How To Web Host

A basic How To guide designed for beginning web hosts

Menu

tcpdump

TCPDump

Captures network traffic. Must be ran as root.

Common Usage

Capture SNMP traffic from a host in zentrap

sudo tcpdump -i any -n udp and src host 10.10.10.10

Capture SNMP traffic from a host on the zentrap host

sudo tcpdump -i any -n udp and src host 10.10.10.10 and port 162

Configuration

Switch	Name	Descriptio
( )	Grouping Parenthisis	When using these with ‘and’ and ‘or’ statements, you must encapsulate the entire expression in single or double quotes. Otherwise, these characters will be misinterpreted as special bash characters.
and	Logical AND	Both conditions must be met. To see traffic From 1.2.3.4 AND only to port 162: tcpdump -i any -n src host 1.2.3.4 and dst port 162
arp	ARP	Capture only ARP traffic
-c	Count	-c 5 = Collect 5 packets and stop. Without setting a limit, you’ll need to ^C to stop.
-D	Display Interfaces	See which interfaces are available. Use one of these with -i Examples: eth0 any (psudo interface meaning ‘listen to them all’) lo (loopback)
dst	Destination	Use with host to filter on traffic sent to the defined Host. tcpdump -i any dst host 192.168.1.1
-e	Display Mac Address	Included the Mac Address in the output.
ether	Mac Address	tcpdump -i any -n ether host 28:16:2e:1f:25:49
-h	Help	Shows version info, plus short list of common switches
host	Host	Capture data only to or from the host specified tcpdump -i any host 192.168.1.1
-i	Interface	Select the interface to filter on. See -D to get the list of available interfaces.
icmp	Ping	Capture only Ping traffic
ip6	IPv6	Capture IPv6 traffic
-n	Numerical	Prevent conversion of IP Addresses to Host names and Port numbers to common Port names. IMHO, this should be the default setting. Note: Without this switch, TCPDump needs to reverse lookups on IP addresses to get the domains. This creates additional traffic!
net	Network	Prefix CIDR notation with keyword ‘net’. tcpdump -i any -n src net 10.0.0.0/24 and not dst net 192.168.0.1/24
not	Logical NOT	Use with ‘and’ and ‘or’ to exclude conditions. tcpdump -i any -n src net 10.0.0.0/24 and not dst net 192.168.0.1/24
or	Logical OR	One or the other conditions must be met. To filter traffic from 2 different IPs: tcpdump -i any -n “(src host 1.2.3.4 or src host 1.2.3.5) and dst port 161”
-q	Quiet	Display less data
-r	Read	Will display the contents of a .pcap file in normally displayed output format. tcpdump -n -r capture.pcap
-s	Size (Bytes)	Set how much data to capture per packet. Default size is displayed when you first call the program capture size 262144 bytes
src	Source	Use with host to filter on traffic sourced from the defined Host. tcpdump -i any src host 192.168.1.1
-t	Timestamp	Do Not display the timestamp
tcp	TCP	Capture only TCP traffic
udp	UDP	Capture only UDP traffic
-v, -vv, -vvv	Verbose	Display Verbose output. Good when writing to a file because will echo the packet count to the terminal.
-w	Write	Write output to a file. tcpdump -i any -w capture.pcap

Last posts

Sidebar