Tcpdump Examples PDF
(2009-09-10, SimonLeinen)
tcpdump examples

Here are some more tcpdump examples for some more advanced use cases. For simple usage examples, see the main tcpdump topic.
8 packets captured
8 packets received by filter
0 packets dropped by kernel

The same command can be used with the predefined header field offset (icmptype) and the ICMP type field values (icmp-echo and icmp-echoreply):

root@myhost:~# tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
Join/Prune (3), upstream-neighbor: rarnes13F20x200.arnes.si
  1 group(s), holdtime: 3m30s
    group #1: SAP.MCAST.NET, joined sources: 85, pruned sources: 0
      joined source #1: hayakawa.lava.net(S)
      joined source #2: 64.251.62.34(S)
      joined source #3: 64.251.62.35(S)
      joined source #4: 64.251.62.36(S)
      joined source #5: ...
4 packets captured
4 packets received by filter
0 packets dropped by kernel
In the example above, all packets with the TCP SYN flag set are captured. Other flags (ACK, for example) might be set as well. Packets which have only the TCP SYN flag set can be captured like this:
kb.pert.geant.net/PERTKB/TcpdumpExamples
1/3
02/12/12
root@myhost:~# tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Same thing:

root@myhost:~# tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'
Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:
root@myhost:~# tcpdump -vn icmp and '(ip[2:2] > 50)' and '(ip[2:2] < 60)'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[no output]
tcpdumps were lis
will not produce the expected results, because the packets that we monitor are encapsulated in PPPoE frames. Of course, tcpdump can't locate IP protocol == ICMP at the normal offset in an Ethernet frame. We must therefore take the additional headers into account: 14 bytes for Ethernet and 8 bytes for PPPoE. The IP protocol field is located at offset 9 in the IP header, which gives offset 31 in the mirrored Ethernet frame. Therefore, ICMP packets (protocol 1) are captured with

root@myhost:~# tcpdump -vn ether[31]=1
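To see why the plain `icmp` keyword finds nothing on a PPPoE mirror port and why `ether[31] = 1` does, it helps to lay the bytes out. The Python below is an added example, not code from the page: it wraps one constructed 84-byte ping packet in a plain Ethernet frame and in an Ethernet/PPPoE-session frame and then reads the IP protocol byte and the `ip[2:2]` total length at the offsets the page derives (14 + 8 + 9 = 31). It also generalises the arithmetic to an 802.1Q-tagged frame (offset 27), which the page does not cover; the MAC addresses, session id and VLAN id are made up for the example.

```python
import struct

ETH_HDR_LEN = 14      # dst MAC, src MAC, ethertype
VLAN_TAG_LEN = 4      # 802.1Q tag (generalisation, not on the page)
PPPOE_HDR_LEN = 8     # 6-byte PPPoE session header + 2-byte PPP protocol field
IP_TOTAL_LEN_OFF = 2  # ip[2:2]
IP_PROTO_OFF = 9      # ip[9]
IPPROTO_ICMP = 1

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021

EXTRA_HEADER = {"ethernet": 0, "vlan": VLAN_TAG_LEN, "pppoe": PPPOE_HDR_LEN}


def ipv4_icmp_echo(data_len=56):
    """IPv4 + ICMP echo request with data_len payload bytes (84 bytes total for a default ping)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(data_len)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                      b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02")   # constructed addresses
    return hdr + icmp


def ethernet(ethertype, payload):
    """Ethernet II frame with constructed MAC addresses."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload


def encapsulate(ip_packet, encap):
    """Wrap an IP packet the way it appears on the wire for each encapsulation."""
    if encap == "ethernet":
        return ethernet(ETHERTYPE_IPV4, ip_packet)
    if encap == "vlan":
        tag = struct.pack("!HH", 0x0064, ETHERTYPE_IPV4)          # VLAN 100, then the inner ethertype
        return ethernet(ETHERTYPE_VLAN, tag + ip_packet)
    if encap == "pppoe":
        # ver=1/type=1 (0x11), code 0 = session data, session id, length of the PPP payload
        pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ip_packet) + 2)
        return ethernet(ETHERTYPE_PPPOE_SESSION, pppoe + struct.pack("!H", PPP_PROTO_IPV4) + ip_packet)
    raise ValueError(encap)


def ip_proto_offset(encap):
    """The N in 'ether[N]' that addresses the IP protocol byte: 23 plain, 27 VLAN, 31 PPPoE."""
    return ETH_HDR_LEN + EXTRA_HEADER[encap] + IP_PROTO_OFF


def ip_total_length(frame, encap):
    """Equivalent of ip[2:2] once the extra header has been skipped."""
    off = ETH_HDR_LEN + EXTRA_HEADER[encap] + IP_TOTAL_LEN_OFF
    return struct.unpack("!H", frame[off:off + 2])[0]


def ip_len_between(frame, encap, low, high):
    """'(ip[2:2] > low) and (ip[2:2] < high)' evaluated at the right offset."""
    return low < ip_total_length(frame, encap) < high


def keyword_icmp_matches(frame):
    """What the plain 'icmp' keyword checks on an Ethernet capture: ethertype IPv4 and ether[23] == 1."""
    return frame[12:14] == struct.pack("!H", ETHERTYPE_IPV4) and frame[23] == IPPROTO_ICMP


def ether31_matches(frame):
    """The page's workaround for the PPPoE case: 'ether[31] = 1'."""
    return len(frame) > 31 and frame[31] == IPPROTO_ICMP


if __name__ == "__main__":
    ping = ipv4_icmp_echo()
    for encap in EXTRA_HEADER:
        frame = encapsulate(ping, encap)
        print(f"{encap:9s} proto at ether[{ip_proto_offset(encap)}], "
              f"'icmp' keyword: {keyword_icmp_matches(frame)}, ether[31]=1: {ether31_matches(frame)}")
```

Note that `ether[31] = 1` is only correct for the PPPoE layout: on a plain Ethernet frame byte 31 falls inside the IP destination address, so the same expression would match unrelated traffic there.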
leinen@bonadea[leinen]; sudo tcpdump -s 0 -i tun0 -c 10 -w - -U | tee foo.pcap | tcpdump -n -r -
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
reading from file -, link-type LINUX_SLL (Linux cooked)
11:04:19.980160 IP 130.59.28.18 > 130.59.10.36: ICMP echo request, id 32872, seq 65, length 64
11:04:19.984536 IP 130.59.10.36 > 130.59.28.18: ICMP echo reply, id 32872, seq 65, length 64
11:04:20.984104 IP 130.59.28.18 > 130.59.10.36: ICMP echo request, id 32872, seq 66, length 64
11:04:20.987571 IP 130.59.10.36 > 130.59.28.18: ICMP echo reply, id 32872, seq 66, length 64
11:04:21.992102 IP 130.59.28.18 > 130.59.10.36: ICMP echo request, id 32872, seq 67, length 64
11:04:21.995676 IP 130.59.10.36 > 130.59.28.18: ICMP echo reply, id 32872, seq 67, length 64
11:04:22.996109 IP 130.59.28.18 > 130.59.10.36: ICMP echo request, id 32872, seq 68, length 64
11:04:22.999714 IP 130.59.10.36 > 130.59.28.18: ICMP echo reply, id 32872, seq 68, length 64
11:04:24.004176 IP 130.59.28.18 > 130.59.10.36: ICMP echo request, id 32872, seq 69, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
11:04:24.007083 IP 130.59.10.36 > 130.59.28.18: ICMP echo reply, id 32872, seq 69, length 64
leinen@bonadea[leinen]; ls -l foo.pcap
-rw-r--r-- 1 leinen leinen 1184 2008-11-28 11:04 foo.pcap
Explanation: The first tcpdump call captures the packets and dumps the (binary) data to standard output (-w -). The -U (unbuffered) flag causes each packet to be written out immediately, circumventing the normal output buffering. This preserves the real-time characteristics better. The binary packets are piped to the tee command, which writes them to a file (foo.pcap) and at the same time outputs them again on standard output. From there, they are decoded using tcpdump -r -.

-- MatjazStraus - 01 Oct 2007
-- SimonLeinen - 28 Nov 2008
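What flows through that pipe is the pcap file format: a 24-byte global header, then a 16-byte record header in front of every packet. The Python below is an added example (not code from the page or from tcpdump) that writes and reads that format for ten constructed Linux-cooked (LINUX_SLL) packets shaped like the ping traffic in the session: a 16-byte cooked header plus an 84-byte IPv4/ICMP echo with 56 data bytes, which is the "length 64" tcpdump prints. That makes every record 16 + 100 bytes, so a 10-packet file is 24 + 10 × 116 = 1184 bytes, exactly the size in the `ls -l` listing. The addresses, id and sequence numbers are taken from the listing; the timestamps, MAC-level fields and packet-type values are made up for the example, and `flush()` after each record plays the role of -U.

```python
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4        # native-order magic, microsecond timestamps
LINKTYPE_LINUX_SLL = 113       # "Linux cooked", as in the listing
SLL_HDR_LEN = 16
ARPHRD_NONE = 65534            # the arptype from the WARNING line
ETHERTYPE_IPV4 = 0x0800


def sll_header(packet_type=0):
    """16-byte Linux cooked header: packet type, ARPHRD type, address length, 8-byte address, protocol."""
    return struct.pack("!HHH8sH", packet_type, ARPHRD_NONE, 0, bytes(8), ETHERTYPE_IPV4)


def icmp_echo(src, dst, icmp_type, ident, seq, data_len=56):
    """IPv4 + ICMP echo; 56 data bytes give ICMP 'length 64' and an 84-byte IP packet."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + bytes(data_len)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return hdr + icmp


def write_pcap(stream, records, snaplen=65535, linktype=LINKTYPE_LINUX_SLL):
    """Emit what 'tcpdump -w -' writes: global header, then record header + bytes per packet."""
    stream.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in records:
        stream.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        stream.write(data)
        stream.flush()      # like -U: each record leaves immediately, so tee and the reader see it


def read_pcap(stream):
    """What 'tcpdump -r -' consumes: returns (linktype, [(ts_sec, ts_usec, data), ...])."""
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack("<IHHiIII", stream.read(24))
    if magic != PCAP_MAGIC:
        raise ValueError("not a native-order pcap stream: magic %#x" % magic)
    records = []
    while True:
        rec_hdr = stream.read(16)
        if len(rec_hdr) < 16:       # clean end of stream (or a truncated record header)
            break
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", rec_hdr)
        records.append((ts_sec, ts_usec, stream.read(incl_len)))
    return linktype, records


def expected_pcap_size(n_packets, packet_len):
    """Global header + per-record header + captured bytes, all records the same length."""
    return 24 + n_packets * (16 + packet_len)


def build_ping_capture(pairs=5, ident=32872, first_seq=65):
    """Constructed stand-in for the tun0 session: 5 request/reply pairs = 10 cooked-mode packets."""
    a, b = bytes([130, 59, 28, 18]), bytes([130, 59, 10, 36])
    records, base = [], 1227870259                    # constructed base timestamp
    for i in range(pairs):
        seq = first_seq + i
        records.append((base + i, 980160, sll_header(0) + icmp_echo(a, b, 8, ident, seq)))   # request
        records.append((base + i, 984536, sll_header(4) + icmp_echo(b, a, 0, ident, seq)))   # reply
    return records


def roundtrip(records):
    """Write records to an in-memory stream and read them back; returns (size, linktype, records)."""
    buf = BytesIO()
    write_pcap(buf, records)
    size = buf.tell()
    buf.seek(0)
    linktype, back = read_pcap(buf)
    return size, linktype, back


if __name__ == "__main__":
    size, linktype, back = roundtrip(build_ping_capture())
    print(f"{len(back)} packets, link type {linktype}, {size} bytes "
          f"(expected {expected_pcap_size(10, SLL_HDR_LEN + 84)})")
```

Replacing the BytesIO with `sys.stdout.buffer` turns `write_pcap` into a producer that `tcpdump -n -r -` can decode directly, which is the same role the first tcpdump plays in the pipeline above.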