Difference between revisions of "Tcpdump"
imported>ThorstenStaerk |
imported>ThorstenStaerk |
||
(9 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | tcpdump is a [[command]] that allows you to monitor your network traffic. | + | tcpdump is a [[command]] that allows you to monitor your network traffic by ports and devices. |
+ | |||
+ | = QuickStart = | ||
+ | Let's [[set up a web server]] that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost: | ||
+ | # tcpdump <abbr title="capture all traffic">-A</abbr><abbr title="local interface">i lo</abbr> <abbr title="web server port">port 80</abbr> | ||
+ | Once we start requesting an html page, tcpdump gets active: | ||
+ | <source> | ||
+ | tcpdump: verbose output suppressed, use -v or -vv for full protocol decode | ||
+ | listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes | ||
+ | 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 | ||
+ | `....(.@...................................Po..E.........0......... | ||
+ | ............ | ||
+ | 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 | ||
+ | `....(.@.................................P... | ||
+ | .go..F.....0......... | ||
+ | ............ | ||
+ | 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 | ||
+ | `.... .@...................................Po..F. | ||
+ | .h...V.(..... | ||
+ | ........ | ||
+ | 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 | ||
+ | `......@...................................Po..F. | ||
+ | .h...V....... | ||
+ | ........GET /index.htm HTTP/1.1 | ||
+ | User-Agent: Wget/1.16 (linux-gnu) | ||
+ | Accept: */* | ||
+ | Host: localhost | ||
+ | Connection: Keep-Alive | ||
+ | |||
+ | |||
+ | 21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 | ||
+ | `.... .@.................................P... | ||
+ | .ho......V.(..... | ||
+ | ........ | ||
+ | 21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272 | ||
+ | `....0.@.................................P... | ||
+ | .ho......V.8..... | ||
+ | ........HTTP/1.1 200 OK | ||
+ | Date: Wed, 18 Nov 2015 20:46:20 GMT | ||
+ | Server: Apache | ||
+ | Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT | ||
+ | ETag: "6-50dd8c82254d0" | ||
+ | Accept-Ranges: bytes | ||
+ | Content-Length: 6 | ||
+ | Keep-Alive: timeout=15, max=100 | ||
+ | Connection: Keep-Alive | ||
+ | Content-Type: text/html | ||
+ | |||
+ | hallo | ||
+ | |||
+ | 21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 | ||
+ | `.... .@...................................Po.... | ||
+ | .x...^.(..... | ||
+ | ........ | ||
+ | 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 | ||
+ | `.... .@...................................Po.... | ||
+ | .x...^.(..... | ||
+ | ........ | ||
+ | 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 | ||
+ | `.... .@.................................P... | ||
+ | .xo......V.(..... | ||
+ | ........ | ||
+ | 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 | ||
+ | `.... .@...................................Po.... | ||
+ | .y...^.(..... | ||
+ | ........ | ||
+ | ^C | ||
+ | 10 packets captured | ||
+ | 20 packets received by filter | ||
+ | 0 packets dropped by kernel | ||
+ | </source> | ||
+ | |||
+ | == Saving in a file for wireshark == | ||
+ | To save the output in a file for wireshark use | ||
+ | tcpdump -s 0 -Ali lo port 80 -w ''filename''.txt | ||
+ | |||
+ | = Examples = | ||
+ | |||
+ | == dhcp == | ||
+ | You can watch out for dhcp communication on your network using: | ||
tcpdump -i eth1 port 67 and port 68 | tcpdump -i eth1 port 67 and port 68 | ||
+ | |||
+ | == SNMP == | ||
+ | You can display incoming [[snmp]] traps using: | ||
+ | tcpdump <abbr title="display all data">-A</abbr> <abbr title="SNMP trap port">port 162</abbr> <abbr title="print output with linefeeds and flushing to allow piping">-l</abbr> | [[hexdump]] -C | ||
= See also = | = See also = | ||
Line 6: | Line 89: | ||
* [[netstat]] | * [[netstat]] | ||
* [[netcat]] | * [[netcat]] | ||
− | * [http:// | + | * [http://www.tcpdump.org/manpages/tcpdump.1.html tcpdump man page] |
[[Category:low-level]] | [[Category:low-level]] | ||
+ | [[Category:networking]] | ||
+ | [[Category:command]] |
Latest revision as of 20:27, 31 March 2020
tcpdump is a command that allows you to monitor your network traffic by ports and devices.
QuickStart
Let's set up a web server that has nothing but an index.html file saying "hello". Here is how we monitor traffic on it for localhost:
# tcpdump -Ai lo port 80
Once we start requesting an html page, tcpdump gets active: <source> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes 21:46:20.363064 IP6 localhost.49816 > localhost.http: Flags [S], seq 1873285701, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 0,nop,wscale 7], length 0 `....(.@...................................Po..E.........0......... ............ 21:46:20.363089 IP6 localhost.http > localhost.49816: Flags [S.], seq 302679655, ack 1873285702, win 43690, options [mss 65476,sackOK,TS val 1957802 ecr 1957802,nop,wscale 7], length 0 `....(.@.................................P... .go..F.....0......... ............ 21:46:20.363109 IP6 localhost.49816 > localhost.http: Flags [.], ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0 `.... .@...................................Po..F. .h...V.(..... ........ 21:46:20.363153 IP6 localhost.49816 > localhost.http: Flags [P.], seq 1:117, ack 1, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 116 `......@...................................Po..F. .h...V....... ........GET /index.htm HTTP/1.1 User-Agent: Wget/1.16 (linux-gnu) Accept: */* Host: localhost Connection: Keep-Alive
21:46:20.363173 IP6 localhost.http > localhost.49816: Flags [.], ack 117, win 342, options [nop,nop,TS val 1957802 ecr 1957802], length 0
`.... .@.................................P...
.ho......V.(.....
........
21:46:20.363500 IP6 localhost.http > localhost.49816: Flags [P.], seq 1:273, ack 117, win 342, options [nop,nop,TS val 1957803 ecr 1957802], length 272
`....0.@.................................P...
.ho......V.8.....
........HTTP/1.1 200 OK
Date: Wed, 18 Nov 2015 20:46:20 GMT
Server: Apache
Last-Modified: Fri, 30 Jan 2015 06:33:25 GMT
ETag: "6-50dd8c82254d0"
Accept-Ranges: bytes
Content-Length: 6
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
hallo
21:46:20.363518 IP6 localhost.49816 > localhost.http: Flags [.], ack 273, win 350, options [nop,nop,TS val 1957803 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365359 IP6 localhost.49816 > localhost.http: Flags [F.], seq 117, ack 273, win 350, options [nop,nop,TS val 1957805 ecr 1957803], length 0 `.... .@...................................Po.... .x...^.(..... ........ 21:46:20.365417 IP6 localhost.http > localhost.49816: Flags [F.], seq 273, ack 118, win 342, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@.................................P... .xo......V.(..... ........ 21:46:20.365430 IP6 localhost.49816 > localhost.http: Flags [.], ack 274, win 350, options [nop,nop,TS val 1957805 ecr 1957805], length 0 `.... .@...................................Po.... .y...^.(..... ........ ^C 10 packets captured 20 packets received by filter 0 packets dropped by kernel </source>
Saving in a file for wireshark
To save the output in a file for wireshark use
tcpdump -s 0 -Ali lo port 80 -w filename.txt
Examples
dhcp
You can watch out for dhcp communication on your network using:
tcpdump -i eth1 port 67 and port 68
SNMP
You can display incoming snmp traps using:
tcpdump -A port 162 -l | hexdump -C