Monday, July 10, 2017

TCPDUMP COMMAND

tcpdump is a widely used command-line tool for capturing and printing network packets on Linux. It reads raw packets through libpcap, so it normally has to be run as root (or with the CAP_NET_RAW capability).

  • tcpdump --version  --prints the installed tcpdump and libpcap versions
  • tcpdump -h  --prints the usage summary (the version line is printed first)
  • tcpdump -D  --lists the interfaces tcpdump can capture on

CAPTURE HOST
**********************
tcpdump -i <interface-name> host <ip-address>

it will capture every packet in which the ip-address appears as either source or destination

NOTE: -i selects the interface (eth0, ens33, any, ...). Without -i, tcpdump picks the first non-loopback interface it finds.

NO DOMAIN LOOKUP
***************************
tcpdump -i <interface-name> -n host <ip-address>

it will capture every packet in which the ip-address appears as either source or destination
it will not resolve IP addresses to host names, so no reverse-DNS lookups are made. This keeps the capture fast and avoids leaking the addresses you are watching to a DNS server, which matters during an investigation.


NO DOMAIN AND PROTOCOL LOOKUP
******************************************
tcpdump -i <interface-name> -nn host <ip-address>

it will capture every packet in which the ip-address appears as either source or destination
it will not resolve IP addresses to host names
it will not resolve port numbers to service names (you see 22 instead of ssh, 53 instead of domain)

NOTE: -n disables name resolution; -nn disables host-name and port/service-name resolution. Use -nn by default when the output is going to be parsed or compared with firewall rules.

RESTRICT THE PACKETS BEING CAPTURED
**************************************************
tcpdump -i <interface-name> -nn host <ip-address> -c <number of packets to be captured>

NOTE: -c means count; tcpdump exits after that many packets have been captured. Without it the capture runs until Ctrl-C.


CAPTURE HOST AND SERVICE OR PORT
**********************************************
tcpdump -i <interface-name> -nn host <ip-address> and port <port-number> -c <number of packets to be captured>

SAVE AND CAPTURE TCPDUMP DATA
*******************************************
tcpdump -i <interface-name> -nn host <ip-address> and port <port-number> -c <number of packets to be captured> > /tmp/PacketCapture.txt

This saves only the decoded one-line summaries that tcpdump prints, not the packets themselves.

tcpdump -i <interface-name> -nn host <ip-address> and port <port-number> -c <number of packets to be captured> -w /tmp/PacketCapture.pcap

-w takes the file name directly (no shell redirect) and writes the raw packets in pcap format, which can later be opened in Wireshark or read back with tcpdump -r /tmp/PacketCapture.pcap. Add -s 0 on older versions to make sure full packets are saved rather than the first 68 bytes.
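To show what the -w option actually writes, the following script (added here as an illustration, not tcpdump's own code) builds two constructed Ethernet/IPv4/TCP frames with made-up MAC and IP addresses, writes them into a pcap file with the same 24-byte global header and 16-byte per-packet header that tcpdump and Wireshark use, reads the file back, and prints a tcpdump -nn style summary line. The TCP checksum is left at zero on purpose (tcpdump -vv would flag it), while the IP header checksum is computed properly.

```python
"""Write and read a minimal pcap file, the format produced by `tcpdump -w`.
Added example; the frames are constructed, not captured."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1        # link type 1 = Ethernet, what -i eth0 produces


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet + IPv4 + TCP SYN frame (54 bytes, no payload)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # seq=1 ack=0 data-offset=5 flags=SYN window=65535 cksum=0 urg=0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp


def write_pcap(path, records, snaplen=65535):
    """records: iterable of (timestamp_seconds, frame_bytes)."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in records:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("=IIII", sec, usec, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Return (linktype, [(timestamp, frame_bytes), ...]) for a same-endian pcap file."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack("=IHHiIII", f.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("not a native-order pcap file (magic %#x)" % magic)
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            sec, usec, incl_len, _orig_len = struct.unpack("=IIII", hdr)
            records.append((sec + usec / 1e6, f.read(incl_len)))
    return linktype, records


def summarize(frame):
    """tcpdump -nn style 'src.port > dst.port' line for an Ethernet/IPv4/TCP frame."""
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[34:38])
    return "%s.%d > %s.%d" % (src, sport, dst, dport)


def demo():
    """Write two constructed frames, read them back, return (linktype, summaries)."""
    records = [(1499673600.5, build_frame("10.20.30.40", "192.168.1.5", 51000, 22)),
               (1499673600.75, build_frame("192.168.1.5", "10.20.30.40", 22, 51000))]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, records)
        linktype, back = read_pcap(path)
    finally:
        os.unlink(path)
    return linktype, [summarize(fr) for _ts, fr in back]


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The file this produces opens in Wireshark as an ordinary Ethernet capture. Reading a pcap written on a machine with the other byte order would need the swapped magic 0xD4C3B2A1 handled as well, which is left out here.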

CAPTURE HOST AND PROTOCOL
**************************************
tcpdump -i <interface-name> -nn host <ip-address> and <protocol> -c <number of packets to be captured>

NOTE: <protocol> can be tcp, udp, icmp, arp etc. The capture then shows only that protocol's packets involving the host.

NEGATE FILTER
**********************
tcpdump -i <interface-name> -nn host <ip-address> and not <protocol> -c <number of packets to be captured>


CAPTURING PACKETS ON PARTCIULAR SOURCE/DESTINATION  ADDRESS
******************************************************************************
tcpdump -i <interface-name> -nn dst <ip-address> and not <protocol> -c <number of packets to be captured>
tcpdump -i <interface-name> -nn src <ip-address> and not <protocol> -c <number of packets to be captured>

dst matches only packets sent to the address, src only packets sent from it (src/dst on their own mean src host/dst host).

COMBINATION
********************
tcpdump -i <interface-name> -nn '(dst <ip-address1> or dst <ip-address2>) and port <portnumber>'

NOTE: in filter expressions "and" binds tighter than "or", so without the parentheses
dst <ip-address1> or dst <ip-address2> and port <portnumber> means
dst <ip-address1> or (dst <ip-address2> and port <portnumber>), which is usually not what is wanted. Quote the whole expression so the shell does not interpret the parentheses.
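The precedence rule above is easy to get wrong, so here is a small model of the filter language (an added example, not libpcap's real compiler, which turns expressions into BPF bytecode) run over a handful of constructed packets. It supports host, src, dst, net, port, portrange, the tcp/udp/icmp keywords, not/and/or and parentheses with the same precedence as pcap-filter, and it rejects a net value with host bits set, as libpcap does with "non-network bits set".

```python
"""Model of tcpdump filter precedence over constructed packets (added example)."""
import ipaddress
import re

# Constructed sample traffic, not a real capture: (src, dst, proto, sport, dport)
PACKETS = [
    {"src": "10.20.30.40", "dst": "192.168.1.5", "proto": "tcp", "sport": 51000, "dport": 22},
    {"src": "192.168.1.5", "dst": "10.20.30.40", "proto": "tcp", "sport": 22, "dport": 51000},
    {"src": "10.20.30.41", "dst": "192.168.1.5", "proto": "udp", "sport": 5353, "dport": 53},
    {"src": "10.20.30.40", "dst": "192.168.1.9", "proto": "icmp", "sport": None, "dport": None},
]

TOKEN = re.compile(r"\(|\)|[^\s()]+")


class Parser:
    """Recursive descent: or < and < not < primitive (lowest to highest precedence)."""

    def __init__(self, expr):
        self.toks = TOKEN.findall(expr)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return ("proto", tok)
        if tok in ("src", "dst"):                      # src X == src host X; dst port N also allowed
            kind = self.take() if self.peek() in ("host", "port") else "host"
            return (tok + "_" + kind, self.take())
        if tok in ("host", "net", "port", "portrange"):
            return (tok, self.take())
        raise ValueError("unknown primitive %r" % tok)


def matches(node, pkt):
    op = node[0]
    if op == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if op == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if op == "not":
        return not matches(node[1], pkt)
    if op == "proto":
        return pkt["proto"] == node[1]
    if op == "host":
        return node[1] in (pkt["src"], pkt["dst"])
    if op == "src_host":
        return pkt["src"] == node[1]
    if op == "dst_host":
        return pkt["dst"] == node[1]
    if op == "net":                                   # strict=True rejects 10.10.11.10/16 like libpcap
        net = ipaddress.ip_network(node[1], strict=True)
        return any(ipaddress.ip_address(a) in net for a in (pkt["src"], pkt["dst"]))
    ports = [p for p in (pkt["sport"], pkt["dport"]) if p is not None]
    if op == "port":
        return int(node[1]) in ports
    if op == "src_port":
        return pkt["sport"] == int(node[1])
    if op == "dst_port":
        return pkt["dport"] == int(node[1])
    if op == "portrange":
        lo, hi = (int(x) for x in node[1].split("-"))
        return any(lo <= p <= hi for p in ports)
    raise ValueError(op)


def apply_filter(expr, packets=PACKETS):
    """Return the indexes of packets matched by the filter expression."""
    tree = Parser(expr).parse()
    return [i for i, p in enumerate(packets) if matches(tree, p)]


if __name__ == "__main__":
    print(apply_filter("dst 192.168.1.5 or dst 192.168.1.9 and port 22"))      # [0, 2]
    print(apply_filter("(dst 192.168.1.5 or dst 192.168.1.9) and port 22"))    # [0]
```

Packet 2 (UDP to port 53) is matched by the unparenthesised form because "dst 192.168.1.5" alone is enough on that branch; only the parenthesised form applies the port test to both addresses.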

CAPTURE MAC ADDRESS
******************************
tcpdump -i <interface-name> -nn -e host <ip-address> -c <number of packets to be captured>

-e prints the link-layer header on each line, i.e. the source and destination MAC addresses and the EtherType, which is useful for spotting ARP spoofing or an unexpected gateway MAC.


VERBOSE MODE
**********************
tcpdump -i <interface-name> -nn -vv host <ip-address> -c <number of packets to be captured>

-v, -vv and -vvv print progressively more detail from the headers (TTL, IP ID, total length, options, checksum verification). Use -X as well to dump the packet contents in hex and ASCII.


CAPTURING DUMP FOR NETWORK
***************************************
tcpdump -i <interface-name> -nn net <network/prefix-length> -c <number of packets to be captured>

For ex:
tcpdump -i eth3 -nn net 10.10.0.0/16 -c 5

NOTE: give the network address, not a host address: net 10.10.11.10/16 is rejected by libpcap with "non-network bits set".


CAPTURING DUMP MULITCAST AND BROADCAST
*****************************************************
tcpdump -i <interface-name> -nn "broadcast or multicast" -c <number of packets to be captured>

For ex:
tcpdump -i eth3 -nn "broadcast or multicast" -c 5

CAPTURING DUMP FOR PORT RANGE
*****************************************
tcpdump -i <interface-name> -nn dst <ip-address> and portrange <port-range details>

For ex:
tcpdump -i eth3 -nn dst 10.20.30.40 and portrange 1-100
