loading...

tcpdump cheat sheet

dannypsnl profile image 林子篆 Originally published at dannypsnl.github.io on ・2 min read

tcpdump?

A command line tool for analyzing network packets.

How to get packets?

Using -i option, tcpdump -i <device-name>, you would get the packet through NIC(network interface card) named .

How to get <device-name>?

using ip link could get some, e.g.

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:01:37:d1:9c:bd brd ff:ff:ff:ff:ff:ff
$ tcpdump -i eth0

Now I know how to get all packets through certain NIC, but I want to analysis specify connections, how can I get it?

Expression.

What Expression?

tcpdump expression.

What is tcpdump expression?

A set of combinable rules, for example src 10.0.0.10 means only the packets from 10.0.0.10 would show.Here is a list(incomplete) of tcpdump expression, the # leading comments:

host 10.0.0.10 # from or to 10.0.0.10
port 23 # contains port 23
dst 10.0.0.10 # as src, but for destination
# Protocols
arp # only ARP
icmp
tcp
udp
fddi
ether
# Protocol logic is simple, is not, for all

You say they are combinable, how they combined?

Good question, they can be combined with or, and or with leading !(not); or is or, not and, for example, src 10.0.0.10 or src 10.0.0.11 is for packets from 10.0.0.10 or 10.0.0.11, obviously.

I found packets not showing all informations I want, what could I do?

Simple, tcpdump has -v for verbose output, -vv for more verbose, -vvv for even more verbose. -vvvv for… no, I’m kidding.

Ha, that’s funny, and the timestamp is not readable for me, how to make it more friendly?

Use -t, and not kidding, use -ttttt for maximally timestamp, and you have -kt, k <- 1..=5 for different level output.

I found the IP be replaced by host name but I don’t want it, how to remove it?

-n would tell tcpdump stop convert address.

What if I want to save my hard working result?

-w <filename> is what you’re looking for, it would write the raw packets to file named <filename> rather than parsing & printing. And remember you can record packets into a file, and use Wireshark to analysis it! For complex flow analyzing, I would do that. Now, the most important path already covered, you can always get more & fresher information about it from manpage of tcpdump, good lucks.

references

Posted on by:

dannypsnl profile

林子篆

@dannypsnl

I am a programming language theory lover; good at system software like Networking, OS.

Discussion

markdown guide
 

The post is interesting and it explores the tcpdump cheat sheet. tcpdump is considered as a command line means for examining network packets. It says that Using -i option, tcpdump -i , you would acquire the packet through NIC (network interface card) named.

Thanks,
best essay writing help