network tcpdump - ghdrako/doc_snipets GitHub Wiki

sudo tcpdump -nnni 0.0:nnnp --f5 ssl -s0 host <ip> -vvv -w <name>.pcap   # F5 BIG-IP tcpdump: the 0.0:nnnp pseudo-interface and --f5 ssl are F5 extensions, not standard tcpdump
sudo tcpdump -vv host 10.231.62.240   # czy przychodzi ruch z hosta
sudo tcpdump -vvnn net 10.231.62.0/24 # czy przychodzi ruch z sieci

Filter incoming (on interface) traffic (specific ip:port)

tcpdump -ne -i eth0 -Q in host 192.168.252.1 and port 443
  • -n - don't convert addresses (-nn will not resolve hostnames or ports)
  • -e - print the link-level headers
  • -i [iface|any] - set interface
  • -Q|-D [in|out|inout] - choose send/receive direction (-D - for old tcpdump versions)
  • host [ip|hostname] - set host, also [host not]
  • [and|or] - set logic
  • port [1-65535] - set port number, also [port not]

Filter incoming (on interface) traffic (specific ip:port) and write to a file

tcpdump -ne -i eth0 -Q in host 192.168.252.1 and port 443 -c 5 -w tcpdump.pcap
  • -c [num] - capture only num number of packets
  • -w [filename] - write packets to file, -r [filename] - reading from file

Capture all ICMP packets

tcpdump -nei eth0 icmp

Check protocol used (TCP or UDP) for service

tcpdump -nei eth0 tcp port 22 -vv -X | egrep "TCP|UDP"

Display ASCII text (to parse the output using grep or other)

tcpdump -i eth0 -A -s0 port 443

Grab everything between two keywords

tcpdump -i eth0 port 80 -X | sed -n -e '/username/,/=ldap/ p'

Grab user and pass ever plain http

tcpdump -i eth0  port http -l -A | egrep -i \
'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' \
--color=auto --line-buffered -B20

Extract HTTP User Agent from HTTP request header

tcpdump -ei eth0 -nn -A -s1500 -l | grep "User-Agent:"

Capture only HTTP GET and POST packets

tcpdump -ei eth0 -s 0 -A -vv \
'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' or 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

or simply:

tcpdump -ei eth0 -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

Rotate capture files

tcpdump -ei eth0 -w /tmp/capture-%H.pcap -G 3600 -C 200
  • -G <num> - pcap will be created every <num> seconds
  • -C <size> - close the current pcap and open a new one once it is larger than <size> (in millions of bytes)

Top hosts by packets

tcpdump -ei enp0s25 -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

Exclude traffic where both source and destination are RFC 1918 private addresses (keeps packets with at least one non-private endpoint)

tcpdump -nei eth0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'
$ sudo tcpdump host ubuntu18 -n -c 5  # examine all packets sent to or from a particular host, Ubuntu18 in this example

Filtrowanie po interfejsach

# List interface
tcpdump -D  # same as: tcpdump --list-interfaces
# sniff on all interface
tcpdump -i any
# sniff in single interface
tcpdump -i eth0

Filtrowanie po adresach

tcpdump -i [interface] host [host]
tcpdump -i [interface] net [subnet]
tcpdump -i [interface] src [host]
tcpdump -i [interface] dst [host]

# filter on specific ip address
tcpdump -i eth0 host 192.168.1.10
# filter on specific subnet (CIDR)
tcpdump -i eth0 net 192.168.1.0/24
# filtrowanie na podstawie kierunku src albo dst, używając host albo net
tcpdump -i eth0 src host 192.168.1.10
tcpdump 'host ubunlog.com'

Filtrowanie po portach i protokołach

tcpdump -i [interface] port [port number]
tcpdump -i [interface] portrange [port range]

# Filtrowanie po protokołach np.: tcp, udp, icmp, arp itp.
tcpdump -i eth0 icmp
# Filtrowanie po portach (mozna uzyc kierunku src/dst)
tcpdump -i eth0 port 53
tcpdump -i eth0 dst port 443
tcpdump 'tcp portrange 3000-5000'

Isolate TCP Flags / Filter Packets with Tcp Flags

tcpflags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.

