Tcpdump

From ISI Support Wiki
Revision as of 16:57, 14 January 2020 by Isiadmin


About

From the tcpdump man page:

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.

The information provided on this page only covers a small portion of the things you can do with tcpdump and it is recommended that you read more about it via the man page or otherwise.

Required Client Software

Linux/Unix/macOS

tcpdump is typically available as a package for most Unix and Linux variants, and macOS ships with it preinstalled. You can determine whether or not tcpdump is installed by opening a terminal and running the following command:

   $ tcpdump --version

If it is not installed, please consult your distribution's package manager for instructions.

Using tcpdump

More here soon!

Cookbook

Here are some useful ways to use tcpdump.

Capture CDP

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol developed by Cisco Systems. It is used to share information about directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.

This information is extremely useful, for example, to determine which switch and port a system is connected to. Keep in mind that it is equally useful to an attacker: any host on the segment can read the platform, software version and management address from these announcements, which is why CDP is commonly disabled on ports facing untrusted devices.

To capture this information on eth0, we would use the following command:

   $ tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

This listens on eth0 until the first CDP announcement is seen, prints the decoded packet, and exits (-c 1). The filter works because CDP is carried in an 802.3 frame with an LLC/SNAP header: bytes 20 and 21 of the frame are the SNAP protocol ID, and 0x2000 is the ID Cisco assigns to CDP. -nn disables name and port resolution, -v adds the verbose CDP decode (device ID, platform, addresses, port ID and so on), and -s 1500 makes sure the whole frame is captured on older tcpdump versions that defaulted to a short snapshot length. Capturing on a live interface requires root (or CAP_NET_RAW on Linux), and since Cisco devices send CDP every 60 seconds by default, expect to wait up to a minute for output.

Credit goes to Steve Kehlet for this.
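The following is an added example, not part of the original page or of Steve Kehlet's command. It builds a constructed CDP frame (hypothetical device name, port, platform, MAC and the documentation address 192.0.2.1), shows in plain Python what the BPF expression ether[20:2] == 0x2000 is actually comparing, parses the TLVs that tcpdump -v prints, and writes the frame to a pcap file so you can run the cookbook filter offline with tcpdump -r. The checksum routine is the standard Internet checksum; Cisco's handling of odd-length payloads differs, so the sample payload is kept even-length.

```python
"""Constructed CDP frame: build it, apply the ether[20:2] filter in Python, parse it, save as pcap."""
import socket
import struct

# Constructed sample values (not captured from a real device).
CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # destination MAC used by CDP announcements
SRC_MAC = bytes.fromhex("001122334455")         # hypothetical switch MAC
SNAP_OUI_CISCO = bytes.fromhex("00000c")
CDP_PID = 0x2000                                # the value ether[20:2] is compared against

TLV_DEVICE_ID = 0x0001
TLV_ADDRESSES = 0x0002
TLV_PORT_ID = 0x0003
TLV_PLATFORM = 0x0006


def cdp_checksum(data: bytes) -> int:
    """Internet (one's complement) checksum over 16-bit words; sample payload is even-length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def cdp_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV length field counts the 4-byte type/length header plus the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(device_id: str, port_id: str, platform: str, ipv4: str) -> bytes:
    """Return an 802.3 frame with LLC/SNAP header carrying a CDPv2 announcement."""
    addr_entry = (struct.pack("!BB", 1, 1)      # protocol type NLPID, protocol length 1
                  + b"\xcc"                     # NLPID for IPv4
                  + struct.pack("!H", 4) + socket.inet_aton(ipv4))
    tlvs = (cdp_tlv(TLV_DEVICE_ID, device_id.encode())
            + cdp_tlv(TLV_ADDRESSES, struct.pack("!I", 1) + addr_entry)
            + cdp_tlv(TLV_PORT_ID, port_id.encode())
            + cdp_tlv(TLV_PLATFORM, platform.encode()))
    cksum = cdp_checksum(struct.pack("!BBH", 2, 180, 0) + tlvs)
    cdp = struct.pack("!BBH", 2, 180, cksum) + tlvs   # version 2, TTL 180 s, checksum
    # Frame layout: dst(0-5) src(6-11) length(12-13) LLC(14-16) OUI(17-19) PID(20-21) CDP(22..)
    llc_snap = b"\xaa\xaa\x03" + SNAP_OUI_CISCO + struct.pack("!H", CDP_PID)
    payload = llc_snap + cdp
    return CDP_MULTICAST + SRC_MAC + struct.pack("!H", len(payload)) + payload


def matches_cdp_filter(frame: bytes) -> bool:
    """Python equivalent of the BPF expression 'ether[20:2] == 0x2000'."""
    return len(frame) >= 22 and struct.unpack("!H", frame[20:22])[0] == CDP_PID


def parse_cdp(frame: bytes) -> dict:
    """Extract the fields tcpdump -v prints for a CDP packet from a matching frame."""
    if not matches_cdp_filter(frame):
        raise ValueError("not a CDP frame")
    version, ttl, _cksum = struct.unpack("!BBH", frame[22:26])
    info = {"version": version, "ttl": ttl, "addresses": []}
    offset = 26
    while offset + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack("!HH", frame[offset:offset + 4])
        if tlv_len < 4:
            raise ValueError("malformed TLV length")
        value = frame[offset + 4:offset + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode(errors="replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode(errors="replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode(errors="replace")
        elif tlv_type == TLV_ADDRESSES:
            count = struct.unpack("!I", value[:4])[0]
            pos = 4
            for _ in range(count):
                ptype, plen = struct.unpack("!BB", value[pos:pos + 2])
                proto = value[pos + 2:pos + 2 + plen]
                alen = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])[0]
                addr = value[pos + 4 + plen:pos + 4 + plen + alen]
                if ptype == 1 and proto == b"\xcc" and alen == 4:   # IPv4 only
                    info["addresses"].append(socket.inet_ntoa(addr))
                pos += 4 + plen + alen
        offset += tlv_len
    return info


def write_pcap(path: str, frames) -> int:
    """Write frames to a classic pcap file (LINKTYPE_ETHERNET) that tcpdump -r can read."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1579000000 + i, 0, len(frame), len(frame)))  # arbitrary time
            fh.write(frame)
    return len(frames)


if __name__ == "__main__":
    sample = build_cdp_frame("switch01", "GigabitEthernet1/0/24",
                             "cisco WS-C2960X-48TS-L", "192.0.2.1")
    write_pcap("cdp-sample.pcap", [sample])
    print(parse_cdp(sample))
```

After running the script, `tcpdump -nn -v -r cdp-sample.pcap 'ether[20:2] == 0x2000'` applies the cookbook filter to the written file and decodes the same device ID, port ID, platform and address without needing a Cisco switch or root privileges.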

Additional Resources