Tcpdump usage examples
> tcpdump -ni eth0 src host 192.168.1.1 and dst host 172.16.1.1 and dst port 23 -s 1500 -w /tmp/tr.pcap
> tcpdump -i eth0 -c 10 -w [Filename] // save the packets sent and received to a file and inspect them (count of 10)
> tcpdump -r [Filename] // inspect the packet headers stored in the tcpdump file
> tcpdump -Xqnr [Filename].log // view the contents of the captured tcpdump.log file in hex and ASCII
* Log messages generated in sniffing mode (when tcpdump is run)
eth0: Setting promiscuous mode.
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
Capture packets whose destination address is in 1.2.3.x/24 or 1.2.4.x/25 and whose destination port is 80
> tcpdump -q \( dst net 1.2.3.0/24 or 1.2.4.0/25 \) and dst port 80
Print all packets arriving at or departing from host A
> tcpdump host A
Print all traffic between host A and either B or C
> tcpdump host A and \( B or C \)
Print all IP packets between host A and any host other than B
> tcpdump ip host A and not B
Print all traffic between the local hosts and the hosts at Berkeley
> tcpdump net ucb-ether
Print all ftp traffic through gateway A
> tcpdump 'gateway A and (port ftp or ftp-data)'
Print all traffic that is neither sourced from nor destined for the local network
> tcpdump ip and not net 
Print the start and end packets (SYN and FIN) of TCP conversations that do not stay within the local network
> tcpdump 'tcp[13] & 3 != 0 and not src and dst net '
Print IP packets longer than 576 bytes sent through gateway A
> tcpdump 'gateway A and ip[2:2] > 576'
Print IP broadcast or multicast packets that were not sent as Ethernet broadcast or multicast
> tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
Print all ICMP packets that are not echo requests or replies (i.e. not ping packets)
> tcpdump 'icmp[0] != 8 and icmp[0] != 0'
Print all packets from the 1.2.3 and 1.2.4 (internal) networks except those staying inside them (parentheses added so the qualifiers group as intended)
> tcpdump '(src net 1.2.3 or src net 1.2.4) and not (dst net 1.2.3 or dst net 1.2.4)'
Print all packets on interface br1
> tcpdump -i br1
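The byte-offset filters above (tcp[13], ip[2:2], icmp[0], ether[0], ip[16]) index directly into the protocol headers, which is easy to get wrong. The following is an added example, not part of the original post or of tcpdump itself: it builds a handful of constructed Ethernet/IPv4 frames, evaluates the same four predicates in Python using the same offsets the filter expressions use, and writes the frames to a pcap file so the result can be cross-checked with `tcpdump -r example.pcap '<filter>'`. The MAC addresses, IP addresses, ports and the output path are assumed sample values chosen for the example.

```python
"""Evaluate tcpdump byte-offset filters on constructed frames and write them to a pcap."""
import os
import struct
import tempfile

ETH_HLEN = 14  # ip[N] is relative to byte 14 of an Ethernet frame


def ipv4_frame(src, dst, proto, payload, eth_dst=b"\x00\x11\x22\x33\x44\x55"):
    """Ethernet II + IPv4 header + payload. Checksums are left at zero (constructed data)."""
    eth = eth_dst + b"\xaa\xbb\xcc\xdd\xee\xff" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto,
                     0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def tcp_segment(sport, dport, flags):
    # 20-byte TCP header; byte 13 carries the flag bits (FIN=0x01, SYN=0x02, ACK=0x10)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_msg(icmp_type):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)


def l4_off(frame):
    """Start of the transport header: tcp[N]/icmp[N] are relative to this offset."""
    return ETH_HLEN + (frame[ETH_HLEN] & 0x0F) * 4


def tcp_syn_or_fin(frame):  # 'tcp[13] & 3 != 0'
    return frame[ETH_HLEN + 9] == 6 and frame[l4_off(frame) + 13] & 3 != 0


def ip_longer_than_576(frame):  # 'ip[2:2] > 576' (IP total length field)
    return struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0] > 576


def icmp_not_echo(frame):  # 'icmp[0] != 8 and icmp[0] != 0'
    return frame[ETH_HLEN + 9] == 1 and frame[l4_off(frame)] not in (8, 0)


def ip_mcast_without_ether_mcast(frame):  # 'ether[0] & 1 = 0 and ip[16] >= 224'
    return frame[0] & 1 == 0 and frame[ETH_HLEN + 16] >= 224


FILTERS = {
    "tcp[13] & 3 != 0": tcp_syn_or_fin,
    "ip[2:2] > 576": ip_longer_than_576,
    "icmp[0] != 8 and icmp[0] != 0": icmp_not_echo,
    "ether[0] & 1 = 0 and ip[16] >= 224": ip_mcast_without_ether_mcast,
}


def sample_frames():
    """Constructed sample traffic; names describe what each frame is meant to exercise."""
    return {
        "syn": ipv4_frame("10.0.0.5", "10.0.0.9", 6, tcp_segment(40000, 23, 0x02)),
        "ack": ipv4_frame("10.0.0.5", "10.0.0.9", 6, tcp_segment(40000, 23, 0x10)),
        "big": ipv4_frame("10.0.0.5", "10.0.0.9", 17, udp_datagram(5000, 5001, b"\x00" * 592)),
        "ping": ipv4_frame("10.0.0.5", "10.0.0.9", 1, icmp_msg(8)),
        "unreach": ipv4_frame("10.0.0.5", "10.0.0.9", 1, icmp_msg(3)),
        # multicast IP carried in a unicast Ethernet frame: the anomaly the filter looks for
        "mcast": ipv4_frame("10.0.0.5", "224.0.0.251", 17, udp_datagram(5353, 5353, b"")),
        # same multicast IP with a proper multicast MAC: must not match
        "mcast_ok": ipv4_frame("10.0.0.5", "224.0.0.251", 17, udp_datagram(5353, 5353, b""),
                               eth_dst=b"\x01\x00\x5e\x00\x00\xfb"),
    }


def matching(filter_expr, frames):
    """Names of the frames the given filter expression would select."""
    pred = FILTERS[filter_expr]
    return [name for name, fr in frames.items() if pred(fr)]


def write_pcap(path, frames):
    """Classic pcap: little-endian global header, link type 1 (Ethernet), one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(fr), len(fr)) + fr)


def read_pcap(path):
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    frames, pos = [], 24
    while pos < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return frames


def pcap_roundtrip(frames):
    """True when frames survive a write/read cycle unchanged."""
    path = os.path.join(tempfile.mkdtemp(), "example.pcap")
    write_pcap(path, frames)
    return read_pcap(path) == frames


if __name__ == "__main__":
    frames = sample_frames()
    for expr in FILTERS:
        print(f"{expr:40} -> {matching(expr, frames)}")
    write_pcap("example.pcap", list(frames.values()))
    print("wrote example.pcap; compare with: tcpdump -nr example.pcap '<filter>'")
```

Running the script should select only `syn`, `big`, `unreach` and `mcast` respectively; `tcpdump -nr example.pcap` with each quoted filter gives the same four selections, which is a convenient way to sanity-check a hand-written offset filter before using it on a live capture.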
See the list of interfaces on which tcpdump can listen: tcpdump -D
Listen on interface eth0: tcpdump -i eth0
Listen on any available interface (cannot be done in promiscuous mode; requires Linux kernel 2.2 or greater): tcpdump -i any
Be verbose while capturing packets: tcpdump -v
Be more verbose while capturing packets: tcpdump -vv
Be very verbose while capturing packets: tcpdump -vvv
Be verbose and print the data of each packet in both hex and ASCII, excluding the link level header: tcpdump -v -X
Be verbose and print the data of each packet in both hex and ASCII, also including the link level header: tcpdump -v -XX
Be less verbose (than the default) while capturing packets: tcpdump -q
Limit the capture to 100 packets: tcpdump -c 100
Record the packet capture to a file called capture.cap: tcpdump -w capture.cap
Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real time: tcpdump -v -w capture.cap
Display the packets of a file called capture.cap: tcpdump -r capture.cap
Display the packets using maximum detail of a file called capture.cap: tcpdump -vvv -r capture.cap
Display IP addresses and port numbers instead of domain and service names when capturing packets (note: on some systems you need to specify -nn to display port numbers): tcpdump -n
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n src host 192.168.1.1
Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers: tcpdump -n host 192.168.1.1
Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n dst net 192.168.1.0/24
Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n src net 192.168.1.0/24
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers: tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port numbers: tcpdump -n dst port 23
Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n dst portrange 1-1023
Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n tcp dst portrange 1-1023
Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers: tcpdump -n udp dst portrange 1-1023
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers: tcpdump -n "dst host 192.168.1.1 and dst port 23"
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers: tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture any ICMP packets: tcpdump -v icmp
Capture any ARP packets: tcpdump -v arp
Capture either ICMP or ARP packets: tcpdump -v "icmp or arp"
Capture any packets that are broadcast or multicast: tcpdump -n "broadcast or multicast"
Capture 500 bytes of data for each packet rather than the default of 68 bytes: tcpdump -s 500
Capture all bytes of data within the packet: tcpdump -s 0