This attempt was done on a CentOS machine. tcpdump was not present on that machine, so it was installed with yum:
yum install tcpdump
To capture packets on a given interface, the basic command is
tcpdump -i eth0
If the interface does not exist, tcpdump fails with an error like this:
tcpdump -i eth0
tcpdump: eth0: No such device exists
(SIOCGIFHWADDR: No such device)
To list the interfaces tcpdump can capture on (run as root, otherwise some interfaces may be missing from the list):
tcpdump -D
This gives output like the following (the numbers can be used in place of the names with -i):
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.usbmon3 (USB bus number 3)
6.usbmon4 (USB bus number 4)
7.usbmon5 (USB bus number 5)
8.any (Pseudo-device that captures on all interfaces)
9.lo
Some more commonly used commands:
tcpdump -w 0001.pcap -i eth0 => Save captured packets to a file (nothing is printed to the terminal while writing)
tcpdump -i eth0 tcp => Capture only TCP packets
tcpdump -i eth0 port 22 => Capture packets with port 22 as either source or destination port
tcpdump -i eth0 src 192.168.0.2 => Capture packets whose source IP is 192.168.0.2
tcpdump -i eth0 dst 50.116.66.139 => Capture packets whose destination IP is 50.116.66.139
tcpdump -XX -i eth0 => Display each packet in hex and ASCII, including the link-layer header
tcpdump -w two-host-tcp-comm.pcap -i enp0s3 tcp and \(host 169.144.0.1 or host 169.144.0.20\) => Capture TCP packets involving either of the two hosts (host matches source or destination; for traffic strictly between the two, use host A and host B)
tcpdump -w ssh-comm-two-hosts.pcap -i enp0s3 host 169.144.0.1 and host 169.144.0.20 and port 22 => Capture only the SSH flow between the two hosts, in both directions (host and port each match either end of the packet; a src ... and dst ... filter would capture only one direction)
tcpdump -w two-host-comm.pcap -s 1000 -i enp0s3 udp and \(host 169.144.0.10 and host 169.144.0.20\) => Capture the UDP packets between two hosts (to and fro), storing at most 1000 bytes of each packet (-s 1000)
tcpdump -r enp0s3-26082018.pcap => Read packets back from a saved file (-r); a filter expression can be appended just as with a live capture
tcpdump -w enp0s3-26082018-2.pcap greater 1024 => Capture and save packets whose length is at least 1024 bytes (greater N means len >= N)
tcpdump -w enp0s3-26082018-3.pcap less 1024 => Capture and save packets whose length is at most 1024 bytes (less N means len <= N)
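As an added example (not from the original post or the tecmint article it references): a stdlib-only Python script that writes a small capture in the classic pcap format that tcpdump -w produces, reads it back the way -r does, and applies the same filter primitives used in the commands above (tcp, udp, host, src, dst, port, greater, less) with tcpdump's semantics: host and port match either end of the packet, greater/less mean >= and <=, and -s truncates the stored bytes but keeps the original wire length that greater/less are evaluated against. The four packets, their MAC addresses and timestamps are constructed for the example; the IP addresses reuse the ones in the commands above.

```python
"""Stdlib-only pcap writer/reader plus tcpdump-style filter primitives.
Every packet here is CONSTRUCTED for the example; nothing was captured."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, as written by `tcpdump -w`
LINKTYPE_ETHERNET = 1

def ipv4_checksum(header):
    """RFC 791 one's-complement sum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame; L4 checksums left 0 (filters ignore them)."""
    if proto == "tcp":    # sport, dport, seq, ack, offset=5 words, flags=ACK, window, csum, urg
        l4, proto_num = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x10, 65535, 0, 0), 6
    elif proto == "udp":  # sport, dport, length, csum
        l4, proto_num = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0), 17
    else:
        raise ValueError(proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto_num, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"  # made-up MACs
    return eth + ip + l4 + payload

def write_pcap(frames, snaplen=65535):
    """Like `tcpdump -w -s SNAPLEN`: stored bytes are truncated, orig_len keeps the wire length."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out.append(struct.pack("<IIII", 1535280000 + i, 0, len(stored), len(frame)) + stored)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, orig_len, stored_bytes) per record, like `tcpdump -r`."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)   # second form: written on a big-endian host
    if end is None:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, orig_len, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame, orig_len):
    """Decode the Ethernet/IPv4/L4 fields the filters need; None if the frame is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    sport = dport = None
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
            "sport": sport, "dport": dport, "len": orig_len}

class Pred:
    """A filter primitive; combine with & and | like tcpdump's `and` / `or`."""
    def __init__(self, fn):
        self.fn = fn
    def __call__(self, pkt):
        return self.fn(pkt)
    def __and__(self, other):
        return Pred(lambda p: self(p) and other(p))
    def __or__(self, other):
        return Pred(lambda p: self(p) or other(p))

tcp = Pred(lambda p: p["proto"] == "tcp")
udp = Pred(lambda p: p["proto"] == "udp")
host = lambda a: Pred(lambda p: a in (p["src"], p["dst"]))      # either address
src = lambda a: Pred(lambda p: p["src"] == a)
dst = lambda a: Pred(lambda p: p["dst"] == a)
port = lambda n: Pred(lambda p: n in (p["sport"], p["dport"]))  # either port
greater = lambda n: Pred(lambda p: p["len"] >= n)   # tcpdump: len >= n
less = lambda n: Pred(lambda p: p["len"] <= n)      # tcpdump: len <= n

def select(pcap_bytes, pred):
    """Apply a filter to a saved capture, like `tcpdump -r file.pcap <expr>`."""
    return [pkt for pkt in (parse_frame(f, o) for _, o, f in read_pcap(pcap_bytes))
            if pkt is not None and pred(pkt)]

# Constructed sample capture reusing the addresses from the commands above; -s 1000
# truncates the 1554-byte frame on disk, but `greater 1024` still sees its wire length.
SAMPLE = write_pcap([
    build_frame("169.144.0.1", "169.144.0.20", "tcp", 51234, 22, b"ssh client"),
    build_frame("169.144.0.20", "169.144.0.1", "tcp", 22, 51234, b"ssh server"),
    build_frame("169.144.0.10", "169.144.0.20", "udp", 5353, 53, b"dns?"),
    build_frame("10.0.0.5", "169.144.0.20", "tcp", 40000, 443, b"x" * 1500),
], snaplen=1000)

if __name__ == "__main__":
    both_ways = host("169.144.0.1") & host("169.144.0.20") & port(22)
    one_way = src("169.144.0.1") & dst("169.144.0.20") & port(22)
    print(len(select(SAMPLE, both_ways)), len(select(SAMPLE, one_way)), len(select(SAMPLE, greater(1024))))
```

The both_ways/one_way pair in the main block is the point of the SSH example above: host A and host B and port 22 catches the client-to-server and server-to-client packets, while src A and dst B and port 22 catches only the first. The reader also shows why the snaplen matters for later analysis: the 1554-byte frame is stored as 1000 bytes, so its payload is cut off, but its record still carries the original length and is still selected by greater 1024.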
References:
https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/