apps:tcpdump, revisions 2015-08-11 13:56 (root) and 2019-04-26 10:44 (root)
====== tcpdump ======

==== Filtering ====

tcpdump filter expressions use the pcap-filter (BPF) syntax. For the full reference see
<code bash>
man 7 pcap-filter
</code>

==== Port include ====
<code bash>
# tcpdump -n -tttt -i rl0 dst port 22102
</code>

Port numbers must be in the range 0-65535; libpcap refuses to compile a filter with a larger value.

==== Host include ====
<code bash>
# tcpdump -n -tttt -i rl0 host 192.168.10.2
</code>

==== SSH exclude ====
<code bash>
# tcpdump -n -i rl0 'not port 22'
</code>

==== Dump full packets for Wireshark ====
<code bash>
# tcpdump -s 65535 -w /tmp/test.pcap
</code>

Recent tcpdump versions already capture the whole packet by default (equivalent to -s 0); -s 65535 matters on old versions that truncated each packet at 68 bytes by default.

==== Filter IPv6 Network ====
<code bash>
# tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
</code>

==== Show IPsec packets ====
<code bash>
# tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'
</code>

UDP 500 is IKE, UDP 4500 is IKE/ESP with NAT traversal, and IP protocol 50 is ESP. ''ip proto 50'' matches IPv4 only; use ''proto 50'' (or add ''ip6 proto 50'') to see IPv6 ESP as well, and add protocol 51 if AH is in use.

==== Dump for Wireshark with rotation ====
<code bash>
# tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
</code>

  * -i lo
    * Listen on the loopback interface.
  * -G <nowiki>$((10*60))</nowiki>
    * Rotate the capture file every 10 minutes (600 seconds). The -w filename must contain strftime(3) conversions, otherwise every rotation overwrites the same file.
  * -s 65535
    * Capture the full packet (no truncation to the default snaplen).
  * -w /tmp/test.%Y-%m-%dT%H:%M.pcap
    * Save the dump to a file named from the current time, e.g. test.2015-08-11T12:16.pcap
  * -Z root
    * Run as the root user instead of dropping privileges. //I had some permission problems with the default user (tcpdump)//
    * tcpdump drops privileges before it opens the savefile, so the output directory must be writable by the capture user. Giving that user the directory (chown tcpdump /tmp/captures) avoids keeping a packet parser running as root.
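The rotation recipe above, wrapped into a small shell script as an added example (this is not code from the wiki page): it validates the port before building a filter, prepares an output directory the unprivileged capture user can write to instead of using -Z root, rotates with -G, caps the number of files with -W and gzips each closed file with -z. The account name ''tcpdump'', the directory ''/var/tmp/captures'', the interface ''rl0'' and the durations are assumptions; adjust them for your system.

```bash
#!/bin/sh
# Added example, not from the wiki page. Assumes the unprivileged capture
# account is called "tcpdump" (override CAPTURE_USER if yours is e.g. "_tcpdump")
# and that gzip is installed for the post-rotate step.

CAPTURE_USER="${CAPTURE_USER:-tcpdump}"

# valid_port N: succeed only if N is an integer in 0..65535. libpcap rejects
# anything larger, so "dst port 221027" would never compile.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# build_capture_cmd IFACE OUTDIR SECONDS COUNT [FILTER...]
# Prints the tcpdump command line (for review/logging before a long capture):
#   -s 0   full packets on any tcpdump version (-s 65535 is the old spelling)
#   -G     start a new file every SECONDS seconds
#   -W     stop after COUNT rotated files (exit status 0)
#   -z     run "gzip <file>" on each file as it is closed
#   -Z     drop privileges to the capture user before opening the savefile
# The strftime pattern in -w is mandatory: without it -G rewrites one file.
# %H%M%S instead of %H:%M keeps the names usable on Windows/SMB shares.
build_capture_cmd() {
    iface="$1"; outdir="$2"; secs="$3"; count="$4"
    shift 4
    filter="$*"
    cmd="tcpdump -n -i $iface -s 0 -G $secs -W $count -z gzip -Z $CAPTURE_USER -w $outdir/%Y-%m-%dT%H%M%S.pcap"
    [ -n "$filter" ] && cmd="$cmd '$filter'"
    printf '%s\n' "$cmd"
}

# prepare_outdir OUTDIR: create the directory and hand it to the capture user.
# tcpdump opens the savefile only after dropping privileges, so this is what
# fixes the "permission problems" that otherwise tempt people into -Z root.
prepare_outdir() {
    mkdir -p "$1" && chown "$CAPTURE_USER" "$1" && chmod 0750 "$1"
}

# run_capture: same arguments as build_capture_cmd. Executes tcpdump with the
# same flags when run as root with tcpdump installed; otherwise prints the
# command line as a dry run.
run_capture() {
    iface="$1"; outdir="$2"; secs="$3"; count="$4"
    shift 4
    if command -v tcpdump >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        prepare_outdir "$outdir"
        tcpdump -n -i "$iface" -s 0 -G "$secs" -W "$count" -z gzip \
            -Z "$CAPTURE_USER" -w "$outdir/%Y-%m-%dT%H%M%S.pcap" "$@"
    else
        printf 'dry run: %s\n' "$(build_capture_cmd "$iface" "$outdir" "$secs" "$count" "$@")"
    fi
}

# Example: six 10-minute files (one hour of traffic), SSH excluded, on rl0.
# Filter ports should be checked first, e.g.:  valid_port 22 || exit 1
# run_capture rl0 /var/tmp/captures 600 6 not port 22
```

The resulting files can be opened in Wireshark directly (it reads .pcap.gz); if you do not want compression, drop ''-z gzip''.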
apps/tcpdump.txt · Last modified: 2023-09-09 15:13 by Manuel Frei