
Summary of common tcpdump commands

Summary of basic tcpdump usage

A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic

Options

Here are some additional ways to tweak how you call tcpdump.

  • -X: Show the packet’s contents in both hex and ascii.
  • -XX: Same as -X, but also shows the ethernet header.
  • -D: Show the list of available interfaces
  • -l: Line-readable output (for viewing as you save, or sending to other commands)
  • -q: Be less verbose (more quiet) with your output.
  • -t: Give human-readable timestamp output.
  • -tttt: Give maximally human-readable timestamp output.
  • -i eth0: Listen on the eth0 interface.
  • -vv: Verbose output (more v’s gives more output).
  • -c: Only get x number of packets and then stop.
  • -s: Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
  • -S: Print absolute sequence numbers.
  • -e: Get the ethernet header as well.
  • -q: Show less protocol information.
  • -E: Decrypt IPSEC traffic by providing an encryption key.

everything on an interface

$ tcpdump -i eth0
$ tcpdump -i any # get all interfaces

find traffic by ip

Using host, you can see traffic that’s going to or from 1.1.1.1.

$ tcpdump host 1.1.1.1

Expression types:

  • Types: host, net, port
  • Directions: src, dst
  • Protocols: tcp, udp, icmp

filtering by source and/or destination

If you only want to see traffic in one direction or the other, you can use src and dst.

$ tcpdump src 1.1.1.1
$ tcpdump dst 1.0.0.1

finding packets by network

To find packets going to or from a particular network or subnet, use the net option.

$ tcpdump net 1.2.3.0/24

get packet contents with hex output

$ tcpdump -c 1 -X icmp

find traffic by port

$ tcpdump port 3389
$ tcpdump src port 1025

Common Options:

  • -nn: Don’t resolve hostnames or port names.
  • -S: Get the entire packet.
  • -X: Get hex output.

show traffic of one protocol

$ tcpdump icmp

show only ip6 traffic

$ tcpdump ip6

find traffic using port ranges

$ tcpdump portrange 21-23

find traffic based on packet size

$ tcpdump less 32
$ tcpdump greater 64
$ tcpdump 'len <= 128'

reading / writing captures to a file

$ tcpdump port 80 -w capture_file
$ tcpdump -r capture_file

Combinations

  • AND: and or &&
  • OR: or or ||
  • EXCEPT: not or !

raw output view

$ tcpdump -ttnnvvS

from specific ip and destined for a specific port

Let’s find all traffic from 10.5.2.3 going to any host on port 3389.

$ tcpdump -nnvvS src 10.5.2.3 and dst port 3389

from one network to another

Let’s look for all traffic coming from 192.168.x.x and going to the 10.x or 172.16.x.x networks, and we’re showing hex output with no hostname resolution and one level of extra verbosity.

$ tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'

non icmp traffic going to a specific ip

This will show us all traffic going to 192.168.0.2 that is not ICMP.

$ tcpdump dst 192.168.0.2 and not icmp

traffic from a host that isn’t on a specific port

This will show us all traffic from a host that isn’t SSH traffic (assuming default port usage).

$ tcpdump -vv src mars and not dst port 22

isolate tcp flags

  • Isolate TCP RST flags.
    $ tcpdump 'tcp[13] & 4!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-rst'
  • Isolate TCP SYN flags.
    $ tcpdump 'tcp[13] & 2!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-syn'
  • Isolate packets that have both the SYN and ACK flags set.
    $ tcpdump 'tcp[13]=18'
  • Isolate TCP URG flags.
    $ tcpdump 'tcp[13] & 32!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-urg'
  • Isolate TCP ACK flags.
    $ tcpdump 'tcp[13] & 16!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-ack'
  • Isolate TCP PSH flags.
    $ tcpdump 'tcp[13] & 8!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-push'
  • Isolate TCP FIN flags.
    $ tcpdump 'tcp[13] & 1!=0'
    $ tcpdump 'tcp[tcpflags] == tcp-fin'
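The two filter forms listed above are not equivalent: 'tcp[13] & 2 != 0' matches any segment with SYN set (including a SYN-ACK), while 'tcp[tcpflags] == tcp-syn' matches only segments whose flags byte is exactly SYN. The following Python, added here and not part of the original tutorial, reproduces the tcp[13] offset arithmetic on constructed IPv4/TCP bytes (zero checksums, constructed addresses and ports) so the difference can be checked offline, including a packet with IP options where the TCP header does not start at byte 20.

```python
import struct

# Bit values of the TCP flags byte, i.e. tcp[13] in tcpdump's filter syntax.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def tcp_flags_byte(ip_packet: bytes) -> int:
    """Return tcp[13] for a raw IPv4 packet: skip the IP header using its IHL field,
    then read byte 13 of the TCP header (this is what tcpdump does for 'tcp[13]')."""
    if ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if ip_packet[9] != 6:  # IP protocol field: 6 == TCP
        raise ValueError("not a TCP packet")
    ihl = (ip_packet[0] & 0x0F) * 4  # IP header length in bytes (20 + options)
    return ip_packet[ihl + 13]


def flag_set(ip_packet: bytes, mask: int) -> bool:
    """Equivalent of 'tcp[13] & mask != 0': the flag is set, possibly with others."""
    return tcp_flags_byte(ip_packet) & mask != 0


def flags_exactly(ip_packet: bytes, value: int) -> bool:
    """Equivalent of 'tcp[13] == value' or 'tcp[tcpflags] == tcp-xxx': only these flags set."""
    return tcp_flags_byte(ip_packet) == value


def build_tcp_packet(flags: int, ip_options: bytes = b"", src_port: int = 40000,
                     dst_port: int = 22) -> bytes:
    """Constructed sample packet: IPv4 header (optionally with options) followed by a
    20-byte TCP header and no payload. Checksums are left at zero; the bytes only
    illustrate the header layout, they are not a valid on-wire packet."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    # src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urg ptr
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 5, 2, 3]), bytes([192, 168, 0, 2]))  # constructed addresses
    return ip + ip_options + tcp


# Constructed capture: a client SYN, the server's SYN-ACK, and an RST carrying IP options.
SYN_PACKET = build_tcp_packet(SYN)
SYNACK_PACKET = build_tcp_packet(SYN | ACK)
RST_WITH_OPTIONS = build_tcp_packet(RST, ip_options=b"\x01\x01\x01\x00")  # NOP,NOP,NOP,EOL
```

Running the three predicates over the constructed capture shows that the SYN-ACK passes 'tcp[13] & 2 != 0' but not 'tcp[tcpflags] == tcp-syn', and that 'tcp[13] = 18' is the only form that picks out the SYN-ACK alone.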

recipe examples