{"id":644,"date":"2012-07-10T16:48:32","date_gmt":"2012-07-10T08:48:32","guid":{"rendered":"http:\/\/rmohan.com\/?p=644"},"modified":"2012-07-10T17:16:45","modified_gmt":"2012-07-10T09:16:45","slug":"tcpdump","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=644","title":{"rendered":"tcpdump"},"content":{"rendered":"<p>Tcpdump is a great tool for network security analysts: you can dump the packets flowing through your network to a file for later analysis. With a capture filter you record only the packets you are interested in, which keeps the saved dump small and cuts the time needed to load and process it.<\/p>\n<p>Let\u2019s start by capturing based on network interface, port and protocol. Say I want to capture TCP packets that flow over eth1 on port 6881 and save them to test.pcap:<\/p>\n<p><strong><em>tcpdump -w test.pcap -i eth1 tcp port 6881<\/em><\/strong><\/p>\n<p>Simple, right? Remember that the file contains whatever was on the wire, including any plaintext credentials, so protect it accordingly. What if at the same time I am interested in packets on UDP ports 33210 and 33220?<\/p>\n<p><strong><em>tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \\( 33210 or 33220 \\)<\/em><\/strong><\/p>\n<p>The \u2018\\\u2019 is a shell escape for \u2018(\u2019 and \u2018)\u2019, which the shell would otherwise try to interpret; wrapping the whole filter in single quotes works just as well. The qualifier \u2018port\u2019 has to come before the parenthesised list: the bare numbers \u2018udp \\( 33210 or 33220 \\)\u2019 are not a valid filter. \u2018or\u2019 is a union, read it as \u2018plus\u2019: the filter captures TCP packets on port 6881 plus UDP packets on port 33210 plus UDP packets on port 33220. Be careful with \u2018and\u2019 in a tcpdump filter expression: it is an intersection, so \u2018udp port 33210 and udp port 33220\u2019 would only match a packet that has one of those ports as source and the other as destination. That is why I put \u2018or\u2019 between the two UDP ports instead of \u2018and\u2019. The use of \u2018and\u2019 in tcpdump will be illustrated later.<\/p>\n<p>OK, how about reading a pcap that I saved previously?<\/p>\n<p><strong><em>tcpdump -nnr test.pcap<\/em><\/strong><\/p>\n<p>-r reads from the file instead of from an interface. -nn tells tcpdump not to resolve IP addresses to host names or port numbers to service names (a single -n disables only the host lookups). Besides being faster, this matters when you analyse a capture: reverse DNS lookups on every address in the file send queries to your resolver, which is slow and tells the outside world which hosts you are looking at.<\/p>\n<p>Adding -tttt makes the timestamp appear in a more readable format (date and time instead of the time of day only).<\/p>\n<p><strong><em>tcpdump -ttttnnr test.pcap<\/em><\/strong><\/p>\n<p>How about capturing based on IP? You need to tell tcpdump which IP you are interested in, and whether it is the destination or the source. Say I want to sniff traffic to destination IP 10.168.28.22 on TCP port 22. How should I write that?<\/p>\n<p><strong><em>tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22<\/em><\/strong><\/p>\n<p>So the \u2018and\u2019 makes the intersection of destination IP and port: a packet must satisfy both conditions to be captured. Note that \u2018dst 10.168.28.22\u2019 is the destination address only, while \u2018port 22\u2019 on its own matches either the source or the destination port; use \u2018dst port 22\u2019 if you want only one direction.<\/p>\n<p>Older versions of tcpdump (3.x) save only the first 96 bytes of each packet by default, enough for the IP and TCP\/UDP headers but not for the payload. You can override that size with -s; -s 0 means the whole packet, and tcpdump 4.0 and later default to a snaplen (65535 bytes, raised to 262144 in recent releases) that holds whole packets. The filter is applied before the packet is truncated, so a small snaplen does not change what is captured, only how much of each packet is left for you to analyse afterwards.<\/p>\n<p><strong><em>tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22<\/em><\/strong><\/p>\n<p>Newer versions of tcpdump also allow you to define a port range. You can capture packets over a range of TCP ports as below.<\/p>\n<p><strong><em>tcpdump tcp portrange 20-24<\/em><\/strong><\/p>\n<p>Bear in mind that the line above does not specify -w, so it won\u2019t write to a file; it will just print the captured packets on the screen.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tcpdump is a great tool for network security analysts: you can dump the packets flowing through your network to a file for later analysis. With a capture filter you record only the packets you are interested in, which keeps the saved dump small and cuts the time needed to load and process it.<\/p>\n<p>Let\u2019s start by [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/644"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=644"}],"version-history":[{"count":4,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions"}],"predecessor-version":[{"id":671,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/644\/revisions\/671"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
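The post's filters (the tcp/udp port union, the dst-host-and-port intersection, the port range) and the effect of -s are easiest to see on a file you can build and read offline, since tcpdump itself needs root and a live interface. The following is an added example written for this page, not code from the post or from the tcpdump project: a minimal pcap writer that truncates records the way `tcpdump -w -s N` does, a reader that recovers the fields a filter looks at, and the three filters expressed as Python predicates with the same or/and semantics. All addresses, ports, MAC addresses, timestamps and payloads are constructed for the demonstration; the writer is not tcpdump's own and skips checksums because nothing here verifies them.

```python
# Added example, not from the original post: build a pcap like 'tcpdump -w', read it
# back like 'tcpdump -r', and apply the post's filters. All traffic is constructed.
import os
import socket
import struct
import tempfile


def _ipv4(src, dst, proto, payload):
    # 20-byte IPv4 header, no options; checksum left as 0 (nothing here verifies it)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def tcp_segment(src, dst, sport, dport, data=b""):
    # 20-byte TCP header: seq/ack 1, data offset 5, flags PSH|ACK, window 65535
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return _ipv4(src, dst, 6, hdr + data)


def udp_datagram(src, dst, sport, dport, data=b""):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def ethernet_frame(ip_packet):
    # constructed MAC addresses; EtherType 0x0800 = IPv4
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_packet


def write_pcap(path, frames, snaplen):
    """Write frames as 'tcpdump -w -s snaplen' would: each record keeps the first
    snaplen bytes (incl_len) and remembers the real size on the wire (orig_len)."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
        for i, frame in enumerate(frames):
            captured = frame[:snaplen]
            f.write(struct.pack("<IIII", 1341910112 + i, 0, len(captured), len(frame)))
            f.write(captured)


def parse_frame(data):
    """Return the fields a filter looks at, or None if the snaplen cut the headers off."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    l4 = 14 + (data[14] & 0x0F) * 4          # Ethernet header + IPv4 header length
    proto = data[23]
    if proto not in (6, 17) or len(data) < l4 + 4:
        return None                           # ports are beyond what was captured
    sport, dport = struct.unpack("!HH", data[l4:l4 + 4])
    return {"proto": "tcp" if proto == 6 else "udp",
            "src": socket.inet_ntoa(data[26:30]), "dst": socket.inet_ntoa(data[30:34]),
            "sport": sport, "dport": dport}


def read_pcap(path):
    """Yield (caplen, origlen, parsed) for every record, like walking 'tcpdump -r'."""
    with open(path, "rb") as f:
        assert struct.unpack("<I", f.read(4))[0] == 0xA1B2C3D4
        f.read(20)                            # rest of the global header
        while len(rec := f.read(16)) == 16:
            _, _, caplen, origlen = struct.unpack("<IIII", rec)
            yield caplen, origlen, parse_frame(f.read(caplen))


def port(p, n):
    return p["sport"] == n or p["dport"] == n    # 'port N' matches either end


def filter_bittorrent(p):
    # tcp port 6881 or udp port \( 33210 or 33220 \): a union, any one clause suffices
    return (p["proto"] == "tcp" and port(p, 6881)) or \
           (p["proto"] == "udp" and (port(p, 33210) or port(p, 33220)))


def filter_ssh_to_host(p):
    # dst 10.168.28.22 and tcp port 22: an intersection, both clauses must hold
    return p["dst"] == "10.168.28.22" and p["proto"] == "tcp" and port(p, 22)


def filter_portrange(p):
    # tcp portrange 20-24 (note: this also catches ssh on 22)
    return p["proto"] == "tcp" and (20 <= p["sport"] <= 24 or 20 <= p["dport"] <= 24)


FRAMES = [  # constructed traffic; .22 is the hypothetical ssh server from the post
    ethernet_frame(tcp_segment("10.168.28.5", "10.168.28.22", 51000, 22, b"SSH-2.0-x")),
    ethernet_frame(tcp_segment("10.168.28.5", "10.168.28.9", 51001, 6881)),
    ethernet_frame(udp_datagram("10.168.28.5", "10.168.28.9", 33210, 9999)),
    ethernet_frame(udp_datagram("10.168.28.5", "10.168.28.9", 40000, 33221)),   # near miss
    ethernet_frame(tcp_segment("10.168.28.22", "10.168.28.5", 22, 51000)),      # reply: dst is .5
    ethernet_frame(tcp_segment("10.168.28.5", "10.168.28.9", 51002, 21, b"x" * 200)),
]


def run(snaplen=262144):
    """Write FRAMES with the given snaplen, read them back, and count filter hits
    and truncated records (caplen < origlen)."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, FRAMES, snaplen)
        records = list(read_pcap(path))
    finally:
        os.remove(path)
    parsed = [p for _, _, p in records if p]
    return {"records": len(records),
            "truncated": sum(1 for caplen, origlen, _ in records if caplen < origlen),
            "bittorrent": sum(map(filter_bittorrent, parsed)),
            "ssh_to_host": sum(map(filter_ssh_to_host, parsed)),
            "portrange": sum(map(filter_portrange, parsed))}


if __name__ == "__main__":
    for s in (262144, 96, 36):
        print(f"snaplen={s}: {run(snaplen=s)}")
```

Running it shows the union matching two frames, the intersection matching only the packet whose destination is really 10.168.28.22 (the reply from port 22 has the hosts the other way round), and portrange 20-24 quietly including the ssh traffic. With a 96-byte snaplen only the 254-byte FTP segment is truncated and every filter still works on the file, because the headers fit; with a 36-byte snaplen the ports are gone and nothing matches on read-back. On a live capture tcpdump evaluates the filter on the full packet before truncating, so the snaplen decides what survives in the file, not what gets captured.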