This article is part two in a series covering the great tcpdump utility. You can use this utility to capture network traffic for troubleshooting and analysis (and eavesdropping). Here in part two, I demonstrate capturing and viewing data.
7. Option -r
If you made it this far and wrote a pcap file, you know you can’t use a simple text editor to read the file contents. Hence, you should use -r file.pcap. It reads existing capture files and prints them as an output.
# tcpdump -r dns.pcap
reading from file dns.pcap, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
dropped privs to tcpdump
20:33:45.240421 wlp0s20f3 Out IP kkulkarni.attlocal.net.37376 > dsldevice.attlocal.net.domain: 8860+ PTR? 89.1.168.192.in-addr.arpa. (43)
20:33:45.250107 wlp0s20f3 In IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.37376: 8860* 1/0/0 PTR kkulkarni.attlocal.net. (79)
20:33:45.253418 wlp0s20f3 Out IP kkulkarni.attlocal.net.54366 > dsldevice.attlocal.net.domain: 23092+ PTR? 1.112.168.192.in-addr.arpa. (44)
20:33:45.260212 wlp0s20f3 In IP dsldevice.attlocal.net.domain > kkulkarni.attlocal.net.54366: 23092 NXDomain* 0/0/0 (44)
[ You might also enjoy: Enumerating a new network with Nmap ]
8. The host option
If you want to filter traffic for a particular host, you can use host ip or host name to capture packets for a specific host.
# tcpdump host redhat.com -i any -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:40:03.331999 tun0 Out IP kkulkarni > 10.4.204.55: ICMP echo request, id 3, seq 1, length 64
20:40:03.407110 tun0 In IP 10.4.204.55 > kkulkarni: ICMP echo reply, id 3, seq 1, length 64
20:40:03.474267 tun0 Out IP kkulkarni.43846 > 10.4.204.55.hostmon: Flags [S], seq 708429466, win 64680, options [mss 1320,sackOK,TS val 2091589339 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
20:40:03.474377 tun0 Out IP kkulkarni.43848 > 10.4.204.55.hostmon: Flags [S], seq 1993455236, win 64680, options [mss 1320,sackOK,TS val 2091589340 ecr 0,nop,wscale 7,tfo cookiereq,nop,nop], length 0
4 packets captured
54 packets received by filter
0 packets dropped by kernel
You may use src or dst keywords to tell tcpdump if the packets captured should contain the host in the source or destination address, e.g., you can try to run tcpdump -i any src host localhost or tcpdump -i any dst host redhat.com
9. Logical operators
tcpdump supports and/or/not operators as keywords, e.g., tcpdump -i eth0 “host redhat.com and (port 80 or port 443)”. It is wise to use quotes around compound expressions so that bash doesn’t try to interpret parenthesis.
# tcpdump -i any "host redhat.com and (port 22 or port 443)"
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:47:07.210126 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [S], seq 2898988806, win 64680, options [mss 1320,sackOK,TS val 2092013075 ecr 0,nop,wscale 7], length 0
20:47:07.309977 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [S.], seq 3757049161, ack 2898988807, win 3960, options [mss 1320,nop,wscale 2,nop,nop,TS val 2416723958 ecr 2092013075,sackOK,eol], length 0
20:47:07.310082 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1, win 506, options [nop,nop,TS val 2092013175 ecr 2416723958], length 0
20:47:07.336927 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 1:518, ack 1, win 506, options [nop,nop,TS val 2092013202 ecr 2416723958], length 517
20:47:07.430495 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 518, win 1119, options [nop,nop,TS val 2416724085 ecr 2092013202], length 0
20:47:07.439951 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1:1309, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.439995 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 1309, win 502, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440032 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], seq 1309:2617, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 1308
20:47:07.440051 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 2617, win 494, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.440070 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 2617:3455, ack 518, win 1119, options [nop,nop,TS val 2416724087 ecr 2092013202], length 838
20:47:07.440084 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3455, win 488, options [nop,nop,TS val 2092013305 ecr 2416724087], length 0
20:47:07.442272 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 518:644, ack 3455, win 502, options [nop,nop,TS val 2092013307 ecr 2416724087], length 126
20:47:07.540457 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 644, win 1150, options [nop,nop,TS val 2416724191 ecr 2092013307], length 0
20:47:07.540516 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3455:3506, ack 644, win 1150, options [nop,nop,TS val 2416724192 ecr 2092013307], length 51
20:47:07.540549 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 0
20:47:07.541003 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 644:747, ack 3506, win 502, options [nop,nop,TS val 2092013406 ecr 2416724192], length 103
20:47:07.642712 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 747, win 1176, options [nop,nop,TS val 2416724288 ecr 2092013406], length 0
20:47:07.642759 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [P.], seq 3506:3664, ack 747, win 1176, options [nop,nop,TS val 2416724289 ecr 2092013406], length 158
20:47:07.642815 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 0
20:47:07.643276 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [P.], seq 747:778, ack 3664, win 502, options [nop,nop,TS val 2092013508 ecr 2416724289], length 31
20:47:07.645016 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [F.], seq 778, ack 3664, win 502, options [nop,nop,TS val 2092013510 ecr 2416724289], length 0
20:47:07.740205 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740283 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [F.], seq 3664, ack 778, win 1184, options [nop,nop,TS val 2416724391 ecr 2092013508], length 0
20:47:07.740328 tun0 Out IP kkulkarni.58218 > 10.4.204.55.https: Flags [.], ack 3665, win 502, options [nop,nop,TS val 2092013606 ecr 2416724391], length 0
20:47:07.740358 tun0 In IP 10.4.204.55.https > kkulkarni.58218: Flags [.], ack 779, win 1184, options [nop,nop,TS val 2416724392 ecr 2092013510], length 0
20:47:22.662001 tun0 Out IP kkulkarni.46274 > 10.4.204.55.ssh: Flags [S], seq 401723346, win 64680, options [mss 1320,sackOK,TS val 2092028527 ecr 0,nop,wscale 7], length 0
20:47:22.745682 tun0 In IP 10.4.204.55.ssh > kkulkarni.46274: Flags [R.], seq 0, ack 401723347, win 0, length 0
10. Keyword net
The net keyword can be used to specify what network to capture on by using CIDR notation. You could use src and dst network CIDRs with a logical operator and filter packages more precisely.
