tcpdump and UDP packets: the tcpdump utility and how to apply its filter options

Quite often a system administrator faces a situation in which, to complete the "picture", he needs a report on who is involved in transferring data over the network. Packet analyzer utilities let you track traffic and detect problems in such situations. One of them (and the most widespread) is tcpdump, the standard packet analyzer for Linux systems.

There are other tools for analysing network traffic, such as Wireshark and Tshark, which can be regarded as more advanced versions of tcpdump, but tcpdump itself remains the standard and is effective. With it you can capture packets, filter them by various criteria and display them. Note that for full access to packets tcpdump must be run as the superuser, since packets are low-level system objects. Beyond that, there are certain conditions, depending on the operating system, that permit (or do not permit) capturing all or only some packets, or expose only some information about them. Network equipment (network card, router, etc.) grants or denies access to packets, so it must have (or support) a mechanism for passing packet data up to the program level; it is through this mechanism that tcpdump and other packet analyzers work most efficiently. Incidentally, hardware interfaces that work in promiscuous mode, that is, in "unfiltered" mode, let the system kernel receive all packets, including those addressed to other computers and devices.

How tcpdump works

As already mentioned, tcpdump is the standard traffic-analysis utility on Linux distributions. Its author is Van Jacobson. Over the whole time of its use tcpdump has proven to be an effective and reliable tool, and today many similar tools use tcpdump's file format, pcap (from the libpcap library), as their main format for reading and writing traffic traces.

When run without an interface argument, tcpdump automatically picks one of the available network interfaces and analyses traffic on it. Therefore you need to check which interface is being analysed; otherwise specify the required interface manually. The utility can also be run in a mode without name resolution, which is useful when DNS is unavailable or unnecessary: otherwise reverse lookups slow tcpdump down and packets may be dropped before they can be analysed.

tcpdump options

The required network interface is selected with the -i option. To display the addresses of devices (computers, equipment) numerically, specify the -n option; this also helps when there are DNS problems. The -r option reads packet information from a file. For a detailed report on the packets, add -v. The -w option writes the packets to a file. Note that -w writes each packet only up to the snapshot length, so with the old default of 68 bytes the file contains little more than the packet headers. The -s option with a value at least as large as the MTU (for example 1514 for a full Ethernet frame, or 0 for the whole packet) lets you (together with -w) write the complete packets to the file. The text output for such data can be very large and complex in structure, so for processing it more specialised, higher-performance utilities are recommended.

The format of the tcpdump command is:

tcpdump [options] [filter expression]

The official documentation (man tcpdump) contains many examples of using the utility for various purposes, including building various compound filters.

It should also be noted that tcpdump (like any packet analyzer) can generate a very large volume of output and put a noticeable load on the machine, up to slowing it down. Therefore, when analysing traffic, take a rational approach: depending on the situation and the task (or problem), use filters, which are the most useful and most effective part of tcpdump's functionality.

The tcpdump keys most often used when running it are listed below (key, then description):

  • -a: try to convert network and broadcast addresses to domain names (a historical key that current tcpdump releases no longer have).
  • -e: print link-level data (MAC addresses, protocol, packet length); besides the IP addresses, the MAC addresses of the machines are shown.
  • -F file: use the filter stored in file. With this parameter, a filter given on the command line is ignored.
  • -i interface: the network interface used to capture packets. The default is the first configured interface (usually eth0); to capture on all interfaces use any. For local traffic you can also capture on the loopback interface lo.
  • -l: line-buffer standard output (stdout), for example to write it to a file while watching it:

shell# tcpdump -l | tee out.log    # watch tcpdump's output and save it to out.log

  • -N: do not print the domain part of host names. For example, tcpdump prints 'net' instead of 'net.library.org'.
  • -n: print IP addresses instead of host names.
  • -nn: also print port numbers instead of the protocol (service) names registered for them.
  • -p: do not switch the interface into promiscuous mode (the mode in which it receives all packets).
  • -q: print a minimum of information: usually the protocol name, where the packet came from and went to, and the amount of data transferred.
  • -r file: read traffic from a file saved earlier with -w instead of from an interface.
  • -S: print absolute rather than relative TCP sequence numbers (relative numbers count from the initial sequence number, ISN, of the connection).
  • -s snaplen: the number of bytes of each packet tcpdump processes. With a large value the output may not fit on the screen and becomes hard to read, so choose the value according to what you are looking for. Old versions captured the first 68 bytes (96 on SunOS), which covers the headers only; to capture the whole packet set 1514 bytes (the maximum Ethernet frame size) or 0. Current versions default to 262144 bytes.
  • -t: do not print a timestamp on each line.
  • -T type: interpret packets as the given type. Supported types include aodv, cnfp, rpc, rtp, rtcp, snmp, tftp, vat, wb.
  • -tt: print an unformatted timestamp (seconds since the epoch) on each line.
  • -tttt: print the time together with the date.
  • -v: print more detail (TTL, ID, header length and options; IP and ICMP header checksums are verified).
  • -vv: even more detail; useful when dealing with NFS and SMB.
  • -vvv: maximum detail.
  • -w file: save the packets to file in binary format. Compared with redirecting the text output, this is much faster and the data can be read by other programs, for example snort, but the file is not human-readable. The binary data can be sent to standard output with -w -.
  • -x: print each packet in hexadecimal, which is needed for detailed packet analysis. The amount of data printed depends on the -s parameter.
  • -xx: like -x, but also include the link-level header.
  • -X: print each packet in hex and ASCII. Useful when analysing an incident connected with a compromise, since it lets you see what text was transmitted at the time.
  • -XX: like -X, but also include the link-level header.
  • -c count: stop after the given number of packets has been captured.
  • -U: with -w, write each packet to the file as soon as it is captured; otherwise output is buffered and written only when the buffer fills or the capture ends.

tcpdump filters

Filters fall into the following classes:

host: a host address

port: the port on which packets should be captured

portrange: a range of ports

net: a network

tcpdump net 192.168.0.0/24

captures all traffic whose source or destination IP address is in the range 192.168.0.0/24

tcpdump port 80

captures all traffic on port 80.

Direction of traffic relative to the monitored object:

src: the sender

dst: the receiver

for example the filter

src host 172.31.25.200

captures traffic whose source IP address is 172.31.25.200

Protocol:

ether: the underlying Ethernet layer; as a rule this means the filter refers to hardware MAC addresses

ip: the IPv4 protocol

ip6: the IPv6 protocol

arp: the ARP protocol

tcp: the TCP protocol

udp: the UDP protocol

If no protocol is specified, traffic of all protocols is captured.

For example the filter

udp port 5060

captures UDP traffic on port 5060

Compound filters

To filter traffic more flexibly, you can use logical operations:

"AND": and (&&)

"OR": or (||)

"NOT": not (!), which inverts a value

The precedence of these operations is as follows:

the highest precedence belongs to inversion (not)

then logical and

the lowest precedence belongs to or.

The precedence can be changed with parentheses. When you use &&, || or ! (or parentheses) on the command line, quote the expression so that the shell does not interpret them.

(net 172.16.0.0/24 or host 172.31.0.5) and tcp port 80

captures TCP traffic using port 80 whose source or destination lies in 172.16.0.0/24 or is the host 172.31.0.5

(net 172.16.0.0/24 || host 172.31.0.5) && not tcp port 80

captures any traffic except TCP traffic on port 80 whose source or destination lies in 172.16.0.0/24 or is the host 172.31.0.5

tcpdump examples on Linux

Writing to and reading from a file

$ sudo tcpdump -w sshtrace.tcpdump tcp port 22

The file sshtrace.tcpdump is created in the current working directory. To display the information from the sshtrace.tcpdump file, use the -r option:

$ tcpdump -r sshtrace.tcpdump

Capture all traffic on the eth1 interface

$ tcpdump -i eth1

Capture traffic on a range of ports on the eth1 interface

$ tcpdump -i eth1 portrange 100-200

All traffic going to 172.16.0.1 that is not ICMP (the command itself is missing from the original; the filter matching this description is dst host 172.16.0.1 and not icmp).

tcpdump is a powerful command-line analyzer built on libpcap, a portable library for capturing network traffic. tcpdump prints a description of the contents of packets on a network interface that match a boolean expression. It can also be run with the -w flag, which saves the packet data to a file for later analysis, and/or with the -r flag, which reads packets from a saved file. With this utility you can intercept and analyse the network traffic that passes through the computer on which it runs.

In this topic, "Installing and using tcpdump", I'd like to talk about installing tcpdump, how to use it and why it is needed.

With tcpdump you can:

  • debug network programs;
  • debug the network or a network device as a whole.

To install tcpdump on debian/ubuntu/linux mint, you need to use:

# sudo apt-get install tcpdump

To install tcpdump on RedHat/CentOS/Fedora, run:

# sudo yum install tcpdump

To install tcpdump on macOS, run:

# brew install tcpdump

Using tcpdump.

To see what is going on on the network with tcpdump, you can run:

# tcpdump -i eth0 port 80

There are many keys for the tcpdump utility; I'll list the most common ones:

If you need to capture the packets exchanged between two servers (for example your_server_1 and your_server_2), use:

# tcpdump host your_server_1 and your_server_2

If you need only the outgoing packets from a host, use:

# tcpdump src host your_server

If you need only the incoming packets to a host, use:

# tcpdump dst host your_server

You can also sniff the outgoing or incoming packets of the server on a specific port: just add the port you need to sniff (most often 80 or 8080).

List the interfaces tcpdump can listen on:

# tcpdump -D

Listen on the eth0 interface:

# tcpdump -i eth0

Listen on any available interface (Linux kernel version 2.2 or more is required):

# tcpdump -i any

Verbose output on the screen (everything the program decodes):

# tcpdump -v

More verbose output:

# tcpdump -vv

Maximum verbosity:

# tcpdump -vvv

Print less protocol information, so lines are shorter than in the standard output:

# tcpdump -q

Capture up to 100 packets:

# tcpdump -c 100

Write all captured packets to the file named capture.cap:

# tcpdump -w capture.cap

Write all captured packets to the file named capture.cap and periodically report on the screen how many packets have been captured (with -w, -v does not print the packets themselves):

# tcpdump -v -w capture.cap

Read the packets from the capture.cap file:

# tcpdump -r capture.cap

Read the packets from the capture.cap file with as much information as possible:

# tcpdump -vvv -r capture.cap

Show IP addresses and ports instead of domain names while capturing:

# tcpdump -n

Capture any packets whose destination (dst) or, respectively, source (src) host is 192.138.1.1, showing IPs and ports:

# tcpdump -n dst host 192.138.1.1

# tcpdump -n src host 192.138.1.1

Capture any packets to or from the host 192.138.1.1, showing IPs and ports:

# tcpdump -n host 192.138.1.1

Capture packets whose destination or, respectively, source network is 192.138.1.0/24, showing IPs and ports:

# tcpdump -n dst net 192.138.1.0/24

# tcpdump -n src net 192.138.1.0/24

Capture packets to or from the network 192.138.1.0/24, showing IPs and ports:

# tcpdump -n net 192.138.1.0/24

Capture packets with destination port 23, showing IPs and ports:

# tcpdump -n dst port 23

Capture packets with destination ports 1 to 1023, showing IPs and ports:

# tcpdump -n dst portrange 1-1023

Capture only TCP packets with destination ports 1 to 1023, showing IPs and ports:

# tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets with destination ports 1 to 1023, showing IPs and ports:

# tcpdump -n udp dst portrange 1-1023

Capture packets with destination IP 192.138.1.1 and destination port 23:

# tcpdump -n "dst host 192.138.1.1 and dst port 23"

Capture packets with destination IP 192.138.1.1 and destination port 80 or 443:

# tcpdump -n "dst host 192.138.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

# tcpdump -v icmp

Capture any ARP packets:

# tcpdump -v arp

Capture either ICMP or ARP packets:

# tcpdump -v "icmp or arp"

Capture packets that are broadcast or multicast:

# tcpdump -n "broadcast or multicast"

Capture more of each packet (500 bytes) instead of the old default of 68 bytes (current tcpdump defaults to 262144 bytes, so this matters only on old versions):

# tcpdump -s 500

Capture all bytes of data in each packet:

# tcpdump -s 0

Heavy packet inspection:

# tcpdump -nnvvXSs 1514

Capture the ICMP packets of a ping (request and reply):

# tcpdump -nnvXSs 0 -c2 icmp

Output without many options:

# tcpdump -nS

Basic communication in verbose mode, good for getting familiar with the traffic when there is a lot of it:

# tcpdump -nnvvS

A deeper look at the traffic, adding -X for the payload:

# tcpdump -nnvvXS

Heavy packet viewing with an increased snaplength, capturing the whole packet:

# tcpdump -nnvvXSs 1514

You can also filter on specific parts of a packet and combine several conditions into groups. This is useful when you are looking only for SYNs or RSTs, for example, and for other extended ways to isolate traffic.

The following filters use byte offsets into the TCP header: tcp[13] is the flags byte (FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16, URG = 32), so "tcp[13] & 32 != 0" is true when the URG bit is set. Quote the expressions so the shell does not interpret & and !.

Show all URGENT (URG) packets:

# tcpdump "tcp[13] & 32 != 0"

Show all ACKNOWLEDGE (ACK) packets:

# tcpdump "tcp[13] & 16 != 0"

Show all PUSH (PSH) packets:

# tcpdump "tcp[13] & 8 != 0"

Show all RESET (RST) packets:

# tcpdump "tcp[13] & 4 != 0"

Show all SYNCHRONIZE (SYN) packets (this also matches SYN/ACK replies, since only the SYN bit is tested):

# tcpdump "tcp[13] & 2 != 0"

Show all FINISH (FIN) packets:

# tcpdump "tcp[13] & 1 != 0"

Show all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets, i.e. a flags byte of exactly SYN + ACK = 18:

# tcpdump "tcp[13] = 18"

Capture TCP flags using tcpdump's symbolic tcpflags names:

# tcpdump "tcp[tcpflags] & tcp-syn != 0"

Packets with exactly the RST and SYN flags set (a combination that should never occur; useful as a sanity check):

# tcpdump "tcp[13] = 6"

Traffic with the 'Evil Bit' (the reserved bit of the IP flags field, RFC 3514; a sanity check):

# tcpdump "ip[6] & 128 != 0"
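All of the flag filters above test the same byte. As an added example that is not part of the original article, the following shell functions generate such tcp[13] expressions from flag names and separate the three questions a practitioner usually asks: is any of these flags set, are all of them set, or are exactly these set. The function names, the flag-name spelling and the interface eth0 in the usage comment are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): build tcp[13] flag filters from
# flag names so the mask arithmetic is not done by hand. tcp[13] is the flags byte
# of the TCP header; libpcap accounts for the IPv4 header length (IHL), so the
# offset is correct even when IP options are present.

# Bit value of one TCP flag name as laid out in the flags byte (RFC 793 / RFC 3168).
tcp_flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ECE) echo 64 ;;
        CWR) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# OR together the bits of all flag names given as arguments.
tcp_flags_mask() {
    mask=0
    for name in "$@"; do
        bit=$(tcp_flag_bit "$name") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# Produce a tcpdump filter expression for the given mode and flags:
#   any    at least one of the flags is set         -> tcp[13] & M != 0
#   all    all of the flags are set, others free    -> tcp[13] & M = M
#   exact  exactly these flags among the six classic
#          ones; the ECN bits CWR/ECE are masked out because ECN-capable
#          hosts set them on SYNs, which "tcp[13] = 2" would miss -> tcp[13] & 63 = M
tcp_flags_filter() {
    mode=$1; shift
    mask=$(tcp_flags_mask "$@") || return 1
    case "$mode" in
        any)   echo "tcp[13] & $mask != 0" ;;
        all)   echo "tcp[13] & $mask = $mask" ;;
        exact) echo "tcp[13] & 63 = $mask" ;;
        *) echo "mode must be any, all or exact" >&2; return 1 ;;
    esac
}

# The page's examples regenerated. Note the difference between "any SYN", which
# also matches SYN/ACK replies, and "exact SYN", which matches only new
# connection attempts.
echo "URG set:        $(tcp_flags_filter any URG)"
echo "SYN set:        $(tcp_flags_filter any SYN)"
echo "SYN/ACK exact:  $(tcp_flags_filter exact SYN ACK)"
echo "bare SYN:       $(tcp_flags_filter exact SYN)"
echo "RST+SYN set:    $(tcp_flags_filter all RST SYN)"

# Usage on a live interface (needs root; the quotes keep the shell away from & and !):
#   sudo tcpdump -nn -i eth0 "$(tcp_flags_filter exact SYN)"
```

tcpdump's symbolic names (tcp[tcpflags], tcp-syn, tcp-ack and so on) can replace the numeric mask, but the arithmetic, and the any/all/exact distinction, is the same.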

On this note I'll finish my article "Installing and using tcpdump"; I hope everything was clear and understandable.

This tutorial shows how to isolate traffic in various ways: by IP, by port, by protocol and by application-layer traffic, so that you can find what you need as quickly as possible.

tcpdump is the tool everyone should learn as their base for packet analysis.

Install tcpdump with apt install tcpdump (Ubuntu) or yum install tcpdump (Redhat/Centos).

Let's start with a basic command that will get us HTTPS traffic:

tcpdump -nnSX port 443

04:45:40.573686 IP 78.149.209.110.27782 > 172.30.0.144.443: Flags [.], ack 278239097, win 28, options [nop,nop,TS val 939752277 ecr 1208058112], length 0
	0x0000:  4500 0034 0014 0000 2e06 c005 4e8e d16e  E..4........N..n
	0x0010:  ac1e 0090 6c86 01bb 8e0a b73e 1095 9779  ....l......>...y
	0x0020:  8010 001c d202 0000 0101 080a 3803 7b55  ............8.{U
	0x0030:  4801 8100                                H...

You can get a single packet with -c 1, or n packets with -c n.

This shows actual HTTPS traffic, with the hex display visible on the right portion of the output (alas, it's encrypted). Just remember: when in doubt, run the command above with the port you're interested in, and you should be on your way.

Examples

PacketWizard™ isn't really trademarked, but it should be.

Now that you can understand basic traffic, let's step through the numerous examples you'll need in order to do your job, stay sane, or become some kind of PacketWizard™.

Everything on an interface

Just see what's going on by looking at what's hitting your interface.

Or get all interfaces with -i any.

tcpdump -i eth0

Find Traffic by IP

One of the most common queries, using host, lets you see traffic going to or from 1.1.1.1.

Expression types:

host, net, and port.

Directions: src and dst.

Protocols: tcp, udp, icmp, and many more.

tcpdump host 1.1.1.1

06:20:25.593207 IP 172.30.0.144.39270 > one.one.one.one.domain: 12790+ A? google.com. (28)
06:20:25.594510 IP one.one.one.one.domain > 172.30.0.144.39270: 12790 1/0/0 A 172.217.15.78 (44)

If you only want traffic in one direction or the other, you can use src and dst.

tcpdump src 1.1.1.1
tcpdump dst 1.0.0.1

Finding Packets by Network

To find packets going to or from a particular network or subnet, use the net option.

You can combine this with the src and dst options as well.

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

Hex output is useful when you want to see the content of the packets in question, and it's often best used when you're isolating a few candidates for closer scrutiny.

tcpdump -c 1 -X icmp

Summary

Here are the main takeaways:

  1. tcpdump is a valuable tool for anyone looking to get into networking or information security.
  2. The raw way it interfaces with traffic, combined with the precision it offers in inspecting packets, makes it the best possible tool for learning TCP/IP.
  3. Protocol analyzers like Wireshark are great, but if you want to truly master packet-fu, you must become one with tcpdump first.

I truly hope this has been useful to you, and feel free to reach out if you have any questions.

notes

  1. I'm currently (sort of) writing a book on tcpdump for No Starch Press.
  2. Leading image is from SecurityWizardry.com.
  3. The set of isolation filters is borrowed from

The tcpdump utility is a very powerful and popular tool for capturing and analysing network packets. It lets you see all the packets entering and leaving a given interface, and it works from the command line. Of course, you could use Wireshark, a graphical utility, to analyse network packets, but in some situations you have to work in the terminal only.

tcpdump is in no way inferior to Wireshark and has every capability needed to analyse packets; moreover, you can save all packets to a file so that they can later be analysed with Wireshark itself. In this article we'll look at how to use tcpdump to capture network packets.

Some distributions ship the tcpdump command by default, but if yours doesn't, you can simply install it from the official repositories. For example, on Ubuntu/Debian:

sudo apt install tcpdump

For Fedora/Red Hat/CentOS:

sudo yum install tcpdump

Once the installation is complete, you can get to work.

tcpdump command

Before moving on to examples of using the utility, let's look at its syntax and main options. The command has the following syntax:

$ tcpdump options -i interface filter

When calling the utility you should pass the interface to listen on. If no interface is specified, the first one in the list is used. The options change the basic behaviour of the utility, and the filters let you discard unneeded packets. Now let's look at the main options:

  • -A: print each packet in ASCII;
  • -c: exit after the given number of packets has been received;
  • -C: when writing packets to a file, check the file size and, if it exceeds the given limit, start a new file;
  • -D: print the list of available network interfaces;
  • -e: print the link-level header for each packet, for example to see MAC addresses;
  • -f: print "foreign" IPv4 addresses numerically rather than as names;
  • -F: read the filter expression from a file instead of the command line;
  • -G: rotate the dump file after the given number of seconds;
  • -H: attempt to detect 802.11s mesh headers;
  • -I: put the interface into monitor mode (wireless interfaces) to capture all packets passing through it;
  • -i: the name of the interface to capture on; to capture packets on all interfaces, specify any;
  • -j: set the timestamp type used when capturing packets;
  • -J: list the timestamp types the interface supports;
  • -K: do not verify packet checksums;
  • -l: line-buffer the output;
  • -L: list the link-layer header types the interface supports;
  • -n: do not resolve addresses to domain names;
  • -r: read packets from a file created with -w;
  • -v, -vv, -vvv: increasingly detailed output;
  • -q: print a minimum of information;
  • -w: write the raw packets to a file;
  • -Z: the user to drop privileges to once the capture device is open; files are created as this user.

These are not all the options, but they are enough for most tasks. Much of the time we'll be working with filters. Filters let you keep only the types of packets you want to see: you can filter by IP address, protocol, network, interface and other parameters. Let's look at tcpdump filters in the examples.

How to use tcpdump

Before using tcpdump you need to find out which interfaces it can listen on. Run the command with the -D option (tcpdump -D):

Let's look at capturing traffic on the eth0 interface, the main interface that connects this machine to the Internet. The program needs superuser rights, so don't forget sudo:

sudo tcpdump -i eth0

To stop the command, press Ctrl+C. The captured packets appear in the output immediately. The entry for each packet looks like this:

13:03:41.795599 IP udp032919uds.hawaiantel.net.6881 > 192.168.1.2.52055: Flags [.], seq 640160396:640161844, ack 436677393, win 2050, options [...], length 1448

This format is typical of data packets; the remaining fields depend on the protocol. First comes the timestamp, then the protocol, then the sender's IP address and port, then the address and port of the receiver, in this case our computer. Then come additional TCP parameters and, at the end, the packet size in bytes. How much detail is displayed can be controlled with the -v option, for example:

sudo tcpdump -v -i eth0

Here the IP header information is printed:

IP (tos 0x0, ttl 64, id 50309, offset 0, flags [...], proto TCP (6), length 64)

We can see the packet's time to live (ttl), the protocol it carries (TCP, number 6), the total length and the header fields. The -vv option prints still more detail beyond these values.

After the options you can specify packet filters. The main parameters by which packets can be selected are:

  • host: a host name or address;
  • net: a network or subnet address;
  • port: a port number;
  • src: the parameter refers to the sender;
  • dst: the parameter refers to the receiver;
  • proto: a protocol number (for example, ip proto 6 selects TCP);
  • protocol qualifiers: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.

All of these can be combined with one another to narrow down the result. Let's look at some examples. To see only the packets addressed to our computer:

sudo tcpdump -i eth0 ip dst 192.168.1.2

We can also select packets sent to a particular host:

sudo tcpdump -i eth0 dst host google-public-dns-a.google.com

As you can see, these are DNS packets, and instead of TCP flags they carry useful information: the IP address of the host. You can also select packets coming from a host:

sudo tcpdump -i eth0 src host google-public-dns-a.google.com

Not much of the packet content is shown here; to see more, use the -v or -vv option:

sudo tcpdump -vv -i eth0 dst host google-public-dns-a.google.com

With the logical operators you can combine several filters into one. Note that and requires both conditions to hold for the same packet, so dst host X and src host X would match only packets the host sends to itself; to capture both directions of the exchange with a host, use or:

sudo tcpdump -i eth0 dst host google-public-dns-a.google.com or src host google-public-dns-a.google.com

Three operators are available, and, or and not, and parentheses can be used to set precedence. It isn't always necessary to write host: in many cases src or dst alone is enough and the utility works out what is meant. The same construction can be used for ports. For example, to capture all DNS requests and replies (port 53):

sudo tcpdump -vv -i eth0 port 53

You can do the same for HTTP (port 80):

sudo tcpdump -vv -i eth0 port 80

Of course, dst and src can be added here for more specific results. You can filter not just one port but a whole range of ports:

sudo tcpdump portrange 21-23

If you specify one of the protocols, only packets of that protocol are kept, for example tcp, udp or arp:

sudo tcpdump -vv arp

In the same way you can select all UDP packets:

sudo tcpdump -vv udp

A filter by network is also available:

sudo tcpdump net 192.168.1.0/24

In addition, you can filter packets by size, for example packets no larger than 32 bytes:

sudo tcpdump less 32

Or packets of at least 128 bytes:

sudo tcpdump greater 128

To save the captured packets to a file, use the -w option:

sudo tcpdump -i eth0 -w file.pcap

This file can be opened with any program that reads such files, for example Wireshark. To read the saved packets back, use the -r option:

sudo tcpdump -r file.pcap
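As an added example for the -w/-r round trip shown here (and for the earlier note that -w writes a binary format which other programs such as snort, Wireshark, editcap and mergecap can read), the following shell script is not part of any of the articles quoted on this page. It constructs a one-packet pcap file by hand, with a made-up ARP request as the packet, and then parses the record headers back the way tcpdump -r or Wireshark would. The file name, the timestamp, the MAC and IP addresses and the frame itself are all constructed for the example; tcpdump is only invoked at the end if it happens to be installed.

```shell
#!/bin/sh
# Added example (not from the quoted articles): the file tcpdump -w produces is a
# plain pcap file, which is why -r, Wireshark, editcap and mergecap can all read it.
# Assumes POSIX sh, printf and od. tcpdump itself is optional.

# Write a hex string (no spaces) to stdout as raw bytes.
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        pair=$(printf '%.2s' "$h")
        h=${h#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# Encode a decimal value as 4 little-endian bytes in hex. pcap fields are written
# in the host's byte order; the d4c3b2a1 magic below tells a reader "little-endian".
le32() {
    printf '%02x%02x%02x%02x' $(($1 & 255)) $((($1 >> 8) & 255)) \
        $((($1 >> 16) & 255)) $((($1 >> 24) & 255))
}

# Read 4 little-endian bytes at byte offset $2 of file $1 as a decimal number.
read_le32() {
    f=$1
    set -- $(od -An -tx1 -j "$2" -N 4 "$f")
    echo $((0x$4$3$2$1))
}

# Global header (24 bytes) + one record header (16 bytes) + the frame.
write_pcap() {
    # Constructed frame: Ethernet broadcast, EtherType 0x0806, ARP request
    # "who-has 192.168.1.1 tell 192.168.1.2" from MAC 02:00:00:00:00:01 (42 bytes).
    frame='ffffffffffff0200000000010806'
    frame="${frame}0001080006040001"        # htype, ptype, hlen, plen, op = request
    frame="${frame}020000000001c0a80102"    # sender MAC, sender IP
    frame="${frame}000000000000c0a80101"    # target MAC (unknown), target IP
    flen=$((${#frame} / 2))
    {
        hex_to_bin d4c3b2a1                 # magic: little-endian, microsecond timestamps
        hex_to_bin 02000400                 # format version 2.4
        hex_to_bin "$(le32 0)"              # thiszone (unused)
        hex_to_bin "$(le32 0)"              # sigfigs (unused)
        hex_to_bin "$(le32 65535)"          # snaplen the capture was made with (-s)
        hex_to_bin "$(le32 1)"              # link type 1 = Ethernet (tcpdump prints EN10MB)
        hex_to_bin "$(le32 1700000000)"     # ts_sec (constructed timestamp)
        hex_to_bin "$(le32 0)"              # ts_usec
        hex_to_bin "$(le32 "$flen")"        # incl_len: bytes saved (cut to snaplen by -s)
        hex_to_bin "$(le32 "$flen")"        # orig_len: bytes that were on the wire
        hex_to_bin "$frame"
    } > "$1"
}

pcap_snaplen()  { read_le32 "$1" 16; }
pcap_linktype() { read_le32 "$1" 20; }

# Walk the records like a reader does: each record is a 16-byte header followed by
# incl_len bytes of packet, so incl_len (not orig_len) is what advances the offset.
pcap_packet_count() {
    f=$1
    size=$(($(wc -c < "$f")))
    off=24
    n=0
    while [ "$off" -lt "$size" ]; do
        incl=$(read_le32 "$f" $((off + 8)))
        off=$((off + 16 + incl))
        n=$((n + 1))
    done
    echo "$n"
}

pcap=${TMPDIR:-/tmp}/arp-example.pcap
write_pcap "$pcap"
echo "$pcap: $(pcap_packet_count "$pcap") packet(s), linktype $(pcap_linktype "$pcap"), snaplen $(pcap_snaplen "$pcap")"
# If tcpdump is installed it reads the same file; -r needs no root privileges.
if command -v tcpdump >/dev/null 2>&1; then
    tcpdump -nn -e -r "$pcap"
fi
```

The 82-byte file this produces is accepted by any pcap reader; what -s changes in a real capture is only incl_len versus orig_len, which is why a truncated capture still parses but shows "truncated" packets.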

One more point deserves attention: the format in which packet contents are displayed. You can print the packets as ASCII with the -A option:

sudo tcpdump -A -i eth0

You can also print them in HEX and ASCII at the same time with -XX:

sudo tcpdump -XX -i eth0

Conclusions

In this article we looked at how to use tcpdump. It is a powerful network analyzer that works entirely from the command line. I hope this information was useful to you and that tcpdump is now much simpler to use; if you have questions, ask in the comments!

The tcpdump command is also called a packet sniffer.

The tcpdump command is available on many different UNIX operating systems. tcpdump can save the captured packets, so that they can be examined later. The saved file can be viewed with the same tcpdump command, or with open-source software such as Wireshark, which reads tcpdump's PCAP files.

Whatever your reason for using it, here is how the tcpdump command is used in practice.

1. Capture packets on a specific network interface with tcpdump -i

When the tcpdump command is run without any options, it captures the packets passing through the first interface it finds (see tcpdump -D); on Linux, -i any captures on all interfaces. The -i option of the tcpdump command lets you choose the Ethernet interface to capture on.

$ tcpdump -i eth1
12:59:41.967250 ARP, Request who-has free.msk.ispsystem.net tell gw.msk.ispsystem.net, length 46
12:59:41.967257 ARP, Request who-has reserve tell gw.msk.ispsystem.net, length 46
12:59:41..44141 > wdc-ns1.ispsystem.net.domain: 14799+ PTR? 184.48.146.82.in-addr.arpa. (44)
...

In this example, tcpdump captured all packets passing through the eth1 interface and printed them in the standard format.

Note:

The editcap utility (part of the Wireshark suite) selects or removes particular packets from a dump file and converts it to the specified format.

2. Capture only N packets with tcpdump -c

By default the tcpdump command keeps capturing packets until you interrupt it. With the -c option you can specify the number of packets to capture.

$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:01:35.165898 ARP, Request who-has 213.159.211.80 tell gw
:01:35..35123 > wdc-ns1.ispsystem.net.domain: 7254+ PTR? 80.211.159.213.in-addr.arpa. (45)
2 packets captured
7 packets received by filter
0 packets dropped by kernel

The tcpdump command captured only 2 packets on the eth0 interface.

Note:

Mergecap and TShark: mergecap is a capture-file tool that merges several capture files into a single dump file. tshark is a powerful command-line packet capture tool that can also analyse network traffic. It is shipped with the Wireshark network analyzer.

3. Print captured packets in ASCII with tcpdump -A

The following tcpdump syntax prints the packets in ASCII.

$ tcpdump -A -i eth0
13:03:06.516709 IP 213.132.93.178..vlsi-lm: Flags [.], ack 3120779210, win 254, length 0
E..([...]]......b...%.=...O.P.......
13:03:06..35313 > wdc-ns1.ispsystem.net.domain: 13562+ PTR? 178.93.132.213.in-addr.arpa. (45)
[...]@........x.....5.5)