Tcpdump basics
This command is very useful, for example on a Linux firewall, to monitor network packets; you can use it on any Linux machine. Here is a basic usage:
# tcpdump -nli any 'host 192.168.1.3'
tcpdump - the command in question
n - do not resolve IP addresses to names
l - line-buffered output, so each packet is printed as a complete line as it arrives
i - the interface to capture on; here it is set to "any", meaning all interfaces, but a specific one such as "eth0" can be given instead
An important choice is whether to combine conditions with the logical operators AND and OR:
# tcpdump -nli any 'host 192.168.1.3 and host 8.8.4.4'
The form just above shows only the communication between IPs 192.168.1.3 and 8.8.4.4.
# tcpdump -nli any 'host 192.168.1.3 or host 8.8.4.4'
This last form shows any communication that involves IP 192.168.1.3 OR 8.8.4.4, even if the other end is some other IP, e.g. 192.168.1.6.
You can also exclude IPs from your capture:
# tcpdump -nli any 'host 192.168.1.3 and not host 192.168.1.6'
This excludes from the capture any communication involving IP 192.168.1.6, while still showing the rest of the traffic of 192.168.1.3.
A "dst" (destination) or "src" (source) qualifier can also be used:
# tcpdump -nli any '(dst host 179.181.128.208 or dst host 189.16.237.110) and (port 8080 or 3128 or 80 or 443 or 53)'
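To make the difference between "and", "or", "not" and "dst host" concrete without needing root or a live interface, here is an added example (not tcpdump's code and not from the original post) that models the filter semantics of the expressions above in Python and runs them over a small constructed set of packets. The packet records, the helper names (host, dst_host, port, both, either, negate) and the traffic itself are all assumptions made up for illustration.

```python
# Added example: a tiny model of tcpdump's filter semantics over constructed
# packet records, so the effect of "host A and host B", "host A or host B",
# "... and not host C" and "dst host ..." can be seen without a live capture.
# This is not tcpdump code; the packets below are made up.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    """One IP packet as tcpdump would summarise it: endpoints and ports."""
    src: str
    dst: str
    sport: int
    dport: int


Pred = Callable[[Packet], bool]


def host(ip: str) -> Pred:
    """'host X': X is either the source or the destination address."""
    return lambda p: p.src == ip or p.dst == ip


def src_host(ip: str) -> Pred:
    """'src host X': X must be the source address."""
    return lambda p: p.src == ip


def dst_host(ip: str) -> Pred:
    """'dst host X': X must be the destination address."""
    return lambda p: p.dst == ip


def port(*ports: int) -> Pred:
    """'port A or B or C': either endpoint uses one of the listed ports."""
    return lambda p: p.sport in ports or p.dport in ports


def both(*preds: Pred) -> Pred:
    """tcpdump 'and': every sub-expression must match."""
    return lambda p: all(f(p) for f in preds)


def either(*preds: Pred) -> Pred:
    """tcpdump 'or': at least one sub-expression must match."""
    return lambda p: any(f(p) for f in preds)


def negate(pred: Pred) -> Pred:
    """tcpdump 'not': invert a sub-expression."""
    return lambda p: not pred(p)


def capture(pred: Pred, packets: List[Packet]) -> List[Packet]:
    """Return the packets tcpdump would print for this filter."""
    return [p for p in packets if pred(p)]


# Constructed traffic (not a real capture) that exercises every filter below.
SAMPLE: List[Packet] = [
    Packet("192.168.1.3", "8.8.4.4", 51000, 53),           # DNS query
    Packet("8.8.4.4", "192.168.1.3", 53, 51000),           # DNS reply
    Packet("192.168.1.3", "192.168.1.6", 51001, 445),      # LAN SMB
    Packet("192.168.1.6", "8.8.4.4", 51002, 53),           # another host's DNS
    Packet("192.168.1.3", "179.181.128.208", 51003, 443),  # HTTPS out
    Packet("192.168.1.3", "179.181.128.208", 51004, 22),   # SSH out
    Packet("179.181.128.208", "192.168.1.3", 443, 51003),  # HTTPS reply
]

# The post's filter strings paired with their modelled meaning.
FILTERS: Dict[str, Pred] = {
    "host 192.168.1.3": host("192.168.1.3"),
    "host 192.168.1.3 and host 8.8.4.4":
        both(host("192.168.1.3"), host("8.8.4.4")),
    "host 192.168.1.3 or host 8.8.4.4":
        either(host("192.168.1.3"), host("8.8.4.4")),
    "host 192.168.1.3 and not host 192.168.1.6":
        both(host("192.168.1.3"), negate(host("192.168.1.6"))),
    "(dst host 179.181.128.208 or dst host 189.16.237.110) and "
    "(port 8080 or 3128 or 80 or 443 or 53)":
        both(either(dst_host("179.181.128.208"), dst_host("189.16.237.110")),
             port(8080, 3128, 80, 443, 53)),
}


def match_counts(packets: List[Packet] = SAMPLE) -> Dict[str, int]:
    """How many of the sample packets each filter expression would show."""
    return {expr: len(capture(pred, packets)) for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    for expr, pred in FILTERS.items():
        print(f"tcpdump -nli any '{expr}'")
        for p in capture(pred, SAMPLE):
            print(f"    {p.src}.{p.sport} > {p.dst}.{p.dport}")
```

Running it prints, under each filter string, the sample packets that filter would let through: "host A and host B" keeps only the two DNS packets between 192.168.1.3 and 8.8.4.4, "or" keeps all seven, "and not host 192.168.1.6" drops the SMB packet, and the "dst host ... and port ..." form keeps only the outbound HTTPS packet, because the HTTPS reply has 179.181.128.208 as source, not destination, and SSH is not in the port list.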
These are the basics for troubleshooting and verification, and never forget the command:
# man tcpdump
Never forget man for any command =)
Website: https://www.intelligencesoftware.com.br