tcpdump is a useful command-line packet sniffer running on libpcap, usually present on *nix systems and on most network appliances, such as Juniper, F5 loadbalancer or CheckPoint firewall (both based on *nix). Also, with the support of WinPcap library, it could be installed on Windows systems in order to made troubleshooting easier.
On shell or CLI, to simply running tcpdump, you may type:
|
1 |
tcpdump |
tcpdump support a lots of options and filters, let’s see it assuming to use eth0 and VLAN 150 as a example.
TCPDUMP OPTIONS
To capture all eth0 traffic:
|
1 |
tcpdump -i eth0 |
To capture traffic of a specific vlan passing through eth0:
|
1 |
tcpdump -i eth0.150 |
Prepare full .pcap file for viewing on Wireshark
|
1 |
tcpdump -s0 -e -i eth0.150 -w namedfile.pcap |
#the option -s specify the length of data to be capture, -s0 means all packet data. Instead -s30 means to capture the first 30 byte of the packet.
View MAC address on a capture over eth0
|
1 |
tcpdump -e -i eth0 |
Do not resolve hostname / service on a capture over eth0
|
1 |
tcpdump -nni eth0 |
TCPDUMP FILTERS
There are four mainly filters:
– the host filter used to capture packets based on single ip (eg. 192.168.10.4)
– the net filter used to capture packets based on network address (eg. 10.0.0.0/16)
– the port filter used to capture packets based on port (eg. 22 – ssh services)
– the protocol filter like icmp , arp, tcp, udp to capture only certain of packets
Filters can be combined all together using the logical operator AND. Also, for the host, net and port filters you may specify the if it could be as source (src) or destination (dst)
To capture only packets containing ip 192.168.10.4 as source or destination on eth0
|
1 |
tcpdump -i eth0 host 192.168.10.4 |
To capture only packets containing network 10.0.0.0/16 as source or destination on eth0
|
1 |
tcpdump -i eth0 net 10.0.0.0/16 |
To capture only packets containing port 22 as source or destination on eth0
|
1 |
tcpdump -i eth0 port 22 |
To capture all ssh packets (port 22) to host 192.168.10.4 form network 10.0.0.0/16 on eth0
|
1 |
tcpdump -i eth0 dst host 192.168.10.4 and src net 10.0.0.0/16 and port 22 |
To capture all icmp packets to host 192.168.10.4 on eth0
|
1 |
tcpdump -i eth0 dst host 192.168.10.4 and icmp |
Finally, you can combine options and filters as you need. For example, with the following line you will capture arp request from network 192.168.10.0/24 passing trough eth0 and including MAC address. Also, host name will be not resolved:
|
1 |
tcpdump -ni eth0 -e src net 192.168.10.0/24 and arp |
The same example, can be also exported as Wireshark file:
|
1 |
tcpdump -s0 -w mycapture.pcap -ni eth0 -e src net 192.168.10.0/24 and arp |
tcpdump is a very powerfull, there are a lot of other options an filters to speedup your troubleshooting and go deep in the analysis. You can get more information on the official website tcpdump.org.