1 of 27
http://bencane.com/2014/10/13/quick-and-practical-reference-for-tcpdump/
5/25/2015 12:17 PM
# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 355, options [nop,nop,TS val 620879437 ecr 620879348], length 196

# tcpdump -n
With -n, tcpdump does not resolve IP addresses to host names or port numbers to service names, so the endpoint printed as blog.ssh above is shown as 10.0.3.246.22:
# tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:23:47.934665 IP 10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], seq 2546457621:2546457817, ack 1824684201, win 355, options [nop,nop,TS val 621010158 ecr 621010055], length 196
# tcpdump -v
-v makes the output more verbose, adding for example the TTL, IP id, total length and checksum of each packet; -vv and -vvv add progressively more protocol detail. With -c 1 the capture stops after a single packet:
# tcpdump -vvv -c 1
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:36:13.873456 IP (tos 0x10, ttl 64, id 121, offset 0, flags [DF], proto TCP (6), length 184)
    blog.ssh > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x0dfd), seq 2546458841:2546458973, ack 1824684869, win 355, options [nop,nop,TS val 621196643 ecr 621196379], length 132
# tcpdump -i eth0
-i selects the interface to capture on (eth0 here). The special interface any captures on every interface at once; tcpdump then uses the Linux cooked link type instead of Ethernet:
# tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
16:45:59.312046 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2547763641:2547763837, ack 1824693949, win 355, options [nop,nop,TS val 621343002 ecr 621342962], length 196
# tcpdump -w /path/to/file
-w writes the raw packets to a file instead of printing them, so they can be read back later or opened in another tool. The capture runs until it is stopped with CTRL+C, at which point tcpdump prints its counters:
# tcpdump -w /var/tmp/tcpdata.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
CTRL+C
1 packet captured
2 packets received by filter
0 packets dropped by kernel
# tcpdump -r /path/to/file
-r reads packets from a file written with -w instead of capturing live; the usual options and filters apply to the saved packets:
# tcpdump -r /var/tmp/tcpdata.pcap
reading from file /var/tmp/tcpdata.pcap, link-type EN10MB (Ethernet)
16:56:01.610473 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2547766673:2547766805, ack 1824696181, win 355, options [nop,nop,TS val 621493577 ecr 621493478], length 132
# tcpdump -s 100
-s sets the snapshot length, the number of bytes captured from each packet (100 here, instead of the 65535 shown as capture size above); anything beyond that length is not captured.
# tcpdump -c 10
-c stops tcpdump after the given number of packets (10 here) instead of running until CTRL+C.
Filter expressions can be appended to any of the commands above to restrict which packets are captured. The ones used on this page:

host 10.0.3.1
matches packets with 10.0.3.1 as either the source or the destination address.

src host 10.0.3.1
matches only packets whose source is 10.0.3.1; dst host 10.0.3.1 matches only packets whose destination is 10.0.3.1.

port 22 and port 60738
both conditions must match; and can also be written &&.

port 80 or port 443
either condition may match; or can also be written ||. Service names work in place of numbers, so port http or port https is equivalent.

Terms can be grouped with parentheses and combined. The following captures 20 packets on port 80 or 443 from host 10.0.3.169 or 10.0.3.1 that are destined for 10.0.3.246:
# tcpdump -nvvv -i any -c 20 '((port 80 or port 443) and (host 10.0.3.169 or host 10.0.3.1)) and dst host 10.0.3.246'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:53:30.349306 IP (tos 0x0, ttl 64, id 52641, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.1.35407 > 10.0.3.246.80: Flags [S], cksum 0x1b25 (incorrect -> 0x4890), seq 3026316656, win 29200, options [mss 1460,sackOK,TS val 623255761 ecr 0,nop,wscale 7], length 0
18:53:30.349558 IP (tos 0x0, ttl 64, id 52642, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.3.1.35407 > 10.0.3.246.80: Flags [.], cksum 0x1b1d (incorrect -> 0x3454), seq 3026316657, ack 3657995297, win 229, options [nop,nop,TS val 623255762 ecr 623255762], length 0
18:53:30.354056 IP (tos 0x0, ttl 64, id 52643, offset 0, flags [DF], proto TCP (6), length 475)
    10.0.3.1.35407 > 10.0.3.246.80: Flags [P.], cksum 0x1cc4 (incorrect -> 0x10c2), seq 0:423, ack 1, win 229, options [nop,nop,TS val 623255763 ecr 623255762], length 423
18:53:30.354682 IP (tos 0x0, ttl 64, id 52644, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.3.1.35407 > 10.0.3.246.80: Flags [.], cksum 0x1b1d (incorrect -> 0x31e6), seq 423, ack 190, win 237, options [nop,nop,TS val 623255763 ecr 623255763], length 0
Reading the output: each TCP line follows the pattern

src-ip.src-port > dest-ip.dest-port: Flags [S]

so in the line

10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989005 ecr 0,nop,wscale 7], length 0

10.0.3.246 is the source IP and 56894 the source port, the > marks the direction of the packet, 192.168.0.92 is the destination IP and 22 the destination port. Flags [S] means only the SYN flag is set. The flag values tcpdump prints:

[S]   SYN
[.]   ACK (no other flag set)
[P]   PUSH
[F]   FIN
[R]   RST
[S.]  SYN-ACK
15:15:43.323412 IP (tos 0x0, ttl 64, id 51051, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989005 ecr 0,nop,wscale 7], length 0
15:15:44.321444 IP (tos 0x0, ttl 64, id 51052, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x028e), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989255 ecr 0,nop,wscale 7], length 0
15:15:46.321610 IP (tos 0x0, ttl 64, id 51053, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x009a), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989755 ecr 0,nop,wscale 7], length 0

Here 10.0.3.246 sends a SYN to 192.168.0.92 three times, about one and then two seconds apart, each time with the same sequence number 682725222, and 192.168.0.92 never answers: the SYN is being retransmitted because no SYN-ACK ever comes back.
15:18:25.716453 IP (tos 0x10, ttl 64, id 53344, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.34908 > 192.168.0.110.22: Flags [S], cksum 0xcf3a (incorrect -> 0xc838), seq 1943877315, win 29200, options [mss 1460,sackOK,TS val 620029603 ecr 0,nop,wscale 7], length 0
15:18:25.716777 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.110.22 > 10.0.3.246.34908: Flags [S.], cksum 0x594a (correct), seq 4001145915, ack 1943877316, win 5792, options [mss 1460,sackOK,TS val 18495104 ecr 620029603,nop,wscale 2], length 0
15:18:25.716899 IP (tos 0x10, ttl 64, id 53345, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.3.246.34908 > 192.168.0.110.22: Flags [.], cksum 0xcf32 (incorrect -> 0x9dcc), ack 1, win 229, options [nop,nop,TS val 620029603 ecr 18495104], length 0

A successful connection for comparison: 10.0.3.246 sends a SYN to 192.168.0.110, 192.168.0.110 replies with a SYN-ACK (Flags [S.]), and 10.0.3.246 completes the three-way handshake with an ACK (Flags [.]), the SYN-ACK-ACK.
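As an added example that is not part of the original article, the following Python parses the src-ip.src-port > dest-ip.dest-port: Flags [..] lines described above and reports flows whose SYN keeps being retransmitted without a SYN-ACK, the pattern seen in the 192.168.0.92 capture. The sample lines are constructed from this page's output, shortened to the fields the parser needs; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Matches the "src-ip.src-port > dst-ip.dst-port: Flags [..]" line that tcpdump
# prints for every TCP segment; the -vvv IP header line before it does not match.
TCP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample, shortened from this page's captures: three unanswered SYNs
# to 192.168.0.92 and a completed handshake with 192.168.0.110.
SAMPLE = """\
15:15:43.323412 IP (tos 0x0, ttl 64, id 51051, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
    10.0.3.246.34908 > 192.168.0.110.22: Flags [S], seq 1943877315, win 29200, length 0
    192.168.0.110.22 > 10.0.3.246.34908: Flags [S.], seq 4001145915, ack 1943877316, win 5792, length 0
    10.0.3.246.34908 > 192.168.0.110.22: Flags [.], ack 1, win 229, length 0
""".splitlines()

def classify_flows(lines):
    """Map (client, cport, server, sport) to {'syns': n, 'state': s}, where state is
    'syn-only' (nothing came back), 'syn-ack' (final ACK not seen) or 'established'."""
    flows = defaultdict(lambda: {"syns": 0, "state": None})
    for line in lines:
        m = TCP_LINE.search(line)
        if not m:
            continue                       # banners, IP header lines, non-TCP traffic
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                   # client SYN, or a retransmission of it
            f = flows[(src, sport, dst, dport)]
            f["syns"] += 1
            f["state"] = f["state"] or "syn-only"
        elif flags == "S.":                # server SYN-ACK travels in the reverse direction
            key = (dst, dport, src, sport)
            if key in flows:
                flows[key]["state"] = "syn-ack"
        elif flags == ".":                 # bare ACK completes the handshake only once
            key = (src, sport, dst, dport)
            if key in flows and flows[key]["state"] == "syn-ack":
                flows[key]["state"] = "established"
    return dict(flows)

def unanswered_syns(lines, min_syns=2):
    """Flows that sent their SYN min_syns or more times without ever seeing a SYN-ACK."""
    return sorted(k for k, v in classify_flows(lines).items()
                  if v["state"] == "syn-only" and v["syns"] >= min_syns)
```

Feeding it the text of tcpdump -nvvv (live, or from a file via -r) lists every client/server pair that never got past the SYN, which is usually a filtered port or an unreachable host.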
-XX prints each packet in hex and ASCII, including the link-level header, so the raw bytes of a packet can be inspected.
-A prints the packet payload as ASCII only, which is the quickest way to read plain-text protocols such as an HTTP GET request.
For decoding beyond what tcpdump offers, tools such as ssldump and wireshark can read the pcap files written with -w.
1 Comment
anon.coder
[BENJAMIN CANE]
Awesome article!