7/23/2019 Packet Analyzer
Packet Analyzer: 15 TCPDUMP Command Examples
The tcpdump command is also called a packet analyzer. It works on most flavors of Unix. tcpdump lets us save the captured packets so that we can use them for later analysis. The saved file can be viewed with the same tcpdump command, or with open source software like Wireshark, which reads tcpdump pcap files.
In this tcpdump tutorial, let us discuss some practical examples of how to use the tcpdump command.
1. Capture packets from a particular ethernet interface using tcpdump -i
When you execute the tcpdump command without any option, it captures all the packets flowing through all the interfaces. The -i option of the tcpdump command lets you restrict the capture to a particular ethernet interface.
$ tcpdump -i eth1
14:59:26.608728 IP xx.domain.netbcp.net.52497 > valh4.lell.net.ssh: . ack 540 win 16554
14:59:26.610602 IP resolver.lell.net.domain > valh4.lell.net.24151: 4278 1/0/0 (73)
14:59:26.611262 IP valh4.lell.net.38527 > resolver.lell.net.domain: 26364+ PTR? 244.207.104.10.in-addr.arpa. (45)
In this example, tcpdump captured all the packets flowing on the interface eth1 and displays them on standard output.
Note: The Editcap utility is used to select or remove specific packets from a dump file and translate them into a given format.
http://www.thegeekstuff.com/2009/02/editcap-guide-11-examples-to-handle-network-packet-dumps-effectively/
2. Capture only N number of packets using tcpdump -c
When you execute the tcpdump command, it keeps printing packets until you cancel it. Using the -c option you can specify the number of packets to capture.
$ tcpdump -c 2 -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:38:38.184913 IP valh4.lell.net.ssh > .domain.innetbcp.net.11006: P 1457255642:1457255758(116) ack 1561463966 win 63652
14:38:38.690919 IP valh4.lell.net.ssh > .domain.innetbcp.net.11006: P 116:232(116) ack 1 win 63652
2 packets captured
13 packets received by filter
0 packets dropped by kernel
T$e a&o"e tcpdump command captured only * packets !rom inter!ace et$,.
Note:Mer#ecap and T-$ark: Mer#ecap is a packet dump com&inin# tool% $ic$ ill
com&ine multiple dumps into a sin#le dump !ile. Ts$ark is a poer!ul tool to capture
netork packets% $ic$ can &e used to analyze t$e netork tra!!ic. (t comes it$
ires$ark netork analyzer distri&ution.
3. Display Captured Packets in ASCII using tcpdump -A
The following tcpdump syntax prints the packets in ASCII.
$ tcpdump -A -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
!i"tenin on eth0/ !in#-tpe 103 'the%net)/ captu%e "ie 96 bte"
14:(4:50.91(995 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.11006: P
14572(9478:14572(9594'116) ac# 1561461262 in 6(652
..........i...9...;.=..?....
[email protected]*B.......C.
14:(4:51.42(640 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.11006: P 116:2(2'116)
ac# 1 in 6(652
........A..i...9...;.
(Only these output fragments of examples 4 and 5 survive in this copy; their headings and commands are missing.)
0x0030: 407 c976 0000 0000 0000 0000 ..........
18:52:54.877713 IP 10.0.0.0 > all-systems.mcast.net: igmp query v3 [max resp time 1s]
0x0000: 0050 569c 35a3 0000 0000 0000 0800 4600 .P
6. Reading the packets from a saved file using tcpdump -r
You can read the captured pcap file and view the packets for analysis, as shown below.
$ tcpdump -tttt -r data.pcap
2010-08-22 21:35:26.571793 00:50:56:9c:69:38 (oui Unknown) > Broadcast, ethertype Unknown (0xcafe), length 74:
0x0000: 0200 000a 0000 0c00 3c00 0000 ............Q...
0x0010: 0000 0000 0100 0080 3e9e 2900 0000 0000 ........>.).....
0x0020: 0000 0000 ad00 996b 0600 0050 ...........#...P
0x0030: 569c 6938 0000 0000 8e07 0000
.domain.innetbcp.net.50570: P 800464396:800464448(52) ack 203316566 win 71
2010-08-22 21:35:26.571800 IP valh4.lell.net.ssh > .domain.innetbcp.net.50570: P 52:168(116) ack 1 win 71
2010-08-22 21:35:26.584865 IP valh5.lell.net.ssh > 11.154.12.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
7. Capture packets with IP address using tcpdump -n
In all the above examples, tcpdump prints packets with the DNS name, but not the IP address. The following example captures the packets and displays the IP address of the machines involved.
$ tcpdump -n -i eth0
15:01:35.170763 IP 10.0.19.121.52497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.170776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.170894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
8. Capture packets with a proper readable timestamp using tcpdump -tttt
$ tcpdump -n -tttt -i eth0
2010-08-22 15:10:39.162830 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 49800 win 16390
2010-08-22 15:10:39.162833 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50288 win 16660
2010-08-22 15:10:39.162867 IP 10.0.19.121.52497 > 11.154.12.121.ssh: . ack 50584 win 16586
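The -w, -r, -n and -tttt examples above all revolve around the pcap file that tcpdump writes and reads. The following is an added example, not code from the tutorial or from tcpdump itself: it writes a classic libpcap file from two constructed frames, reads it back, and prints one tcpdump-style line per packet with numeric addresses (as -n does) and a full date/time stamp (as -tttt does). The MAC 00:50:56:9c:69:38 is taken from the -r output above; the second MAC, the payload, the timestamps and the temporary file path are assumptions. The "capture size 96 bytes" seen in the outputs is the snaplen, and the example shows what it does: the 170-byte SSH frame is stored as 96 bytes, while the record header still carries the original length.

```python
"""Write a classic libpcap file, read it back and print tcpdump-style lines.
Added example, not code from the original tutorial; every packet is constructed
and the file is written to a temporary directory."""
import os
import socket
import struct
import tempfile
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1    # reported by tcpdump as "link-type EN10MB (Ethernet)"


def ipv4_header(src, dst, proto, payload_len):
    # 20-byte IPv4 header, no options; checksum left zero (not validated in this example)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport, dport, seq=0, ack=0, flags=0x18):
    # 20-byte TCP header; flags 0x18 = PSH|ACK, which tcpdump shows as "P"
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def arp_request(sender_mac, sender_ip, target_ip):
    # 28-byte ARP who-has: hw type 1 (Ethernet), proto 0x0800, opcode 1 (request)
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sender_mac,
                       socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))


def ethernet_frame(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def write_pcap(path, frames, snaplen=96):
    """frames: iterable of (ts_sec, ts_usec, frame_bytes). Each frame is cut at snaplen, as
    tcpdump does at capture time; the original length is still recorded in the record header."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for sec, usec, data in frames:
            captured = data[:snaplen]
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(data)))
            f.write(captured)


def read_pcap(path):
    """Return (snaplen, linktype, records) with records = (sec, usec, incl_len, orig_len, data).
    Byte order is taken from the magic number, so files of either endianness are accepted."""
    with open(path, "rb") as f:
        head = f.read(24)
        order = "<" if head[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
        if head[:4] != struct.pack(order + "I", PCAP_MAGIC):
            raise ValueError("not a classic pcap file, magic %s" % head[:4].hex())
        _, _, _, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", head)
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            sec, usec, incl_len, orig_len = struct.unpack(order + "IIII", hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("file ends in the middle of a packet record")
            records.append((sec, usec, incl_len, orig_len, data))
    return snaplen, linktype, records


def summarize(sec, usec, frame):
    """One line per packet in the spirit of 'tcpdump -n -tttt': date and time (UTC here,
    tcpdump prints local time), then numeric addresses and ports without name lookups."""
    ts = datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.") + "%06d" % usec
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 42:
        op = struct.unpack("!H", frame[20:22])[0]
        sender, target = socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])
        if op == 1:
            return "%s ARP, Request who-has %s tell %s" % (ts, target, sender)
        return "%s ARP, opcode %d" % (ts, op)
    if ethertype != 0x0800 or len(frame) < 34:
        return "%s ethertype 0x%04x, length %d" % (ts, ethertype, len(frame))
    ip = frame[14:34]
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto == 6 and len(frame) >= 38:  # TCP ports still fit inside a 96-byte snaplen
        sport, dport = struct.unpack("!HH", frame[34:38])
        return "%s IP %s.%d > %s.%d: tcp" % (ts, src, sport, dst, dport)
    return "%s IP %s > %s: proto %d" % (ts, src, dst, proto)


def demo():
    """Write two constructed frames with a 96-byte snaplen and read them back."""
    mac_a = bytes.fromhex("0050569c6938")  # MAC that appears in the tutorial's -r output
    mac_b = bytes.fromhex("0050569c35a3")  # constructed
    payload = b"A" * 116                    # 116-byte segment, like the P ...(116) lines above
    ssh = ethernet_frame(mac_a, mac_b, 0x0800,
                         ipv4_header("10.0.19.121", "11.154.12.121", 6, 20 + len(payload))
                         + tcp_header(52497, 22) + payload)
    arp = ethernet_frame(mac_b, b"\xff" * 6, 0x0806,
                         arp_request(mac_b, "11.154.12.1", "11.154.12.121"))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.pcap")
        write_pcap(path, [(1282489839, 162830, ssh), (1282489839, 162867, arp)], snaplen=96)
        _, _, records = read_pcap(path)
    # (summary line, captured bytes, original bytes): the SSH frame is cut from 170 to 96
    return [(summarize(s, u, data), incl, orig) for s, u, incl, orig, data in records]
```

Calling demo() returns the two summary lines together with captured and original lengths (96 of 170 for the SSH frame, 42 of 42 for the ARP frame). The same truncation happens in tcpdump when the snaplen is left at its default, which is why a file captured for later analysis should be taken with -s 0 (or the snaplen the tcpdump version defaults to) if the payload matters.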
9. Read packets longer than N bytes
You can receive only the packets greater than n number of bytes using the filter 'greater' in the tcpdump command.
$ tcpdump -w g_1024.pcap greater 1024
1,. 3ecei"e only t$e packets o! a speci!ic protocol type
4ou can recei"e t$e packets &ased on t$e protocol type. 4ou can speci!y one o! t$ese
protocols !ddi% tr% lan% ip% ip2% arp% rarp% decnet% tcp and udp. T$e !olloin#
example captures only arp packets !loin# t$rou#$ t$e et$, inter!ace.
$ tcpdump -i eth0 a%p
tcpdump: e%bo"e output "upp%e""ed/ u"e - o% - o% u!! p%otoco! decode
!i"tenin on eth0/ !in#-tpe 103 'the%net)/ captu%e "ie 96 bte"
19:41:52.809642 a%p ho-ha" a!h5.!e!!.net te!! a!h9.!e!!.net
19:41:52.86(689 a%p ho-ha" 11.154.12.1 te!! a!h6.!e!!.net
19:41:5(.024769 a%p ho-ha" 11.154.12.1 te!! a!h7.!e!!.net
11. Read packets smaller than N bytes
You can receive only the packets smaller than n number of bytes using the filter 'less' in the tcpdump command.
$ tcpdump -w l_1024.pcap less 1024
1*. 3ecei"e packets !los on a particular port usin# tcpdump port
(! you ant to kno all t$e packets recei"ed &y a particular port on a mac$ine% you
can use tcpdump command as s$on &elo.
$ tcpdump -i eth0 po%t 22
19:44:44.9(4459 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.6(897: P
189(2:19096'164) ac# 105 in 71
7/23/2019 Packet Analyzer
8/9
19:44:44.9(45(( IP a!h4.!e!!.net.""h > .domain.innetbcp.net.6(897: P
19096:19260'164) ac# 105 in 71
19:44:44.9(4612 IP a!h4.!e!!.net.""h > .domain.innetbcp.net.6(897: P
19260:19424'164) ac# 105 in 71
13. Capture packets for a particular destination IP and port
The packets will have source and destination IP addresses and port numbers. Using tcpdump we can apply filters on the source or destination IP and port number. The following command captures packets flowing on eth0 with a particular destination IP and port number 22.
$ tcpdump -w xpackets.pcap -i eth0 dst 10.181.140.216 and port 22
14. Capture TCP communication packets between two hosts
If two different processes on two different machines are communicating through the TCP protocol, we can capture those packets using tcpdump as shown below.
$ tcpdump -w comm.pcap -i eth0 dst 16.181.170.246 and port 22
You can open the file comm.pcap using any network protocol analyzer tool to debug any potential issues.
15. tcpdump Filter Packets - Capture all the packets other than arp and rarp
In the tcpdump command, you can combine 'and', 'or' and 'not' conditions to filter the packets accordingly.
$ tcpdump -i eth0 not arp and not rarp
20:33:15.479278 IP resolver.lell.net.domain > valh4.lell.net.64639: 26929 1/0/0 (73)
20:33:15.479890 IP valh4.lell.net.16053 > resolver.lell.net.domain: 56556+ PTR? 255.107.154.15.in-addr.arpa. (45)
20:33:15.480197 IP valh4.lell.net.ssh > .domain.innetbcp.net.63897: P 540:1504(964) ack 1 win 96
20:33:15.487118 IP .domain.innetbcp.net.63897 > valh4.lell.net.ssh: . ack 540 win 16486
20:33:15.668599 IP 10.0.0.0 > all-systems.mcast.net: igmp query v3 [max resp time 1s]
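Examples 9 to 15 are all capture filters, and their exact semantics are easy to get wrong when writing one for an investigation. The following added example (not code from the tutorial or from tcpdump) re-implements those primitives in Python over constructed packet records, so the behaviour can be checked without a live interface: 'port N' matches either direction of TCP, UDP or SCTP traffic, an unqualified 'dst host' also matches the ARP/RARP target address, and 'greater'/'less' are inclusive (len >= N and len <= N, as the pcap-filter manual states). The Pkt record layout, the sample traffic and the hosts in it are assumptions modelled loosely on the outputs above.

```python
"""Evaluate tcpdump (BPF) filter primitives the way the capture filter does,
over already-decoded packet records. Added example, not code from the original
tutorial; the packet records below are constructed, not captured."""
from collections import namedtuple

# proto: 'tcp', 'udp', 'sctp', 'icmp', 'igmp', 'arp' or 'rarp'; src/dst are IPv4 addresses
# (for ARP/RARP: sender and target); ports are None for non-transport packets;
# length is the on-the-wire frame length in bytes.
Pkt = namedtuple("Pkt", "proto src dst sport dport length")

IP_PROTOS = ("tcp", "udp", "sctp", "icmp", "igmp")
PORT_PROTOS = ("tcp", "udp", "sctp")


def proto(name):
    """'ip', 'arp', 'rarp', 'tcp', 'udp' ...: 'ip' means any IPv4 packet regardless of transport."""
    if name == "ip":
        return lambda p: p.proto in IP_PROTOS
    return lambda p: p.proto == name


def port(n):
    """'port N': TCP, UDP or SCTP with N as source OR destination port (both directions)."""
    return lambda p: p.proto in PORT_PROTOS and n in (p.sport, p.dport)


def dst_port(n):
    """'dst port N': only packets going to port N."""
    return lambda p: p.proto in PORT_PROTOS and p.dport == n


def dst_host(ip):
    """'dst host IP' (the tutorial's 'dst IP'): IPv4 destination, or ARP/RARP target address."""
    return lambda p: p.dst == ip


def greater(n):
    """'greater N' is inclusive: packet length >= N."""
    return lambda p: p.length >= n


def less(n):
    """'less N' is likewise inclusive: packet length <= N."""
    return lambda p: p.length <= n


def not_(f):
    return lambda p: not f(p)


def and_(*fs):
    return lambda p: all(f(p) for f in fs)


def or_(*fs):
    return lambda p: any(f(p) for f in fs)


def select(filt, pkts):
    return [p for p in pkts if filt(p)]


# Constructed sample traffic, loosely modelled on the hosts seen in the tutorial output.
SAMPLE = [
    Pkt("tcp", "10.0.19.121", "11.154.12.121", 52497, 22, 170),
    Pkt("tcp", "11.154.12.121", "10.0.19.121", 22, 52497, 1024),  # exactly 1024 bytes
    Pkt("udp", "10.0.19.121", "11.154.12.1", 63897, 53, 73),
    Pkt("arp", "11.154.12.1", "11.154.12.121", None, None, 42),
    Pkt("rarp", "11.154.12.5", "11.154.12.1", None, None, 42),
    Pkt("igmp", "10.0.0.0", "224.0.0.1", None, None, 46),
    Pkt("tcp", "10.0.19.121", "10.181.140.216", 40000, 22, 1500),
]

# The tutorial's filter expressions, written with the primitives above.
FILTERS = {
    "greater 1024": greater(1024),                                                 # example 9
    "arp": proto("arp"),                                                           # example 10
    "less 1024": less(1024),                                                       # example 11
    "port 22": port(22),                                                           # example 12
    "dst 10.181.140.216 and port 22": and_(dst_host("10.181.140.216"), port(22)),  # example 13
    "not arp and not rarp": and_(not_(proto("arp")), not_(proto("rarp"))),         # example 15
}


def counts(pkts=SAMPLE):
    """How many of the sample packets each tutorial filter would keep."""
    return {expr: len(select(f, pkts)) for expr, f in FILTERS.items()}


if __name__ == "__main__":
    for expr, n in counts().items():
        print("%-32s -> %d packet(s)" % (expr, n))
```

Two points worth noticing when running counts(): 'less 1024' and 'greater 1024' both keep the 1024-byte packet, so a pair of captures split that way overlaps on packets of exactly N bytes; and 'port 22' keeps the reply from port 22 as well as the request to it, which is what makes example 12 see both halves of the SSH session.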