Quick and simple usage of tcpdump (packet sniffer)

Tcpdump is a popular computer network debugging and security tool which allows the user to intercept and display TCP/IP packets being transmitted or received over a network to which the computer is attached. Tcpdump allows us to precisely see all the traffic and enables us to create statistical monitoring scripts.

At an ethernet segment, tcpdump operates by putting the network card into promiscuous mode in order to capture all the packets going through the wire. Using tcpdump we have a view on any TCP/UDP connection establishment and termination and we can measure the response time and the packet loss percentagesTo print

Some simple usage:

all packets arriving at or departing from 192.168.0.2
# tcpdump -n host 192.168.0.2

To print traffic between 192.168.0.2 and either 10.0.0.4 or 10.0.0.5:
# tcpdump -n host 192.168.0.2 and \( 10.0.0.4 or 10.0.0.5 \)

To print all IP packets between 192.168.0.2 and any host except 10.0.0.5:
# tcpdump ip -n host 192.168.0.2 and not 10.0.0.5

To print all traffic between local hosts and hosts at Berkeley:
# tcpdump net ucb-ether

To print all ftp traffic through internet gateway xx:
# tcpdump ‘gateway xx and (port ftp or ftp-data)’

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).
# tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.
# tcpdump ‘tcp[13] & 3 != 0 and not src and dst net localnet’

To print IP packets longer than 576 bytes sent through gateway xx:
# tcpdump ‘gateway xx and ip[2:2] > 576’

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
# tcpdump ‘ether[0] & 1 = 0 and ip[16] >= 224’

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
# tcpdump ‘icmp[0] != 8 and icmp[0] != 0″

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s