How to use tcpdump
Tcpdump command
Tcpdump prints out a description of the contents of packets on a network interface and its output can be varied with various switches. We can use to analyze network packets from a single source or directed to a single service on the system. Think of a imagine when a user is unable to upload a file to your server and everything else seems to work fine. In those circumstances it is necessary to use tcpdump.
>> To capture packets on a specified interface, use the following command.
tcpdump -i eth1
The truncated output is as follows.
07:31:55.192765 localhost.com > 234.23.24.222.51819: P 3158249468:3158249532(64) ack 256109743 win 99
07:31:55.193622 234.23.24.222.51819 > localhost.com: . ack 64 win 10944
07:31:55.194242 localhost.com.34517 > 216.93.160.16.domain: 40093+ PTR? 34.4.5.5..in-addr.arpa. (43) (DF)
07:31:55.195888 216.93.160.16.domain >localhost.com.34517: 40093* 1/3/3 (186)
07:31:55.196275 localhost.com > 234.23.24.222.51819: P 64:272(208) ack 1 win 99
>> The above command dumps too much data. To see only first n lines, use the following command.
tcpdump -c 2 -i eth0
The above command will show only first teo dumps.
>> To check only particular ports, use the following command.
tcpdump -i eth1 tcp port 80
The above command will dump all the connections on port 80.
>> To capture packets which are destined to a particular IP address and a port number, we can create a command which is called filter as follows.
tcpdump -i eth0 dst 192.168.2.3 and port 22
The above command will show all the packets going to port 22 of IP address 192.168.2.3.
>> We can store the output of tcpdump is special files with extension .pcap which can be analyzed by any packet analyzer. To do so, use the -x switch as follows.
tcpdump -w xpackets.pcap -i eth0 dst 192.168.2.3 and port 22
No related posts.
Category: Linux, Software, Technology
