专栏首页howtouselinuxtcpdump如何使用

tcpdump如何使用

how-to-use-tcpdump

Tcpdump command is a famous network packet analyzing tool that is used to display TCP IP & other network packets being transmitted over the network attached to the system on which tcpdump has been installed. Tcpdump uses libpcap library to capture the network packets & is available on almost all Linux/Unix flavors.

Linux Tcpdump: Filter ipv6 ntp ping packets

Tcpdump: capture DHCP & DHCPv6 packets

20 Advanced Tcpdump Examples On Linux

10 Useful tcpdump command examples

TCPDUMP

README

Tcpdump is one of the best network analysis-tools ever for information security professionals.

Tcpdump is for everyone for hackers and people who have less of TCP/IP understanding.

OPTIONS

Below are some tcpdump options (with useful examples) that will help you working with the tool. They’re very easy to forget and/or confuse with other types of filters, i.e. ethereal, so hopefully this article can serve as a reference for you, as it does me:)

  • The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves.
  • The second is -X, which displays both hex and ascii content within the packet.
  • The final one is -S, which changes the display of sequence numbers to absolute rather than relative.

Show the packet’s contents in both hex and ascii.

tcpdump -X ....         

Same as -X, but also shows the ethernet header.

tcpdump -XX

Show the list of available interfaces

tcpdump -D

Line-readable output (for viewing as you save, or sending to other commands)

tcpdump -l

Be less verbose (more quiet) with your output.

tcpdump -q

Give human-readable timestamp output.

tcpdump -t :

Give maximally human-readable timestamp output.

tcpdump -tttt : 

Listen on the eth0 interface.

tcpdump -i eth0

Verbose output (more v’s gives more output).

tcpdump -vv 

Only get x number of packets and then stop.

tcpdump -c 

Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.

tcpdump -s 
tcpdump -S 

Get the ethernet header as well.

tcpdump -e 

Decrypt IPSEC traffic by providing an encryption key.

tcpdump -E

For more options, read manual:

BASIC USAGE

Display Available Interfaces

tcpdump -D
tcpdump --list-interfaces

Let’s start with a basic command that will get us HTTPS traffic:

tcpdump -nnSX port 443

Find Traffic by IP

Tcpdump: Filter UDP Packets

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Low Output:

tcpdump -nnvvS

Medium Output:

tcpdump -nnvvXS

Heavy Output:

tcpdump -nnvvXSs 1514

Getting Creative

  • Expressions are very nice, but the real magic of tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for.

There are three ways to do combination:

AND

and or &&

OR

or or ||

EXCEPT

not or !

Usage Example:

Traffic that’s from 192.168.1.1 AND destined for ports 3389 or 22

tcpdump 'src 192.168.1.1 and (dst port 3389 or 22)'

Exploring Tcpdump Filters with Examples

Advanced

Show me all URG packets:

tcpdump 'tcp[13] & 32 != 0'

Show me all ACK packets:

tcpdump 'tcp[13] & 16 != 0'

Show me all PSH packets:

tcpdump 'tcp[13] & 8 != 0'

Show me all RST packets:

tcpdump 'tcp[13] & 4 != 0'

Show me all SYN packets:

tcpdump 'tcp[13] & 2 != 0'

Show me all FIN packets:

tcpdump 'tcp[13] & 1 != 0'

Show me all SYN-ACK packets:

tcpdump 'tcp[13] = 18'

Show all traffic with both SYN and RST flags set: (that should never happen)

tcpdump 'tcp[13] = 6'

Show all traffic with the “evil bit” set:

tcpdump 'ip[6] & 128 != 0'

Display all IPv6 Traffic:

tcpdump ip6
tcpdump -A -i eth0

Display Captured Packets in HEX and ASCII

tcpdump -XX -i eth0

Capture and Save Packets in a File

tcpdump -w 0001.pcap -i eth0

Read Captured Packets File

tcpdump -r 0001.pcap

Capture IP address Packets

tcpdump -n -i eth0

Capture only TCP Packets.

