Difference between revisions of "Tcpdump"

From Linuxintro
imported>ThorstenStaerk
imported>ThorstenStaerk
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
tcpdump is a [[command]] that allows you to monitor your network traffic. For example you can watch out for dhcp communication on your network using:
+
tcpdump is a [[command]] that allows you to monitor your network traffic by ports and devices.
 +
 
 +
= QuickStart =
 +
Let's [[set up a web server]] that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost:
 +
# tcpdump <abbr title="capture all traffic">-A</abbr><abbr title="local interface">i lo</abbr> <abbr title="web server port">port 80</abbr>
 +
Once we start requesting an html page, tcpdump gets active:
 +
<source>
 +
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 +
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
 +
21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0
 +
`....(.@...................................Po..E.........0.........
 +
............
 +
21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0
 +
`....(.@.................................P...
 +
.go..F.....0.........
 +
............
 +
21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
 +
`.... .@...................................Po..F.
 +
.h...V.(.....
 +
........
 +
21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116
 +
`......@...................................Po..F.
 +
.h...V.......
 +
........GET /index.htm HTTP/1.1
 +
User-Agent: Wget/1.16 (linux-gnu)
 +
Accept: */*
 +
Host: localhost
 +
Connection: Keep-Alive
 +
 
 +
 
 +
21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
 +
`.... .@.................................P...
 +
.ho......V.(.....
 +
........
 +
21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272
 +
`....0.@.................................P...
 +
.ho......V.8.....
 +
........HTTP/1.1 200 OK
 +
Date: Wed, 18 Nov 2015 20:46:20 GMT
 +
Server: Apache
 +
Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT
 +
ETag: "6-50dd8c82254d0"
 +
Accept-Ranges: bytes
 +
Content-Length: 6
 +
Keep-Alive: timeout=15, max=100
 +
Connection: Keep-Alive
 +
Content-Type: text/html
 +
 
 +
hallo
 +
 
 +
21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0
 +
`.... .@...................................Po....
 +
.x...^.(.....
 +
........
 +
21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0
 +
`.... .@...................................Po....
 +
.x...^.(.....
 +
........
 +
21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0
 +
`.... .@.................................P...
 +
.xo......V.(.....
 +
........
 +
21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0
 +
`.... .@...................................Po....
 +
.y...^.(.....
 +
........
 +
^C
 +
10 packets captured
 +
20 packets received by filter
 +
0 packets dropped by kernel
 +
</source>
 +
 
 +
== Saving in a file for wireshark ==
 +
To save the output in a file for wireshark use
 +
tcpdump -s 0 -Ali lo port 80 -w ''filename''.txt
 +
 
 +
= Examples =
 +
 
 +
== dhcp ==
 +
You can watch out for dhcp communication on your network using:
 
  tcpdump -i eth1 port 67 and port 68
 
  tcpdump -i eth1 port 67 and port 68
 +
 +
== SNMP ==
 +
You can display incoming [[snmp]] traps using:
 +
tcpdump <abbr title="display all data">-A</abbr> <abbr title="SNMP trap port">port 162</abbr> <abbr title="print output with linefeeds and flushing to allow piping">-l</abbr> | [[hexdump]] -C
  
 
= See also =
 
= See also =
Line 6: Line 89:
 
* [[netstat]]
 
* [[netstat]]
 
* [[netcat]]
 
* [[netcat]]
* [http://man-wiki.net/index.php/1:tcpdump tcpdump man page]
+
* [http://www.tcpdump.org/manpages/tcpdump.1.html tcpdump man page]
  
 
[[Category:low-level]]
 
[[Category:low-level]]
 +
[[Category:networking]]
 +
[[Category:command]]

Latest revision as of 20:27, 31 March 2020

tcpdump is a command that allows you to monitor your network traffic by ports and devices.

QuickStart

Let's set up a web server that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost:

# tcpdump -Ai lo port 80

Once we start requesting an html page, tcpdump gets active: <source> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 `....(.@...................................Po..E.........0......... ............ 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 `....(.@.................................P... .go..F.....0......... ............ 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@...................................Po..F. .h...V.(..... ........ 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 `......@...................................Po..F. .h...V....... ........GET /index.htm HTTP/1.1 User-Agent: Wget/1.16 (linux-gnu) Accept: */* Host: localhost Connection: Keep-Alive


21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@.................................P... .ho......V.(..... ........ 21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272 `....0.@.................................P... .ho......V.8..... ........HTTP/1.1 200 OK Date: Wed, 18 Nov 2015 20:46:20 GMT Server: Apache Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT ETag: "6-50dd8c82254d0" Accept-Ranges: bytes Content-Length: 6 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html

hallo

21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@.................................P... .xo......V.(..... ........ 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@...................................Po.... .y...^.(..... ........ ^C 10 packets captured 20 packets received by filter 0 packets dropped by kernel </source>

Saving in a file for wireshark

To save the output in a file for wireshark use

tcpdump -s 0 -Ali lo port 80 -w filename.txt

Examples

dhcp

You can watch out for dhcp communication on your network using:

tcpdump -i eth1 port 67 and port 68

SNMP

You can display incoming snmp traps using:

tcpdump -A port 162 -l | hexdump -C

See also