
https://hackertarget.com/tcpdump-examples/

http://openmaniak.com/fr/tcpdump.php


Berkeley format on SSR:   SSR packet capture pcap on Device interface and session capture



Commands

List interfaces:

sudo tcpdump -D


DHCP traffic:

sudo tcpdump -i eth1 -vvv port bootps


DNS traffic:

sudo tcpdump -vvv -s 0 -l -n port 53


TFTP:

sudo tcpdump -i eth1 port 69


FTP traffic:

tcpdump -i eth0 "port ftp or port ftp-data"


ICMP / ping:

tcpdump -i eth1 -n icmp

Multicast:

tcpdump -i eth1 -vv net 224.0.0.0/4

MPLS or IPv6:

tcpdump -i eth1 -vvv mpls   (for IPv6 use the ip6 primitive: tcpdump -i eth1 -vvv ip6)

VLAN (-e prints the link-layer header so the 802.1Q tag is visible):

tcpdump -i eth1 -nn -e vlan




Host traffic, source OR dest IP@ (host also accepts a hostname):

sudo tcpdump -i ens33 port not 22 and host 192.168.0.16

SSR IPC:

sudo tcpdump -i ens3 port 930 and host 172.20.8.20

src or dst IP@ (explicit direction):

tcpdump 'src 192.168.0.211 or dst 192.168.0.211'





Exclude SSH session:

sudo tcpdump -i eth2 port not 22

(append "and port not 53" to also drop DNS)

BGP:

sudo tcpdump -i eth2 port 179


Write / save to a text file (redirect the output):

tcpdump -i virbr0 > virbr0_dhcp.txt

Save to a Wireshark / binary pcap file:

tcpdump -i virbr0 -w virbr0_dhcp.pcap

Read a file:

tcpdump -r traffic.pcap




tcpdump on SSR

Any SSH traffic on any interface:

sudo tcpdump -n -i any -v 'ip[1] & 0xfc == 0x10' and port 22

ip[1] is the byte at offset 1 of the IPv4 header, i.e. the ToS/DSCP byte. Masking with 0xfc keeps the six DSCP/ToS bits and discards the two ECN bits, and 0x10 is the IPTOS_LOWDELAY bit (RFC 1349) that older OpenSSH set on interactive sessions (note the tos 0x10 on the DHCP client packets in the capture below). Since OpenSSH 7.8 the default IPQoS is af21/cs1, so this match should be verified against the client actually in use; port 22 alone catches SSH regardless of ToS.
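To make the byte-offset filter concrete, here is an added example (not from the original page) that evaluates the same logic as 'ip[1] & 0xfc == 0x10' and port 22 in Python on constructed IPv4+TCP headers; build_ipv4_tcp and matches_ssh_lowdelay are hypothetical helper names.

```python
import struct

IPTOS_LOWDELAY = 0x10  # RFC 1349 "low delay" ToS bit; older OpenSSH set it on interactive sessions

def build_ipv4_tcp(tos, src, dst, sport, dport):
    """Constructed sample: minimal IPv4 + TCP header, no payload, checksums left at 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def matches_ssh_lowdelay(pkt):
    """Python mirror of the BPF filter  'ip[1] & 0xfc == 0x10' and port 22  (hypothetical helper).

    ip[1]  : byte at offset 1 of the IPv4 header, i.e. the ToS/DSCP+ECN byte
    & 0xfc : keep the 6 DSCP/ToS bits, drop the 2 ECN bits
    == 0x10: IPTOS_LOWDELAY
    port 22: either TCP/UDP/SCTP port is 22, and (as BPF does) only on the first fragment
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # not IPv4
        return False
    if pkt[1] & 0xfc != IPTOS_LOWDELAY:            # ip[1] & 0xfc == 0x10
        return False
    if pkt[9] not in (6, 17, 132):                  # 'port' applies to tcp, udp and sctp
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1fff:  # non-first fragment: no L4 header to inspect
        return False
    ihl = (pkt[0] & 0x0f) * 4
    if len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return 22 in (sport, dport)
```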




DHCP traffic (example capture; release and renew the lease first to trigger the exchange):

sudo dhclient -r eth1 && sudo dhclient eth1

vagrant@MiniUbuntu:~$ sudo tcpdump -i eth1 port bootps -vvv
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:49:36.186186 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:e8:a0:54 (oui Unknown), length 300, xid 0xfb47c01a, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Requested-IP Option 50, length 4: 11.0.1.102
            Hostname Option 12, length 10: "MiniUbuntu"
            Parameter-Request Option 55, length 13:
              Subnet-Mask, BR, Time-Zone, Default-Gateway
              Domain-Name, Domain-Name-Server, Option 119, Hostname
              Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
              NTP
            END Option 255, length 0
            PAD Option 0, length 0, occurs 23

17:49:36.496645 IP (tos 0x0, ttl 64, id 24510, offset 0, flags [none], proto UDP (17), length 312)
    11.0.1.221.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
          Your-IP 11.0.1.102
          Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Offer
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Server-ID Option 54, length 4: 12.0.1.110
            Default-Gateway Option 3, length 4: 11.0.1.221
            Domain-Name Option 15, length 7: "jlknet1"
            Domain-Name-Server Option 6, length 4: 11.0.1.221
            END Option 255, length 0
            PAD Option 0, length 0

17:49:36.497737 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:e8:a0:54 (oui Unknown), length 300, xid 0xfb47c01a, Flags [none] (0x0000)
          Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Server-ID Option 54, length 4: 12.0.1.110
            Requested-IP Option 50, length 4: 11.0.1.102
            Hostname Option 12, length 10: "MiniUbuntu"
            Parameter-Request Option 55, length 13:
              Subnet-Mask, BR, Time-Zone, Default-Gateway
              Domain-Name, Domain-Name-Server, Option 119, Hostname
              Netbios-Name-Server, Netbios-Scope, MTU, Classless-Static-Route
              NTP
            END Option 255, length 0
            PAD Option 0, length 0, occurs 17

17:49:36.902284 IP (tos 0x0, ttl 64, id 24534, offset 0, flags [none], proto UDP (17), length 312)
    11.0.1.221.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
          Your-IP 11.0.1.102
          Client-Ethernet-Address 08:00:27:e8:a0:54 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Server-ID Option 54, length 4: 12.0.1.110
            Default-Gateway Option 3, length 4: 11.0.1.221
            Domain-Name Option 15, length 7: "jlknet1"
            Domain-Name-Server Option 6, length 4: 11.0.1.221
            END Option 255, length 0
            PAD Option 0, length 0
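The capture above shows one Discover/Offer/Request/ACK exchange keyed by xid 0xfb47c01a, with the Offer sent from 11.0.1.221 but carrying Server-ID 12.0.1.110. As an added example (not part of the original page), this parser reads tcpdump -vvv DHCP output in that format, groups messages by xid, and flags any Offer/ACK whose sender or Server-ID is not on an allowlist of known DHCP servers, which is the check to run when hunting for a rogue DHCP server; parse_dhcp and audit are hypothetical names, and SAMPLE is a constructed, trimmed capture with an extra Offer from an unknown host.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the 'tcpdump -i eth1 port bootps -vvv' output above,
# trimmed to the lines the parser uses, plus a second Offer from a host not on the allowlist.
SAMPLE = """\
17:49:36.186186 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 08:00:27:e8:a0:54 (oui Unknown), length 300, xid 0xfb47c01a, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Discover
17:49:36.496645 IP (tos 0x0, ttl 64, id 24510, offset 0, flags [none], proto UDP (17), length 312)
    11.0.1.221.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 12.0.1.110
17:49:36.501000 IP (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto UDP (17), length 312)
    11.0.1.66.bootps > 11.0.1.102.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 284, xid 0xfb47c01a, Flags [none] (0x0000)
            DHCP-Message Option 53, length 1: Offer
            Server-ID Option 54, length 4: 11.0.1.66
"""
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")           # first line of each packet
FLOW_RE = re.compile(r"^\s+(\S+)\.bootp[cs] > \S+\.bootp[cs]:.*xid (0x[0-9a-f]+)")
FIELD_RES = {"type": re.compile(r"DHCP-Message Option 53, length 1: (\w+)"),
             "server_id": re.compile(r"Server-ID Option 54, length 4: ([\d.]+)")}

def parse_dhcp(text):
    """Split tcpdump -vvv output into packets; return sender, xid, message type and Server-ID of each."""
    pkts, cur = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            cur = {"src": None, "xid": None, "type": None, "server_id": None}
            pkts.append(cur)
        elif cur is not None:
            m = FLOW_RE.match(line)
            if m:
                cur["src"], cur["xid"] = m.group(1), m.group(2)
            for key, rx in FIELD_RES.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1)
    return pkts

def audit(text, allowed_servers):
    """Group messages by xid and flag any Offer/ACK whose sender or Server-ID is not an allowed server."""
    by_xid, alerts = defaultdict(list), []
    for p in parse_dhcp(text):
        by_xid[p["xid"]].append(p["type"])
        if p["type"] in ("Offer", "ACK"):
            for field in ("src", "server_id"):
                if p[field] not in allowed_servers:
                    alerts.append((p["xid"], p["type"], field, p[field]))
    return dict(by_xid), alerts
```

Feed it a saved text capture (tcpdump ... -vvv > file.txt, as in the save example above) and an allowlist of the legitimate server and relay addresses; a second Offer for the same xid from an address outside the list is the signature worth alerting on.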