
Tcpdump usage examples
> tcpdump -ni eth0 src host 192.168.1.1 and dst host 172.16.1.1 and dst port 23 -s 1500 -w /tmp/tr.pcap

> tcpdump -i eth0 -c 10 -w [Filename]     // Save the packets sent and received on eth0 to a file (stop after 10 packets)

> tcpdump -r [Filename]                       // Read back the packet headers saved by tcpdump

> tcpdump -Xqnr [Filename].log               // Read the captured tcpdump.log file and print each packet as a hex and ASCII dump


* Log messages produced when tcpdump puts the interface into sniffing (promiscuous) mode

  eth0: Setting promiscuous mode.
  device eth0 entered promiscuous mode
  device eth0 left promiscuous mode

Capture packets whose destination address is in 1.2.3.x/24 or 1.2.4.x/25 and whose destination port is 80
> tcpdump -q \( dst net 1.2.3.0/24 or 1.2.4.0/25 \) and dst port 80
 
Print all packets arriving at or departing from host A
> tcpdump host A

Print all traffic between host A and either B or C
> tcpdump host A and \( B or C \)

Print all IP packets between host A and any host except B
> tcpdump ip host A and not B

Print all traffic between local hosts and hosts at Berkeley
> tcpdump net ucb-ether

Print all FTP traffic passing through gateway A
> tcpdump 'gateway A and (port ftp or ftp-data)'

Print all traffic that is neither to nor from the local network
> tcpdump ip and not net

Print the start and end packets (the SYN and FIN packets) of each TCP conversation that does not involve a local host
> tcpdump 'tcp[13] & 3 != 0 and not src and dst net '

Print IP packets longer than 576 bytes sent through gateway A
> tcpdump 'gateway A and ip[2:2] > 576'

Print IP broadcast or multicast packets that were not sent as Ethernet broadcast or multicast frames
> tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

Print all ICMP packets that are not echo requests or echo replies (i.e. not ping packets)
> tcpdump 'icmp[0] != 8 and icmp[0] != 0'

Print all packets from the 1.2.3 and 1.2.4 networks except those that stay internal to them
> tcpdump src net 1.2.3 or 1.2.4 and not dst net 1.2.3 or 1.2.4
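The byte-offset filters above (tcp[13] & 3, ip[2:2], ether[0] & 1 with ip[16], icmp[0]) are the ones that tend to puzzle people, so here is an added example, not part of the original page, that re-implements each test in plain Python over constructed Ethernet/IPv4 frames. The frame builders, MAC addresses and IP addresses are all made up for the demonstration; the offsets and masks are exactly the ones the tcpdump expressions use. It shows what each filter actually looks at: tcpdump evaluates ip[] relative to the start of the IP header (just past the 14-byte Ethernet header) and tcp[]/icmp[] relative to the start of the transport header, which it finds by reading the IP header length (IHL) field.

```python
import struct

ETH_HDR_LEN = 14  # ip[...] offsets start right after the 14-byte Ethernet header

TCP_FIN, TCP_SYN = 0x01, 0x02
# Constructed MAC addresses (not real hosts). Bit 0 of the first octet is the
# group bit: 0 = unicast destination, 1 = multicast/broadcast destination.
UNICAST_MAC = b"\x00\xaa\xbb\xcc\xdd\xee"
MULTICAST_MAC = b"\x01\x00\x5e\x00\x00\x01"


# ---- builders for constructed sample frames --------------------------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options, checksum left 0) plus payload."""
    def addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Minimal TCP header (data offset 5). The flags byte is what tcp[13] reads."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0) + payload


def build_icmp(icmp_type: int, code: int = 0) -> bytes:
    """ICMP header; the type byte is icmp[0]."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def build_frame(dst_mac: bytes, ip_packet: bytes) -> bytes:
    """Ethernet II frame carrying IPv4 (EtherType 0x0800)."""
    src_mac = b"\x00\x11\x22\x33\x44\x55"  # constructed
    return dst_mac + src_mac + b"\x08\x00" + ip_packet


# ---- the filter tests, written out the way tcpdump evaluates them ----------
def _ip(frame: bytes) -> bytes:
    return frame[ETH_HDR_LEN:]


def _l4(frame: bytes) -> bytes:
    ip = _ip(frame)
    return ip[(ip[0] & 0x0F) * 4:]  # skip IHL*4 bytes: the base for tcp[]/icmp[]


def tcp_syn_or_fin(frame: bytes) -> bool:
    """tcp[13] & 3 != 0  (FIN=0x01 or SYN=0x02 set in the TCP flags byte)."""
    return _ip(frame)[9] == 6 and (_l4(frame)[13] & (TCP_FIN | TCP_SYN)) != 0


def ip_longer_than_576(frame: bytes) -> bool:
    """ip[2:2] > 576  (2-byte Total Length field at IP offset 2)."""
    return struct.unpack("!H", _ip(frame)[2:4])[0] > 576


def ip_bcast_or_mcast_not_ether(frame: bytes) -> bool:
    """ether[0] & 1 = 0 and ip[16] >= 224
    Unicast Ethernet destination, but first octet of the IP destination is
    224 or higher (multicast range, or 255.x for broadcast)."""
    return (frame[0] & 1) == 0 and _ip(frame)[16] >= 224


def icmp_not_ping(frame: bytes) -> bool:
    """icmp[0] != 8 and icmp[0] != 0  (any ICMP type except echo request/reply)."""
    if _ip(frame)[9] != 1:
        return False
    icmp_type = _l4(frame)[0]
    return icmp_type != 8 and icmp_type != 0


def classify(frame: bytes) -> dict:
    return {"syn_or_fin": tcp_syn_or_fin(frame),
            "ip_gt_576": ip_longer_than_576(frame),
            "ip_mcast_not_ether": ip_bcast_or_mcast_not_ether(frame),
            "icmp_not_ping": icmp_not_ping(frame)}


def sample_frames() -> dict:
    """Constructed frames, one per filter case (addresses are made up)."""
    return {
        "tcp_syn": build_frame(UNICAST_MAC, build_ipv4(6, "10.0.0.5", "10.0.0.9",
                                                        build_tcp(40000, 80, TCP_SYN))),
        "tcp_data": build_frame(UNICAST_MAC, build_ipv4(6, "10.0.0.5", "10.0.0.9",
                                                         build_tcp(40000, 80, 0x18, b"x" * 600))),
        "mcast_unicast_mac": build_frame(UNICAST_MAC, build_ipv4(17, "10.0.0.5", "224.0.0.1", b"\x00" * 8)),
        "mcast_ok": build_frame(MULTICAST_MAC, build_ipv4(17, "10.0.0.5", "224.0.0.1", b"\x00" * 8)),
        "icmp_unreach": build_frame(UNICAST_MAC, build_ipv4(1, "10.0.0.1", "10.0.0.5", build_icmp(3, 1))),
        "icmp_echo": build_frame(UNICAST_MAC, build_ipv4(1, "10.0.0.5", "10.0.0.1", build_icmp(8))),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:18s}", classify(frame))
```

Two things worth noticing from running it: the 600-byte data segment matches ip[2:2] > 576 but not tcp[13] & 3, because PSH|ACK (0x18) has neither of the low two bits set; and the same 224.0.0.1 datagram is matched or not purely on the group bit of the destination MAC, which is what makes the ether[0] & 1 test useful for spotting IP multicast that was delivered over a unicast frame.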

Print all packets on the br1 interface
> tcpdump -i br1

See the list of interfaces on which tcpdump can listen:
tcpdump -D

Listen on interface eth0:
tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):
tcpdump -i any

Be verbose while capturing packets:
tcpdump -v

Be more verbose while capturing packets:
tcpdump -vv

Be very verbose while capturing packets:
tcpdump -vvv

Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header:
tcpdump -v -X

Be verbose and print the data of each packet in both hex and ASCII, also including the link level header:
tcpdump -v -XX

Be less verbose (than the default) while capturing packets:
tcpdump -q

Limit the capture to 100 packets:
tcpdump -c 100

Record the packet capture to a file called capture.cap:
tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:
tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:
tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:
tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers):
tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:
tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:
tcpdump -v icmp

Capture any ARP packets:
tcpdump -v arp

Capture either ICMP or ARP packets:
tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:
tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:
tcpdump -s 500

Capture all bytes of data within the packet:
tcpdump -s 0
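What -s (snaplen) and -w/-r actually do to the data on disk is easiest to see in the file format itself. tcpdump -w writes the classic libpcap format: a 24-byte global header that records the snaplen, then one 16-byte record header per packet holding both the captured length and the original on-the-wire length. The added example below, which is not from the original page and not tcpdump's own code, writes and parses that format in Python with constructed packets so it runs offline; its write_pcap mimics the truncation -s performs. The 68-byte default quoted above belongs to older tcpdump releases; current releases use 262144 bytes, and treat -s 0 as that value, which the constant DEFAULT_SNAPLEN reflects.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic microsecond pcap, as read in the writer's byte order
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic seen from the opposite byte order
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144       # what current tcpdump uses by default and for -s 0


def write_pcap(packets, snaplen: int) -> bytes:
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples as a pcap file.
    Each frame is cut to snaplen bytes, which is what tcpdump -s does,
    but orig_len still records the full on-the-wire size."""
    if snaplen == 0:
        snaplen = DEFAULT_SNAPLEN
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes) -> dict:
    """Parse a pcap file, detecting byte order from the magic and refusing
    records whose lengths are inconsistent with the header or the file size."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError(f"unknown magic {magic:#x} (nanosecond pcap or pcapng?)")
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header (capture cut short?)")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {off - 16}")
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "caplen": incl_len,               # bytes actually stored
            "len": orig_len,                  # bytes that were on the wire
            "truncated": incl_len < orig_len,  # True when snaplen cut the packet
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"version": (vmaj, vmin), "snaplen": snaplen,
            "linktype": linktype, "records": records}


def sample_packets():
    """Constructed frames: one full-size 1500-byte frame and one 60-byte frame."""
    return [(1700000000, 0, b"\xaa" * 1500), (1700000000, 250000, b"\xbb" * 60)]


def summarize(snaplen: int):
    """Round-trip the samples through a capture taken with the given -s value."""
    cap = read_pcap(write_pcap(sample_packets(), snaplen))
    return [(r["caplen"], r["len"], r["truncated"]) for r in cap["records"]]


if __name__ == "__main__":
    for s in (500, 0):
        print(f"-s {s}:", summarize(s))
```

With -s 500 the 1500-byte frame is stored as caplen 500 / len 1500 and flagged truncated, while the 60-byte frame is intact; with -s 0 nothing is cut. When reviewing someone else's capture, caplen < len on many records is the tell-tale sign the capture was taken with a small snaplen and the payloads are gone, which matters before concluding that a capture "contains no" particular content.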

