http://www.tecmint.com/install-iftop-bandwidth-monitoring-tool-in-rhel-centos-fedora/
http://www.tecmint.com/install-vnstat-and-vnstati-to-monitor-linux-network-traffic/

abhi
@Abhi, Here is the following command that will help you out.
# tcpdump -i eth0 port 22

Nilesh
hello!! M in a deep trouble. I need to do this tcp steganography in linux environment. Can you please tell me the required steps and commands? I need it urgent, please help.

Mohinder
Pankhuri, Please let us know how the steganography went. What commands did you find useful and what was the end result? Thank you and very good day to you.
Tecmint: Linux Howtos, Tutorials & Guides 2017. All Rights Reserved.
This work is licensed under a (cc) BY-NC license. The material on this site cannot be republished either online or offline without our permission.