
tcpdump examples

by 크크다스 2018. 1. 25.

Useful Examples : https://hackertarget.com/tcpdump-examples/

Usage: tcpdump -h

tcpdump version 4.9.0
libpcap version 1.1.1
OpenSSL 1.0.1 14 Mar 2012
Usage: tcpdump [-aAbdDefhHIKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
                [ -Z user ] [ expression ]

Sending a pcap capture to another host

> https://www.squidhacks.com/single-post/2017/08/08/How-to-Save-TCPDUMP-live-output-on-a-different-server

 

tcpdump -i eth0 -U -w - 'port 2233 and less 284 and greater 282' | nc 12.19.24.61 12345 &

Length: less/greater compare the whole packet length (the length shown in the capture output) and both are inclusive, so this matches packets of 282 to 284 bytes. -U flushes each packet to the pipe as soon as it is captured; without it tcpdump block-buffers and nc receives nothing until the buffer fills or tcpdump exits. Options are placed before the filter expression here so the command also works with a non-permuting getopt.

 

tcpdump -nni eth0 -s0 -w - | ssh user@192.168.0.10 "cat - > /tmp/name_of_capture.pcap"

 

Nothing seems to arrive while the capture is running; the file is only written out once tcpdump exits. That is output buffering: when -w writes to a pipe the output is block-buffered, so add -U (packet-buffered output, as in the nc example above) to flush every packet as it is captured. If eth0 is also the interface carrying the ssh session, exclude the ssh port in the filter (not port 22); otherwise the capture picks up its own transfer and keeps growing on its own.

-nni: "Don't resolve hostnames nor portnames, that way you see something like 192.168.50.10:23 instead of squidhacks.blog.stuff:telnet"
eth0: "This is the interface where we are capturing the traffic"
-s0: "This tells tcpdump to capture the entire frame instead of the default which in some distros is 96 bytes" (tcpdump 4.0 and later already default to the full packet, so -s0 only matters on old builds)
-w -: "tells tcpdump to save the file in what follows next which is the ssh session"

        Source: pcap-filter(7)
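What lands in /tmp/name_of_capture.pcap (or on the nc listener) is a plain pcap stream: a 24-byte global header, then a 16-byte record header plus the captured bytes for every packet. A receiver that parses that stream incrementally is the quickest way to confirm packets are actually flowing with -U, and to see the half-written record a cut pipe or a killed tcpdump leaves at the end. The following Python is an added example, not code from this post or from tcpdump; the sample streams are constructed inline and the layout follows the libpcap file format (magic, version 2.4, snaplen, link type, then per-record timestamp, captured length and original length).

```python
import struct

# Magic number -> (struct byte-order prefix, divisor for the timestamp fraction)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds (what tcpdump -w writes on x86)
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def write_pcap(records, snaplen=262144, linktype=1):
    """Constructed little-endian microsecond pcap stream, the layout `tcpdump -w -` emits.
    records: iterable of (ts_sec, ts_usec, packet_bytes); linktype 1 is LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


def read_pcap_stream(data):
    """Parse whatever has arrived on the receiving side so far.
    Returns (linktype, records, leftover): records are the complete packets as
    (timestamp, caplen, origlen, bytes) tuples; leftover is a trailing partial record,
    which is what a cut pipe or a killed tcpdump leaves behind."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("stream shorter than the 24-byte pcap global header")
    try:
        endian, ts_div = PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a classic pcap stream (magic {data[:4].hex()}): pcapng or not a capture")
    _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    records, pos = [], GLOBAL_HDR_LEN
    while pos + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[pos:pos + RECORD_HDR_LEN])
        if caplen > snaplen:
            # No valid writer produces this; treat it as corruption instead of trusting the length.
            raise ValueError(f"record at offset {pos} claims caplen {caplen} > snaplen {snaplen}")
        if pos + RECORD_HDR_LEN + caplen > len(data):
            break  # record header arrived, packet bytes did not: truncated tail
        start = pos + RECORD_HDR_LEN
        records.append((ts_sec + ts_frac / ts_div, caplen, origlen, data[start:start + caplen]))
        pos = start + caplen
    return linktype, records, data[pos:]


# Constructed sample streams (not real captures): two packets, then the same stream cut mid-packet.
SAMPLE = write_pcap([
    (1516838400, 0, b"\xaa" * 60),         # 60-byte frame
    (1516838400, 500000, b"\xbb" * 1500),  # 1500-byte frame, half a second later
])
TRUNCATED = SAMPLE + struct.pack("<IIII", 1516838401, 0, 60, 60) + b"\xcc" * 30

if __name__ == "__main__":
    for name, stream in (("complete", SAMPLE), ("cut mid-packet", TRUNCATED)):
        linktype, recs, rest = read_pcap_stream(stream)
        print(f"{name}: linktype={linktype} complete_records={len(recs)} leftover_bytes={len(rest)}")
```

Feed the receiver's file (or the bytes read so far from the nc socket) to read_pcap_stream: a growing record count means -U is doing its job, and a non-empty leftover with a sensible record header in front of it is a truncated last packet rather than a corrupt file.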

 

Example: all interfaces (-i any uses the Linux "cooked" pseudo-header, so -e output and VLAN tags look different from a single-interface capture)


tcpdump -i any
tcpdump -ni any proto gre


Example: VLAN tags (-e prints the link-level header, which is where the 802.1Q tag shows up)
tcpdump -nnei eth0 -vvv
 
Example: by host
tcpdump -i eth0 'host domain.name'
tcpdump -i eth0 'host xxx.xxx.xxx.xxx'
Example: by port
tcpdump -i eth0 'port xxxx'
Example: by host and/or port, negated with not
tcpdump -i eth0 'host xxx.xxx.xxx.xxx and port xxxx'
tcpdump -i eth0 'host xxx.xxx.xxx.xxx or not port xxxx'
tcpdump host helios and \( hot or not ace \)
Example: ASCII output
tcpdump -A -i eth0 
Example: options
<limit count> tcpdump -c 1234
<hex + ASCII, including the link-level header> tcpdump -XX
<write to a file> tcpdump -w capture.pcap
<read from a file> tcpdump -r captured.pcap -tttt
<timestamp>
  -t      Don't print a timestamp on each dump line.
  -tt     Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.
  -ttt    Print a delta (micro-second resolution) between current and previous line on each dump line.
  -tttt   Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.
  -ttttt  Print a delta (micro-second resolution) between current and first line on each dump line.

 

<filter by packet length> tcpdump greater 1234      (len >= 1234, inclusive)
<filter by packet length> tcpdump less 1234         (len <= 1234, inclusive)

<filter by packet length> tcpdump 'len >= 1234'     (explicit form; a bare ">= 1234" is not a valid filter, and the quotes keep the shell from treating >= as a redirection)

 

<filter by protocol> tcpdump [not] arp / rarp / ip / ip6 / tcp / udp
<filter by protocol> tcpdump proto gre

 

Specifying a port range (wan is the interface name on this box)

tcpdump -i wan udp and portrange 44400-44500

 

Specifying the port direction

tcpdump -i wan udp and src portrange 67-68
tcpdump -i wan udp and dst portrange 67-68

 

Specifying a network

tcpdump -i wan udp and net 172.16.0.0/16

 
Example: useful filters
tcpdump -A -s 0 -q -t -i eth0 'port 80 and ( ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'   <=== HTTP, only segments that carry data (IP total length minus IP header length minus TCP header length is non-zero). Note tcp[12], not tcp[12:2]: the TCP data offset is the high nibble of byte 12, and tcp[12:2]&0xf0 would mask the flags byte instead, so the filter would also match empty ACKs.

tcpdump -nq -s 0 -A -vvv port 5060 and host 1.2.3.4     <=== SIP Traffic
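To see what the HTTP filter above actually computes, and why the data-offset byte has to be tcp[12] rather than tcp[12:2], here is an added Python example (not part of the original post, nor tcpdump's own code) that evaluates the same ip[] and tcp[] byte offsets on constructed Ethernet/IPv4/TCP frames. It also checks the inclusive greater/less length filters from the options section against the same frames. The MAC and IP addresses, ports and payloads are made up, and checksums are left at zero because the BPF filter never inspects them.

```python
import struct

ETH_LEN = 14  # Ethernet header; pcap-filter's ip[] offsets start right after it


def build_frame(payload, tcp_flags=0x18, tcp_options=b""):
    """Constructed Ethernet/IPv4/TCP frame to port 80 (sample input, not a capture)."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,   # IHL 5, protocol 6 (TCP), checksum 0
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 1, 1,
                      (tcp_hdr_len // 4) << 4,  # tcp[12]: data offset (in words) in the high nibble
                      tcp_flags,                # tcp[13]: flags
                      65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


def ip_bytes(frame, off, size=1):
    """ip[off:size] as pcap-filter(7) evaluates it: offset relative to the IP header."""
    start = ETH_LEN + off
    return int.from_bytes(frame[start:start + size], "big")


def tcp_bytes(frame, off, size=1):
    """tcp[off:size]: offset relative to the TCP header, located via the IP header length."""
    start = ETH_LEN + ((frame[ETH_LEN] & 0x0F) << 2) + off
    return int.from_bytes(frame[start:start + size], "big")


def tcp_payload_len(frame):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2): total length minus both header lengths."""
    return (ip_bytes(frame, 2, 2) - ((ip_bytes(frame, 0) & 0x0F) << 2)) - ((tcp_bytes(frame, 12) & 0xF0) >> 2)


def http_payload_filter(frame):
    """The page's filter, 'port 80 and (<payload length> != 0)', for a TCP/IPv4 frame."""
    is_tcp = ip_bytes(frame, 9) == 6
    on_port_80 = 80 in (tcp_bytes(frame, 0, 2), tcp_bytes(frame, 2, 2))
    return is_tcp and on_port_80 and tcp_payload_len(frame) != 0


def miscopied_payload_term(frame):
    """Same arithmetic with tcp[12:2]&0xf0, a frequent mis-copy: the mask lands on tcp[13], the
    flags byte, so the result tracks ACK/URG/ECE/CWR instead of the data offset."""
    return (ip_bytes(frame, 2, 2) - ((ip_bytes(frame, 0) & 0x0F) << 2)) - ((tcp_bytes(frame, 12, 2) & 0xF0) >> 2)


def length_filter(frame, expr):
    """'greater N' is len >= N and 'less N' is len <= N, both inclusive; len is the whole frame."""
    keyword, n = expr.split()
    return {"greater": len(frame) >= int(n), "less": len(frame) <= int(n)}[keyword]


# Constructed samples
ACK_ONLY = build_frame(b"", tcp_flags=0x10)                       # bare ACK, no data
GET_REQ = build_frame(b"GET / HTTP/1.1\r\n\r\n", tcp_flags=0x18)  # PSH|ACK carrying 18 bytes
ACK_WITH_TS = build_frame(b"", tcp_flags=0x10,                    # bare ACK with a 12-byte NOP/NOP/timestamp option
                          tcp_options=bytes.fromhex("0101080a" "00000001" "00000002"))

if __name__ == "__main__":
    for name, f in (("ACK_ONLY", ACK_ONLY), ("GET_REQ", GET_REQ), ("ACK_WITH_TS", ACK_WITH_TS)):
        print(f"{name:12s} len={len(f):3d} payload={tcp_payload_len(f):3d} "
              f"http_filter={http_payload_filter(f)!s:5s} miscopied_term={miscopied_payload_term(f)}")
```

The ACK_WITH_TS case is the one that matters in practice: with TCP options present the data offset is 8 words, and only the tcp[12] form subtracts the full 32-byte header. The mis-copied tcp[12:2] form yields a non-zero value for every frame that has ACK set, which is nearly all of them, so that filter silently stops filtering.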

 

See also: Using TCPDUMP, https://originalchoi.tistory.com/entry/TCPDUMP-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0

 


 
