Tuesday, July 28, 2009

Finally Tcpdump

Although I like wireshark the most, but there are times when you have to use tcpdump. Anyways if I need any colorful troubleshooting I generally save the tcpdump capture in a pcap file, and later view it in wireshark.

This is for reference, its not a guide but just a list of usage commands that I picked from various sources. Yeah I admit, I am one of those lamers who prefer to google than reading the man page. :/ Most are picked from wireshark's homepage :

http://openmaniak.com/tcpdump.php

1.tcpdump
2.tcpdump -v //verbose
3.tcpdump -D //lists devices
4.tcpdump -n //avoid dns lookup
5.tcpdump -q // quick output
6.tcpdump udp // capture udp packets only :: useful
7.tcpdump -w capture.cap //save the capture to a file named capture.cap :: useful
8.tcpdump -r capture.cap //read dump from capture.cap
9.tcpdump host abc.com //packets coming from or going towards abc.com ::useful
10.tcpdump src xx.xx.xx.aa and dst xx.xx.xx.bb
11.tcpdump -A //displays the packet's content ::useful
12.tcpdump -i eth1 //capture on interface eth1
13.tcpdump -v -A udp and dst 192.168.69.238 or dst 192.168.69.242 -i eth1
14.tcpdump -n -S -s 15000 -vv -X 'host 192.168.0.159 and udp and port 1717'
-S print absolute IP sequence number (not relative)
-n no address resolution
-s size of capture for each packet (15000 should be enough to hold data returned by query,
you will have to play with this depending on what type of query you issue)
-X print HEX and ASCII version of packet 'host 192.168.0.159 and udp and port 1717'

for an exhaustive list, see the man page

http://linux.die.net/man/8/tcpdump

Eg.

tcpdump -v -A udp and dst 192.168.69.238 or dst 192.168.69.242 -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
03:25:40.691905 IP (tos 0x0, ttl 64, id 23436, offset 0, flags [DF], proto UDP (17), length 40) node242.39738 > 192.168.69.238.chargen: UDP, length 12
E..([.@.@.....E...E..:.....XHello World!
03:25:40.692592 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1052) 192.168.69.238.chargen > node242.39738: UDP, length 1024
E.....@.@.)...E...E....:....FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy


tcpdump -n -S -s 15000 -vv -X 'host 192.168.0.159 and udp and port 1717'

09:41:54.262946 IP (tos 0x0, ttl 255, id 28832, offset 0, flags [DF], length: 46) 192.168.0.159.33365 > 69.25.16.47.1717: [udp sum ok] UDP, length: 18
0x0000: 4500 002e 70a0 4000 ff11 e2f6 c0a8 009f E...p.@.........
0x0010: 4519 102f 8255 06b5 001a 8e36 fefd 004e E../.U.....6...N
0x0020: bf06 01ff ffff 0000 0000 0000 0000 ..............