# tcpdump -i any -n "src net 192.168.0.0/16 and not dst net 10.0.0.0/8" -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:49:05.299091 wlp0s20f3 B IP 192.168.1.76.49154 > 255.255.255.255.ircu-3: UDP, length 188
20:49:05.300437 wlp0s20f3 Out IP 192.168.1.89.36676 > 18.211.133.65.https: Flags [.], ack 493003385, win 2033, options [nop,nop,TS val 2037223284 ecr 885784861], length 0
20:49:06.238513 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
20:49:06.238603 wlp0s20f3 Out IP 192.168.1.89.49254 > 66.187.232.64.https: UDP, length 1384
4 packets captured
5 packets received by filter
0 packets dropped by kernel
11. Keyword ether
Filters can be applied using the ether host keyword to restrict traffic capture to a MAC address. Use the -e to print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11. The example below captures the Layer 2 broadcast traffic:
# tcpdump ether host ff:ff:ff:ff:ff:ff -i wlp0s20f3 -e -c4
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:56:35.965137 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:36.886722 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:37.808286 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
20:56:39.958693 cc:ab:2c:60:a4:a8 (oui Unknown) > Broadcast, ethertype Unknown (0x7373), length 121:
0x0000: 1211 0000 0043 c76d 1204 8629 6fdb 3304 .....C.m...)o.3.
0x0010: 6f06 5a3c 0bcf 3f58 6dad 1cf0 48c1 dd1a o.Z<..?Xm...H...
0x0020: 2fca 9a26 0fb3 0000 0201 8003 06cc ab2c /..&...........,
0x0030: 60a4 a104 0104 0701 071b 0100 0806 ccab `...............
0x0040: 2c60 a4a8 0901 030e 1800 0000 0000 0000 ,`..............
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0019 0844 1e7f 903a 6871 54 ...D...:hqT
4 packets captured
4 packets received by filter
0 packets dropped by kernel
12. Keyword ip6
IPv6 Traffic can be captured using the ip6 keyword. Here is an example:
# tcpdump -i any ip6 host google.com -c4
tcpdump: data link type LINUX_SLL2
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:00:22.825749 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 1, length 64
21:00:22.863347 wlp0s20f3 In IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 1, length 64
21:00:23.827332 wlp0s20f3 Out IP6 kkulkarni.attlocal.net > ord38s18-in-x0e.1e100.net: ICMP6, echo request, id 8, seq 2, length 64
21:00:23.864202 wlp0s20f3 In IP6 ord38s18-in-x0e.1e100.net > kkulkarni.attlocal.net: ICMP6, echo reply, id 8, seq 2, length 64
4 packets captured
7 packets received by filter
0 packets dropped by kernel
[ A free guide from Red Hat: 5 steps to automate your business. ]
Wrap up
Here in part two, you learned six new options for managing packet captures on the network using tcpdump. This article builds on the information covered in part one. In the final installment, you'll see six more flags that help filter tcpdump results.
저자 소개
유사한 검색 결과
More than meets the eye: Behind the scenes of Red Hat Enterprise Linux 10 (Part 4)
Why should your organization standardize on Red Hat Enterprise Linux today?
The Overlooked Operating System | Compiler: Stack/Unstuck
Linux, Shadowman, And Open Source Spirit | Compiler
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
가상화
온프레미스와 클라우드 환경에서 워크로드를 유연하게 운영하기 위한 엔터프라이즈 가상화의 미래
