Packet capturing with tcpdump

tcpdump – a utility for intercepting and analyzing network traffic.

It must be run with root rights. In Ubuntu you can prefix each command with “sudo”, or switch to the root user straight away:

sudo -i

Below are examples of running tcpdump.
Running on a specific network interface:

tcpdump -i eth0
/usr/sbin/tcpdump -i eth0

Capture only traffic to or from the specified addresses, or exclude addresses:

tcpdump host ADDRESS
tcpdump host ADDRESS and ADDRESS
tcpdump host ADDRESS or ADDRESS
tcpdump not host ADDRESS
tcpdump ether host e0:cb:4e:c3:7c:44

Specifying the port:

tcpdump port 80

Filtering by protocol type (arp/rarp/ip/tcp/udp/icmp/wlan/multicast/broadcast), e.g.:

tcpdump arp
tcpdump arp and broadcast
tcpdump -i eth0 icmp

ARP requests:

tcpdump -n -i eth0 -e arp

Write the result to a file (the sender address in the file can later be changed with the “tcprewrite” utility and the file replayed with “tcpreplay”):

tcpdump -w "/home/user/tcpdump/"`date "+%Y-%m-%d-%H-%M"`-http.pcap

Specifying the VLAN:

tcpdump vlan 100

DHCP:

tcpdump -n -i ens2f1 port 67 and port 68 -vvvv
tcpdump -n -e -i ens2f1 port 67 and port 68 and ether host 14:da:e9:33:c4:c9 -vvvv
tcpdump port 67 or port 68 -e -n
tcpdump -i eth0 '((port 67 or port 68) and (udp[8:1] = 0x1))' -vvv -s 1500 | grep 00:00:12:00:12:45

FreeRadius:

tcpdump -i eth0 port 1812 or port 1813 or port 3799
tcpdump -i eth0 port 1812 or port 1813 or port 3799 | grep 'Access-Request (1)'

Other examples:

tcpdump -s 1500 -c 30000 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
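The byte-offset expressions in the DHCP filter (udp[8:1] = 0x1) and the HTTP filter above are easy to misread, so here is the same arithmetic carried out in Python on constructed frames. This is an added example, not part of the original post or of tcpdump; the frames are built inline and are not captured traffic.

```python
import struct

# Constructed sample frames (not captured traffic): 14-byte Ethernet + IPv4 + TCP/UDP.
def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    total_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def build_tcp(dport, data, data_offset=5):
    # data_offset is the TCP header length in 32-bit words (5 = no options)
    hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, data_offset << 4, 0x18, 65535, 0, 0)
    return hdr + data

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_has_payload(frame):
    """Equivalent of the HTTP filter:
    tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
    In BPF, ip[...] offsets are relative to the IP header, tcp[...] to the TCP header."""
    ip = frame[14:]
    if ip[9] != 6:                        # IP protocol field: 6 = TCP
        return False
    ihl = (ip[0] & 0xf) << 2              # IP header length in bytes
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if 80 not in (sport, dport):
        return False
    total = struct.unpack("!H", ip[2:4])[0]   # ip[2:2] = total length
    doff = (tcp[12] & 0xf0) >> 2              # TCP header length in bytes (options included)
    return (total - ihl - doff) != 0          # non-zero => segment carries data

def is_bootp_request(frame):
    """Equivalent of the DHCP filter: (port 67 or port 68) and udp[8:1] = 0x1.
    udp[8] is the first byte after the 8-byte UDP header: the BOOTP 'op' field."""
    ip = frame[14:]
    if ip[9] != 17:                       # 17 = UDP
        return False
    ihl = (ip[0] & 0xf) << 2
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if not ({sport, dport} & {67, 68}):
        return False
    return udp[8] == 1                    # 1 = BOOTREQUEST, 2 = BOOTREPLY
```

A TCP segment that carries only options (data offset greater than 5) still yields zero here, which is why the filter uses the data offset rather than a fixed 20-byte header.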

I’ll describe the possible startup options:
-a Convert network and broadcast addresses to domain names.
-i The interface to listen on.
-c Exit after the specified number of packets have been received.
-v, -vv, -vvv Output more detailed information.
-q Quiet mode: only a summary is displayed.
-t Do not display a timestamp on each line.
-tttt Display the time together with the date.
-n Do not resolve host addresses to domain names.
-nn Display the port number instead of the protocol name it is mapped to.
-N Allow resolution of host domain names.
-e Display link-layer data (MAC addresses, protocol, packet length).
-w Record the capture in binary format to a file. The file can then be opened in analysis programs, for example Wireshark.
-r Read traffic from a file instead of an interface.
-s The number of bytes of each packet that tcpdump will capture (the snap length).
-x Display packets in hexadecimal.