tcpdump -i eth0 tcp

Capture Packet from Specific Port

tcpdump -i eth0 port 22

Capture Packets from source IP

tcpdump -i eth0 src 192.168.0.2

Capture Packets from destination IP

tcpdump -i eth0 dst 50.116.66.139

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet coming from or going to x.x.x.x

tcpdump -n host x.x.x.x

Capture any packet going to x.x.x.x

tcpdump -n dst host x.x.x.x

Capture any packed coming from x.x.x.x

tcpdump -n src host x.x.x.x

Capture any packet going to network x.x.x.0/24

tcpdump -n dst net x.x.x.0/24

Capture any packet coming from network x.x.x.0/24

tcpdump -n src net x.x.x.0/24

Capture any packet with destination port x

tcpdump -n dst port x

Capture any packet coming from port x

tcpdump -n src port x

Capture any packets from or to port range x to y

tcpdump -n dst(or src) portrange x-y

Capture any tcp or udp port range x to y

tcpdump -n tcp(or udp) dst(or src) portrange x-y

Capture any packets with dst ip x.x.x.x and port y

tcpdump -n "dst host x.x.x.x and dst port y"

Capture any packets with dst ip x.x.x.x and dst ports x, z

tcpdump -n "dst host x.x.x.x and (dst port x or dst port z)"

Capture ICMP , ARP

tcpdump -v icmp(or arp)

Capture packets on interface eth0 and dump to cap.txt file

tcpdump -i eth0 -w cap.txt

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp
tcpdump port 3389 
tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Find Traffic by IP

tcpdump host 1.1.1.1

Filtering by Source and/or Destination

tcpdump src 1.1.1.1 
tcpdump dst 1.0.0.1

Finding Packets by Network

tcpdump net 1.2.3.0/24

Get Packet Contents with Hex Output

tcpdump -c 1 -X icmp
tcpdump port 3389 
tcpdump src port 1025

Show Traffic of One Protocol

tcpdump icmp

Show only IP6 Traffic

tcpdump ip6

Find Traffic Using Port Ranges

tcpdump portrange 21-23

Find Traffic Based on Packet Size

 tcpdump less 32 
 tcpdump greater 64 
 tcpdump <= 128
 tcpdump => 128

Reading / Writing Captures to a File (pcap)

tcpdump port 80 -w capture_file
tcpdump -r capture_file

Capture ICMP Packets With Tcpdump

It’s All About the Combinations

Raw Output View

tcpdump -ttnnvvS

Here are some examples of combined commands.

From specific IP and destined for a specific Port

tcpdump -nnvvS src 10.5.2.3 and dst port 3389

Linux Tcpdump: Filter ipv6 ntp ping packets

From One Network to Another

tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16

Non ICMP Traffic Going to a Specific IP

tcpdump dst 192.168.0.2 and src net and not icmp

Traffic From a Host That Isn’t on a Specific Port

tcpdump -vv src mars and not dst port 22

Isolate TCP RST flags.

tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'

Isolate TCP SYN flags.

tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'

Isolate packets that have both the SYN and ACK flags set.

tcpdump 'tcp[13]=18'

Isolate TCP URG flags.

tcpdump 'tcp[13] & 32!=0'
tcpdump 'tcp[tcpflags] == tcp-urg'

Isolate TCP ACK flags.

tcpdump 'tcp[13] & 16!=0'
tcpdump 'tcp[tcpflags] == tcp-ack'

Isolate TCP PSH flags.

tcpdump 'tcp[13] & 8!=0'
tcpdump 'tcp[tcpflags] == tcp-psh'

Isolate TCP FIN flags.

tcpdump 'tcp[13] & 1!=0'
tcpdump 'tcp[tcpflags] == tcp-fin'

Commands that I using almost daily

Both SYN and RST Set

tcpdump 'tcp[13] = 6'

Find HTTP User Agents

tcpdump -vvAls0 | grep 'User-Agent:'
tcpdump -nn -A -s1500 -l | grep "User-Agent:"

Filtering CDP LLDP packets with Tcpdump

By using egrep and multiple matches we can get the User Agent and the Host (or any other header) from the request.

tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'

Capture only HTTP GET and POST packets only packets that match GET.

tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

Extract HTTP Request URL's

tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture Cookies from Server and from Client

tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

Capture all ICMP packets

tcpdump -n icmp

Show ICMP Packets that are not ECHO/REPLY (standard ping)

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Troubleshooting NTP Query and Response

tcpdump dst port 123

Capture FTP Credentials and Commands

tcpdump -nn -v port ftp or ftp-data

Rotate Capture Files

tcpdump  -w /tmp/capture-%H.pcap -G 3600 -C 200

Capture IPv6 Traffic

tcpdump -nn ip6 proto 6

IPv6 with UDP and reading from a previously saved capture file.

