tcpdump to a file. Filtering the airwaves! Auditing traffic with tcpdump

The tcpdump command is also called a packet sniffer.

The tcpdump command is available on many different UNIX-like operating systems. tcpdump can save captured packets to a file, so the capture can be kept for later analysis. The saved file can be read back with tcpdump itself. Network security tools with pcap-compatible readers, such as Wireshark, can also read tcpdump PCAP files.

Here are several practical uses of the tcpdump command.

1. Capturing packets on a specific network interface with tcpdump -i

When tcpdump is run without any options, it captures all packets passing through all interfaces. The -i option lets you restrict the capture to a specific Ethernet interface.

$ tcpdump -i eth1
12:59:41.967250 ARP, Request who-has free.msk.ispsystem.net tell gw.msk.ispsystem.net, length 46
12:59:41.967257 ARP, Request who-has reserve tell gw.msk.ispsystem.net, length 46
12:59:41..44141 > wdc-ns1.ispsystem.net.domain: 14799+ PTR? 184.48.146.82.in-addr.arpa. (44)
...

In this example tcpdump captured all packets flowing through the eth1 interface and printed them to standard output.

Note:

The editcap utility is designed to select or remove specific packets from a capture file and convert it to a specified format.

2. Capturing only N packets with tcpdump -c

When run without options, tcpdump keeps capturing packets until you stop it. With the -c option you can specify the number of packets to capture.

$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:01:35.165898 ARP, Request who-has 213.159.211.80 tell gw
:01:35..35123 > wdc-ns1.ispsystem.net.domain: 7254+ PTR? 80.211.159.213.in-addr.arpa. (45)
2 packets captured
7 packets received by filter
0 packets dropped by kernel

Here tcpdump captured only 2 packets on the eth0 interface and then exited.

Note:

Mergecap and TShark: mergecap is a packet capture tool that merges multiple capture files into a single dump file. tshark is a powerful packet capture tool that can be used to analyze network traffic. It ships with the Wireshark network analyzer.

3. Displaying captured packets in ASCII with tcpdump -A

The following tcpdump syntax prints each captured packet in ASCII.

$ tcpdump -A -i eth0
13:03:06.516709 IP 213.132.93.178..vlsi-lm: Flags [.], ack 3120779210, win 254, length 0
E..( [email protected]]......b...%.=...O.P.......
13:03:06..35313 > wdc-ns1.ispsystem.net.domain: 13562+ PTR? 178.93.132.213.in-addr.arpa. (45)
[email protected]@........x.....5.5

..., where proto is the name of the protocol, ... part of the packet. Note that increasing the capture size (snaplen) adds processing time per packet and reduces the number of packets that can be buffered, which can lead to packets being dropped. Use the smallest snaplen that still captures the protocol information you need. Setting snaplen to 0 captures entire packets.

-T<type> forces packets selected by the filter to be interpreted as the specified type. Currently supported types are aodv, cnfp, rpc, rtp, rtcp, snmp, tftp, vat and wb.

-t suppresses the timestamp on each line of the dump.

-tt prints an unformatted timestamp on each line of the dump.

-ttt prints the time interval (in microseconds) between the previous and the current packet on each line of the dump.

-tttt prints the timestamp in the default format on each line of the dump.

-u prints undecoded NFS handles.

-U enables "packet-buffered" mode for files saved with the -w option. In this mode each packet is written to the output file as soon as it is captured (without waiting for the output buffer to fill). The -U flag is not supported if tcpdump was compiled with an old libpcap that lacks the pcap_dump_flush() function.

-v prints additional information when parsing packets. This may include the TTL (time to live), identification, total length and IP options. Enabling this flag also turns on additional packet integrity checks using checksums (for example, for the IP and ICMP protocols).

-vv prints even more information (for example, full decoding of SMB packets, additional fields of NFS replies, etc.).

-vvv prints the maximum amount of information (for example, telnet SB ... SE options are printed in full). When used together with -X, telnet options are also printed in hexadecimal.

-w<file> writes raw packets to the file. The file can be read later with the -r flag or passed to other programs for analysis (for example, Ethereal). If the file name is a single dash (-), the packets are written to standard output (stdout).

-x prints each captured packet (without the link-layer header) as a hex dump. The amount of data printed is the smaller of the whole packet and the snaplen value. Note that when whole link-layer frames are captured, the dump may also include padding bytes, because link-layer packets have a minimum size.

-xx prints each captured packet as a hex dump, including the link-layer header.

-X prints the dump in hexadecimal and ASCII without the link-layer header. This option is especially useful when analyzing new protocols.

-XX prints the dump in hexadecimal and ASCII including the link-layer header.

-y<type> sets the link-layer type to use when capturing packets. The available values can be listed with the -L flag.

Examples

  • Capture all outgoing traffic

tcpdump -i re0 -n -nn -ttt dst host 192.168.1.2

  • Capture all outgoing traffic except our own SSH session, so that its large data stream does not get in the way

tcpdump -i re0 -n -nn -ttt 'dst host 192.168.1.110 and not (src host 192.168.1.2 and dst port 22)'

  • Watch DNS queries

tcpdump -i re0 -n -nn -ttt 'host 192.168.1.110 and port 53'

  • Watch ICMP packets

tcpdump -i re0 -n -nn -ttt 'ip proto \icmp'

  • Traffic from the 10.7.20.x network destined for the 10.7.0.x or 10.7.24.x networks

tcpdump -nvX 'src net 10.7.20.0/24 and (dst net 10.7.0.0/24 or 10.7.24.0/24)'

  • Traffic from 10.7.0.0 to destination port 22 or 4589:

tcpdump 'src 10.7.0.0 and (dst port 22 or 4589)'

  • Watch traffic on an interface:
  • Watch the traffic of one host:

tcpdump host 192.168.1.1

  • Watch traffic on a port:

tcpdump src port 80

  • Watch IP traffic to a host:

tcpdump ip host 192.168.1.2

  • Watch ARP traffic to a host:

tcpdump arp host 192.168.1.2

  • Watch RARP traffic to a host:

tcpdump rarp host 192.168.1.2

  • Watch all traffic except for host pav253

tcpdump not host pav253

  • Watch traffic to or from pav253 and pav210

tcpdump host pav253 or host pav210

  • Watch the contents of packets on the re0 interface to host site

tcpdump -X -i re0 host site

  • ICQ traffic

tcpdump -X -i re0 port aol

  • Watch the contents of packets on the tun0 interface to host ya.ru, reading 1500 bytes of each packet and not resolving IP addresses to hostnames

tcpdump -X -s 1500 -n -i re0 host site

  • Top active hosts

tcpdump -tn -c 10000 -i re0 tcp or udp | awk -F "." '{print $1"."$2"."$3"."$4}' | \
    sort | uniq -c | sort -nr | awk '$1 > 100'

  • Watch all TCP packets with the SYN flag set (session start).

tcpdump -i eth0 -nn 'tcp[13] == 2 and src net 192.168.1.0/24'

  • Watch SYN and FIN packets from outside the local network

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net 192.168.1.0'

  • Watch all IPv4 HTTP packets to and from port 80, excluding packets that carry no data (SYN, FIN and ACK-only packets)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

  • Watch only SYN packets

WHY TCPDUMP?

tcpdump is the premier network analysis tool for information security professionals. Anyone who wants to really understand TCP/IP needs to know this important program well. Many people prefer to use higher-level tools such as Wireshark, but I believe that is a mistake.

When you use a tool that shows traffic in a natural way, the burden of analysis falls on the person, not on the application. As an advocate of developing a deep understanding of the TCP/IP suite, I strongly recommend using tcpdump instead of other tools whenever possible.

15:31:34.079416 IP (tos 0x0, ttl 64, id 20244, offset 0, flags, proto: TCP(6), length: 60)
    source.35970 > dest.80: S, cksum 0x0ac2 (4ct) 2647022145(0) win 5840
    0x0000: 4500 003C 4006 7417 0AFB 0257 E..
    0x0010: 4815 222A 8C82 0050 9DC6 5A41 0000 0000 h."*...P..za................
    0x0030: 14b4 1555 0000 0000 0103 0302

BASICS

Below is a list of the options you can use to configure tcpdump. They are easy to forget and/or confuse with other types of filters, for example Wireshark's, so this page may be a useful reference. Here are the main ones I like to keep in mind, depending on what I am looking at.

OPTIONS

  • -i any: listen on all interfaces to see whether you are seeing any traffic at all.
  • -i eth0: listen on the eth0 interface.
  • -D: show the list of available interfaces.
  • -n: show IP addresses instead of hostnames.
  • -nn: show IP addresses and port numbers instead of hostnames and protocol names.
  • -q: show the minimum amount of information about each packet.
  • -t: do not print a timestamp on each line.
  • -tttt: print timestamps in the default format on each line.
  • -X: show the packet contents in both hex and ASCII.
  • -XX: same as -X, but also show the Ethernet header.
  • -v, -vv, -vvv: increase the amount of information printed about packets.
  • -c: capture only x packets, then stop.
  • -s: set the snaplength (capture size) in bytes. Use -s0 to capture everything so that nothing is truncated.
  • -S: print absolute sequence numbers.
  • -e: also show the Ethernet header.
  • -q: show minimal information about each packet.
  • -E: decrypt IPsec traffic by providing the encryption key.

[The default snaplength for tcpdump 4.0 changed from 68 bytes to 96 bytes. This gives you more of each packet, but still not all of it. Use -s1514 or -s0 to get everything.]

EXPRESSIONS

In tcpdump, expressions let you filter for different kinds of traffic and find exactly what you are looking for. Mastering expressions and learning to combine them creatively is what makes tcpdump truly powerful.

There are three main types of expressions: type, dir and proto.

Type options are: host, net and port.

Direction lets you specify src, dst, or a combination of both.

Proto lets you specify: tcp, udp, icmp, ah and many more.

EXAMPLES

So now that we have covered the options, let's look at some real-world examples of the kind we are likely to encounter in everyday work.

BASIC INFORMATION

Just see what is happening by looking at all interfaces.

# tcpdump -i any

SPECIFIC INTERFACE

The basic view of what is happening on a specific interface.

# tcpdump -i eth0

RAW OUTPUT

Verbose output without resolving hostnames or port numbers, with absolute sequence numbers and human-readable timestamps.

# tcpdump -ttttnnvvS

FIND TRAFFIC BY IP

One of the most common queries; it shows you traffic from 1.2.3.4, whether it is the source or the destination.

# tcpdump host 1.2.3.4

SEE MORE PACKET DETAIL WITH HEX OUTPUT

Hex output is useful when you want to see the contents of the packets in question, and it is often best used when you have isolated a few candidates for closer inspection.

# tcpdump -nnvXSs 0 -c1 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet),
23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, 43, 4). > 72.21.34.42: icmp 64: echo request seq 0
    0x0000: 4520 0054 882b 0000 3001 7cf5 45fe d52b E..T.+..0.|.E..+
    ... 0200 000 "..50"..%.. D
    0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 ...........!"#
    0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435 3637 4567
1 packets captured
... packets dropped by kernel

FILTERING BY SOURCE AND DESTINATION

Finding traffic by source or destination is even easier using src and dst.

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

PACKETS BY NETWORK

To find packets going to or from a particular network, use the net option. You can combine it with src or dst.

# tcpdump net 1.2.3.0/24

SHOW TRAFFIC FROM A SPECIFIC PORT

You can find traffic on a specific port using the port option followed by the port number.

# tcpdump port 3389
# tcpdump src port 1025

SHOW TRAFFIC OF ONE PROTOCOL

If you are looking for one specific type of traffic, you can use tcp, udp, icmp and many others.

# tcpdump icmp

SHOW IPv6 TRAFFIC

You can also find all IPv6 traffic using the protocol option.

FIND TRAFFIC USING PORT RANGES

You can also use a range of ports to find traffic.

# tcpdump portrange 21-23

FIND TRAFFIC BASED ON PACKET SIZE

If you are looking for packets of a particular size, you can use these options. You can use less, greater, or their equivalent mathematical symbols.

# tcpdump less 32
# tcpdump greater 64
# tcpdump 'len <= 128'

WRITING CAPTURES TO A FILE

It is often useful to save packet captures to a file for later analysis. These files are known as PCAP (PEE-cap) files, and they can be processed by hundreds of different applications, including network analyzers, intrusion detection systems and, of course, tcpdump itself. Here we write to a file named capture_file using the -w switch.

# tcpdump port 80 -w capture_file

READING PCAP FILES

You can read PCAP files using the -r switch. Note that you can use all the regular tcpdump commands when reading from a file; you are only limited by the fact that you cannot capture and process what does not already exist in the file.

# tcpdump -r capture_file

ADVANCED

Now that we have covered the basics with a few examples, let's look at some more advanced things.

IT'S ALL ABOUT COMBINATIONS

Being able to do these things individually is a powerful capability, but the real magic of tcpdump comes from the ability to combine options in creative ways to isolate exactly what you are looking for. There are three ways to build combinations, and if you have done any programming you will already be familiar with them.

AND
and or &&

OR
or or ||

EXCEPT
not or !

Here are a few examples of combined commands.

FROM A SPECIFIC IP AND DESTINED FOR A SPECIFIC PORT

Let's find all traffic from 10.5.2.3 going to any host on port 3389.

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

FROM ONE NETWORK TO ANOTHER

Let's look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and show hex output with no hostname resolution and one level of extra verbosity.

tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

NON-ICMP TRAFFIC GOING TO A SPECIFIC IP

This shows us all traffic going to 192.168.0.2 that is not ICMP.

tcpdump dst 192.168.0.2 and not icmp

TRAFFIC FROM A HOST THAT IS NOT ON A SPECIFIC PORT

This shows us all traffic from a host that is not SSH traffic (assuming the default port).

tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out exactly what you are looking for and then build the syntax to isolate that specific type of traffic.

Complex grouping and special characters

Also keep in mind that when building complex queries you may need to group your options using single quotes. Single quotes are used to tell tcpdump to ignore certain special characters, in this case the "()" brackets. This same technique can be used to group other expressions such as host, port, net, etc. Look at the command below.

# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (wrong)
tcpdump src 10.0.2.4 and (dst port 3389 or 22)

If you tried to run this otherwise perfectly good command, you would get an error because of the parentheses. You can fix this by escaping the parentheses (putting a backslash before each one) or by putting the whole command in single quotes:

# Traffic that's from 10.0.2.4 AND destined for ports 3389 or 22 (correct)
# tcpdump "src 10.0.2.4 and (dst port 3389 or 22)"
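As an added example (not code from the original page), the following POSIX shell functions build the grouped source-network/destination-networks filter with the parentheses tcpdump needs and hand it to tcpdump as a single quoted argument; the function names are my own, and the last function assumes tcpdump is installed and run with capture privileges.

```shell
# Added example, not from the original page. Builds grouped tcpdump filters
# and passes them to tcpdump as ONE argument, so the shell never interprets
# the parentheses. Function names (dst_nets, net_to_nets_filter,
# capture_net_to_nets) are my own choices.

# dst_nets NET...  ->  (dst net NET1 or dst net NET2 ...)
dst_nets() {
    [ $# -gt 0 ] || return 1
    out=""
    for n in "$@"; do
        if [ -z "$out" ]; then
            out="dst net $n"
        else
            out="$out or dst net $n"
        fi
    done
    printf '(%s)' "$out"
}

# net_to_nets_filter SRC DST...  ->  src net SRC and (dst net DST1 or ...)
# The parentheses matter: tcpdump binds "and" tighter than "or", so
# "src net A and dst net B or dst net C" would also match traffic to C
# coming from anywhere.
net_to_nets_filter() {
    src="$1"
    shift
    dsts=$(dst_nets "$@") || return 1
    printf 'src net %s and %s' "$src" "$dsts"
}

# capture_net_to_nets IFACE SRC DST...  runs tcpdump with the filter built
# above. "$filter" is a single argument, the same effect as writing the
# whole expression inside quotes on the command line. Requires tcpdump
# and capture privileges (not exercised by the checks below).
capture_net_to_nets() {
    iface="$1"
    src="$2"
    shift 2
    filter=$(net_to_nets_filter "$src" "$@") || return 1
    tcpdump -nvX -i "$iface" "$filter"
}
```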

Isolating specific TCP flags

You can also capture traffic based on a specific TCP flag (or flags).

[NOTE: The filters below find the various packet types because tcp[13] looks at offset 13 in the TCP header, the number represents the bit position within that byte, and != 0 means the flag in question is set to 1, i.e. it is on.]

Show all URGENT (URG) packets...

# tcpdump "tcp[13] & 32 != 0"

Show all ACKNOWLEDGE (ACK) packets...

# tcpdump "tcp[13] & 16 != 0"

Show all PUSH (PSH) packets...

# tcpdump "tcp[13] & 8 != 0"

Show all RESET (RST) packets...

# tcpdump "tcp[13] & 4 != 0"

Show all SYNCHRONIZE (SYN) packets...

# tcpdump "tcp[13] & 2 != 0"

Show all FINISH (FIN) packets...

# tcpdump "tcp[13] & 1 != 0"

Show all SYNCHRONIZE/ACKNOWLEDGE (SYNACK) packets...

# tcpdump "tcp[13] = 18"

[Note: only the PSH, RST, SYN and FIN flags are displayed in tcpdump's flags field. URG and ACK are displayed too, but they are shown elsewhere in the output rather than in the flags field.]

As with most powerful tools, there are many ways to achieve the same thing. The following example shows another way to capture packets with specific sets of TCP flags.

# tcpdump "tcp[tcpflags] == tcp-syn"

Find the RST flag using tcpflags...

# tcpdump "tcp[tcpflags] == tcp-rst"

Find the FIN flag using tcpflags...

# tcpdump "tcp[tcpflags] == tcp-fin"

[Note: the same method can be used for the other flags; they were left out for brevity.]
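As an added example (not code from the original page), these shell functions generate the tcp[13] flag filters above from flag names, so the bit values never have to be remembered; they go beyond the page's six flags by also knowing ECE (64) and CWR (128), the two upper bits of the flags byte, and the function names are my own.

```shell
# Added example, not from the original page. tcp[13] is the TCP flags byte;
# each flag is one bit: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128
# (ECE and CWR are not listed on the page; they are the two upper bits).
# Function names are my own choices.

# tcp_flag_bit NAME -> bit value of one flag (case-insensitive); fails if unknown.
tcp_flag_bit() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# tcp_flags_mask NAME... -> the bits of all named flags OR-ed together.
tcp_flags_mask() {
    mask=0
    for f in "$@"; do
        bit=$(tcp_flag_bit "$f") || return 1
        mask=$((mask | bit))
    done
    echo "$mask"
}

# "any" filter: at least one of the named flags is set (e.g. tcp[13] & 2 != 0).
tcp_flags_any_filter() {
    m=$(tcp_flags_mask "$@") || return 1
    printf 'tcp[13] & %s != 0' "$m"
}

# "all" filter: every named flag is set; other flags may be set as well.
tcp_flags_all_filter() {
    m=$(tcp_flags_mask "$@") || return 1
    printf 'tcp[13] & %s = %s' "$m" "$m"
}

# "exact" filter: the flags byte equals exactly these flags and nothing
# else, like tcp[13] = 18 for SYN/ACK on the page.
tcp_flags_exact_filter() {
    m=$(tcp_flags_mask "$@") || return 1
    printf 'tcp[13] = %s' "$m"
}
```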

Identifying traffic that deserves attention

Finally, there are a few quick recipes you will want to remember for catching specific and unusual traffic, for example malformed or likely malicious packets.

RST AND SYN PACKETS

# tcpdump "tcp[13] = 6"

FIND CLEARTEXT HTTP GET REQUESTS

# tcpdump "tcp[(tcp[12]>>2):4] = 0x47455420"

FIND SSH CONNECTIONS ON ANY PORT (VIA THE BANNER)

# tcpdump "tcp[(tcp[12]>>2):4] = 0x5353482D"

PACKETS WITH A TTL LESS THAN 10 (USUALLY INDICATES A PROBLEM OR THE USE OF TRACEROUTE)

# tcpdump "ip[8] < 10"

PACKETS WITH THE EVIL BIT SET

# tcpdump "ip[6] & 128 != 0"
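As an added example (not code from the original page), this shell function derives the payload-prefix filters above from an ASCII string, so "GET " yields 0x47455420 and "SSH-" yields 0x5353482d (lowercase hex, which tcpdump accepts equally), and generalises them to 1-, 2- and 4-byte prefixes, the only widths tcpdump's byte-access syntax can compare in one expression; the function names are my own.

```shell
# Added example, not from the original page. tcp[12]>>2 is the TCP data
# offset in bytes, so tcp[(tcp[12]>>2):N] reads the first N payload bytes.
# tcpdump's tcp[off:N] syntax accepts N = 1, 2 or 4 only. Function names
# are my own choices.

# ascii_to_hex STRING -> hex literal of its bytes, e.g. "GET " -> 0x47455420
# (od -An -tx1 prints one hex pair per byte; tr strips spaces and newlines).
ascii_to_hex() {
    printf '0x%s' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# payload_prefix_filter PREFIX -> filter matching TCP segments whose
# payload starts with PREFIX (1, 2 or 4 bytes); fails for other lengths.
payload_prefix_filter() {
    s="$1"
    n=${#s}
    case $n in
        1|2|4) ;;
        *) echo "prefix must be 1, 2 or 4 bytes, got $n" >&2; return 1 ;;
    esac
    printf 'tcp[(tcp[12]>>2):%s] = %s' "$n" "$(ascii_to_hex "$s")"
}

# payload_prefix_on_port_filter PREFIX PORT -> same, limited to one port,
# e.g. HTTP GET requests on port 80 only instead of on any port.
payload_prefix_on_port_filter() {
    f=$(payload_prefix_filter "$1") || return 1
    printf 'tcp port %s and %s' "$2" "$f"
}
```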

Conclusion

tcpdump is an invaluable tool for anyone who wants to get into information security.
The direct way it interacts with traffic, combined with the precision it allows when examining packets, makes it the best tool for learning TCP/IP.
Protocol analyzers such as Wireshark are great, but if you want to truly master packet analysis, you should master tcpdump first.
Overall, this guide should help you get started, and the page may also be useful for those one-off usage scenarios. I hope it was useful to you, and do not hesitate to contact me if you have questions.
