Difference between revisions of "Tcpdump"
Revision as of 16:58, 14 January 2020
About
From the tcpdump man page:
Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.
The information provided on this page only covers a small portion of the things you can do with tcpdump, and it is recommended that you read more about it via the man page or otherwise.
Required Client Software
Linux/Unix/macOS
tcpdump is typically available as a package with most Unix and Linux variants, which includes macOS. You can determine whether or not tcpdump is installed by opening a terminal and running the following command:
$ tcpdump --version
If it is not installed, please consult your distribution's package manager for instructions.
Using tcpdump
More here soon!
Cookbook
Here are some useful ways to use tcpdump.
Capture CDP
The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.
This information is extremely useful, for example, to determine which device and port number a system is connected to.
To capture this information on eth0, we would use the following command:
$ tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
This will listen on the interface until a single CDP packet is received (-c 1), print the packet data in verbose form, and exit.
Credit goes to Steve Kehlet for this.
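As an added example (not part of this wiki page or Steve Kehlet's recipe), the Python below applies the same byte test as the filter above, 'ether[20:2] == 0x2000', to a constructed CDP frame and decodes the Device ID and Port ID TLVs that tell you which switch and port a host is plugged into. The sample frame, the TLV-name table and the offset constants are assumptions made for the example.

```python
import struct

# Offsets the page's filter 'ether[20:2] == 0x2000' relies on:
# 14-byte 802.3 MAC header + 3-byte LLC (AA AA 03) + 3-byte SNAP OUI (00 00 0C)
# puts the 2-byte SNAP protocol ID at bytes 20..21; 0x2000 means CDP.
CDP_PID_OFFSET = 20
CDP_PID = 0x2000
CDP_MULTICAST = bytes.fromhex("01000ccccccc")  # CDP destination MAC

# CDP TLV types decoded here (assumption: only the common string TLVs).
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0006: "platform"}

def matches_cdp_filter(frame: bytes) -> bool:
    """Same test tcpdump applies for 'ether[20:2] == 0x2000'."""
    if len(frame) < CDP_PID_OFFSET + 2:
        return False  # tcpdump treats an out-of-range access as a non-match
    return struct.unpack_from("!H", frame, CDP_PID_OFFSET)[0] == CDP_PID

def parse_cdp(frame: bytes) -> dict:
    """Decode the CDP header (version, TTL, checksum) and string TLVs."""
    if not matches_cdp_filter(frame):
        raise ValueError("not a CDP frame")
    version, ttl, _checksum = struct.unpack_from("!BBH", frame, 22)
    info = {"version": version, "ttl": ttl}
    pos = 26  # first TLV follows the 4-byte CDP header
    while pos + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, pos)
        if tlv_len < 4 or pos + tlv_len > len(frame):
            raise ValueError("malformed TLV length")  # truncated or hostile input
        value = frame[pos + 4:pos + tlv_len]
        if tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode("ascii", "replace")
        pos += tlv_len
    return info

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV; the length field counts its own 4-byte header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): a CDPv2 announcement."""
    body = (tlv(0x0001, b"sw-core-1") + tlv(0x0003, b"GigabitEthernet1/0/7")
            + tlv(0x0006, b"cisco WS-C3750"))
    cdp = struct.pack("!BBH", 2, 180, 0) + body  # checksum left at 0 in the sample
    llc_snap = bytes.fromhex("aaaa03" "00000c") + struct.pack("!H", CDP_PID)
    length = len(llc_snap) + len(cdp)  # 802.3 length field, not an EtherType
    src_mac = bytes.fromhex("0011223344ff")  # made-up switch MAC
    return CDP_MULTICAST + src_mac + struct.pack("!H", length) + llc_snap + cdp

if __name__ == "__main__":
    print(parse_cdp(build_sample_frame()))
```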