https://hackertarget.com/tcpdump-examples/
http://openmaniak.com/fr/tcpdump.php
Berkeley format on SSR: SSR packet capture pcap on Device interface and session capture
commands | ||
---|---|---|
List Interfaces: |
...
sudo tcpdump -D | ||
DHCP traffic: | sudo tcpdump -i |
...
eth1 -vvv port bootps | |
DNS traffic: |
...
sudo tcpdump -vvv -s 0 -l -n port 53 | ||
TFTP: | sudo tcpdump -i eth1 port 69 | |
FTP traffic | tcpdump -i eth0 "port ftp or port ftp-data" | |
icmp / ping | tcpdump -i eth1-n icmp | |
multicast |
| |
mpls or ipv6 | tcpdump -i eth1 -vvv mpls ( or ipv6 ) | |
vlan |
| |
Host traffic, source OR dest IP@: | sudo tcpdump -i ens33 port not 22 and host 192.168.0.16 | or hostname |
sudo tcpdump -i ens3 port 930 and host 172.20.8.20 | SSR IPC | |
src and dst IP@ | tcpdump 'src 192.168.0.211 or dst 192.168.0.211' | |
Exclude SSH session: | sudo tcpdump -i eth2 port not 22 | "and port not 53" |
BGP | sudo tcpdump -i eth2 port 179 | |
write / save to txt file | tcpdump -i virbr0 > virbr0_dhcp.txt | redirect the output |
save to wireshark file / binary | tcpdump -i virbr0 -w virbr0_dhcp.pcap | |
read a file | tcpdump -r traffic.pcap | |
tcpdump on SSR | ||
---|---|---|
Any SSH traffic on any interface | sudo tcpdump -n -i any -v 'ip[1] & 0xfc == 0x10' and port 22 | ip[1]??? |
Code Block | ||||
---|---|---|---|---|
| ||||
sudo dhclient -r eth1 && sudo dhclient eth1
vagrant@MiniUbuntu:~$ sudo tcpdump -i eth1 port bootps -vvv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:49:36.186186 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:e8:a0:54 (oui Unknown), length 300, xid 0xf b47c01a, Flags [none] (0x0000)
Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 11.0.1.102
Hostname Option 12, length 10: "MiniUbuntu"
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Default-Gateway
Domain-Name, Domain-Name-Server, Option 119, Hostname
Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
NTP
END Option 255, length 0
PAD Option 0, length 0, occurs 23
17:49:36.496645 IP (tos 0x0, ttl 64, id 24510, offset 0, flags [none], proto UDP (17), length 312)
11.0.1.221.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
Your-IP 11.0.1.102
Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Server-ID Option 54, length 4: 12.0.1.110
Default-Gateway Option 3, length 4: 11.0.1.221
Domain-Name Option 15, length 7: "jlknet1"
Domain-Name-Server Option 6, length 4: 11.0.1.221
END Option 255, length 0
PAD Option 0, length 0
17:49:36.497737 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:e8:a0:54 (oui Unknown), length 300, xid 0xf b47c01a, Flags [none] (0x0000)
Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 12.0.1.110
Requested-IP Option 50, length 4: 11.0.1.102
Hostname Option 12, length 10: "MiniUbuntu"
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Default-Gateway
Domain-Name, Domain-Name-Server, Option 119, Hostname
Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
NTP
END Option 255, length 0
PAD Option 0, length 0, occurs 17
17:49:36.902284 IP (tos 0x0, ttl 64, id 24534, offset 0, flags [none], proto UDP (17), length 312)
11.0.1.221.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
Your-IP 11.0.1.102
Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Server-ID Option 54, length 4: 12.0.1.110
Default-Gateway Option 3, length 4: 11.0.1.221
Domain-Name Option 15, length 7: "jlknet1"
Domain-Name-Server Option 6, length 4: 11.0.1.221
END Option 255, length 0
PAD Option 0, length 0
|