How to use the tcpdump command to capture network packets?



1. Capture two complete TCP packets:

# tcpdump -nnvXSs 1514 -c2 tcp

-nn: no host or port name lookups; -v: verbose output; -X: hex and ASCII dump of each packet; -S: absolute rather than relative TCP sequence numbers; -s 1514: snaplen of one full Ethernet frame (recent tcpdump versions default to capturing whole packets, so -s is only needed on old builds); -c2: stop after two packets.



* host // look for traffic based on IP address (also works with hostname if you're not using -n)

# tcpdump host 1.2.3.4

* src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6

* net // capture an entire network using CIDR notation

# tcpdump net 1.2.3.0/24

* proto // match one protocol: tcp, udp and icmp are the common ones, and ip, ip6 and arp work the same way. Note that you don't have to type the word proto

# tcpdump icmp

* port // see only traffic to or from a certain port

# tcpdump port 3389
* src, dst port // filter based on the source or destination port

# tcpdump src port 1025
# tcpdump dst port 389

* src/dst, port, protocol // combine all three

# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53

* Port ranges // see traffic to any port in a range
# tcpdump portrange 21-23

* Packet size filter // only see packets at or below / at or above a certain size (in bytes): less N means len <= N and greater N means len >= N
# tcpdump less 32
# tcpdump greater 128

[ You can also use the <, >, <= and >= operators on the packet length, written as len, but the expression must be quoted: an unquoted > or < is a shell redirection, so a bare tcpdump > 32 captures everything and writes the output to a file named 32. ]
// filtering for size using symbols
# tcpdump 'len > 32'
# tcpdump 'len <= 128'

Capture all port 80 traffic to a file

# tcpdump -s 1514 -w capture_file port 80

Keep the options in front of the filter expression. Linux tcpdump also accepts -w after "port 80" because GNU getopt reorders arguments, but BSD builds treat everything after the first non-option word as part of the filter. -w writes raw packets in pcap format, not text, so view the file with tcpdump -r (or Wireshark) rather than cat.

Important:
--------------
Later you can read the traffic back in like so:

Read captured traffic back into tcpdump

# tcpdump -r capture_file

The usual display options (-nn, -v, -X) and a filter expression can be given on the read command as well, so a broad capture can be narrowed afterwards without capturing again.
-------------

Logical operators:
1. AND: and or &&
2. OR: or or ||
3. NOT: not or !

Negation binds tightest; and and or have equal precedence and are applied left to right, so use parentheses to group terms, and quote the whole expression so the shell does not interpret the parentheses, ! or ||.

TCP traffic from 10.5.2.3 destined for port 3389:

# tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389

Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:

# tcpdump -nvX 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or 172.16.0.0/16)'

The parentheses matter: because and/or are evaluated left to right, the unparenthesized form matches any traffic to 172.16.0.0/16 regardless of its source. The second network inherits the dst net keyword from the first.

Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:

# tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp

Traffic originating from Mars or Pluto that isn't to the SSH port: // requires name resolution

# tcpdump -vv src mars or pluto and not dst port 22
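The quoting and precedence points above (the quoted len filters, the parenthesized 192.168 / 10 / 172.16 filter, the option order for -w, and reading a capture back with -r) gathered into one script. This is an added example, not code from the original post; the function names, the interface name in IFACE, the file names under /tmp and the RUN_CAPTURE variable are assumptions for illustration. check_filter relies on tcpdump -d compiling the expression against a header-only pcap opened with -r, which needs neither a network interface nor root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds tcpdump filter
# expressions from shell variables without tripping over BPF precedence
# or shell metacharacters, then writes and reads back a capture.
# Assumed/hypothetical: the function names, $IFACE (default eth0), the
# /tmp file names and the RUN_CAPTURE switch in the usage section.

# "src net SRC and (dst net D1 or dst net D2 ...)".
# pcap-filter applies "and"/"or" left to right, so without the
# parentheses "a and b or c" is read as "(a and b) or c".
build_net_filter() {
    src=$1
    shift
    dsts=
    for d in "$@"; do
        if [ -z "$dsts" ]; then
            dsts="dst net $d"
        else
            dsts="$dsts or dst net $d"
        fi
    done
    printf 'src net %s and (%s)\n' "$src" "$dsts"
}

# Strict length bounds with comparison operators. "greater N" means
# len >= N and "less N" means len <= N, so for "more than N bytes" use
# len with an operator. The result must reach tcpdump as ONE quoted
# argument: an unquoted ">" or "<" is a shell redirection.
build_len_filter() {
    printf 'len > %s and len <= %s\n' "$1" "$2"
}

# Compile a filter without capturing and without root: "-d" prints the
# BPF program and exits, and "-r" on a header-only pcap supplies the
# link type. Returns 2 if tcpdump is not installed, else tcpdump's rc.
check_filter() {
    filter=$1
    command -v tcpdump >/dev/null 2>&1 || return 2
    hdr=$(mktemp) || return 1
    # 24-byte pcap global header: magic a1b2c3d4 (little-endian),
    # version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$hdr"
    if tcpdump -r "$hdr" -d "$filter" >/dev/null; then rc=0; else rc=$?; fi
    rm -f "$hdr"
    return $rc
}

# Write COUNT packets matching FILTER to FILE. Options go before the
# expression: GNU getopt tolerates "-w" after it, BSD tcpdump does not.
# Needs tcpdump and CAP_NET_RAW (normally root).
capture_to_file() {
    iface=$1; file=$2; count=$3; filter=$4
    tcpdump -i "$iface" -nn -s 0 -c "$count" -w "$file" "$filter"
}

# Read a capture back. An optional second filter is applied at read
# time, so a broad capture can be narrowed later without re-capturing.
read_capture() {
    if [ -n "${2:-}" ]; then
        tcpdump -nn -r "$1" "$2"
    else
        tcpdump -nn -r "$1"
    fi
}

# Usage: set RUN_CAPTURE=1 (as root, with tcpdump installed) to capture.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    F=$(build_net_filter 192.168.0.0/16 10.0.0.0/8 172.16.0.0/16)
    check_filter "$F" || { echo "bad filter or no tcpdump: $F" >&2; exit 1; }
    capture_to_file "${IFACE:-eth0}" /tmp/rfc1918.pcap 10 "$F"
    # Second pass over the same file: only packets of 33..128 bytes.
    read_capture /tmp/rfc1918.pcap "$(build_len_filter 32 128)"
fi
```

Sourcing the file (`. ./filters.sh`) gives you the functions without running the capture; check_filter is the cheap way to validate a filter string on a host where you cannot capture, such as a jump box, before pasting it into a root shell on the target.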
=========

PS: Posted here to make it more widely available on the internet.



©Web Server Tips Tricks 2010 | Developed by Mr.PhanQuan. Powered by Blogger.