Difference between revisions of "Useful TCPDUMP commands"

From Brian Nelson Ramblings
Jump to: navigation, search
(Created page with "==Useful TCPDUMP commands for debugging== I have only found a few times that I needed to use tcpdump, most of them are for firewall issues. ===Basic TCPDUMP commands=== Che...")
 
 
Line 102: Line 102:
 
Check to see if a specific client is connecting to MySQL over port 3306
 
Check to see if a specific client is connecting to MySQL over port 3306
  
  tcpdump -i any -s 0 -l -w - dest port 3306 and src host 192.168.1.1
+
  tcpdump -i any -s 0 -l -w dest port 3306 and src host 192.168.1.1

Latest revision as of 12:36, 18 June 2014

Useful TCPDUMP commands for debugging

I have only found a few times that I needed to use tcpdump, most of them are for firewall issues.

Basic TCPDUMP commands

Checking to see what interfaces we can use with tcpdump

tcpdump -D

Listen to all traffic coming in over a specific interfacae

tcpdump -i eth0

*note the -i stands for interface

Listen to all traffic on all interfaces

tcpdump -i any

At this point you will notice there is alot of information going to and from your computer.

There are 4 settings when it comes to verbose information(verbose, more verbose, very verbose, less verbose)

Verbose

tcpdump -v

More Verbose

tcpdump -vv

Oddly enough Very verbose

tcpdump -vvv

Less verbose mean less then the default

tcpdump -q

Say you want to dispaly ipaddress and ports vers domains and service ports

tcpdump -n

More fun tcpdump combinations

Capture all bytes of data within the packet:

tcpdump -s 0

Capture 500 bytes of data for each packet rather than the default of 68 bytes:

tcpdump -s 500

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:

tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:

tcpdump -n dst port 23

Capture any packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is is between 1 and 1023 inclusive. Display IP addresses and port numbers:

tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:

tcpdump -v icmp

Capture any ARP packets:

tcpdump -v arp

Capture either ICMP or ARP packets:

tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

tcpdump -n "broadcast or multicast"

Check to see if a specific client is connecting to MySQL over port 3306

tcpdump -i any -s 0 -l -w dest port 3306 and src host 192.168.1.1