1. tcpdump -D #List the interfaces available for capture
2. tcpdump -w /tmp/tcpdumpfile -i eth0 #Write raw packets to a file; -i takes an interface name or the interface number shown by -D
3. tcpdump -r /tmp/tcpdumpfile #Read packets from the file
4. tcpdump -vv -r /tmp/tcpdumpfile #-vv prints more detail
5. tcpdump -vvnn -r /tmp/tcpdumpfile #-nn does not convert addresses or ports to names
6. -XX #Print each packet in hex and ASCII, including its link-layer (datalink) header
7. -e #Print the link-layer (datalink) header on each output line
8. tcpdump -vvnn arp -i eth0 #Capture all ARP traffic
9. tcpdump -vv port 80 #Capture all HTTP traffic (port 80)
10. tcpdump -vvnn ether host '00:00:00:11:22:33' #Capture all traffic to or from the MAC address 00:00:00:11:22:33
11. tcpdump -nnxX -i eth0 -w tcpdumpfile -C 3
Capture all traffic passing on eth0 and write it to files named tcpdumpfile (tcpdumpfile1, tcpdumpfile2, ... once each fills), starting a new file every 3 million bytes (about 3 MB), without trying to resolve IP addresses or port names. Note that -x and -X only affect printed output, so they have no effect while -w is writing raw packets.
12. Expressions
type: possible types are host, net, port and portrange.
dir: possible directions are src, dst, src or dst, and src and dst.
proto: possible protos are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
host ip-address/hostname: True if either the IPv4/v6 source or destination of the packet is ip-address/hostname; can also be used as dst host and src host.
port number/port-name: True if either the source or destination port of the packet is number/port-name; can also be used as dst port and src port.
portrange number1-number2: True if either the source or destination port of the packet is between number1 and number2; can also be used as dst portrange and src portrange.
ether host MAC: True if either the Ethernet source or destination address is MAC; can also be used as ether src and ether dst.
ether broadcast: True if the packet is an Ethernet broadcast packet; broadcast alone can be used directly.
gateway ip-address: True if the packet used ip-address as a gateway.
net network-address: True if either the IPv4/v6 source or destination address of the packet has a network number of network-address; can also be used as src net and dst net.
ip broadcast: True if the packet is an IPv4 broadcast packet.
vlan vlan_id: True if the packet is an IEEE 802.1Q VLAN packet; if vlan_id is specified, only true if the packet has the specified vlan_id.
mpls label_num: True if the packet is an MPLS packet; if label_num is specified, only true if the packet has the specified label_num.
vpi/vci number: True if the packet is an ATM packet with a virtual path/channel identifier of number.
less/greater length: True if the packet has a length less than or equal to / greater than or equal to length.
13. tcpdump -nnvvv -i eth0 host 10.0.2.2
Print all packets arriving from or departing to 10.0.2.2
14. tcpdump -vvv -i lo dst port http
Capture all traffic destined to the HTTP port on the loopback interface
15. tcpdump -nnevvv -c 3 arp
Capture three Address Resolution Protocol (ARP) packets, printing the link-layer header of each
16. tcpdump -nn icmp and host 10.0.2.2
Capture ICMP traffic to or from the host 10.0.2.2 (the two primitives must be joined with "and"; "icmp" cannot be used as a qualifier of "host")
17. Expressions combination
• AND (and == &&): true if and only if both expressions are true, otherwise false
• NOT (not == !): reverses the result; true becomes false and false becomes true
• OR (or == ||): false if and only if both expressions are false, otherwise true
18. tcpdump -c 10 ip host 10.0.2.15 and not 10.0.2.2
All IP packets between 10.0.2.15 and any host except 10.0.2.2
19. tcpdump -c 3 -i eth0 port smtp or http or ftp-data or ftp
Capture packets related to the mail, web and FTP services
20. tcpdump -c 5 -nn -i eth0 'src net not 192.168.0.0/16 and not 10.0.0.0/8'
Capture only traffic whose source is outside the private ranges, i.e. from the Internet
21. tcpdump -nn -i eth0 'src host 10.0.2.15 and (dst port 21 or 80)'
Capture FTP and HTTP traffic from 10.0.2.15; the parentheses are needed because "and" binds tighter than "or", so without them the filter would also match traffic to port 80 from any host
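To make the rules in items 12 and 17 concrete (qualifiers, "and" binding tighter than "or", and a bare value such as "or 80" or "and not 10.0.2.2" inheriting the previous qualifiers), here is an added example that is not part of the original post: a small evaluator that applies a tcpdump-style filter to constructed packet dicts. It covers only the host/port/net primitives and protocol names used on this page, and the packets are constructed test data, not real captures.

```python
import ipaddress
import re

# Packets here are constructed dicts (proto, src, dst, srcport, dstport), not real captures.
PROTOS = {"ip", "tcp", "udp", "icmp", "arp"}
QUALS = {"src", "dst", "host", "port", "net"}
SERVICES = {"ftp-data": "20", "ftp": "21", "smtp": "25", "http": "80"}  # service name -> port

def _primitive(proto, quals, value, negate=False):
    """One primitive as a predicate: no direction means either end, no type means host."""
    dirs = [q for q in quals if q in ("src", "dst")] or ["src", "dst"]
    kind = next((q for q in quals if q in ("host", "port", "net")), "host")
    proto_ok = lambda p: proto in (None, p["proto"]) or (proto == "ip" and p["proto"] != "arp")
    hit = {"port": lambda p, d: p[d + "port"] == SERVICES.get(value, value),
           "net": lambda p, d: ipaddress.ip_address(p[d]) in ipaddress.ip_network(value),
           "host": lambda p, d: p[d] == value}[kind]
    return lambda p: proto_ok(p) and (value is None or any(hit(p, d) for d in dirs) != negate)

def compile_filter(expr):
    """Parse a tcpdump-style expression into a predicate; precedence is not > and > or."""
    t = [{"&&": "and", "||": "or", "!": "not"}.get(x, x) for x in re.findall(r"[()]|[^\s()]+", expr)]
    last = ["host"]                      # qualifiers that a bare value ('or 80') inherits
    peek = lambda: t[0] if t else None
    def p_or():
        f = p_and()
        while peek() == "or":
            t.pop(0); f = (lambda a, b: lambda p: a(p) or b(p))(f, p_and())
        return f
    def p_and():
        f = p_not()
        while peek() == "and":
            t.pop(0); f = (lambda a, b: lambda p: a(p) and b(p))(f, p_not())
        return f
    def p_not():
        if peek() == "not":
            t.pop(0); f = p_not(); return lambda p: not f(p)
        if peek() == "(":
            t.pop(0); f = p_or(); t.pop(0); return f    # second pop drops the ')'
        return p_primitive()
    def p_primitive():
        proto = t.pop(0) if peek() in PROTOS else None
        quals = []
        while peek() in QUALS: quals.append(t.pop(0))
        if proto and not quals and peek() in (None, "and", "or", ")"):
            return _primitive(proto, (), None)           # bare protocol such as 'icmp'
        if quals: last[:] = quals
        negate = peek() == "not" and bool(t.pop(0))      # 'src net not 10.0.0.0/8' form
        return _primitive(proto, tuple(last), t.pop(0), negate)
    return p_or()
```

Running the filters from items 18 to 21 through compile_filter shows why item 21 needs its parentheses: without them the "or 80" branch matches port 80 traffic from any source.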