tcpdump -nr ipv6-test.pcap ip6 proto 17

Detect Port Scan in Network Traffic

tcpdump -nn

USAGE EXAMPLE

Example Filter Showing Nmap NSE Script Testing

  • On Target:
  nmap -p 80 --script=http-enum.nse targetip
  • On Server:
  tcpdump -nn port 80 | grep "GET /"
       GET /w3perl/ HTTP/1.1
       GET /w-agora/ HTTP/1.1
       GET /way-board/ HTTP/1.1
       GET /web800fo/ HTTP/1.1
       GET /webaccess/ HTTP/1.1
       GET /webadmin/ HTTP/1.1
       GET /webAdmin/ HTTP/1.1

Capture Start and End Packets of every non-local host

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Capture DNS Request and Response

Filtering DNS with Tcpdump

tcpdump -i wlp58s0 -s0 port 53

Capture HTTP data packets

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Top Hosts by Packets

tcpdump -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Capture all the plaintext passwords

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

DHCP Example

tcpdump -v -n port 67 or 68

Cleartext GET Requests

tcpdump -vvAls0 | grep 'GET'

Find HTTP Host Headers

tcpdump -vvAls0 | grep 'Host:'

Find HTTP Cookies

tcpdump -vvAls0 | grep 'Set-Cookie|Host:|Cookie:'

Find SSH Connections

tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'

Find DNS Traffic

tcpdump -vvAs0 port 53

Find FTP Traffic

tcpdump -vvAs0 port ftp or ftp-data

Find NTP Traffic

tcpdump -vvAs0 port 123

Capture SMTP / POP3 Email

tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'

Line Buffered Mode

tcpdump -i eth0 -s0 -l port 80 | grep 'Server:'

Find traffic with evil bit

tcpdump 'ip[6] & 128 != 0'

Filter on protocol (ICMP) and protocol-specific fields (ICMP type)

Tcpdump: Filter Packets with Tcp Flags

tcpdump -n icmp and 'icmp0 != 8 and icmp0 != 0'

Same command can be used with predefined header field offset (icmptype) and ICMP type field values (icmp-echo and icmp-echoreply):

tcpdump -n icmp and icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply

Filter on TOS field

tcpdump -v -n ip and ip[1]!=0

Filter on TTL field

tcpdump -v ip and 'ip[8]<2'

Filter on TCP flags (SYN/ACK)

tcpdump -n tcp and port 80 and 'tcp[tcpflags] & tcp-syn == tcp-syn'

In the example above, all packets with TCP SYN flag set are captured. Other flags (ACK, for example) might be set also. Packets which have only TCP SYN flags set, can be captured

tcpdump tcp and port 80 and 'tcp[tcpflags] == tcp-syn'

Catch TCP SYN/ACK packets (typically, responses from servers):

tcpdump -n tcp and 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
tcpdump -n tcp and 'tcp[tcpflags] & tcp-syn == tcp-syn' and 'tcp[tcpflags] & tcp-ack == tcp-ack'

Catch ARP packets

tcpdump -vv -e -nn ether proto 0x0806

Filter on IP packet length

tcpdump -l icmp and '(ip[2:2]>50)' -w - |tcpdump -r - -v ip and '(ip[2:2]<60)'

Remark: due to some bug in tcpdump, the following command doesn't catch packets as expected:

tcpdump -v -n icmp and '(ip[2:2]>50)' and '(ip[2:2]<60)'

Filter on encapsulated content (ICMP within PPPoE)

tcpdump -v -n icmp

filter

tcpdump -q -i eth0
tcpdump -t -i eth0
tcpdump -A -n -q -i eth0 'port 80'
tcpdump -A -n -q -t -i eth0 'port 80'
tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12:2]&0xf0)>>2)) != 0)'

Dump SIP Traffic

tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4

Checking packet content

tcpdump -i any -c10 -nn -A port 80

Checking packet content

sudo tcpdump -i any -c10 -nn -A port 80

References & Awesome wikis

Capture ICMP Packets With Tcpdump

Debugging SSH Packets with Tcpdump

Using Tcpdump to Filter DNS Packets

Learn tcpdump Quick Guide

Filtering DNS with Tcpdump

Filtering CDP LLDP packets with Tcpdump

Tcpdump Cheat Sheet (Basic Advanced Examples)

END!