URG ACK PSH RST SYN FIN
32  16  8   4   2   1
tcpdump -i utun1 'tcp[tcpflags] == tcp-syn'   # quote the filter so the shell does not treat [...] as a glob

tcpdump -i utun1 'tcp[13] == 2'

The following TCP flag field values are also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

# Isolate TCP RST flags
tcpdump 'tcp[13] & 4!=0'
tcpdump 'tcp[tcpflags] == tcp-rst'
# Isolate TCP SYN flags
tcpdump 'tcp[13] & 2!=0'
tcpdump 'tcp[tcpflags] == tcp-syn'
# Both SYN and RST Set
tcpdump 'tcp[13] = 6'

# Find HTTP User Agents
tcpdump -vvAls0 | grep 'User-Agent:'
# Cleartext GET Requests
tcpdump -vvAls0 | grep 'GET'
# Find HTTP Host Headers
tcpdump -vvAls0 | grep 'Host:'
# Find HTTP Cookies
tcpdump -vvAls0 | grep -E 'Set-Cookie|Host:|Cookie:'   # -E needed: in basic grep syntax '|' is a literal character, not alternation
# Find SSH Connections
tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
# Find DNS Traffic
tcpdump -vvAs0 port 53
# Find FTP Traffic
tcpdump -vvAs0 port ftp or ftp-data
# Find Cleartext Passwords
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

Łączenie wielu operatorów w jednym filtrze

and or &&
or or ||
not or !

tcpdump -i eth0 host 192.168.1.1 and host 192.168.1.10 # oba warunki spelnione jednoczesnie - komunikacja miedzy dwoma adresami ip
tcpdump -i eth0 host 192.168.1.10 and port 443         # filtrowanie przez ip i usluge(port)
tcpdump -i eth0 port 80 or port 443                    # operator or
tcpdump -i eth0 net 192.168.1.0/24 and not host 192.168.1.20 # operator not
tcpdump -i eth0 port 53 and '(udp or tcp)'             # wymuszenie kolejności operatorów w filtrze
tcpdump 'tcp port 80 and host ubunlog.com'
tcpdump 'dst host 216.239.37.99 && port 80'

Limitowanie zbieranych danych

tcpdump -c [number of packets]
tcpdump -i eth0 -c 5  # tylko 5 pakietow
tcpdump -i eth0 greater 1024 # Przechwytywanie pakietów o określonej wielkości
tcpdump -i eth0 less 128
tcpdump less 32
tcpdump greater 64
tcpdump 'len <= 128'   # equivalent to: less 128

Wyświetlanie danych

tcpdump -i eth0 -n      # -n (disable name resolution) wymusza wyświetlanie adresu IP zamiast nazwy DNS; -nn dodatkowo wyłącza rozwiązywanie nazw portów
tcpdump -i eth0 -ttttt  # -t(default) różnicę czasu pomiędzy kolejnymi pakietami -tt linux date -ttt liczyć czas od początku przechwytywania -ttttt obecny czas w formacie „dzień i godzina”
tcpdump -i eth0 -v # -vvv
tcpdump -i eth0 -A # wyświetlić treść komunikacji w formacie ASCII przydatne dla http icmp
tcpdump -i eth0 -x # w formacie HEX
tcpdump -i eth0 -X # w formacie HEX i ASCII

Zapisywanie danych

tcpdump -i [interface] -w [filename]
tcpdump -i eth0 -w /tmp/nagranie.pcap
tcpdump -i eth0 -s 64 -w /tmp/nagranie.pcap # możliwość jej późniejszej analizy np. w aplikacji [Wireshark](https://www.wireshark.org/)
tcpdump -i eth0 -s 64 -w /tmp/nagranie.pcap # Zapisywanie n pierwszych bajtów każdego z pakietów komunikacji do pliku
tcpdump -i eth0 -v -w /tmp/nagranie.pcap  # licznik pakietów w opcji verbose pozwala przerwać w odpowiednim momencie
tcpdump -i eth0 -c 5 -w /tmp/nagranie.pcap # okreslenie ile pakietow zapisac
tcpdump -r /tmp/nagranie.pcap # Wyświetlanie danych z pliku
tcpreplay -i eth0 /tmp/nagranie.pcap # dane są wysyłane przez wskazany interfejs sieciowy do sieci

kubectl -n istioinaction exec deploy/webapp -c istio-proxy \
-- sudo tcpdump -l --immediate-mode -vv -s 0 \
'(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'   # IP total length - IP header length - TCP header length != 0: only TCP segments that carry payload