Tuesday, February 12, 2019

TCPDUMP Basics


TCPDUMP is a very powerful packet capturing tool. "Must love tcpdump and wireshark" the job ads often say, so working with networks requires mastering the fundamentals of this tool.

I have two Raspberry PI computers in my lab. They are perfect learning tools (hats off to the creators).

TYPICAL SYNTAX

A typical packet capture might look like this:

pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv src host 192.168.0.254 and dst port 22
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1600 bytes


What on earth do those flags stand for?
-i eth0     capture packets on the eth0 interface
-s 1600     capture only the first 1600 bytes of each packet rather than the maximum allowed (default varies by version)
-nn         don't resolve IP addresses or port numbers to names
-v          slightly more verbose output
-vv         even more verbose output
-vvv        even more verbose output (useful with the -x or -X option)
src host    packets coming from the given IP address
and         logical and (both statements must be true to capture a packet)
dst port    packets going to the given destination port (here port 22, SSH)

NETWORK FILTERING
tcpdump net 192.168.0
tcpdump src net  192.168.0
tcpdump dst net 192.168.0
etc.

PROTOCOL FILTERING
tcpdump ip
tcpdump tcp
tcpdump icmp
etc. 

Combining expressions may involve keywords such as:

!        negation
not      negation

&&       concatenation
and      concatenation

||       alternative (or)
or       alternative

Example:
pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv -c3 'tcp and src host 192.168.0.254'

I've thrown in -c3 (for capturing only 3 packets) and the combined expression in quotes (' ').

Another example:
pi@lucy: $ sudo tcpdump -i eth0 -s 1600 -nn -vvv -c3 'not tcp and src host 192.168.0.254'
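To see which header fields those filter primitives actually test, here is an added example (not part of the original post) that decodes a constructed Ethernet/IPv4/TCP frame and evaluates the page's own filters, 'tcp and src host 192.168.0.254 and dst port 22' and 'not tcp and src host 192.168.0.254', by hand. The frames, addresses and the helper names are constructed for illustration; non-IPv4 frames such as ARP are simply ignored, which is a simplification of what tcpdump does.

```python
import struct
import socket

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # IP protocol field values

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet + IPv4 (+ TCP/UDP ports) just far enough to filter on."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:            # not IPv4: simplification, ARP etc. ignored
        return {"ip": False}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = ip[9]                      # protocol field: what 'tcp'/'udp'/'icmp' test
    src = socket.inet_ntoa(ip[12:16])  # what 'src host' tests
    dst = socket.inet_ntoa(ip[16:20])  # what 'dst host' tests
    pkt = {"ip": True, "proto": proto, "src": src, "dst": dst}
    if proto in (6, 17):               # TCP and UDP both start with two 16-bit ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        pkt.update(sport=sport, dport=dport)
    return pkt

def matches(frame, proto=None, src_host=None, dst_port=None, not_proto=False):
    """Evaluate '[not] <proto> and src host X and dst port N' like tcpdump would."""
    p = parse_frame(frame)
    if not p["ip"]:
        return False
    if proto is not None:
        hit = p["proto"] == PROTO_NUMBERS[proto]
        if hit == not_proto:           # 'not tcp' inverts only the protocol test
            return False
    if src_host is not None and p["src"] != src_host:
        return False
    if dst_port is not None and p.get("dport") != dst_port:
        return False
    return True

def build_frame(proto, src, dst, sport, dport):
    """Constructed sample frame: zeroed MACs, minimal 20-byte IPv4 header, L4 ports."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + l4

# Constructed: an SSH packet from the router, matching the first capture on this page
SSH_FROM_ROUTER = build_frame(6, "192.168.0.254", "192.168.0.10", 40000, 22)
```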
