Tuesday, February 24, 2015

tcpdump info

Tcpdump

# tcpdump -c 30 -i eth0
# tcpdump -w /tmp/tcpdump.pcap -n -tttt -i eth5 dst 1.2.3.4 and port 22

# tcpdump -w comm.pcap -i eth0 src xxx.xxx.xxx.xxx and port 22 and dst xxx.xxx.xxx.xxx and port 22
# tcpdump -i eth0 -n dst port 80
# tcpdump -w comm.pcap -s 1000 -i bond0 udp and \(host 172.20.68.176 and host 172.24.173.9\)
# tcpdump -i any -w /var/tmp/tcpdump00 -s0 not host he3lnxd120-priv and not host he3lnxd121-priv and not host he3lnxd122-priv and not tcp port 22
# tcpdump -r /var/tmp/tcpdump00 -vSxX > /var/tmp/mosdump
# tcpdump -A -i eth0
# tcpdump -tttt -r data.pcap
# tcpdump -nnvXSs 0 -c2 icmp
# tcpdump -D -> Displays available interfaces
# tcpdump portrange 9001-10002
# tcpdump -s0 -i eth0 -w file.pcap not tcp port 22
# tcpdump -r capture.pcap -w http.pcap tcp port 80 (reads a capture file and writes the matching packets to another file)
# tcpdump -i any -w /var/tmp/`hostname`_tcpdump.pac -s0 host he2lnxp201 and not tcp port 22
# tcpdump -nnvXSs 0 -r he3lnxd120_tcpdump.pcap > /tmp/he3lnxd120_tcpdump.txt

-i any : Listen on all interfaces just to see if you're seeing any traffic.
-n : Don't resolve hostnames.
-nn : Don't resolve hostnames or port names.
-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-c : Capture only the given number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
-v : Slightly verbose.
-vv : More verbose.
-vvv : Total verbosity.
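The captures above that exclude the admin hosts and SSH (`not host ... and not tcp port 22`) are easy to get wrong by hand. The following is an added example, not part of the original post: a POSIX shell helper that builds that exclusion filter from a host list and a wrapper that runs a ring-buffer capture so a long incident capture cannot fill the disk. The interface, output directory and host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes tcpdump is installed
# and that the caller has capture privileges; OUTDIR and host names are
# constructed values for illustration.

# build_filter HOST... -> prints a BPF expression that drops traffic to or
# from every listed host plus all SSH, so the analyst's own management
# session does not end up in (or bloat) the capture.
build_filter() {
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="not host $h"
        else
            expr="$expr and not host $h"
        fi
    done
    if [ -z "$expr" ]; then
        echo "not tcp port 22"
    else
        echo "$expr and not tcp port 22"
    fi
}

# capture_ring IFACE OUTDIR FILTER: full snaplen (-s0), no name lookups (-n),
# 100 MB per file (-C 100), keep at most 10 files and overwrite the oldest
# (-W 10). Files are named <outdir>/<hostname>_tcpdump.pcap0 ... pcap9.
capture_ring() {
    iface=$1; outdir=$2; filter=$3
    mkdir -p "$outdir" || return 1
    tcpdump -i "$iface" -n -s0 -C 100 -W 10 \
        -w "$outdir/$(hostname)_tcpdump.pcap" "$filter"
}

# Usage (constructed example):
#   capture_ring any /var/tmp/capture "$(build_filter he3lnxd120-priv he3lnxd121-priv)"
```

Read a finished ring file back with `tcpdump -nnvXSs 0 -r <file>` as in the commands above.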

