wireshark & tcpdump - alex-aleyan/linux_wiki GitHub Wiki

Wireshark:

  • To set the default directory for the unnamed (not yet saved) temporary capture files:

    export TMP=/somepath/tmp;
    
    • In /etc/bashrc:

      cd ~; xauth merge $(pwd)/.Xauthority

    • Workaround (pass the user's X cookie and a writable TMP through sudo explicitly):

      alias wire='sudo TMP=/somepath/tmp XAUTHORITY=$HOME/.Xauthority wireshark'

      Running the whole GUI as root is the heavy-handed fix. Wireshark's recommended setup gives capture privileges only to dumpcap (setcap cap_net_raw,cap_net_admin=eip on the dumpcap binary, or membership in the distribution's wireshark group) and runs the GUI, with its large dissector attack surface, as your own user.

  • If the GTK widgets/fonts render wrongly in the RHEL chroot, install the GTK2 theme engines into it:

    yum install gtk2-engines --installroot=/somepath/chroots/rhel-node

tcpdump:

  • Options:

    * **-i any** : Listen on all interfaces, e.g. to check whether you are seeing any traffic at all (this is a Linux "cooked" capture, so -e shows a pseudo-header rather than the real Ethernet header).
    * **-i eth0** : Listen on the eth0 interface.
    * **-D** : List the available interfaces.
    * **-n** : Don't resolve hostnames.
    * **-nn** : Don't resolve hostnames or port names.
    * **-q** : Quick (quiet) output: print less protocol information, so lines are shorter.
    * **-t** : Don't print a timestamp on each line.
    * **-tt** : Print the timestamp as seconds since the epoch.
    * **-ttt** : Print the delta between the current and the previous line.
    * **-tttt** : Print the timestamp as a date and time (maximally human-readable).
    * **-X** : Show the packet's contents in both hex and ASCII.
    * **-XX** : Same as -X, but also show the link-level (Ethernet) header.
    * **-v, -vv, -vvv** : Increase the amount of packet information printed.
    * **-c N** : Capture N packets and then stop.
    * **-s N** : Snap length: capture only the first N bytes of each packet. Use -s 0 to capture whole packets (modern tcpdump defaults to 262144 bytes, so -s 0 only matters on old versions, but it is harmless); a too-small snaplen is the usual cause of "[|...]" truncation markers in the output.
    * **-S** : Print absolute rather than relative TCP sequence numbers.
    * **-e** : Print the link-level header on each line.
    * **-E** : Decrypt IPsec ESP traffic, given as spi@ipaddr algo:secret. A secret on the command line is visible to every user via ps; the man page documents a file form that reads the secrets from a file instead.
    
  • A filter expression is built from primitives; each primitive has up to three qualifiers: type, dir, and proto.

    • Type: host <ip|hostname>, net <subnet/mask>, port <number>, portrange <low-high>. With no type, host is assumed.
    • Direction: src <...>, dst <...>, src or dst, src and dst. With no direction, src or dst is assumed.
    • Proto(col): ether, ip, ip6, arp, tcp, udp, icmp, igmp and more, plus the broadcast and multicast primitives (ether broadcast, ip multicast, ...). With no protocol, every protocol consistent with the type is matched.
  • Combinations (quote the whole expression in the shell: &&, ||, !, ( ), < and > are all shell metacharacters):

    • AND: and, &&
    • OR: or, ||
    • NOT: not, !
    • Grouping: ( ... ). An identifier given without a keyword inherits the most recent one, so "dst port 22 or 3389" means "dst port 22 or dst port 3389".
  1. Code examples:

    tcpdump -i eth1   # Listen on eth1
    tcpdump -i any    # Listen on all interfaces
    
    tcpdump -i eth1 src host02-eth1   # Listen on "eth1" for traffic from "host02-eth1"
    tcpdump -i eth1 dst host01-eth1   # Listen on "eth1" for traffic to "host01-eth1"
    
    tcpdump -i eth1 -vXs 0 -c 1 icmp   # Listen on "eth1": verbose, hex dump, whole packets, icmp only, stop after 1 packet
    tcpdump -i eth1 -vXs 0 -c 3 icmp   # same, stop after 3 packets
    
    tcpdump -i eth1 -vXs 0 src host02-eth1   # Listen on "eth1": verbose hex dump, continuously, all traffic from "host02-eth1"
    
    # Put options before the filter expression. Linux tcpdump (GNU getopt) also accepts
    # them after it, but BSD/macOS tcpdump treats everything after the first non-option as filter.
    tcpdump net 192.168.10.0/24
    tcpdump -i eth1 -Xvs 0 -c 1 net 192.168.10.0/24
    tcpdump port 3389
    tcpdump src port 3389
    tcpdump portrange 21-23
    
    tcpdump icmp
    tcpdump ip6
    tcpdump udp
    
    # Packet-length filters: "less N" is "len <= N", "greater N" is "len >= N".
    # Quote the relational forms; unquoted < and > are shell redirections.
    tcpdump less 32
    tcpdump greater 64
    tcpdump 'len <= 128'
    tcpdump 'len > 128'
    
    tcpdump -w capture_file01   # write raw packets to a file
    tcpdump -r capture_file01   # read packets back from the file (-i is ignored when reading)
    tcpdump -r cap01 -Xvs 0 -c 1 net 192.168.10.0/24
    tcpdump -r cap01 -Xvs 0 -c 1
    tcpdump -r capture_file01 -eXvs 0   # -s takes a value: "-eXvs -r file" would read "-r" as the snap length
    
    # Quote compound expressions. Unquoted && and || belong to the shell, so
    # "tcpdump ... && dst host01" runs tcpdump with no filter and then a command named "dst".
    tcpdump -eXXvs 0 -c 1 -i eth1 'dst host01'
    tcpdump -eXXvs 0 -c 1 -i eth1 'dst net 192.168.10.0/24 || 192.168.12.0/24'
    tcpdump -eXXvs 0 -c 1 'dst 192.168.10.151 && src net 192.168.10.0/24 && ! icmp'
    tcpdump -i eth1 'src 192.168.10.152 && (dst port 3389 || 22)'
    tcpdump -nnevvXXSs 0 -c 1 -i eth1 'src 192.168.10.152 && dst port 22'
    
    tcpdump -i eth1 -s 65535 -w cap01_size55.pcap udp   # -s and its value are separate words before the filter
    tcpdump -r cap01_size55.pcap -nnevvXXSs 0 -c 1 udp
  2. From Source IP:

    tcpdump -i eth1 src 192.168.10.152 and udp
    tcpdump -i eth1 -nnevvXXSs 0 -c 1 src 192.168.10.152 and udp
    
  3. To Destination IP:

    tcpdump -i eth1 dst 192.168.10.151 and udp
    tcpdump -i eth1 -nnevvXXSs 0 -c 1 dst 192.168.10.151 and udp
    
  4. To or from a subnet (net without a direction matches both; use src net for "from" only):

    tcpdump -i eth1 -nnevvXXSs 0 -c 1 net 192.168.10.0/24 and udp
    
  5. From Source IP to Destination IP:

    tcpdump -i any -nnevvXXSs 0 -c 1 src 192.168.10.152 and dst 192.168.10.151 and udp
    
  6. All multicast traffic

    tcpdump -i any  -s0 -nnevvXXS net 224.0.0.0/4
    
  7. UDP packets from a given source IP and port to a destination IP

    tcpdump -i any -s0 -nnevvXXS -c 1 "(src host 192.168.10.152 port 5100) and dst host 192.168.10.151 and udp"
    
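  8. Checking a -w capture for snaplen truncation

    The -s snap length and the -w/-r file examples above only make sense if you can tell, after the fact, whether packets were cut short. The following is an added example, not code from this wiki: it builds a small pcap inline the way "tcpdump -w -s 60" would (orig_len is the on-wire length, incl_len is capped at the snaplen), then reads it back, flags truncated records and prints a "-nne"-style summary line for each. The two datagrams, the MAC addresses and the destination port 5101 are constructed for the example (the 192.168.10.x hosts and source port 5100 match the page's filters); everything else is the standard pcap and Ethernet/IPv4/UDP layout.

```python
"""Added example (not from the wiki): read a pcap written by "tcpdump -w",
flag packets the snap length (-s) truncated, and print -nne style summaries.
The sample capture is constructed inline; MACs and the port 5101 are assumed."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap magic, little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """One's-complement sum over the IPv4 header; 0 when a checksummed header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP frame (UDP checksum left 0, which IPv4 allows)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", 0x0800) + ip + udp


def pcap_bytes(snaplen, frames):
    """Serialise like "tcpdump -w -s <snaplen>": incl_len is capped, orig_len is the wire length."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        incl = min(len(frame), snaplen)
        out += struct.pack("<IIII", sec, usec, incl, len(frame)) + frame[:incl]
    return out


def decode_frame(pkt):
    """The fields tcpdump -nne prints: MACs, ethertype, IPs, protocol, UDP ports."""
    if len(pkt) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", pkt[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": etype}
    if etype != 0x0800 or len(pkt) < 34:
        return info                      # not IPv4, or the IP header was cut off by the snaplen
    ihl = (pkt[14] & 0x0F) * 4
    info.update(src_ip=socket.inet_ntoa(pkt[26:30]), dst_ip=socket.inet_ntoa(pkt[30:34]), proto=pkt[23])
    l4 = 14 + ihl
    if pkt[23] == 17 and len(pkt) >= l4 + 8:
        sport, dport, ulen = struct.unpack("!HHH", pkt[l4:l4 + 6])
        info.update(sport=sport, dport=dport, udp_payload_len=ulen - 8)
    return info


def read_pcap(data):
    """Return (snaplen, records); each record says whether -s truncated it."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a microsecond pcap (magic %#x); pcapng/nanosecond files not handled" % magic)
    hdr = struct.unpack(end + "IHHiIII", data[:24])
    snaplen, linktype = hdr[5], hdr[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled (not e.g. -i any cooked captures)")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        records.append({"ts": sec + usec / 1e6, "incl_len": incl_len, "orig_len": orig_len,
                        "truncated": incl_len < orig_len, "decoded": decode_frame(pkt)})
    return snaplen, records


def summary_line(rec):
    """Approximation of one "tcpdump -nne" line (timestamp omitted)."""
    d = rec["decoded"] or {}
    line = "%s > %s, ethertype 0x%04x, length %d" % (
        d.get("src_mac"), d.get("dst_mac"), d.get("ethertype", 0), rec["orig_len"])
    if "sport" in d:
        line += ": %s.%d > %s.%d: UDP, length %d" % (
            d["src_ip"], d["sport"], d["dst_ip"], d["dport"], d["udp_payload_len"])
    if rec["truncated"]:
        line += "  [truncated: %d of %d bytes captured]" % (rec["incl_len"], rec["orig_len"])
    return line


# Constructed sample: two UDP datagrams 192.168.10.152:5100 -> 192.168.10.151:5101
# (hosts and source port from the page; destination port and MACs assumed), captured with -s 60.
SNAPLEN = 60
SAMPLE_PCAP = pcap_bytes(SNAPLEN, [
    (1700000000, 0, build_udp_frame("00:11:22:33:44:52", "00:11:22:33:44:51",
                                    "192.168.10.152", "192.168.10.151", 5100, 5101, b"A" * 32)),
    (1700000000, 250000, build_udp_frame("00:11:22:33:44:52", "00:11:22:33:44:51",
                                         "192.168.10.152", "192.168.10.151", 5100, 5101, b"ping")),
])

if __name__ == "__main__":
    snaplen, recs = read_pcap(SAMPLE_PCAP)
    print("snaplen %d, %d packets" % (snaplen, len(recs)))
    for rec in recs:
        print(summary_line(rec))
```

    The 74-byte datagram comes back with incl_len 60 and orig_len 74, so its 32-byte payload is partly missing even though the headers decode fine; the 46-byte one is intact. Point read_pcap at a real "tcpdump -w" file and any record with incl_len < orig_len is one where the -s value was too small for payload-level analysis. Files from "-i any" (cooked link type) or pcapng output are rejected rather than misparsed.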