tcpdump
Usage
$ tcpdump
Listens on the default interface and dumps everything it sees.
To generate some traffic to look at, run in another terminal:
ping localhost
ping a remote machine
$ tcpdump -i eth0
Listen on a specific interface
$ tcpdump -vi eth0
Verbose mode
$ tcpdump -vvi eth0
More verbose
19:54:09.884696 darkstar.digitalhermit.com >
ns1.digitalhermit.com: icmp: echo request (DF)
19:54:09.884845 ns1.digitalhermit.com >
darkstar.digitalhermit.com: icmp: echo reply
Format: timestamp source host > destination host: protocol: message ((DF) means the Don't Fragment bit is set)
$ tcpdump -xi eth0
Print a hex dump of each packet
$ tcpdump -x -s0 -i eth0
Print the hex dump, but also grab the entire packet instead of just the first 68 bytes
$ tcpdump -X -s0 -i eth0
Same as above, but print ASCII alongside the hex
$ tcpdump -Xqnr tcpdump.log
Read packets back from the file tcpdump.log (-r) in quiet mode (-q), without resolving names (-n), with hex and ASCII output (-X)
$ ping 192.168.0.1
Generates Internet Control Message Protocol (ICMP) echo request packets; one of them, as captured with -x, looks like this:
4500 0054 0000 4000 4001 a93e c0a8 0815
c0a8 0805 0800 9212 1e2a 0001 47a1 3f41
d0dc 0500 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
Examining this packet in depth (byte by byte)

IP header (20 bytes):
4500
  4  IP version 4
  5  Header length: number of 32-bit (4-byte) words forming the header, usually 5 (= 20 bytes)
  00 Differentiated Services Code Point, used for QoS. Usually 0
0054
  Total size of the datagram in bytes (0x54 = 84)
0000
  Identification
40
  Flags: the Don't Fragment bit is set (shown as (DF) in the tcpdump output above)
00
  Fragment offset
40
  TTL (0x40 = 64)
01
  Protocol (important field)
  1=ICMP
  2=IGMP
  6=TCP
  17=UDP
a93e
  Header checksum
c0a80815
  Source address (IP address of the original sender)
  c0 = 192
  a8 = 168
  08 = 8
  15 = 21
c0a80805
  Destination address (IP address of the final destination); converted the same way, 192.168.8.5

ICMP header begins here:
08
  Type of packet (see the ICMP type list). Here, 08 denotes an ICMP echo request
00
  Code: zero for an echo request packet. See the ICMP list for other values
9212
  Checksum (covers the ICMP header and everything after it)
1e2a
  Identifier
0001
  Sequence number
The remaining bytes (47a1 3f41 ... 3637) are the echo request payload.
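As an added example (not part of the original post), a small Python parser that decodes the dump above into the fields just described and recomputes both the IP header checksum (a93e) and the ICMP checksum (9212) with the standard RFC 1071 one's-complement sum; field names and the PACKET_HEX constant are this example's own:

```python
import ipaddress
import struct

# Constructed input: the 84-byte ICMP echo request from the hex dump above.
PACKET_HEX = """
4500 0054 0000 4000 4001 a93e c0a8 0815
c0a8 0805 0800 9212 1e2a 0001 47a1 3f41
d0dc 0500 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
"""
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over a block whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_icmp(hexdump: str) -> dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP header that follows it."""
    raw = bytes.fromhex("".join(hexdump.split()))
    (ver_ihl, _dscp, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (IHL * 4)
    pkt = {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),   # 0x4000 = DF flag bit
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,
    }
    if proto == 1:
        icmp = raw[ihl:total_len]           # ICMP header + echo payload
        typ, code, _c, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        pkt.update(icmp_type=typ, icmp_code=code, icmp_id=icmp_id,
                   icmp_seq=seq, icmp_checksum_ok=inet_checksum(icmp) == 0)
    return pkt
```

Call parse_ipv4_icmp(PACKET_HEX) to get the decoded fields; a packet whose bytes were altered in transit will show ip_checksum_ok or icmp_checksum_ok as False.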
$ tcpdump host 192.168.0.1
Specifies that only packets to/from host are captured
Useful for sniffers operating directly on a hub
$ tcpdump dst host 192.168.0.1
Specifies only packets destined for host are captured
$ tcpdump dst host 192.168.0.1 and tcp dst port 80
Captures packets destined for 192.168.0.1:80
$ tcpdump dst host 192.168.0.1 and tcp dst port 80 and src host 192.168.8.21
Captures requests to 192.168.0.1:80 coming from a specific source machine
$ tcpdump -w outfile.tcpdump host 192.168.0.1
Writes the raw packets to a file for later processing (for example with tcpdump -r outfile.tcpdump); options such as -w must come before the filter expression
Useful if no GUI is installed on the capture machine