原文链接:https://www.howtouselinux.com/post/tcpdump-filters

相关文章

  • TcpDump使用手册

    0x01 Tcpdump简介 ---- tcpdump 是一个运行在命令行下的嗅探工具。它允许用户拦截和显示发送或收到过网络连接到该计算机的TCP/IP和其他...

    小小科
  • tcpdump使用小记

    版权声明:本文为耕耘实录原创文章,各大自媒体平台同步更新。欢迎转载,转载请注明出处,谢谢

    耕耘实录
  • 使用tcpdump抓包

    上面是常用的选项, 更多的选项请参考tcpdump官方文档, 下面将对使用过滤条件抓包进行基本的介绍

    用户8851537
  • Linux tcpdump 使用介绍

    tcpdump 是 Linux 系统提供一个非常强大的抓包工具,熟练使用它,对我们排查网络问题非常有用。如果你的机器上还没有安装,可以使用如下命令安装:

    范蠡
  • tcpdump使用技巧(转载)

    很早就用过Wireshark进行抓包分析,但当时写过滤表达式很是一知半解,多半是从网上抄来的,根本没理解过滤表达式的含义。今天有幸看到一篇tcpdump入门使用...

    jeremyxu
  • 【CentOS_7】使用tcpdump抓明文包

    tcpdump功能强大,更多参数可以参考 https://www.cnblogs.com/bhlsheji/p/5032912.html

    BH8ANK
  • Linux基础学习之利用tcpdump抓包实例代码

    很多时候我们的系统部署在Linux系统上面,在一些情况下定位问题就需要查看各个系统之间发送数据报文是否正常,下面我就简单讲解一下如何使用tcpdump抓包

    砸漏
  • 抓包工具 | tcpdump 简明教程[译]

    tcpdump 毫无无疑是非常重要的网络分析工具,对于任何想深入理解TCP/IP的人来说,掌握该工具的使用是非常必要的。

    咸鱼学Python
  • Tcpdump的详细用法

         TcpDump可以将网络中传送的数据包的“头”完全截获下来提供分析。它支持针对网络层、协议、主机、网络或端口的过滤,并提供and、or、not等逻辑语...

    孙杰
  • 在Linux中使用tcpdump命令捕获与分析数据包详解

    tcpdump 是一个有名的命令行数据包分析工具。我们可以使用 tcpdump 命令捕获实时 TCP/IP 数据包,这些数据包也可以保存到文件中。之后这些捕获的...

    砸漏
  • Linux命令行使用tcpdump介绍

    Tcpdump 包含在多个 Linux 发行版中,因此您可能已经安装了它。使用以下命令检查您的系统上是否安装了 tcpdump:

    施主-借个火
  • Tcpdump 的用法

    更新时间:2005-12-26 11:55 阅读提示:第一种是关于类型的关键字,主要包括host,net,port, 例如 host 210.27.48.2,指...

    一见
  • 作为DBA,你有必要了解一下tcpdump

    tcpdump 是一款强大的网络抓包工具,dump the traffice on anetwork,对网络上的数据包进行截获的包分析工具。熟练掌握tcpdum...

    用户1278550
  • UNIX系统上的抓包工具tcpdump常用命令说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上。 不带任何选项的tcpdump,默认会抓取第一个网络接口,且只有将tcp...

    用户6641876
  • 记一次丢包分析

    最近笔者在做视频通话相关业务,在分析一些花屏、卡顿等视频异常现象时,首先想到的就是抓包,于是笔者使用了tcpdump进行了抓包,命令如下:

    Seven Du
  • 抓包工具 tcpdump 用法说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上。

    233333
  • 史上最简明的 Tcpdump 入门指南,看这一篇就够了

    网络数据包截获分析工具。支持针对网络层、协议、主机、网络或端口的过滤。并提供and、or、not等逻辑语句帮助去除无用的信息。

    杰哥的IT之旅
  • 抓包工具tcpdump用法说明

    tcpdump采用命令行方式对接口的数据包进行筛选抓取,其丰富特性表现在灵活的表达式上。

    用户5807183
  • Linux基础急速入门:用 TCPDUMP 抓包

    简介 网络数据包截获分析工具。支持针对网络层、协议、主机、网络或端口的过滤。并提供and、or、not等逻辑语句帮助去除无用的信息。 tcpdump - dum...

    小小科

扫码关注云+社区

领取腾讯云代金券