LINUX-42 TCPDUMP - P2
WHAT IS TCPDUMP AND ITS SIGNIFICANCE

In the previous post we covered the command-line switches of tcpdump. In this post we look at filter expressions: the pcap-filter (BPF) language that decides, inside the kernel, which packets tcpdump keeps. An expression is made of primitives, each built from up to three kinds of qualifier:
Type / Direction / Protocol
TYPE: host, net, port (and portrange)
DIRECTION: src, dst
PROTOCOL: tcp, udp, icmp, arp ... and more
TYPE:
How to capture traffic based on a host address with tcpdump.
host = match packets in which the given address is either the source or the destination. Note that without -n tcpdump also replaces port numbers with names from /etc/services, which is why the client port 1515 in the first capture shows up as ambit-lm.
[root@rhel7-server ~]# tcpdump -c 5 host 192.168.135.142
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:46:00.537689 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [P.], seq 2969783456:2969783508, ack 1704483171, win
255, length 52
16:46:00.543049 IP 192.168.135.142.ssh >
192.168.135.1.ambit-lm: Flags [P.], seq 1:53, ack 52, win 427, length 52
16:46:00.583400 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [.], ack 53, win 255, length 0
16:46:00.678208 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [P.], seq 52:104, ack 53, win 255, length 52
16:46:00.685108 IP 192.168.135.142.ssh > 192.168.135.1.ambit-lm:
Flags [P.], seq 53:105, ack 104, win 427, length 52
5 packets captured
12 packets received by filter
0 packets dropped by kernel
[root@rhel7-server ~]# tcpdump -c 5 -i lo host 127.0.0.1
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on lo, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:45:15.886663 IP localhost.43228 >
localhost.ssh: Flags [S], seq 2566676923, win 43690, options [mss
65495,sackOK,TS val 59804014 ecr 0,nop,wscale 7], length 0
16:45:15.886720 IP localhost.ssh >
localhost.43228: Flags [S.], seq 644938091, ack 2566676924, win 43690, options
[mss 65495,sackOK,TS val 59804014 ecr 59804014,nop,wscale 7], length 0
16:45:15.886762 IP localhost.43228 >
localhost.ssh: Flags [.], ack 1, win 342, options [nop,nop,TS val 59804014 ecr
59804014], length 0
16:45:15.887231 IP localhost.43228 >
localhost.ssh: Flags [P.], seq 1:22, ack 1, win 342, options [nop,nop,TS val
59804015 ecr 59804014], length 21
16:45:15.887240 IP localhost.ssh > localhost.43228:
Flags [.], ack 22, win 342, options [nop,nop,TS val 59804015 ecr 59804015],
length 0
5 packets captured
42 packets received by filter
0 packets dropped by kernel
net = match any address inside the given network, written in CIDR notation (here 192.168.135.0/24)
[root@rhel7-server ~]# tcpdump -c 5 net 192.168.135.0/24
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:49:09.089098 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895214457:3895214665, ack 2940836812, win
215, length 208
16:49:09.129592 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 208, win 2052, length 0
16:49:10.090267 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:496, ack 1, win 215, length 288
16:49:10.130991 IP 192.168.135.1.6828 > 192.168.135.133.ssh:
Flags [.], ack 496, win 2051, length 0
16:49:11.091731 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 496:768, ack 1, win 215, length 272
5 packets captured
6 packets received by filter
0 packets dropped by kernel
port = match packets whose source or destination port is the given one (a number, or a name from /etc/services such as http or ssh)
[root@rhel7-server ~]# tcpdump -c 10 port 80
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:54:22.721914 IP 192.168.135.143.46797 >
192.168.135.133.http: Flags [S], seq 3571971863, win 14600, options [mss
1460,sackOK,TS val 35956030 ecr 0,nop,wscale 6], length 0
16:54:22.722014 IP 192.168.135.133.http >
192.168.135.143.46797: Flags [R.], seq 0, ack 3571971864, win 0, length 0
16:54:22.724346 IP 192.168.135.143.46798 >
192.168.135.133.http: Flags [S], seq 1413621237, win 14600, options [mss
1460,sackOK,TS val 35956032 ecr 0,nop,wscale 6], length 0
16:54:22.724662 IP 192.168.135.133.http >
192.168.135.143.46798: Flags [R.], seq 0, ack 1413621238, win 0, length 0
16:54:22.725041 IP 192.168.135.143.46799 >
192.168.135.133.http: Flags [S], seq 1123045188, win 14600, options [mss
1460,sackOK,TS val 35956033 ecr 0,nop,wscale 6], length 0
16:54:22.725073 IP 192.168.135.133.http >
192.168.135.143.46799: Flags [R.], seq 0, ack 1123045189, win 0, length 0
16:54:56.168666 IP 192.168.135.143.53461 >
www.test.com.http: Flags [S], seq 3023516311, win 14600, options [mss
1460,sackOK,TS val 35989475 ecr 0,nop,wscale 6], length 0
16:54:56.168810 IP www.test.com.http >
192.168.135.143.53461: Flags [R.], seq 0, ack 3023516312, win 0, length 0
16:54:56.169296 IP 192.168.135.143.53462 >
www.test.com.http: Flags [S], seq 2724677355, win 14600, options [mss
1460,sackOK,TS val 35989477 ecr 0,nop,wscale 6], length 0
16:54:56.169349 IP www.test.com.http >
192.168.135.143.53462: Flags [R.], seq 0, ack 2724677356, win 0, length 0
10 packets captured
12 packets received by filter
0 packets dropped by kernel
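The port-80 capture above is a pattern worth recognising: every SYN from 192.168.135.143 is answered by an RST+ACK with win 0 and no handshake completes, which is what a probe of a port with nothing listening looks like. The following shell script is an added example and not part of the original post. It reads tcpdump -n output (the sample lines are constructed, modelled on the capture above) and reports, per source address, how many SYNs it sent and how many RST+ACK and SYN+ACK replies came back, marking sources at or above a threshold as SUSPECT. A second function checks tcpdump's closing statistics for kernel drops, because a capture with drops cannot be used to argue that some packet never occurred. The threshold and the SUSPECT label are conventions of this example only.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions read tcpdump
# output from stdin, e.g.:  tcpdump -n -l -i eth0 'tcp port 80' | syn_rst_report
# The sample lines below are constructed to mirror the port-80 capture above,
# captured with -n so that addresses and ports are numeric.

# Per source address: SYNs sent, RST+ACKs received, SYN+ACKs received.
# A source collecting RSTs from several probes is knocking on closed ports;
# the threshold (default 2) marks such a source SUSPECT.
syn_rst_report() {
    awk -v thresh="${1:-2}" '
    # "192.168.135.133.80:" -> "192.168.135.133" (drop trailing colon and port)
    function ip_of(s,    a) {
        sub(/:$/, "", s); split(s, a, ".")
        return a[1] "." a[2] "." a[3] "." a[4]
    }
    $2 == "IP" && $6 == "Flags" {
        src = ip_of($3); dst = ip_of($5); f = $7
        if (f == "[S],")       syn[src]++      # connection attempt by src
        else if (f == "[R.],") rst[dst]++      # port closed, told to dst
        else if (f == "[S.],") synack[dst]++   # port open, told to dst
    }
    END {
        for (s in syn)
            printf "%s syn=%d rst=%d synack=%d%s\n", s, syn[s], rst[s] + 0,
                   synack[s] + 0, (rst[s] + 0 >= thresh ? " SUSPECT" : "")
    }' | sort
}

# Exit 1 when tcpdump reports kernel drops in its closing statistics:
# a capture with drops is incomplete and must not be read as "packet X
# was never sent".
check_drops() {
    awk '/packets dropped by kernel/ { if ($1 + 0 > 0) bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Constructed sample in tcpdump -n format (not a real capture).
SCAN_SAMPLE='16:54:22.721914 IP 192.168.135.143.46797 > 192.168.135.133.80: Flags [S], seq 3571971863, win 14600, length 0
16:54:22.722014 IP 192.168.135.133.80 > 192.168.135.143.46797: Flags [R.], seq 0, ack 3571971864, win 0, length 0
16:54:22.724346 IP 192.168.135.143.46798 > 192.168.135.133.80: Flags [S], seq 1413621237, win 14600, length 0
16:54:22.724662 IP 192.168.135.133.80 > 192.168.135.143.46798: Flags [R.], seq 0, ack 1413621238, win 0, length 0
16:54:22.725041 IP 192.168.135.143.46799 > 192.168.135.133.22: Flags [S], seq 1123045188, win 14600, length 0
16:54:22.725073 IP 192.168.135.133.22 > 192.168.135.143.46799: Flags [S.], seq 789430159, ack 1123045189, win 14480, length 0
16:54:22.725200 IP 192.168.135.143.46799 > 192.168.135.133.22: Flags [.], ack 1, win 229, length 0
16:54:23.100000 IP 192.168.135.1.6828 > 192.168.135.133.22: Flags [.], ack 208, win 2052, length 0'

printf '%s\n' "$SCAN_SAMPLE" | syn_rst_report
printf '5 packets captured\n12 packets received by filter\n0 packets dropped by kernel\n' \
    | check_drops && echo "capture complete: no kernel drops"
```

Run it against a live box with `tcpdump -n -l -i eth0 'tcp' | syn_rst_report 5`; the -l flag matters, since without line buffering nothing reaches the pipe until tcpdump exits.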
[root@rhel7-server ~]# tcpdump -c 5 port 22
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:55:46.048171 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895228169:3895228377, ack 2940843116, win
215, length 208
16:55:46.088611 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 208, win 2051, length 0
16:55:47.050865 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:496, ack 1, win 215, length 288
16:55:47.091664 IP 192.168.135.1.6828 > 192.168.135.133.ssh:
Flags [.], ack 496, win 2050, length 0
16:55:48.052947 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 496:768, ack 1, win 215, length 272
5 packets captured
6 packets received by filter
0 packets dropped by kernel
portrange = match any port inside an inclusive range
[root@rhel7-server ~]# tcpdump -c 5 portrange 1-3000
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:24:17.388540 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895256009:3895256217, ack 2940859420, win
215, length 208
17:24:17.428974 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 208, win 2048, length 0
17:24:18.390257 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:496, ack 1, win 215, length 288
17:24:18.431747 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 496, win 2047, length 0
17:24:19.391578 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 496:768, ack 1, win 215, length 272
5 packets captured
6 packets received by filter
0 packets dropped by kernel
DIRECTION:
src = match only on the source side: the source address (src host) or, combined with port, the source port
[root@rhel7-server ~]# tcpdump -c 5 src 192.168.135.133
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:58:07.473893 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895230569:3895230777, ack 2940844220, win
215, length 208
16:58:08.476590 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:400, ack 1, win 215, length 192
16:58:09.478611 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 400:576, ack 1, win 215, length 176
16:58:10.479953 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 576:752, ack 1, win 215, length 176
16:58:11.481859 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 752:928, ack 1, win 215, length 176
5 packets captured
5 packets received by filter
0 packets dropped by kernel
[root@rhel7-server ~]# tcpdump src port 22 -c 2
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:50:53.859066 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895287961:3895288169, ack 2940874316, win
238, length 208
17:50:54.860736 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:400, ack 1, win 238, length 192
2 packets captured
2 packets received by filter
0 packets dropped by kernel
dst = match only on the destination side: the destination address or, combined with port, the destination port
[root@rhel7-server ~]# tcpdump -c 5 dst 192.168.135.142
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
16:58:38.938427 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [P.], seq 2969787900:2969787952, ack 1704507291, win
255, length 52
16:58:38.983581 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [.], ack 101, win 255, length 0
16:58:40.024157 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [P.], seq 52:104, ack 101, win 255, length 52
16:58:40.069116 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [.], ack 169, win 255, length 0
16:58:42.751226 IP 192.168.135.1.ambit-lm >
192.168.135.142.ssh: Flags [P.], seq 104:156, ack 169, win 255, length 52
5 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@rhel7-server ~]# tcpdump dst port 80 -c 2
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:54:16.264922 IP 192.168.135.133.57126 >
192.168.135.142.http: Flags [S], seq 1592319357, win 14600, options [mss
1460,sackOK,TS val 63944392 ecr 0,nop,wscale 7], length 0
17:54:16.265398 IP 192.168.135.133.57127 >
192.168.135.142.http: Flags [S], seq 3230742604, win 14600, options [mss
1460,sackOK,TS val 63944393 ecr 0,nop,wscale 7], length 0
2 packets captured
3 packets received by filter
0 packets dropped by kernel
PROTOCOL: filter traffic by protocol (tcp, udp, icmp, arp, ip, ip6 and others). The -i any examples below capture on every interface, which is why loopback DNS traffic appears alongside eth0 traffic.
tcp
[root@rhel7-server ~]# tcpdump -c 5 -i any tcp
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on any, link-type LINUX_SLL (Linux
cooked), capture size 65535 bytes
17:16:24.459709 IP 192.168.135.143.58560 >
192.168.135.133.ssh: Flags [S], seq 909284957, win 14600, options [mss
1460,sackOK,TS val 37277767 ecr 0,nop,wscale 6], length 0
17:16:24.459775 IP 192.168.135.133.ssh >
192.168.135.143.58560: Flags [S.], seq 789430159, ack 909284958, win 14480,
options [mss 1460,sackOK,TS val 61672587 ecr 37277767,nop,wscale 7], length 0
17:16:24.459959 IP 192.168.135.143.58560 >
192.168.135.133.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val
37277767 ecr 61672587], length 0
17:16:24.469239 IP 192.168.135.133.ssh >
192.168.135.143.58560: Flags [P.], seq 1:22, ack 1, win 114, options
[nop,nop,TS val 61672596 ecr 37277767], length 21
17:16:24.469518 IP 192.168.135.143.58560 >
192.168.135.133.ssh: Flags [.], ack 22, win 229, options [nop,nop,TS val
37277776 ecr 61672596], length 0
5 packets captured
27 packets received by filter
0 packets dropped by kernel
udp
(The PTR queries for 143.135.168.192.in-addr.arpa to localhost.domain below are reverse lookups tcpdump itself issues in order to print 192.168.135.143 as a name; the "udp port domain unreachable" replies in the icmp capture that follows show that no resolver is listening on 127.0.0.1. Run tcpdump with -n so that the capture does not generate its own DNS traffic.)
[root@rhel7-server ~]# tcpdump -c 5 -i any udp
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on any, link-type LINUX_SLL (Linux
cooked), capture size 65535 bytes
17:15:00.241127 IP localhost.38073 >
localhost.domain: 30895+ PTR? 143.135.168.192.in-addr.arpa. (46)
17:15:00.241235 IP localhost.37466 >
localhost.domain: 30895+ PTR? 143.135.168.192.in-addr.arpa. (46)
17:15:22.024901 IP localhost.53708 >
localhost.domain: 40037+ PTR? 143.135.168.192.in-addr.arpa. (46)
17:15:22.025016 IP localhost.43240 >
localhost.domain: 40037+ PTR? 143.135.168.192.in-addr.arpa. (46)
17:15:35.492645 IP localhost.53053 >
localhost.domain: 14439+ PTR? 143.135.168.192.in-addr.arpa. (46)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
icmp
[root@rhel7-server ~]# tcpdump -c 5 -i any icmp
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on any, link-type LINUX_SLL (Linux
cooked), capture size 65535 bytes
17:14:13.300409 IP 192.168.135.143 >
192.168.135.133: ICMP echo request, id 25902, seq 1, length 64
17:14:13.300519 IP 192.168.135.133 >
192.168.135.143: ICMP echo reply, id 25902, seq 1, length 64
17:14:14.215090 IP localhost > localhost: ICMP
localhost udp port domain unreachable, length 82
17:14:14.215171 IP localhost > localhost: ICMP
localhost udp port domain unreachable, length 82
17:14:14.215302 IP localhost > localhost: ICMP
localhost udp port domain unreachable, length 82
5 packets captured
12 packets received by filter
0 packets dropped by kernel
COMBINATIONS:
and, or &&
or, or ||
not, or !
When you use the symbolic forms, quote the whole expression: && and || are shell operators, and ! triggers history expansion in an interactive bash shell, so unquoted they never reach tcpdump.
and (or &&): combines two or more conditions; all of them must match.
To capture the traffic between two IP addresses (the host qualifiers also match the sender/target addresses inside ARP packets, which is why an ARP request is the first packet shown):
# tcpdump -c 5 src 192.168.135.133 and dst 192.168.135.142
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:44:32.717376 ARP, Request who-has 192.168.135.142
tell 192.168.135.133, length 28
17:44:32.717626 IP 192.168.135.133.44795 >
192.168.135.142.ssh: Flags [S], seq 2846843953, win 14600, options [mss
1460,sackOK,TS val 63360845 ecr 0,nop,wscale 7], length 0
17:44:32.717946 IP 192.168.135.133.44795 >
192.168.135.142.ssh: Flags [.], ack 3196955003, win 115, options [nop,nop,TS
val 63360845 ecr 38966023], length 0
17:44:32.718253 IP 192.168.135.133.44795 >
192.168.135.142.ssh: Flags [P.], seq 0:21, ack 1, win 115, options [nop,nop,TS
val 63360845 ecr 38966023], length 21
17:44:32.725471 IP 192.168.135.133.44795 >
192.168.135.142.ssh: Flags [.], ack 22, win 115, options [nop,nop,TS val 63360853
ecr 38966031], length 0
5 packets captured
10 packets received by filter
0 packets dropped by kernel
Note the difference between "and" inside the expression and "&&" on the command line. The command below does not combine two filters: the unquoted && is the shell's AND, so it runs two separate tcpdump instances one after the other (the second one starts only when the first exits after -c 2). To use && or || as tcpdump operators, quote the expression as in the examples that follow.
# tcpdump -c 2 src 192.168.135.133 && tcpdump -c 2 dst 192.168.135.142
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:47:03.225002 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895284889:3895285097, ack 2940873692, win
238, length 208
17:47:04.227704 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:400, ack 1, win 238, length 192
2 packets captured
2 packets received by filter
0 packets dropped by kernel
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
17:47:26.568030 IP 192.168.135.133 >
192.168.135.142: ICMP echo request, id 16645, seq 1, length 64
17:47:27.568818 IP 192.168.135.133 >
192.168.135.142: ICMP echo request, id 16645, seq 2, length 64
2 packets captured
3 packets received by filter
0 packets dropped by kernel
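To make the shell-versus-tcpdump distinction concrete, here is an added example (not from the original post) that builds a filter expression from a host, a list of destination ports and a list of protocols to exclude, keeps the "or" alternatives in parentheses so that "and" (which binds tighter) does not split them, and shows the expression being handed to tcpdump as a single quoted argument. The interface name eth0 and the addresses are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a tcpdump filter from
# parts and pass it to tcpdump as ONE quoted argument, so that and/or/not
# (or &&, ||, !) are parsed by tcpdump rather than by the shell.

# or_list <qualifier> <value>...
#   one value  -> "qual v1"
#   several    -> "(qual v1 or qual v2 ...)"  (parentheses keep the group
#                 intact when an "and" is appended on either side)
or_list() {
    qual=$1; shift
    out=""
    for v in "$@"; do
        if [ -z "$out" ]; then out="$qual $v"; else out="$out or $qual $v"; fi
    done
    if [ $# -gt 1 ]; then printf '(%s)' "$out"; else printf '%s' "$out"; fi
}

# build_filter <host> "<dst ports>" "<protocols to exclude>"
# e.g. build_filter 192.168.135.142 "80 21" "icmp arp"
#   -> host 192.168.135.142 and (dst port 80 or dst port 21) and not icmp and not arp
build_filter() {
    expr="host $1"
    if [ -n "$2" ]; then expr="$expr and $(or_list 'dst port' $2)"; fi
    for proto in $3; do expr="$expr and not $proto"; done
    printf '%s\n' "$expr"
}

filter=$(build_filter 192.168.135.142 "80 21" "icmp arp")
echo "filter: $filter"
# Hand the expression over as one argument ("$filter", double-quoted).
# Unquoted, a filter such as  src A && dst B  becomes two shell commands
# and two tcpdump processes, as the previous capture shows.
echo "run as: tcpdump -n -i eth0 \"$filter\""
```

The generated expression is plain pcap-filter syntax, so it can also be checked without capturing anything: `tcpdump -d "$filter"` prints the compiled BPF program and reports a syntax error instead of silently capturing the wrong thing.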
With -n tcpdump stops resolving host addresses, but port numbers are still shown by name (ssh below); use -nn to turn off port and protocol name lookups as well.
# tcpdump -n -c 5 "dst host 192.168.135.142 and dst port 22"
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:03:53.037120 IP 192.168.135.133.44807 >
192.168.135.142.ssh: Flags [P.], seq 2463816494:2463816542, ack 158855630, win
170, options [nop,nop,TS val 64521164 ecr 40091391], length 48
18:03:53.042783 IP 192.168.135.133.44807 >
192.168.135.142.ssh: Flags [.], ack 49, win 170, options [nop,nop,TS val
64521170 ecr 40126347], length 0
18:03:53.270371 IP 192.168.135.133.44807 >
192.168.135.142.ssh: Flags [P.], seq 48:96, ack 49, win 170, options
[nop,nop,TS val 64521398 ecr 40126347], length 48
18:03:53.275093 IP 192.168.135.133.44807 >
192.168.135.142.ssh: Flags [.], ack 97, win 170, options [nop,nop,TS val
64521402 ecr 40126580], length 0
18:03:55.144204 IP 192.168.135.133.44807 >
192.168.135.142.ssh: Flags [P.], seq 96:144, ack 97, win 170, options
[nop,nop,TS val 64523271 ecr 40126580], length 48
5 packets captured
6 packets received by filter
0 packets dropped by kernel
# tcpdump -c 5 src 192.168.135.133 and dst 192.168.135.142 and port 21
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:13:21.618131 IP 192.168.135.133.50724 >
192.168.135.142.ftp: Flags [S], seq 2745672391, win 14600, options [mss
1460,sackOK,TS val 65089745 ecr 0,nop,wscale 7], length 0
18:13:21.618554 IP 192.168.135.133.50724 >
192.168.135.142.ftp: Flags [.], ack 3815564125, win 115, options [nop,nop,TS
val 65089746 ecr 40694923], length 0
18:13:21.621011 IP 192.168.135.133.50724 >
192.168.135.142.ftp: Flags [.], ack 21, win 115, options [nop,nop,TS val
65089748 ecr 40694925], length 0
18:13:25.940467 IP 192.168.135.133.50724 >
192.168.135.142.ftp: Flags [P.], seq 0:11, ack 21, win 115, options [nop,nop,TS
val 65094068 ecr 40694925], length 11
18:13:26.942475 IP 192.168.135.133.50724 >
192.168.135.142.ftp: Flags [.], ack 45, win 115, options [nop,nop,TS val
65095070 ecr 40700247], length 0
5 packets captured
7 packets received by filter
0 packets dropped by kernel
or (or ||): matches when any one of the given conditions holds. The parentheses below are required: and binds tighter than or, so without them "dst host 192.168.135.142 and dst port 80 or dst port 21" would also capture port 21 traffic to every other host.
# tcpdump -n "dst host 192.168.135.142 and (dst port 80 or dst port 21)" -c 10
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:05:53.328137 IP 192.168.135.133.57137 >
192.168.135.142.http: Flags [S], seq 2925727411, win 14600, options [mss
1460,sackOK,TS val 64641455 ecr 0,nop,wscale 7], length 0
18:05:53.328622 IP 192.168.135.133.57138 >
192.168.135.142.http: Flags [S], seq 1841552675, win 14600, options [mss
1460,sackOK,TS val 64641456 ecr 0,nop,wscale 7], length 0
18:05:53.329051 IP 192.168.135.133.57139 >
192.168.135.142.http: Flags [S], seq 4123582575, win 14600, options [mss
1460,sackOK,TS val 64641456 ecr 0,nop,wscale 7], length 0
18:06:31.351150 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [S], seq 2005845506, win 14600, options [mss
1460,sackOK,TS val 64679478 ecr 0,nop,wscale 7], length 0
18:06:31.351490 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [.], ack 3162149925, win 115, options [nop,nop,TS
val 64679479 ecr 40284656], length 0
18:06:31.465923 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [.], ack 21, win 115, options [nop,nop,TS val
64679593 ecr 40284770], length 0
18:06:43.912208 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [P.], seq 0:16, ack 21, win 115, options [nop,nop,TS
val 64692040 ecr 40284770], length 16
18:06:43.912630 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [.], ack 55, win 115, options [nop,nop,TS val
64692040 ecr 40297217], length 0
18:06:48.916180 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [P.], seq 16:34, ack 55, win 115, options
[nop,nop,TS val 64697043 ecr 40297217], length 18
18:06:48.917885 IP 192.168.135.133.50723 >
192.168.135.142.ftp: Flags [.], ack 78, win 115, options [nop,nop,TS val
64697045 ecr 40302222], length 0
10 packets captured
12 packets received by filter
0 packets dropped by kernel
[root@rhel7-server ~]# tcpdump -c 10 "arp or icmp"
tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:10:06.782697 ARP, Request who-has 192.168.135.133
tell 192.168.135.143, length 46
18:10:06.782719 ARP, Reply 192.168.135.133 is-at
00:0c:29:09:e3:b8 (oui Unknown), length 28
18:10:06.782983 IP 192.168.135.143 >
192.168.135.133: ICMP echo request, id 46640, seq 1, length 64
18:10:06.783033 IP 192.168.135.133 >
192.168.135.143: ICMP echo reply, id 46640, seq 1, length 64
18:10:07.784589 IP 192.168.135.143 > 192.168.135.133:
ICMP echo request, id 46640, seq 2, length 64
18:10:07.784630 IP 192.168.135.133 >
192.168.135.143: ICMP echo reply, id 46640, seq 2, length 64
18:10:08.824600 ARP, Request who-has 192.168.135.142
(00:0c:29:16:08:65 (oui Unknown)) tell 192.168.135.1, length 46
18:10:08.824875 ARP, Reply 192.168.135.142 is-at
00:0c:29:16:08:65 (oui Unknown), length 46
18:10:11.792238 ARP, Request who-has 192.168.135.143
tell 192.168.135.133, length 28
18:10:11.792599 ARP, Reply 192.168.135.143 is-at
00:0c:29:16:08:65 (oui Unknown), length 46
10 packets captured
10 packets received by filter
0 packets dropped by kernel
On their own, broadcast and multicast are short for ether broadcast and ether multicast (the ARP requests below are Ethernet broadcasts); use ip broadcast or ip multicast to match at the IP layer instead.
[root@rhel7-server ~]# tcpdump -n "broadcast or multicast" -c 5
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:11:18.323978 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:11:19.325096 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:11:20.633064 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:11:21.324537 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:11:22.324209 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
5 packets captured
5 packets received by filter
0 packets dropped by kernel
A bare value after or inherits the qualifiers of the term before it, so "dst port 80 or 21" is shorthand for "dst port 80 or dst port 21":
# tcpdump 'src 192.168.135.133 and (dst port 80 or 21)' -c 10
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:27:10.339613 IP 192.168.135.133.57142 >
192.168.135.142.http: Flags [S], seq 3268390863, win 14600, options [mss
1460,sackOK,TS val 65918467 ecr 0,nop,wscale 7], length 0
18:27:10.340227 IP 192.168.135.133.57143 >
192.168.135.142.http: Flags [S], seq 900761730, win 14600, options [mss
1460,sackOK,TS val 65918468 ecr 0,nop,wscale 7], length 0
18:27:10.340799 IP 192.168.135.133.57144 >
192.168.135.142.http: Flags [S], seq 101187288, win 14600, options [mss
1460,sackOK,TS val 65918468 ecr 0,nop,wscale 7], length 0
18:27:19.860720 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [S], seq 4124463600, win 14600, options [mss
1460,sackOK,TS val 65927988 ecr 0,nop,wscale 7], length 0
18:27:19.861040 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [.], ack 578872447, win 115, options [nop,nop,TS val
65927988 ecr 41533165], length 0
18:27:19.862616 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [.], ack 21, win 115, options [nop,nop,TS val
65927990 ecr 41533166], length 0
18:27:22.830880 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [P.], seq 0:11, ack 21, win 115, options [nop,nop,TS
val 65930958 ecr 41533166], length 11
18:27:23.831758 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [.], ack 45, win 115, options [nop,nop,TS val
65931959 ecr 41537135], length 0
18:27:23.831900 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [P.], seq 11:17, ack 45, win 115, options
[nop,nop,TS val 65931959 ecr 41537135], length 6
18:27:23.873358 IP 192.168.135.133.50728 >
192.168.135.142.ftp: Flags [.], ack 83, win 115, options [nop,nop,TS val
65932001 ecr 41537136], length 0
10 packets captured
10 packets received by filter
0 packets dropped by kernel
-A prints each packet's payload as ASCII (non-printable bytes as dots) and -s0 captures whole packets, so with this filter the FTP control and data channels, including logins, are readable on screen; both port names come from /etc/services.
[root@rhel7-server ~]# tcpdump -vvAs0 port ftp or ftp-data
tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 65535 bytes
18:34:40.186676 IP (tos 0x0, ttl 64, id 9900, offset
0, flags [DF], proto TCP (6), length 60)
192.168.135.143.60431 > www.test.com.ftp: Flags [S], cksum 0x1941
(correct), seq 2941997150, win 14600, options [mss 1460,sackOK,TS val 41973490
ecr 0,nop,wscale 6], length 0
E..<&.@.@................[P^......9..A.........
..v.........
18:34:46.786768 IP (tos 0x0, ttl 64, id 27032,
offset 0, flags [DF], proto TCP (6), length 60)
192.168.135.143.42277
> 192.168.135.133.ftp: Flags [S], cksum 0xbc4c (correct), seq 2427386146,
win 14600, options [mss 1460,sackOK,TS val 41980090 ecr 0,nop,wscale 6], length
0
E..<i.@.@.@..........%....."......9..L.........
............
18:34:58.164832 IP (tos 0x0, ttl 64, id 59256,
offset 0, flags [DF], proto TCP (6), length 60)
192.168.135.133.50735 > 192.168.135.142.ftp: Flags [S], cksum 0x9093
(incorrect -> 0xb34d), seq 3918339595, win 14600, options [mss
1460,sackOK,TS val 66386291 ecr 0,nop,wscale 7], length 0
E..<.x@.@............/............9............
...s........
18:34:58.165141 IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto TCP (6), length 60)
192.168.135.142.ftp > 192.168.135.133.50735: Flags [S.], cksum 0x3b18
(correct), seq 1540447519, ack 3918339596, win 14480, options [mss
1460,sackOK,TS val 41991468 ecr 66386291,nop,wscale 6], length 0
E..<..@.@..W.........../[.].......8.;..........
...,...s....
not (or !): negates a condition, used when packets matching it should be excluded.
Note that "src port not 80" only drops packets whose source port is 80, i.e. HTTP responses; requests to port 80 (source port random, destination port 80) still pass. To exclude port 80 in both directions use "not port 80".
[root@rhel7-server ~]# tcpdump -i eth0 src port not 80 -c 10
tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:16:10.238471 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 3895335113:3895335321, ack 2940905596, win
250, length 208
18:16:10.238676 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 208, win 2048, length 0
18:16:10.324575 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:16:11.180979 IP 192.168.135.1.53996 >
239.255.255.250.ssdp: UDP, length 174
18:16:11.240458 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 208:672, ack 1, win 250, length 464
18:16:11.281657 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 672, win 2053, length 0
18:16:11.791782 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:16:12.242460 IP 192.168.135.133.ssh >
192.168.135.1.6828: Flags [P.], seq 672:1024, ack 1, win 250, length 352
18:16:12.283645 IP 192.168.135.1.6828 >
192.168.135.133.ssh: Flags [.], ack 1024, win 2051, length 0
18:16:12.324088 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
10 packets captured
10 packets received by filter
0 packets dropped by kernel
# tcpdump -i eth0 not port 22 and not port 80 -c 10
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:21:20.324543 ARP, Request who-has 192.168.135.142
(00:0c:29:16:08:65 (oui Unknown)) tell 192.168.135.1, length 46
18:21:20.324747 ARP, Reply 192.168.135.142 is-at
00:0c:29:16:08:65 (oui Unknown), length 46
18:21:20.474967 IP 192.168.135.143 >
www.test.com: ICMP echo request, id 2865, seq 4, length 64
18:21:20.475008 IP www.test.com >
192.168.135.143: ICMP echo reply, id 2865, seq 4, length 64
18:21:20.824337 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:21:21.474602 IP 192.168.135.143 >
www.test.com: ICMP echo request, id 2865, seq 5, length 64
18:21:21.474642 IP www.test.com >
192.168.135.143: ICMP echo reply, id 2865, seq 5, length 64
18:21:21.824251 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:21:22.474673 IP 192.168.135.143 >
www.test.com: ICMP echo request, id 2865, seq 6, length 64
18:21:22.474714 IP www.test.com >
192.168.135.143: ICMP echo reply, id 2865, seq 6, length 64
10 packets captured
11 packets received by filter
0 packets dropped by kernel
# tcpdump -i eth0 not port 22 and not port 80 and not icmp -c 10
tcpdump: verbose output suppressed, use -v or -vv for
full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
18:22:37.824574 ARP, Request who-has 192.168.135.142
(00:0c:29:16:08:65 (oui Unknown)) tell 192.168.135.1, length 46
18:22:37.824746 ARP, Reply 192.168.135.142 is-at
00:0c:29:16:08:65 (oui Unknown), length 46
18:22:43.324337 ARP, Request who-has 192.168.135.133
(00:0c:29:09:e3:b8 (oui Unknown)) tell 192.168.135.1, length 46
18:22:43.324357 ARP, Reply 192.168.135.133 is-at
00:0c:29:09:e3:b8 (oui Unknown), length 28
18:22:53.324563 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:22:54.337660 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:22:55.324450 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:22:56.324395 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:23:01.842443 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
18:23:02.824866 ARP, Request who-has 192.168.135.2
tell 192.168.135.1, length 46
10 packets captured
11 packets received by filter
0 packets dropped by kernel
How to use grep with tcpdump: the -l switch (here inside -vvAls0, i.e. -vv -A -l -s0) makes tcpdump line-buffer its output; without it grep sees nothing until the buffer fills or tcpdump exits.
[root@rhel7-server ~]# tcpdump -vvAls0|grep 'ssh'
tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 65535 bytes
192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], cksum 0x9082
(incorrect -> 0xf52a), seq 3895388009:3895388153, ack 2940931676, win 250,
length 144
192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], cksum 0x6f66
(correct), seq 1, ack 144, win 2052, length 0
192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], cksum 0x9162
(incorrect -> 0xe7ce), seq 144:512, ack 1, win 250, length 368
192.168.135.1.6828 > 192.168.135.133.ssh: Flags [.], cksum 0x6df7
(correct), seq 1, ack 512, win 2051, length 0
192.168.135.133.ssh > 192.168.135.1.6828: Flags [P.], cksum 0x9142
(incorrect -> 0x7d7d), seq 512:848, ack 1, win 250, length 336
192.168.135.1.6828
> 192.168.135.133.ssh: Flags [.], cksum 0x6ca9 (correct), seq 1, ack 848,
win 2049, length 0
^C8 packets captured
11 packets received by filter
0 packets dropped by kernel
How to find a particular IP in tcpdump output. A "host 192.168.135.142" filter does this inside the kernel and is much cheaper; grep is worth it when you also want to search the ASCII payload printed by -A.
[root@rhel7-server ~]# tcpdump -vvAls0|grep '192.168.135.142'
tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 65535 bytes
192.168.135.133.44824 > 192.168.135.142.ssh: Flags [S], cksum 0x9093
(incorrect -> 0x567d), seq 4210681023, win 14600, options [mss
1460,sackOK,TS val 66557238 ecr 0,nop,wscale 7], length 0
192.168.135.142.ssh > 192.168.135.133.44824: Flags [S.], cksum 0x1d0c
(correct), seq 3741581155, ack 4210681024, win 14480, options [mss
1460,sackOK,TS val 42162414 ecr 66557238,nop,wscale 6], length 0
192.168.135.133.44824 > 192.168.135.142.ssh: Flags [.], cksum 0x908b
(incorrect -> 0x83f3), seq 1, ack 1, win 115, options [nop,nop,TS val
66557239 ecr 42162414], length 0
192.168.135.133.44824 > 192.168.135.142.ssh: Flags [P.], cksum 0x90a0
(incorrect -> 0xc12d), seq 1:22, ack 1, win 115, options [nop,nop,TS val
66557239 ecr 42162414], length 21
192.168.135.142.ssh > 192.168.135.133.44824: Flags [.], cksum 0x836d
(correct), seq 1, ack 22, win 227, options [nop,nop,TS val 42162415 ecr
66557239], length 0
192.168.135.142.ssh > 192.168.135.133.44824: Flags [P.], cksum 0xc29e
(correct), seq 1:22, ack 22, win 227, options [nop,nop,TS val 42162424 ecr
66557239], length 21
tcpdump: listening on eth0, link-type EN10MB
(Ethernet), capture size 65535 bytes
192.168.135.133.50737 > 192.168.135.142.ftp: Flags [S], cksum 0x9093
(incorrect -> 0x6bda), seq 2735438468, win 14600, options [mss
1460,sackOK,TS val 66595562 ecr 0,nop,wscale 7], length 0
192.168.135.142.ftp > 192.168.135.133.50737: Flags [S.], cksum 0xf62a
(correct), seq 1409298672, ack 2735438469, win 14480, options [mss
1460,sackOK,TS val 42200739 ecr 66595562,nop,wscale 6], length 0
192.168.135.133.50737 > 192.168.135.142.ftp: Flags [.], cksum 0x908b
(incorrect -> 0x5d12), seq 1, ack 1, win 115, options [nop,nop,TS val
66595563 ecr 42200739], length 0
192.168.135.142.ftp > 192.168.135.133.50737: Flags [P.], cksum 0x0274
(correct), seq 1:21, ack 1, win 227, options [nop,nop,TS val 42200742 ecr
66595563], length 20
192.168.135.133.50737 > 192.168.135.142.ftp: Flags [.], cksum 0x908b
(incorrect -> 0x5cf7), seq 1, ack 21, win 115, options [nop,nop,TS val
66595567 ecr 42200742], length 0
How to find a keyword in packet payloads: -A prints payloads as ASCII, -nn disables host and port name lookups, -s0 captures full packets and -l line-buffers the output for the pipe. The single line matched below is the vsFTPd server banner, sent in clear text to every client that connects.
[root@rhel7-server ~]# tcpdump -nn -A -s0 -l | egrep -i 'ftp'
tcpdump: verbose output suppressed, use -v or -vv
for full protocol decode
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes
.......Q220 (vsFTPd 2.2.2)
^C99 packets captured
100 packets received by filter
0 packets dropped by kernel
How to capture SNMP traffic to a specific target. -T snmp tells tcpdump to decode UDP payloads as SNMP. The capture below shows a GetNextRequest, i.e. a poll rather than a trap (traps are sent to UDP port 162), and the "udp port snmp unreachable" replies show that no agent is listening on 192.168.135.142. Note that the SNMPv1 community string my_servers is visible in clear text to anyone who can capture on the path.
# tcpdump -i any -s0 host 192.168.135.142 -vva -T snmp
tcpdump: listening on any, link-type LINUX_SLL
(Linux cooked), capture size 65535 bytes
18:53:59.119306 IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:53:59.120671 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has 192.168.135.133 tell 192.168.135.142, length 46
18:53:59.120708 ARP, Ethernet (len 6), IPv4 (len 4),
Reply 192.168.135.133 is-at 00:0c:29:09:e3:b8 (oui Unknown), length 28
18:53:59.120772 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has 192.168.135.133 tell 192.168.135.142, length 46
18:53:59.120811 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has 192.168.135.133 tell 192.168.135.142, length 46
18:53:59.120917 IP (tos 0xc0, ttl 64, id 57261,
offset 0, flags [none], proto ICMP (1), length 103)
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:54:00.121089 IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:54:00.121433 IP (tos 0xc0, ttl 64, id 57262,
offset 0, flags [none], proto ICMP (1), length 103)
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
IP
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 75)
192.168.135.133.39715
> 192.168.135.142.snmp: { SNMPv1
C=my_servers { GetNextRequest(28) R=536235152
system.sysDescr.0 } }
18:54:01.122372 IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:54:01.122776 IP (tos 0xc0, ttl 64, id 57263,
offset 0, flags [none], proto ICMP (1), length 103)
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
IP
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:54:02.124212 IP (tos 0x0, ttl 64, id 0, offset 0,
flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
18:54:02.124595 IP (tos 0xc0, ttl 64, id 57264,
offset 0, flags [none], proto ICMP (1), length 103)
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
IP
(tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 75)
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=536235152 system.sysDescr.0 } }
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
# tcpdump -i any -s0 -vva -T snmp |grep 192.168.135.142
tcpdump: listening on any, link-type LINUX_SLL
(Linux cooked), capture size 65535 bytes
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp
unreachable, length 83
192.168.135.133.60066 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28)
R=1396969041 system.sysDescr.0 } }
18:56:35.488999 ARP, Ethernet (len 6), IPv4 (len 4),
Request who-has 192.168.135.142 tell 192.168.135.133, length 28
18:56:35.489288 ARP, Ethernet (len 6), IPv4 (len 4),
Reply 192.168.135.142 is-at 00:0c:29:16:08:65 (oui Unknown), length 46
^C59 packets captured
76 packets received by filter
0 packets dropped by kernel
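An added example, not from the original post: a small shell function (plain sh plus awk, both assumed available) that reads `tcpdump -vv -T snmp` output in the layout shown above from stdin and reports which SNMP communities crossed the wire in cleartext and how many probes drew an ICMP "udp port snmp unreachable" reply. The sample lines embedded in the block are constructed to match that layout, not a real capture.

```shell
#!/bin/sh
# snmp_summary: summarise `tcpdump -vv -T snmp` style output read on stdin.
# Added example, not code from the original post. Assumes POSIX sh and awk.
# Output (sorted): one "requests <version> <community> <count>" line per
# version/community pair, then "unreachable <count>".
snmp_summary() {
    awk '
        # Decoded SNMP payload lines look like:
        #   A.B.C.D.port > W.X.Y.Z.snmp: { SNMPv1 C=community { GetNextRequest(28) ...
        # For v1/v2c the community is carried in cleartext, so every such line
        # is a credential visible to anyone on the path.
        /SNMPv[0-9c]+ C=/ {
            ver = ""; comm = ""
            if (match($0, /SNMPv[0-9c]+/)) ver = substr($0, RSTART, RLENGTH)
            if (match($0, /C=[^ ]+/))     comm = substr($0, RSTART + 2, RLENGTH - 2)
            req[ver " " comm]++
            next
        }
        # ICMP replies of this shape mean the target has nothing listening on
        # udp/161 (the probe was rejected by the kernel, not by an agent):
        #   W.X.Y.Z > A.B.C.D: ICMP W.X.Y.Z udp port snmp unreachable, length 83
        /ICMP .* udp port snmp unreachable/ { unreach++; next }
        END {
            for (k in req) printf "requests %s %d\n", k, req[k]
            printf "unreachable %d\n", unreach + 0
        }
    ' | sort
}

# Constructed sample in the format tcpdump prints (one packet per line).
SAMPLE_SNMP='192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28) R=536235152 system.sysDescr.0 } }
192.168.135.142 > 192.168.135.133: ICMP 192.168.135.142 udp port snmp unreachable, length 83
192.168.135.133.39715 > 192.168.135.142.snmp: { SNMPv1 C=my_servers { GetNextRequest(28) R=536235152 system.sysDescr.0 } }
18:56:35.488999 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.135.142 tell 192.168.135.133, length 28'

# Stand-alone run over the constructed sample; on a live box you would use
#   tcpdump -i any -s0 -l -vv -T snmp | snmp_summary
printf '%s\n' "$SAMPLE_SNMP" | snmp_summary
```
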