defect.ch - Wiki

User Tools

Site Tools

You are here: defect.ch - Wiki » Applications » tcpdump
apps:tcpdump

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
apps:tcpdump [2016-05-20 16:53] – syntax highlighting rootapps:tcpdump [2025-01-29 12:36] (current) – icmp Manuel Frei
Line 1: Line 1:
 ====== tcpdump ====== ====== tcpdump ======
  
-==== Port include ====+===== General Information ===== 
 + 
 +==== Links ==== 
 + 
 +  * Official Site: [[https://www.tcpdump.org/]] 
 +  * Source Code: [[https://github.com/the-tcpdump-group/tcpdump]] 
 +  * man 1 tcpdump: [[https://www.tcpdump.org/manpages/tcpdump.1.html]] 
 +  * mans 7 pcap-filter: [[https://www.tcpdump.org/manpages/pcap-filter.7.html]] 
 + 
 +==== Filter Syntax ==== 
 + 
 +tcpdump uses pcap-filter syntax to apply Berkeley Packet Filters (BPF) to the traffic. More details about the syntax are shown in the manpage. 
 <code bash> <code bash>
-# tcpdump -n -tttt -i rl0 dst port 221027+man 7 pcap-filter
 </code> </code>
  
-==== Host include ====+==== IPv6 ==== 
 + 
 +As of version 4.99.5 (2024-04-07) be careful with IPv6 filters. For example, the 'tcp' filter doesn't support IPv6. 
 + 
 +See the BUG section of "man 7 pcap-filters"
 +<code -> 
 +       Arithmetic  expression  against  transport  layer headers, like tcp[0], 
 +       does not work against IPv6 packets.  It only looks at IPv4 packets. 
 +</code> 
 + 
 + 
 +===== Filter Examples ===== 
 + 
 +==== Specific Port ====
 <code bash> <code bash>
-tcpdump -n -tttt -i rl0 host 192.168.10.2+tcpdump -n -tttt -i rl0 dst port 221027
 </code> </code>
  
-==== SSH exclude ====+==== Specific Host ====
 <code bash> <code bash>
-tcpdump -n -i rl0 'not port 22'+tcpdump -n -tttt -i rl0 host 192.168.10.2
 </code> </code>
  
-==== Dump full Packages for Wireshark ====+==== Exclude SSH ====
 <code bash> <code bash>
-tcpdump -s 65535 -w /tmp/test.pcap+tcpdump --i rl0 'not port 22'
 </code> </code>
  
-==== Filter IPv6 Network ====+==== Specific IPv6 Network ====
 <code bash> <code bash>
-tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'+tcpdump -n 'net 2001:470:26:6bd::/64 and port 443'
 </code> </code>
      
-==== Show IPsec packets ====+==== IPsec packets ====
 <code bash> <code bash>
-tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50'+tcpdump -i igb0 -n -p 'udp port 500 or udp port 4500 or ip proto 50' 
 +</code> 
 + 
 +==== TCP SYN packets ==== 
 + 
 +=== IPv4 === 
 + 
 +<code bash> 
 +tcpdump -i eth0 -nn "tcp[tcpflags] == tcp-syn" 
 +</code> 
 + 
 +=== IPv6 === 
 + 
 +<code bash> 
 +tcpdump -i eth0 -nn "ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02)" 
 +</code> 
 + 
 +=== IPv4 & IPv6 === 
 + 
 +<code bash> 
 +tcpdump -i eth0 -nn "(tcp[tcpflags] == tcp-syn) or (ip6 and (ip6[6] == 0x06) and (ip6[53] == 0x02))" 
 +</code> 
 + 
 +==== ICMP without echo request/reply ==== 
 + 
 +<code bash> 
 +tcpdump -ni eth0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' -v 
 +</code> 
 + 
 +===== General Usage Examples ===== 
 + 
 +==== Dump full Packages for Wireshark (DEPRECATED) ==== 
 + 
 +If the snaplen (-s) is not specified or set to zero, it will use the **default lenght of 262144 bytes.** 
 + 
 +You may find some examples on the internet where it is set to 65535. The reason is, that in the early days, the default was 68 Bytes (IPv4) and 96 Bytes (IPv6). It was changed to 65535 Bytes with commit [[https://github.com/the-tcpdump-group/tcpdump/commit/8c63baec6f9524d8308ef5553d5bae789b1e47b7|GitHub: tcpdump: Commit: Make the default snapshot length the maximum; add a #define for the]] on 2009-03-05T09:01:29.000Z (tcpdump 4.1.0). Later the commit [[https://github.com/the-tcpdump-group/tcpdump/commit/d033c1bc381c76d13e4aface97a4f4ec8c3beca2|GitHub: tcpdump: Commit: Don't treat 65535 as the maximum snapshot length.]] on 2014-06-25T20:18:18.000Z (tcpdump 4.6.0-bp) extended the max to 131072 after libpcap extended the max from 65535 Bytes to 131072 Bytes with commit [[https://github.com/the-tcpdump-group/libpcap/commit/a8cd00e8ae4468a9e64cfa9ee38972b950024bbd|Github: libpcap: Commit: Don't treat 65535 as the maximum snapshot length.]] on 2014-06-25T20:15:51.000Z (libpcap 1.6.0-bp). 
 + 
 +<code bash> 
 +tcpdump -s 65535 -w /tmp/test.pcap
 </code> </code>
  
 ==== Dump for Wireshark with rotation ==== ==== Dump for Wireshark with rotation ====
 <code bash> <code bash>
-tcpdump -i lo -G $((10*60)) -s 65535 -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root+tcpdump -i lo -G $((10*60)) -w /tmp/test.%Y-%m-%dT%H:%M.pcap -Z root
 </code> </code>
  
Line 41: Line 104:
   * -G <nowiki>$((10*60))</nowiki>   * -G <nowiki>$((10*60))</nowiki>
     * Rotate logs every 10 minutes.     * Rotate logs every 10 minutes.
- 
-  * -s 65535 
-    * Capture full package. 
  
   * -w /tmp/test.%Y-%m-%dT%H:%M.pcap   * -w /tmp/test.%Y-%m-%dT%H:%M.pcap
Line 49: Line 109:
  
   * -Z root   * -Z root
-    * Run as root user. //I had some permission problems with default user (tcpdump)//+    * Run as root user. //(default is 'tcpdump'. After attaching to the input device, tcpdump will drop its root privileges and switch the user to tcpdump (or the user specified by -Z). This means, the to write dump files with -w, this user have to be able to create and write files.)//
apps/tcpdump.1463756024.txt.gz · Last modified: 2016-05-20 16:53 by root